feat: Add read-only mode for terminal sessions

crates/sshx-core/proto/sshx.proto

@@ -41,13 +41,15 @@ message OpenRequest {
   string origin = 1;         // Web origin of the server.
   bytes encrypted_zeros = 2; // Encrypted zero block, for client verification.
   string name = 3;           // Name of the session (user@hostname).
+  bool enable_readers = 4;  // Enable read-only mode for the session.
 }
 
 // Details of a newly-created sshx session.
 message OpenResponse {
   string name = 1;  // Name of the session.
   string token = 2; // Signed verification token for the client.
   string url = 3;   // Public web URL to view the session.
+  string write_password = 4; // Password for write access (when readers mode enabled)
 }
 
 // Sequence numbers for all active shells, used for synchronization.
@@ -103,6 +105,7 @@ message SerializedSession {
   uint32 next_sid = 3;
   uint32 next_uid = 4;
   string name = 5;
+  string write_password = 6;
 }
 
 message SerializedShell {

crates/sshx-server/Cargo.toml

@@ -41,6 +41,7 @@ tower-http = { version = "0.4.4", features = ["fs", "redirect", "trace"] }
 tracing.workspace = true
 tracing-subscriber.workspace = true
 zstd = "0.12.4"
+constant_time_eq = "0.3.0"
 
 [dev-dependencies]
 reqwest = { version = "0.11.20", default-features = false, features = ["rustls-tls"] }

crates/sshx-server/src/grpc.rs

@@ -50,12 +50,20 @@ impl SshxService for GrpcServer {
         }
         let name = rand_alphanumeric(10);
         info!(%name, "creating new session");
+
+        let write_password = if request.enable_readers {
+            Some(rand_alphanumeric(8))
+        } else {
+            None
+        };
+
         match self.0.lookup(&name) {
             Some(_) => return Err(Status::already_exists("generated duplicate ID")),
             None => {
                 let metadata = Metadata {
                     encrypted_zeros: request.encrypted_zeros,
                     name: request.name,
+                    write_password: write_password.clone(),
                 };
                 self.0.insert(&name, Arc::new(Session::new(metadata)));
             }
@@ -66,6 +74,7 @@ impl SshxService for GrpcServer {
             name,
             token: BASE64_STANDARD.encode(token.into_bytes()),
             url,
+            write_password: write_password.unwrap_or_default(),
         }))
     }
 

crates/sshx-server/src/session.rs

@@ -33,6 +33,9 @@ pub struct Metadata {
 
     /// Name of the session (human-readable).
     pub name: String,
+
+    /// Password for write access to the session.
+    pub write_password: Option<String>,
 }
 
 /// In-memory state for a single sshx session.
@@ -325,6 +328,7 @@ impl Session {
                     name: format!("User {id}"),
                     cursor: None,
                     focus: None,
+                    can_write: false,
                 };
                 v.insert(user.clone());
                 self.broadcast.send(WsServer::UserDiff(id, Some(user))).ok();
@@ -341,6 +345,16 @@ impl Session {
         self.broadcast.send(WsServer::UserDiff(id, None)).ok();
     }
 
+    /// Check if a user has write permission in the session.
+    pub fn check_write_permission(&self, user_id: Uid) -> Result<()> {
+        let users = self.users.read();
+        let user = users.get(&user_id).context("user not found")?;
+        if !user.can_write {
+            bail!("No write permission");
+        }
+        Ok(())
+    }
+
     /// Send a chat message into the room.
     pub fn send_chat(&self, id: Uid, msg: &str) -> Result<()> {
         // Populate the message with the current name in case it's not known later.

crates/sshx-server/src/session/snapshot.rs

@@ -62,6 +62,7 @@ impl Session {
             next_sid: ids.0 .0,
             next_uid: ids.1 .0,
             name: self.metadata().name.clone(),
+            write_password: self.metadata().write_password.clone().unwrap_or_default(),
         };
         let data = message.encode_to_vec();
         ensure!(data.len() < MAX_SNAPSHOT_SIZE, "snapshot too large");
@@ -72,9 +73,17 @@ impl Session {
     pub fn restore(data: &[u8]) -> Result<Self> {
         let data = zstd::bulk::decompress(data, MAX_SNAPSHOT_SIZE)?;
         let message = SerializedSession::decode(&*data)?;
+
+        let write_password = if message.write_password.is_empty() {
+            None
+        } else {
+            Some(message.write_password)
+        };
+
         let metadata = Metadata {
             encrypted_zeros: message.encrypted_zeros,
             name: message.name,
+            write_password,
         };
 
         let session = Self::new(metadata);

crates/sshx-server/src/web/protocol.rs

@@ -39,6 +39,8 @@ pub struct WsUser {
     pub cursor: Option<(i32, i32)>,
     /// Currently focused terminal window ID.
     pub focus: Option<Sid>,
+    /// Whether the user has write permissions in the session.
+    pub can_write: bool,
 }
 
 /// A real-time message sent from the server over WebSocket.
@@ -71,8 +73,9 @@ pub enum WsServer {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub enum WsClient {
-    /// Authenticate the user's encryption key by zeros block.
-    Authenticate(Bytes),
+    /// Authenticate the user's encryption key by zeros block and write password
+    /// (if provided).
+    Authenticate(Bytes, Option<Bytes>),
     /// Set the name of the current user.
     SetName(String),
     /// Send real-time information about the user's cursor.

crates/sshx-server/src/web/socket.rs

@@ -8,6 +8,7 @@ use axum::extract::{
 };
 use axum::response::IntoResponse;
 use bytes::Bytes;
+use constant_time_eq::constant_time_eq;
 use futures_util::SinkExt;
 use sshx_core::proto::{server_update::ServerMessage, NewShell, TerminalInput, TerminalSize};
 use sshx_core::Sid;
@@ -95,15 +96,46 @@ async fn handle_socket(socket: &mut WebSocket, session: Arc<Session>) -> Result<
     session.sync_now();
     send(socket, WsServer::Hello(user_id, metadata.name.clone())).await?;
 
-    match recv(socket).await? {
-        Some(WsClient::Authenticate(bytes)) if bytes == metadata.encrypted_zeros => {}
+    let (user_guard, _) = match recv(socket).await? {
+        Some(WsClient::Authenticate(bytes, write_password_bytes)) => {
+            if bytes != metadata.encrypted_zeros {
+                send(socket, WsServer::InvalidAuth()).await?;
+                return Ok(());
+            }
+
+            let can_write = match (write_password_bytes, &metadata.write_password) {
+                // No password provided and none stored, it means users can write (Default)
+                (_, None) => true,
+
+                // Both password provided and stored, validate they match using constant-time
+                // comparison.
+                (Some(provided_password), Some(stored_password)) => {
+                    if !constant_time_eq(&provided_password, stored_password.as_bytes()) {
+                        send(socket, WsServer::InvalidAuth()).await?;
+                        return Ok(());
+                    }
+                    true
+                }
+
+                // Password stored but not provided, user can't write (Read-Only)
+                (None, Some(_)) => false,
+            };
+
+            // Create user and return both guard and can_write status
+            let user_guard = session.user_scope(user_id)?;
+            session.update_user(user_id, |user| {
+                user.can_write = can_write;
+            })?;
+
+            (user_guard, can_write)
+        }
         _ => {
             send(socket, WsServer::InvalidAuth()).await?;
             return Ok(());
         }
-    }
+    };
 
-    let _user_guard = session.user_scope(user_id)?;
+    let _user_guard = user_guard;
 
     let update_tx = session.update_tx(); // start listening for updates before any state reads
     let mut broadcast_stream = session.subscribe_broadcast();
@@ -138,7 +170,7 @@ async fn handle_socket(socket: &mut WebSocket, session: Arc<Session>) -> Result<
         };
 
         match msg {
-            WsClient::Authenticate(_) => {}
+            WsClient::Authenticate(_, _) => {}
             WsClient::SetName(name) => {
                 if !name.is_empty() {
                     session.update_user(user_id, |user| user.name = name)?;
@@ -151,6 +183,10 @@ async fn handle_socket(socket: &mut WebSocket, session: Arc<Session>) -> Result<
                 session.update_user(user_id, |user| user.focus = id)?;
             }
             WsClient::Create(x, y) => {
+                if let Err(e) = session.check_write_permission(user_id) {
+                    send(socket, WsServer::Error(e.to_string())).await?;
+                    continue;
+                }
                 let id = session.counter().next_sid();
                 session.sync_now();
                 let new_shell = NewShell { id: id.0, x, y };
@@ -159,9 +195,17 @@ async fn handle_socket(socket: &mut WebSocket, session: Arc<Session>) -> Result<
                     .await?;
             }
             WsClient::Close(id) => {
+                if let Err(e) = session.check_write_permission(user_id) {
+                    send(socket, WsServer::Error(e.to_string())).await?;
+                    continue;
+                }
                 update_tx.send(ServerMessage::CloseShell(id.0)).await?;
             }
             WsClient::Move(id, winsize) => {
+                if let Err(e) = session.check_write_permission(user_id) {
+                    send(socket, WsServer::Error(e.to_string())).await?;
+                    continue;
+                }
                 if let Err(err) = session.move_shell(id, winsize) {
                     send(socket, WsServer::Error(err.to_string())).await?;
                     continue;
@@ -176,6 +220,10 @@ async fn handle_socket(socket: &mut WebSocket, session: Arc<Session>) -> Result<
                 }
             }
             WsClient::Data(id, data, offset) => {
+                if let Err(e) = session.check_write_permission(user_id) {
+                    send(socket, WsServer::Error(e.to_string())).await?;
+                    continue;
+                }
                 let input = TerminalInput {
                     id: id.0,
                     data,

crates/sshx-server/tests/common/mod.rs

@@ -113,7 +113,8 @@ impl ClientSocket {
 
     async fn authenticate(&mut self) {
         let encrypted_zeros = self.encrypt.zeros().into();
-        self.send(WsClient::Authenticate(encrypted_zeros)).await;
+        self.send(WsClient::Authenticate(encrypted_zeros, None))
+            .await;
     }
 
     pub async fn send(&mut self, msg: WsClient) {

crates/sshx-server/tests/simple.rs

@@ -15,6 +15,7 @@ async fn test_rpc() -> Result<()> {
         origin: "sshx.io".into(),
         encrypted_zeros: Encrypt::new("").zeros().into(),
         name: String::new(),
+        enable_readers: false,
     };
     let resp = client.open(req).await?;
     assert!(!resp.into_inner().name.is_empty());

crates/sshx-server/tests/snapshot.rs

@@ -16,7 +16,7 @@ pub mod common;
 async fn test_basic_restore() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });

crates/sshx-server/tests/with_client.rs

@@ -14,7 +14,7 @@ pub mod common;
 #[tokio::test]
 async fn test_handshake() -> Result<()> {
     let server = TestServer::new().await;
-    let controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     controller.close().await?;
     Ok(())
 }
@@ -23,7 +23,7 @@ async fn test_handshake() -> Result<()> {
 async fn test_command() -> Result<()> {
     let server = TestServer::new().await;
     let runner = Runner::Shell("/bin/bash".into());
-    let mut controller = Controller::new(&server.endpoint(), "", runner).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", runner, &false).await?;
 
     let session = server
         .state()
@@ -69,7 +69,7 @@ async fn test_ws_missing() -> Result<()> {
 async fn test_ws_basic() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });
@@ -101,7 +101,7 @@ async fn test_ws_basic() -> Result<()> {
 async fn test_ws_resize() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });
@@ -145,7 +145,7 @@ async fn test_ws_resize() -> Result<()> {
 async fn test_users_join() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });
@@ -174,7 +174,7 @@ async fn test_users_join() -> Result<()> {
 async fn test_users_metadata() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });
@@ -199,7 +199,7 @@ async fn test_users_metadata() -> Result<()> {
 async fn test_chat_messages() -> Result<()> {
     let server = TestServer::new().await;
 
-    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo).await?;
+    let mut controller = Controller::new(&server.endpoint(), "", Runner::Echo, &false).await?;
     let name = controller.name().to_owned();
     let key = controller.encryption_key().to_owned();
     tokio::spawn(async move { controller.run().await });