(Likely) Authentication-issues connecting moq-clock

[pellju]

Greetings @kixelated (and apologizes for bothering you again)!

I have been playing around with the recent changes in the backend, and seems that recent change introducing the authentication-part have broken moq-clock. I got following output:

   Compiling moq-clock v0.6.3 (/home/juho/moq-rs/moq-rs-2025-05-24/rs/moq-clock)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 3.15s
RUST_LOG=debug cargo run --bin moq-clock -- "https://my.domain:4443" subscribe
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.13s
     Running `target/debug/moq-clock 'https://my.domain.org:4443' subscribe`
2025-06-25T20:18:05.804685Z  INFO moq_clock: connecting to server url=Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("my.domain")), port: Some(4443), path: "/", query: None, fragment: None }
2025-06-25T20:18:05.805018Z DEBUG moq_native::client: connecting url=https://my.domain:4443/ ip=192.168.1.243:4443 alpn=h3
Error: webtransport error: session error: connection error: closed by peer: invalid token (code 91141958510812)

Caused by:
    0: session error: connection error: closed by peer: invalid token (code 91141958510812)
    1: connection error: closed by peer: invalid token (code 91141958510812)
    2: closed by peer: invalid token (code 91141958510812)
error: Recipe `clock` failed on line 157 with exit code 1

Cloned the whole repository again, and when trying to run just clock subscribe, I'm getting following output (including an error):

if [ "subscribe" != "publish" ] && [ "subscribe" != "subscribe" ]; then echo "Error: action must be 'publish' or 'subscribe', got 'subscribe'" >&2; exit 1; fi
cargo run --bin moq-clock -- "http://localhost:4443" subscribe
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.12s
     Running `target/debug/moq-clock 'http://localhost:4443' subscribe`
2025-06-25T20:16:51.861045Z  INFO moq_clock: connecting to server url=Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(4443), path: "/", query: None, fragment: None }
2025-06-25T20:16:51.861637Z  WARN moq_native::client: performing insecure HTTP request for certificate url=http://localhost:4443/certificate.sha256
Error: webtransport error: session error: connection error: closed by peer: invalid token (code 91141958510812)

Caused by:
    0: session error: connection error: closed by peer: invalid token (code 91141958510812)
    1: connection error: closed by peer: invalid token (code 91141958510812)
    2: closed by peer: invalid token (code 91141958510812)
error: Recipe `clock` failed on line 133 with exit code 1

Running just relay returns following output (with the relay changes in my own testings and with the fresh version from Github):

# By default, this uses HMAC-SHA256.
if [ ! -f "dev/root.jwk" ]; then cargo run --bin moq-token -- --key "dev/root.jwk" generate; fi
# Generate a token that allows us to publish and subscribe to all paths.
# Obviously this needs to be secured in production.
# The primary/secondary flags are used to change what gets published based on the client.
if [ ! -f "dev/node.jwt" ]; then cargo run --quiet --bin moq-token -- --key "dev/root.jwk" sign --path "" --subscribe "" --subscribe-primary --publish "" --publish-secondary > dev/node.jwt; fi
# Run the relay server overriding the provided configuration file.
cargo run --bin moq-relay moq-relay/dev.toml
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.12s
     Running `target/debug/moq-relay moq-relay/dev.toml`
2025-06-25T20:14:41.089440Z  INFO moq_relay::cluster: running as root, accepting leaf nodes
2025-06-25T20:14:41.089716Z  INFO moq_relay: listening addr=[::]:4443
2025-06-25T20:14:42.617676Z  WARN moq_relay: failed to validate token err=token required for prefix:

In the both occasions I tried adding clock = "" to path in rs/moq-relay/dev.toml (to allow its path without token), but it did not have any effect.

Most likely I'm missing something related to the authentication, but I have no idea about the issue. Any ideas what would cause the missing invalid token here?

[kixelated]

Sorry about the lack of documentation around this.

Tokens are evaluated at connect time. So if you connect to https://my.domain:4443, then you'll need a token that gives you root access, even if you only intend to publish clock.

What you actually want to do is connect to https://my.domain:4443/clock and publish the broadcast "". That will work if you add clock = "" to the config file to allow unauthorized connections to that URL.

NOTE: the broadcast path is appended to the connection path. It's also relative now, which is a bit confusing but makes auth much easier because everything is scoped. There's no ../ to break out of an authenticated scope.

[kixelated]

Should be fixed by #453 as it moved clock into the unauthenticated demo/clock path.