Stream-level authentication and authorization.
Like Observer, authorization is an injected trait with
a permit-all default — the engine never bakes in an identity scheme. A host
supplies a StreamAuthenticator (validating stream keys, signed tokens,
IP allow-lists, an external auth service, …) and the engine enforces it on
the publish and play paths.

```rust
use arcly_stream::auth::{Credentials, StreamAuthenticator};
use arcly_stream::prelude::*;
use std::sync::Arc;

struct KeyAuth { secret: String }

#[async_trait]
impl StreamAuthenticator for KeyAuth {
    // Only the publish side is gated here; play keeps the trait's default (permit).
    async fn authorize_publish(&self, _key: &StreamKey, creds: &Credentials) -> Result<()> {
        match creds.token.as_deref() {
            // `==` stops at the first differing byte; a host exposed to
            // untrusted clients should compare the token in constant time.
            Some(t) if t == self.secret => Ok(()),
            _ => Err(StreamError::Unauthorized("bad publish key".into())),
        }
    }
}

let engine = Engine::builder()
    .application(AppSpec::new("live"))
    .authenticator(KeyAuth { secret: "s3cr3t".into() })
    .build();
```

Structs§
- AllowAll - The default authenticator: permits everything. Selected when the builder is given none, preserving the engine’s zero-policy default.
- Credentials - Credentials presented by a connecting publisher or player.
- TokenAuthenticator (auth-token) - A production-ready, time-limited signed-token authenticator (feature = "auth-token").
Traits§
- StreamAuthenticator - Authorizes publish and play attempts. Both methods default to permit, so an implementor overrides only the side it gates.
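
The KeyAuth example above accepts one shared secret for every stream and ignores the stream key argument. The following added example (not part of arcly_stream or its documentation) shows the same publish decision bound to a per-stream key, compared without an early exit and failing closed. `PerStreamKeys`, `AuthError`, `ct_eq` and the plain `&str` stream name are hypothetical stand-ins so the block compiles without the crate.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum AuthError { Unauthorized }

/// Best-effort comparison with no early exit at the first mismatching byte.
/// Production code should use a vetted crate such as `subtle`.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    // Fold the length difference in rather than branching on it.
    let mut diff = (a.len() ^ b.len()) as u64;
    for i in 0..a.len().max(b.len()) {
        let x = *a.get(i).unwrap_or(&0);
        let y = *b.get(i).unwrap_or(&0);
        diff |= (x ^ y) as u64;
    }
    diff == 0
}

/// Hypothetical stand-in (not an arcly_stream type): stream name -> publish key.
pub struct PerStreamKeys { keys: HashMap<String, Vec<u8>> }

impl PerStreamKeys {
    pub fn new(pairs: &[(&str, &str)]) -> Self {
        let keys = pairs.iter()
            .map(|(s, k)| (s.to_string(), k.as_bytes().to_vec()))
            .collect();
        Self { keys }
    }

    /// Same decision an `authorize_publish` override makes, but the token must
    /// match the key registered for this exact stream.
    pub fn authorize_publish(&self, stream: &str, token: Option<&str>) -> Result<(), AuthError> {
        let presented = token.unwrap_or("").as_bytes();
        match self.keys.get(stream) {
            // Empty keys never match, so a missing token cannot authorize.
            Some(k) if !k.is_empty() && ct_eq(presented, k) => Ok(()),
            // Unknown stream, missing token, or wrong key: fail closed.
            _ => Err(AuthError::Unauthorized),
        }
    }
}

fn main() {
    // Constructed sample keys.
    let auth = PerStreamKeys::new(&[("live/news", "k-news-1"), ("live/sports", "k-sports-1")]);
    println!("{:?}", auth.authorize_publish("live/news", Some("k-news-1")));
    println!("{:?}", auth.authorize_publish("live/sports", Some("k-news-1")));
}
```

In a real implementor, the body of `PerStreamKeys::authorize_publish` would sit inside the trait method and map the failure to `StreamError::Unauthorized` as the KeyAuth example does.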