Exclude actions when using JWT authentication

internal/auth/manager.go

@@ -106,6 +106,7 @@ type Manager struct {
 	HTTPAddress     string
 	HTTPExclude     []conf.AuthInternalUserPermission
 	JWTJWKS         string
+	JWTExclude      []conf.AuthInternalUserPermission
 	JWTClaimKey     string
 	ReadTimeout     time.Duration
 	RTSPAuthMethods []auth.ValidateMethod
@@ -250,6 +251,10 @@ func (m *Manager) authenticateHTTP(req *Request) error {
 }
 
 func (m *Manager) authenticateJWT(req *Request) error {
+	if matchesPermission(m.JWTExclude, req) {
+		return nil
+	}
+
 	keyfunc, err := m.pullJWTJWKS()
 	if err != nil {
 		return err

internal/auth/manager_test.go

@@ -431,3 +431,24 @@ func TestAuthJWT(t *testing.T) {
 		})
 	}
 }
+
+func TestAuthJWTExclude(t *testing.T) {
+	m := Manager{
+		Method: conf.AuthMethodJWT,
+		JWTExclude: []conf.AuthInternalUserPermission{{
+			Action: conf.AuthActionPublish,
+		}},
+		RTSPAuthMethods: nil,
+	}
+
+	err := m.Authenticate(&Request{
+		User:     "",
+		Pass:     "",
+		IP:       net.ParseIP("127.0.0.1"),
+		Action:   conf.AuthActionPublish,
+		Path:     "teststream",
+		Protocol: ProtocolRTSP,
+		Query:    "param=value",
+	})
+	require.NoError(t, err)
+}

internal/conf/conf.go

@@ -178,6 +178,7 @@ type Conf struct {
 	AuthHTTPExclude           AuthInternalUserPermissions `json:"authHTTPExclude"`
 	AuthJWTJWKS               string                      `json:"authJWTJWKS"`
 	AuthJWTClaimKey           string                      `json:"authJWTClaimKey"`
+	AuthJWTExclude            AuthInternalUserPermissions `json:"authJWTExclude"`
 
 	// Control API
 	API               bool       `json:"api"`
@@ -330,6 +331,17 @@ func (conf *Conf) setDefaults() {
 		},
 	}
 	conf.AuthJWTClaimKey = "mediamtx_permissions"
+	conf.AuthJWTExclude = []AuthInternalUserPermission{
+		{
+			Action: AuthActionAPI,
+		},
+		{
+			Action: AuthActionMetrics,
+		},
+		{
+			Action: AuthActionPprof,
+		},
+	}
 
 	// Control API
 	conf.APIAddress = ":9997"

internal/conf/conf_test.go

@@ -425,6 +425,8 @@ func TestConfOverrideDefaultSlices(t *testing.T) {
 			"  - user: user1\n" +
 			"  - user: user2\n" +
 			"authHTTPExclude:\n" +
+			"  - path: ''\n" +
+			"authJWTExclude:\n" +
 			"  - path: ''\n"))
 	require.NoError(t, err)
 	defer os.Remove(tmpf)
@@ -444,4 +446,8 @@ func TestConfOverrideDefaultSlices(t *testing.T) {
 	require.Equal(t, AuthInternalUserPermissions{
 		{},
 	}, conf.AuthHTTPExclude)
+
+	require.Equal(t, AuthInternalUserPermissions{
+		{},
+	}, conf.AuthJWTExclude)
 }

internal/core/core.go

@@ -269,6 +269,7 @@ func (p *Core) createResources(initial bool) error {
 			HTTPAddress:     p.conf.AuthHTTPAddress,
 			HTTPExclude:     p.conf.AuthHTTPExclude,
 			JWTJWKS:         p.conf.AuthJWTJWKS,
+			JWTExclude:      p.conf.AuthJWTExclude,
 			JWTClaimKey:     p.conf.AuthJWTClaimKey,
 			ReadTimeout:     time.Duration(p.conf.ReadTimeout),
 			RTSPAuthMethods: p.conf.RTSPAuthMethods,
@@ -652,6 +653,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.AuthHTTPAddress != p.conf.AuthHTTPAddress ||
 		!reflect.DeepEqual(newConf.AuthHTTPExclude, p.conf.AuthHTTPExclude) ||
 		newConf.AuthJWTJWKS != p.conf.AuthJWTJWKS ||
+		!reflect.DeepEqual(newConf.AuthJWTExclude, p.conf.AuthJWTExclude) ||
 		newConf.AuthJWTClaimKey != p.conf.AuthJWTClaimKey ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		!reflect.DeepEqual(newConf.RTSPAuthMethods, p.conf.RTSPAuthMethods)

mediamtx.yml

@@ -123,6 +123,12 @@ authHTTPExclude:
 authJWTJWKS:
 # name of the claim that contains permissions.
 authJWTClaimKey: mediamtx_permissions
+# Actions to exclude from JWT-based authentication.
+# Format is the same as the one of user permissions.
+authJWTExclude:
+- action: api
+- action: metrics
+- action: pprof
 
 ###############################################
 # Global settings -> Control API