srt: wait some seconds before returning authentication errors (#2918)

this allows to mitigate brute force attacks and is possible thanks to
https://github.com/datarhei/gosrt/pull/43

internal/servers/hls/http_server.go

@@ -20,7 +20,7 @@ import (
 )
 
 const (
-	hlsPauseAfterAuthError = 2 * time.Second
+	pauseAfterAuthError = 2 * time.Second
 )
 
 //go:embed index.html
@@ -173,8 +173,8 @@ func (s *httpServer) onRequest(ctx *gin.Context) {
 
 			s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message)
 
-			// wait some seconds to stop brute force attacks
-			<-time.After(hlsPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 
 			ctx.Writer.WriteHeader(http.StatusUnauthorized)
 			return

internal/servers/rtmp/conn.go

@@ -29,7 +29,7 @@ import (
 )
 
 const (
-	rtmpPauseAfterAuthError = 2 * time.Second
+	pauseAfterAuthError = 2 * time.Second
 )
 
 func pathNameAndQuery(inURL *url.URL) (string, url.Values, string) {
@@ -181,8 +181,8 @@ func (c *conn) runRead(conn *rtmp.Conn, u *url.URL) error {
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// wait some seconds to stop brute force attacks
-			<-time.After(rtmpPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 			return terr
 		}
 		return res.Err
@@ -413,8 +413,8 @@ func (c *conn) runPublish(conn *rtmp.Conn, u *url.URL) error {
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// wait some seconds to stop brute force attacks
-			<-time.After(rtmpPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 			return terr
 		}
 		return res.Err

internal/servers/rtsp/conn.go

@@ -20,7 +20,7 @@ import (
 )
 
 const (
-	rtspPauseAfterAuthError = 2 * time.Second
+	pauseAfterAuthError = 2 * time.Second
 )
 
 type conn struct {
@@ -196,8 +196,8 @@ func (c *conn) handleAuthError(authErr error) (*base.Response, error) {
 		}, nil
 	}
 
-	// wait some seconds to stop brute force attacks
-	<-time.After(rtspPauseAfterAuthError)
+	// wait some seconds to mitigate brute force attacks
+	<-time.After(pauseAfterAuthError)
 
 	return &base.Response{
 		StatusCode: base.StatusUnauthorized,

internal/servers/srt/conn.go

@@ -25,6 +25,10 @@ import (
 	"github.com/bluenviron/mediamtx/internal/stream"
 )
 
+const (
+	pauseAfterAuthError = 2 * time.Second
+)
+
 func srtCheckPassphrase(connReq srt.ConnRequest, passphrase string) error {
 	if passphrase == "" {
 		return nil
@@ -197,9 +201,8 @@ func (c *conn) runPublish(req srtNewConnReq, pathName string, user string, pass
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// TODO: re-enable. Currently this freezes the listener.
-			// wait some seconds to stop brute force attacks
-			// <-time.After(srtPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 			return false, terr
 		}
 		return false, res.Err
@@ -297,9 +300,8 @@ func (c *conn) runRead(req srtNewConnReq, pathName string, user string, pass str
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// TODO: re-enable. Currently this freezes the listener.
-			// wait some seconds to stop brute force attacks
-			// <-time.After(srtPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 			return false, res.Err
 		}
 		return false, res.Err

internal/servers/webrtc/http_server.go

@@ -134,8 +134,8 @@ func (s *httpServer) checkAuthOutsideSession(ctx *gin.Context, path string, publ
 
 			s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message)
 
-			// wait some seconds to stop brute force attacks
-			<-time.After(webrtcPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 
 			writeError(ctx, http.StatusUnauthorized, terr)
 			return false

internal/servers/webrtc/server.go

@@ -28,7 +28,7 @@ import (
 )
 
 const (
-	webrtcPauseAfterAuthError  = 2 * time.Second
+	pauseAfterAuthError        = 2 * time.Second
 	webrtcTurnSecretExpiration = 24 * 3600 * time.Second
 	webrtcPayloadMaxSize       = 1188 // 1200 - 12 (RTP header)
 )

internal/servers/webrtc/session.go

@@ -379,8 +379,8 @@ func (s *session) runPublish() (int, error) {
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// wait some seconds to stop brute force attacks
-			<-time.After(webrtcPauseAfterAuthError)
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 
 			return http.StatusUnauthorized, res.Err
 		}
@@ -510,9 +510,8 @@ func (s *session) runRead() (int, error) {
 	if res.Err != nil {
 		var terr defs.AuthenticationError
 		if errors.As(res.Err, &terr) {
-			// wait some seconds to stop brute force attacks
-			<-time.After(webrtcPauseAfterAuthError)
-
+			// wait some seconds to mitigate brute force attacks
+			<-time.After(pauseAfterAuthError)
 			return http.StatusUnauthorized, res.Err
 		}