fix: skip-auth-prefixes not apply on listeners when users is unset

wwqgtxx · wwqgtxx · commit cd2d1c6bb0e8 · 2024-09-27T18:10:05.000+08:00
diff --git a/component/auth/auth.go b/component/auth/auth.go
@@ -5,6 +5,11 @@ type Authenticator interface {
 	Users() []string
 }
 
+type AuthStore interface {
+	Authenticator() Authenticator
+	SetAuthenticator(Authenticator)
+}
+
 type AuthUser struct {
 	User string
 	Pass string
diff --git a/hub/executor/executor.go b/hub/executor/executor.go
@@ -127,7 +127,7 @@ func initInnerTcp() {
 func GetGeneral() *config.General {
 	ports := listener.GetPorts()
 	var authenticator []string
-	if auth := authStore.Authenticator(); auth != nil {
+	if auth := authStore.Default.Authenticator(); auth != nil {
 		authenticator = auth.Users()
 	}
 
@@ -422,7 +422,7 @@ func updateGeneral(general *config.General) {
 
 func updateUsers(users []auth.AuthUser) {
 	authenticator := auth.NewAuthenticator(users)
-	authStore.SetAuthenticator(authenticator)
+	authStore.Default.SetAuthenticator(authenticator)
 	if authenticator != nil {
 		log.Infoln("Authentication of local server updated")
 	}
diff --git a/listener/auth/auth.go b/listener/auth/auth.go
@@ -4,14 +4,30 @@ import (
 	"github.com/metacubex/mihomo/component/auth"
 )
 
-var authenticator auth.Authenticator
+type authStore struct {
+	authenticator auth.Authenticator
+}
+
+func (a *authStore) Authenticator() auth.Authenticator {
+	return a.authenticator
+}
+
+func (a *authStore) SetAuthenticator(authenticator auth.Authenticator) {
+	a.authenticator = authenticator
+}
 
-func Authenticator() auth.Authenticator {
-	return authenticator
+func NewAuthStore(authenticator auth.Authenticator) auth.AuthStore {
+	return &authStore{authenticator}
 }
 
-func SetAuthenticator(au auth.Authenticator) {
-	authenticator = au
+var Default auth.AuthStore = NewAuthStore(nil)
+
+type nilAuthStore struct{}
+
+func (a *nilAuthStore) Authenticator() auth.Authenticator {
+	return nil
 }
 
-func Nil() auth.Authenticator { return nil }
+func (a *nilAuthStore) SetAuthenticator(authenticator auth.Authenticator) {}
+
+var Nil auth.AuthStore = (*nilAuthStore)(nil) // always return nil, even call SetAuthenticator() with a non-nil authenticator
diff --git a/listener/http/proxy.go b/listener/http/proxy.go
@@ -30,7 +30,7 @@ func (b *bodyWrapper) Read(p []byte) (n int, err error) {
 	return n, err
 }
 
-func HandleConn(c net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {
+func HandleConn(c net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {
 	additions = append(additions, inbound.Placeholder) // Add a placeholder for InUser
 	inUserIdx := len(additions) - 1
 	client := newClient(c, tunnel, additions)
@@ -41,7 +41,7 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator,
 
 	conn := N.NewBufferedConn(c)
 
-	authenticator := getAuth()
+	authenticator := store.Authenticator()
 	keepAlive := true
 	trusted := authenticator == nil // disable authenticate if lru is nil
 	lastUser := ""
diff --git a/listener/http/server.go b/listener/http/server.go
@@ -32,20 +32,20 @@ func (l *Listener) Close() error {
 }
 
 func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {
-	return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...)
+	return NewWithAuthenticator(addr, tunnel, authStore.Default, additions...)
 }
 
 // NewWithAuthenticate
 // never change type traits because it's used in CMFA
 func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) {
-	getAuth := authStore.Authenticator
+	store := authStore.Default
 	if !authenticate {
-		getAuth = authStore.Nil
+		store = authStore.Default
 	}
-	return NewWithAuthenticator(addr, tunnel, getAuth, additions...)
+	return NewWithAuthenticator(addr, tunnel, store, additions...)
 }
 
-func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) {
+func NewWithAuthenticator(addr string, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) (*Listener, error) {
 	isDefault := false
 	if len(additions) == 0 {
 		isDefault = true
@@ -74,17 +74,17 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Auth
 				continue
 			}
 
-			getAuth := getAuth
-			if isDefault { // only apply on default listener
+			store := store
+			if isDefault || store == authStore.Default { // only apply on default listener
 				if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) {
 					_ = conn.Close()
 					continue
 				}
 				if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {
-					getAuth = authStore.Nil
+					store = authStore.Nil
 				}
 			}
-			go HandleConn(conn, tunnel, getAuth, additions...)
+			go HandleConn(conn, tunnel, store, additions...)
 		}
 	}()
 
diff --git a/listener/inbound/auth.go b/listener/inbound/auth.go
@@ -12,7 +12,7 @@ type AuthUser struct {
 
 type AuthUsers []AuthUser
 
-func (a AuthUsers) GetAuth() func() auth.Authenticator {
+func (a AuthUsers) GetAuthStore() auth.AuthStore {
 	if a != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 		if len(a) == 0 {
 			return authStore.Nil
@@ -25,7 +25,7 @@ func (a AuthUsers) GetAuth() func() auth.Authenticator {
 			}
 		}
 		authenticator := auth.NewAuthenticator(users)
-		return func() auth.Authenticator { return authenticator }
+		return authStore.NewAuthStore(authenticator)
 	}
-	return authStore.Authenticator
+	return authStore.Default
 }
diff --git a/listener/inbound/http.go b/listener/inbound/http.go
@@ -45,7 +45,7 @@ func (h *HTTP) Address() string {
 // Listen implements constant.InboundListener
 func (h *HTTP) Listen(tunnel C.Tunnel) error {
 	var err error
-	h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuth(), h.Additions()...)
+	h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuthStore(), h.Additions()...)
 	if err != nil {
 		return err
 	}
diff --git a/listener/inbound/mixed.go b/listener/inbound/mixed.go
@@ -53,7 +53,7 @@ func (m *Mixed) Address() string {
 // Listen implements constant.InboundListener
 func (m *Mixed) Listen(tunnel C.Tunnel) error {
 	var err error
-	m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuth(), m.Additions()...)
+	m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuthStore(), m.Additions()...)
 	if err != nil {
 		return err
 	}
diff --git a/listener/inbound/socks.go b/listener/inbound/socks.go
@@ -71,7 +71,7 @@ func (s *Socks) Address() string {
 // Listen implements constant.InboundListener
 func (s *Socks) Listen(tunnel C.Tunnel) error {
 	var err error
-	if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuth(), s.Additions()...); err != nil {
+	if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuthStore(), s.Additions()...); err != nil {
 		return err
 	}
 	if s.udp {
diff --git a/listener/mixed/mixed.go b/listener/mixed/mixed.go
@@ -37,10 +37,10 @@ func (l *Listener) Close() error {
 }
 
 func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {
-	return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...)
+	return NewWithAuthenticator(addr, tunnel, authStore.Default, additions...)
 }
 
-func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) {
+func NewWithAuthenticator(addr string, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) (*Listener, error) {
 	isDefault := false
 	if len(additions) == 0 {
 		isDefault = true
@@ -68,24 +68,24 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Auth
 				}
 				continue
 			}
-			getAuth := getAuth
-			if isDefault { // only apply on default listener
+			store := store
+			if isDefault || store == authStore.Default { // only apply on default listener
 				if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
 					_ = c.Close()
 					continue
 				}
 				if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) {
-					getAuth = authStore.Nil
+					store = authStore.Nil
 				}
 			}
-			go handleConn(c, tunnel, getAuth, additions...)
+			go handleConn(c, tunnel, store, additions...)
 		}
 	}()
 
 	return ml, nil
 }
 
-func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {
+func handleConn(conn net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {
 	bufConn := N.NewBufferedConn(conn)
 	head, err := bufConn.Peek(1)
 	if err != nil {
@@ -94,10 +94,10 @@ func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticato
 
 	switch head[0] {
 	case socks4.Version:
-		socks.HandleSocks4(bufConn, tunnel, getAuth, additions...)
+		socks.HandleSocks4(bufConn, tunnel, store, additions...)
 	case socks5.Version:
-		socks.HandleSocks5(bufConn, tunnel, getAuth, additions...)
+		socks.HandleSocks5(bufConn, tunnel, store, additions...)
 	default:
-		http.HandleConn(bufConn, tunnel, getAuth, additions...)
+		http.HandleConn(bufConn, tunnel, store, additions...)
 	}
 }
diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go
@@ -36,10 +36,10 @@ func (l *Listener) Close() error {
 }
 
 func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {
-	return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...)
+	return NewWithAuthenticator(addr, tunnel, authStore.Default, additions...)
 }
 
-func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) {
+func NewWithAuthenticator(addr string, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) (*Listener, error) {
 	isDefault := false
 	if len(additions) == 0 {
 		isDefault = true
@@ -67,24 +67,24 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Auth
 				}
 				continue
 			}
-			getAuth := getAuth
-			if isDefault { // only apply on default listener
+			store := store
+			if isDefault || store == authStore.Default { // only apply on default listener
 				if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
 					_ = c.Close()
 					continue
 				}
 				if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) {
-					getAuth = authStore.Nil
+					store = authStore.Nil
 				}
 			}
-			go handleSocks(c, tunnel, getAuth, additions...)
+			go handleSocks(c, tunnel, store, additions...)
 		}
 	}()
 
 	return sl, nil
 }
 
-func handleSocks(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {
+func handleSocks(conn net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {
 	bufConn := N.NewBufferedConn(conn)
 	head, err := bufConn.Peek(1)
 	if err != nil {
@@ -94,16 +94,16 @@ func handleSocks(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticat
 
 	switch head[0] {
 	case socks4.Version:
-		HandleSocks4(bufConn, tunnel, getAuth, additions...)
+		HandleSocks4(bufConn, tunnel, store, additions...)
 	case socks5.Version:
-		HandleSocks5(bufConn, tunnel, getAuth, additions...)
+		HandleSocks5(bufConn, tunnel, store, additions...)
 	default:
 		conn.Close()
 	}
 }
 
-func HandleSocks4(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {
-	authenticator := getAuth()
+func HandleSocks4(conn net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {
+	authenticator := store.Authenticator()
 	addr, _, user, err := socks4.ServerHandshake(conn, authenticator)
 	if err != nil {
 		conn.Close()
@@ -113,8 +113,8 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authentica
 	tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...))
 }
 
-func HandleSocks5(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {
-	authenticator := getAuth()
+func HandleSocks5(conn net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {
+	authenticator := store.Authenticator()
 	target, command, user, err := socks5.ServerHandshake(conn, authenticator)
 	if err != nil {
 		conn.Close()

Original file line number	Diff line number	Diff line change
`@@ -32,20 +32,20 @@ func (l *Listener) Close() error {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {`
`35`		`- return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...)`
	`35`	`+ return NewWithAuthenticator(addr, tunnel, authStore.Default, additions...)`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`// NewWithAuthenticate`
`39`	`39`	`// never change type traits because it's used in CMFA`
`40`	`40`	`func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) {`
`41`		`- getAuth := authStore.Authenticator`
	`41`	`+ store := authStore.Default`
`42`	`42`	`if !authenticate {`
`43`		`- getAuth = authStore.Nil`
	`43`	`+ store = authStore.Default`
`44`	`44`	`}`
`45`		`- return NewWithAuthenticator(addr, tunnel, getAuth, additions...)`
	`45`	`+ return NewWithAuthenticator(addr, tunnel, store, additions...)`
`46`	`46`	`}`
`47`	`47`
`48`		`-func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) {`
	`48`	`+func NewWithAuthenticator(addr string, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) (*Listener, error) {`
`49`	`49`	`isDefault := false`
`50`	`50`	`if len(additions) == 0 {`
`51`	`51`	`isDefault = true`
`@@ -74,17 +74,17 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Auth`
`74`	`74`	`continue`
`75`	`75`	`}`
`76`	`76`
`77`		`- getAuth := getAuth`
`78`		`- if isDefault { // only apply on default listener`
	`77`	`+ store := store`
	`78`	`+ if isDefault \|\| store == authStore.Default { // only apply on default listener`
`79`	`79`	`if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) {`
`80`	`80`	`_ = conn.Close()`
`81`	`81`	`continue`
`82`	`82`	`}`
`83`	`83`	`if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {`
`84`		`- getAuth = authStore.Nil`
	`84`	`+ store = authStore.Nil`
`85`	`85`	`}`
`86`	`86`	`}`
`87`		`- go HandleConn(conn, tunnel, getAuth, additions...)`
	`87`	`+ go HandleConn(conn, tunnel, store, additions...)`
`88`	`88`	`}`
`89`	`89`	`}()`
`90`	`90`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ type AuthUser struct {`
`12`	`12`
`13`	`13`	`type AuthUsers []AuthUser`
`14`	`14`
`15`		`-func (a AuthUsers) GetAuth() func() auth.Authenticator {`
	`15`	`+func (a AuthUsers) GetAuthStore() auth.AuthStore {`
`16`	`16`	`if a != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array`
`17`	`17`	`if len(a) == 0 {`
`18`	`18`	`return authStore.Nil`
`@@ -25,7 +25,7 @@ func (a AuthUsers) GetAuth() func() auth.Authenticator {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`	`authenticator := auth.NewAuthenticator(users)`
`28`		`- return func() auth.Authenticator { return authenticator }`
	`28`	`+ return authStore.NewAuthStore(authenticator)`
`29`	`29`	`}`
`30`		`- return authStore.Authenticator`
	`30`	`+ return authStore.Default`
`31`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ func (h *HTTP) Address() string {`
`45`	`45`	`// Listen implements constant.InboundListener`
`46`	`46`	`func (h *HTTP) Listen(tunnel C.Tunnel) error {`
`47`	`47`	`var err error`
`48`		`- h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuth(), h.Additions()...)`
	`48`	`+ h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuthStore(), h.Additions()...)`
`49`	`49`	`if err != nil {`
`50`	`50`	`return err`
`51`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ func (m *Mixed) Address() string {`
`53`	`53`	`// Listen implements constant.InboundListener`
`54`	`54`	`func (m *Mixed) Listen(tunnel C.Tunnel) error {`
`55`	`55`	`var err error`
`56`		`- m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuth(), m.Additions()...)`
	`56`	`+ m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuthStore(), m.Additions()...)`
`57`	`57`	`if err != nil {`
`58`	`58`	`return err`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func (s *Socks) Address() string {`
`71`	`71`	`// Listen implements constant.InboundListener`
`72`	`72`	`func (s *Socks) Listen(tunnel C.Tunnel) error {`
`73`	`73`	`var err error`
`74`		`- if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuth(), s.Additions()...); err != nil {`
	`74`	`+ if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuthStore(), s.Additions()...); err != nil {`
`75`	`75`	`return err`
`76`	`76`	`}`
`77`	`77`	`if s.udp {`
Original file line number	Diff line number	Diff line change
`@@ -37,10 +37,10 @@ func (l *Listener) Close() error {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {`
`40`		`- return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...)`
	`40`	`+ return NewWithAuthenticator(addr, tunnel, authStore.Default, additions...)`
`41`	`41`	`}`
`42`	`42`
`43`		`-func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) {`
	`43`	`+func NewWithAuthenticator(addr string, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) (*Listener, error) {`
`44`	`44`	`isDefault := false`
`45`	`45`	`if len(additions) == 0 {`
`46`	`46`	`isDefault = true`
`@@ -68,24 +68,24 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Auth`
`68`	`68`	`}`
`69`	`69`	`continue`
`70`	`70`	`}`
`71`		`- getAuth := getAuth`
`72`		`- if isDefault { // only apply on default listener`
	`71`	`+ store := store`
	`72`	`+ if isDefault \|\| store == authStore.Default { // only apply on default listener`
`73`	`73`	`if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {`
`74`	`74`	`_ = c.Close()`
`75`	`75`	`continue`
`76`	`76`	`}`
`77`	`77`	`if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) {`
`78`		`- getAuth = authStore.Nil`
	`78`	`+ store = authStore.Nil`
`79`	`79`	`}`
`80`	`80`	`}`
`81`		`- go handleConn(c, tunnel, getAuth, additions...)`
	`81`	`+ go handleConn(c, tunnel, store, additions...)`
`82`	`82`	`}`
`83`	`83`	`}()`
`84`	`84`
`85`	`85`	`return ml, nil`
`86`	`86`	`}`
`87`	`87`
`88`		`-func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) {`
	`88`	`+func handleConn(conn net.Conn, tunnel C.Tunnel, store auth.AuthStore, additions ...inbound.Addition) {`
`89`	`89`	`bufConn := N.NewBufferedConn(conn)`
`90`	`90`	`head, err := bufConn.Peek(1)`
`91`	`91`	`if err != nil {`
`@@ -94,10 +94,10 @@ func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticato`
`94`	`94`
`95`	`95`	`switch head[0] {`
`96`	`96`	`case socks4.Version:`
`97`		`- socks.HandleSocks4(bufConn, tunnel, getAuth, additions...)`
	`97`	`+ socks.HandleSocks4(bufConn, tunnel, store, additions...)`
`98`	`98`	`case socks5.Version:`
`99`		`- socks.HandleSocks5(bufConn, tunnel, getAuth, additions...)`
	`99`	`+ socks.HandleSocks5(bufConn, tunnel, store, additions...)`
`100`	`100`	`default:`
`101`		`- http.HandleConn(bufConn, tunnel, getAuth, additions...)`
	`101`	`+ http.HandleConn(bufConn, tunnel, store, additions...)`
`102`	`102`	`}`
`103`	`103`	`}`