feat: rework login authentication and add API token support

cmake/compile_definitions/common.cmake

@@ -114,6 +114,7 @@ set(SUNSHINE_TARGET_FILES
         "${CMAKE_SOURCE_DIR}/src/stat_trackers.cpp"
         "${CMAKE_SOURCE_DIR}/src/rswrapper.h"
         "${CMAKE_SOURCE_DIR}/src/rswrapper.c"
+        "${CMAKE_SOURCE_DIR}/src/http_auth.cpp"
         ${PLATFORM_TARGET_FILES})
 
 if(NOT SUNSHINE_ASSETS_DIR_DEF)

docs/api.md

@@ -2,13 +2,29 @@
 
 Sunshine has a RESTful API which can be used to interact with the service.
 
-Unless otherwise specified, authentication is required for all API calls. You can authenticate using
-basic authentication with the admin username and password.
+Unless otherwise specified, authentication is required for all API calls. You can authenticate using either basic authentication with the admin username and password, or with an API token that provides fine-grained access control.
 
 @htmlonly
 <script src="api.js"></script>
 @endhtmlonly
 
+## API Token Security Model and Best Practices
+
+Sunshine API tokens are designed for security and fine-grained access control:
+
+- **Token Creation:** When you generate an API token, Sunshine creates a secure random 32-character string. Only a cryptographic hash of the token is stored on disk and in memory. The raw token is shown to you only once—immediately after creation. If you lose it, you must generate a new token.
+- **Security:** Because only the hash is stored, even if the state file is compromised, attackers cannot recover the original token value.
+- **Principle of Least Privilege:** When creating a token, always grant access only to the specific API paths and HTTP methods required for your use case. Avoid giving broad or unnecessary permissions.
+- **Token Management:**
+  - Store your token securely after creation. Never share or log it.
+  - Revoke tokens immediately if they are no longer needed or if you suspect they are compromised.
+  - Use HTTPS to protect tokens in transit.
+- **Listing and Revocation:** You can list all active tokens (metadata only, not the token value) and revoke any token at any time using the API.
+
+API Tokens can also be managed in the Web UI under the "API Token" tab in the navigation bar.
+
+See below for details on token endpoints and usage examples.
+
 ## GET /api/apps
 @copydoc confighttp::getApps()
 
@@ -57,6 +73,47 @@ basic authentication with the admin username and password.
 ## POST /api/restart
 @copydoc confighttp::restart()
 
+## Authentication
+
+All API calls require authentication. You can use either:
+- **Basic Authentication**: Use your admin username and password.
+- **API Token (recommended for automation)**: Use a generated token with fine-grained access control.
+
+### Generating an API Token
+
+**POST /api/token**
+
+Authenticate with Basic Auth. The request body should specify the allowed API paths and HTTP methods for the token:
+
+```json
+{
+  "scopes": [
+    { "path": "/api/apps", "methods": ["GET", "POST"] },
+    { "path": "/api/logs", "methods": ["GET"] }
+  ]
+}
+```
+
+**Response:**
+```json
+{ "token": "...your-new-token..." }
+```
+> The token is only shown once. Store it securely.
+
+### Using an API Token
+
+Send the token in the `Authorization` header:
+```
+Authorization: Bearer <token>
+```
+
+The token grants access only to the specified paths and HTTP methods.
+
+### Managing API Tokens
+
+- **List tokens:** `GET /api/tokens` (shows metadata, not token values)
+- **Revoke token:** `DELETE /api/token/{hash}`
+
 <div class="section_buttons">
 
 | Previous                                    |                                  Next |

docs/configuration.md

@@ -1685,6 +1685,36 @@ editing the `conf` file in a text editor. Use the examples as reference.
     </tr>
 </table>
 
+### session_token_ttl_seconds
+
+<table>
+    <tr>
+        <td>Description</td>
+        <td colspan="2">
+            Web UI session timeout in seconds. Determines how long a login session remains valid before re-authentication is required.
+        </td>
+    </tr>
+    <tr>
+        <td>Default</td>
+        <td colspan="2">@code{}
+            7200
+            @endcode (2 hours)
+        </td>
+    </tr>
+    <tr>
+        <td>Notes</td>
+        <td colspan="2">
+            For higher security on shared systems, reduce this value (e.g. 3600 for 1 hour). Minimum is 1 second.
+        </td>
+    </tr>
+    <tr>
+        <td>Example</td>
+        <td colspan="2">@code{}
+            session_token_ttl_seconds = 3600
+            @endcode</td>
+    </tr>
+</table>
+
 ### log_path
 
 <table>
@@ -2324,7 +2354,7 @@ editing the `conf` file in a text editor. Use the examples as reference.
         </td>
     </tr>
     <tr>
-        <td>Default</td>
+               <td>Default</td>
         <td colspan="2">@code{}
             medium
             @endcode</td>

src/config.cpp

@@ -578,6 +578,7 @@ namespace config {
     platf::appdata().string() + "/sunshine.log",  // log file
     false,  // notify_pre_releases
     {},  // prep commands
+    std::chrono::hours {2}  // session_token_ttl default 2h
   };
 
   bool endline(char ch) {
@@ -1298,6 +1299,15 @@ namespace config {
       vars.erase(it);
     }
 
+    // Parse session token TTL (seconds) if provided
+    {
+      int ttl_secs = -1;
+      int_between_f(vars, "session_token_ttl_seconds", ttl_secs, {1, std::numeric_limits<int>::max()});
+      if (ttl_secs > 0) {
+        sunshine.session_token_ttl = std::chrono::seconds {ttl_secs};
+      }
+    }
+
     if (sunshine.min_log_level <= 3) {
       for (auto &[var, _] : vars) {
         std::cout << "Warning: Unrecognized configurable option ["sv << var << ']' << std::endl;

src/config.h

@@ -256,6 +256,7 @@ namespace config {
     std::string log_file;
     bool notify_pre_releases;
     std::vector<prep_cmd_t> prep_cmds;
+    std::chrono::seconds session_token_ttl;  ///< Session token time-to-live (seconds)
   };
 
   extern video_t video;