feat(auth): implement inbound access control and non-loopback bind validation guard

This change introduces local inbound authentication and security gating to protect proxy interfaces from unauthorized usage and resource exhaustion (quota theft) when exposed on local networks or the public internet.

1. Secure Configuration Defaults & Redaction (src/config.rs):
   - Changed the default `listen_host` from `0.0.0.0` to `127.0.0.1` (loopback only) to ensure secure-by-default behavior upon initial deployment.
   - Changed the default `block_stun` value to `true` to block WebRTC IP address discovery probes.
   - Implemented a custom `std::fmt::Debug` implementation for the `Config` struct that automatically hides the `inbound_password` field with `"[REDACTED]"`.
   - Exposed `Config::validate` as a public method so that UI saving operations can inspect config safety before serialization.

2. Non-Loopback Bind Validation Guard (src/config.rs):
   - Extended `Config::validate` to inspect the listen address.
   - If the address binds to any non-loopback interface (such as wildcards `0.0.0.0` and `::`, or external LAN/WAN interfaces) and `inbound_username` or `inbound_password` is empty, validation is rejected with a descriptive security error warning of quota theft and unauthorized usage risks.

3. SOCKS5 Inbound Authentication (src/proxy_server.rs):
   - In SOCKS5 client negotiation, if inbound credentials are set, the proxy advertises Username/Password authentication (Method 0x02). If the client does not support it, it rejects the handshake with 0xFF.
   - Implemented RFC 1929 authentication subnegotiation: parses sub-protocol version 1, reads the length-prefixed username and password, performs validation, and returns status 0x00 on success or 0x01 on failure (terminating the connection).
   - If no inbound credentials are set, it defaults to the standard no-authentication (0x00) method.

4. HTTP Inbound Proxy Authentication (src/proxy_server.rs):
   - In HTTP/HTTPS client handling, if inbound credentials are set, the proxy inspects the `Proxy-Authorization` header (checked case-insensitively).
   - Parses the authentication token in `Basic <Base64>` format, decodes it using the STANDARD base64 engine, and verifies the credentials.
   - If credentials are missing or incorrect, it returns a local `407 Proxy Authentication Required` status with `Proxy-Authenticate: Basic realm="mhrv-rs"` and terminates the socket connection.

5. UI Access Controls & Badge System (src/bin/ui.rs):
   - Added an Obsidian-themed UI panel for "Inbound Access Control" containing username/password input fields, visibility toggles, and a secure random credentials generator.
   - Rendered dynamic security status badges based on the bind configuration: a green "Local Only" badge when bound to loopback interfaces, and an orange/yellow "LAN Exposed" warning badge with security warning copy when bound to non-loopback interfaces.
   - Plumbed `Config::validate` into UI save routines to present configuration safety warnings to the user via toast notifications.

Verification:
- Added `test_non_loopback_bind_requires_credentials` in `src/config.rs` to verify validation of local loopback hosts (IPv4, IPv6, bracketed IPv6) and wildcards.
- Added `test_handle_http_client_auth` in `src/proxy_server.rs` to verify local 407 response behavior and successful credentials passage.
- Added `test_handle_socks5_client_auth` in `src/proxy_server.rs` to verify SOCKS5 RFC 1929 method negotiation, subnegotiation failure, and subnegotiation success.
- Verified that all unit and integration tests compile and run green.

Author: maybeknott

src/bin/ui.rs

@@ -321,6 +321,9 @@ struct FormState {
     /// claude.ai / grok.com / x.com). Config-only — no UI editor yet.
     /// See `assets/exit_node/` for the generic exit-node handler.
     exit_node: mhrv_rs::config::ExitNodeConfig,
+    inbound_username: String,
+    inbound_password: String,
+    show_inbound_password: bool,
 }
 
 #[derive(Clone, Debug)]
@@ -426,6 +429,9 @@ fn load_form() -> (FormState, Option<String>) {
             auto_blacklist_cooldown_secs: c.auto_blacklist_cooldown_secs,
             request_timeout_secs: c.request_timeout_secs,
             exit_node: c.exit_node.clone(),
+            inbound_username: c.inbound_username,
+            inbound_password: c.inbound_password,
+            show_inbound_password: false,
         }
     } else {
         FormState {
@@ -468,6 +474,9 @@ fn load_form() -> (FormState, Option<String>) {
             auto_blacklist_cooldown_secs: 120,
             request_timeout_secs: 30,
             exit_node: mhrv_rs::config::ExitNodeConfig::default(),
+            inbound_username: String::new(),
+            inbound_password: String::new(),
+            show_inbound_password: false,
         }
     };
     (form, load_err)
@@ -658,7 +667,11 @@ impl FormState {
             // / grok.com / x.com). Round-trip through FormState — config-only
             // editing for now, UI editor planned for v1.9.x desktop UI batch.
             exit_node: self.exit_node.clone(),
-        })
+            inbound_username: self.inbound_username.trim().to_string(),
+            inbound_password: self.inbound_password.trim().to_string(),
+        };
+        cfg.validate().map_err(|e| e.to_string())?;
+        Ok(cfg)
     }
 }
 
@@ -749,6 +762,10 @@ struct ConfigWire<'a> {
     /// Save preserves user-edited values.
     #[serde(skip_serializing_if = "is_default_exit_node")]
     exit_node: &'a mhrv_rs::config::ExitNodeConfig,
+    #[serde(skip_serializing_if = "is_empty_str")]
+    inbound_username: &'a str,
+    #[serde(skip_serializing_if = "is_empty_str")]
+    inbound_password: &'a str,
 }
 
 fn is_default_strikes(v: &u32) -> bool { *v == 3 }
@@ -763,6 +780,10 @@ fn is_default_exit_node(en: &&mhrv_rs::config::ExitNodeConfig) -> bool {
         && (en.mode.is_empty() || en.mode == "selective")
 }
 
+fn is_empty_str(s: &&str) -> bool {
+    s.is_empty()
+}
+
 fn is_false(b: &bool) -> bool {
     !*b
 }
@@ -824,6 +845,8 @@ impl<'a> From<&'a Config> for ConfigWire<'a> {
             request_timeout_secs: c.request_timeout_secs,
             force_http1: c.force_http1,
             exit_node: &c.exit_node,
+            inbound_username: c.inbound_username.as_str(),
+            inbound_password: c.inbound_password.as_str(),
         }
     }
 }
@@ -1226,6 +1249,142 @@ impl eframe::App for App {
                 });
             });
 
+            // ── Section: Inbound Access Control ───────────────────────────
+            section(ui, "Inbound Access Control", |ui| {
+                // Binding Status & Badges
+                ui.horizontal(|ui| {
+                    ui.add_sized(
+                        [120.0, 20.0],
+                        egui::Label::new(egui::RichText::new("Binding Security").color(egui::Color32::from_gray(200))),
+                    );
+                    
+                    let listen_host_snapshot = self.form.listen_host.trim();
+                    let is_loopback = mhrv_rs::lan_utils::is_loopback_only(listen_host_snapshot)
+                        || listen_host_snapshot.parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
+                        || (listen_host_snapshot.starts_with('[') && listen_host_snapshot.ends_with(']')
+                            && listen_host_snapshot[1..listen_host_snapshot.len()-1].parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false));
+                    
+                    if is_loopback {
+                        // Green Local Only badge
+                        egui::Frame::none()
+                            .fill(OK_GREEN)
+                            .rounding(4.0)
+                            .inner_margin(egui::Margin {
+                                left: 6.0,
+                                right: 6.0,
+                                top: 2.0,
+                                bottom: 2.0,
+                            })
+                            .show(ui, |ui| {
+                                ui.label(egui::RichText::new("Local Only").color(egui::Color32::BLACK).strong().size(10.0));
+                            });
+                    } else {
+                        // Orange LAN Exposed badge
+                        egui::Frame::none()
+                            .fill(egui::Color32::from_rgb(230, 160, 50))
+                            .rounding(4.0)
+                            .inner_margin(egui::Margin {
+                                left: 6.0,
+                                right: 6.0,
+                                top: 2.0,
+                                bottom: 2.0,
+                            })
+                            .show(ui, |ui| {
+                                ui.label(egui::RichText::new("LAN Exposed").color(egui::Color32::BLACK).strong().size(10.0));
+                            });
+                    }
+                });
+
+                // Display warning if LAN Exposed
+                let listen_host_snapshot = self.form.listen_host.trim();
+                let is_loopback = mhrv_rs::lan_utils::is_loopback_only(listen_host_snapshot)
+                    || listen_host_snapshot.parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
+                    || (listen_host_snapshot.starts_with('[') && listen_host_snapshot.ends_with(']')
+                        && listen_host_snapshot[1..listen_host_snapshot.len()-1].parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false));
+                
+                if !is_loopback {
+                    ui.add_space(4.0);
+                    ui.horizontal(|ui| {
+                        ui.add_space(120.0 + 8.0);
+                        ui.vertical(|ui| {
+                            ui.colored_label(
+                                egui::Color32::from_rgb(230, 160, 50),
+                                "⚠ WARNING: Binding to a non-loopback address exposes this proxy on your network. \
+                                Anyone on your LAN can connect, consume your Apps Script execution quota, and access local network resources. \
+                                Secure inbound credentials are required to start the server.",
+                            );
+                        });
+                    });
+                } else {
+                    ui.add_space(4.0);
+                    ui.horizontal(|ui| {
+                        ui.add_space(120.0 + 8.0);
+                        ui.vertical(|ui| {
+                            ui.colored_label(
+                                egui::Color32::from_gray(140),
+                                "Proxy is bound to loopback. Secure from external network access.",
+                            );
+                        });
+                    });
+                }
+
+                ui.add_space(6.0);
+
+                // Username input
+                form_row(ui, "Inbound User", Some("Username required for client authentication when LAN sharing is enabled."), |ui, label_id| {
+                    ui.add(egui::TextEdit::singleline(&mut self.form.inbound_username)
+                        .hint_text("Optional on loopback; required on LAN")
+                        .desired_width(f32::INFINITY))
+                    .labelled_by(label_id);
+                });
+
+                ui.add_space(4.0);
+
+                // Password input
+                form_row(ui, "Inbound Pass", Some("Password required for client authentication when LAN sharing is enabled."), |ui, label_id| {
+                    ui.horizontal(|ui| {
+                        ui.add(egui::TextEdit::singleline(&mut self.form.inbound_password)
+                            .password(!self.form.show_inbound_password)
+                            .desired_width(ui.available_width() - 80.0))
+                        .labelled_by(label_id);
+
+                        if ui.button(if self.form.show_inbound_password { "Hide" } else { "Show" }).clicked() {
+                            self.form.show_inbound_password = !self.form.show_inbound_password;
+                        }
+                    });
+                });
+
+                ui.add_space(6.0);
+
+                // Random credentials generator button
+                ui.horizontal(|ui| {
+                    ui.add_space(120.0 + 8.0);
+                    let gen_btn = egui::Button::new(
+                        egui::RichText::new("🎲 Generate Random Credentials")
+                            .color(egui::Color32::WHITE),
+                    )
+                    .fill(egui::Color32::from_rgb(50, 54, 60))
+                    .rounding(4.0);
+                    
+                    if ui.add(gen_btn).on_hover_text("Generate a strong secure username and password automatically.").clicked() {
+                        let (uname, passwd) = {
+                            use rand::Rng;
+                            let mut rng = rand::thread_rng();
+                            let u: String = (0..8)
+                                .map(|_| rng.sample(rand::distributions::Alphanumeric) as char)
+                                .collect();
+                            let p: String = (0..16)
+                                .map(|_| rng.sample(rand::distributions::Alphanumeric) as char)
+                                .collect();
+                            (u.to_ascii_lowercase(), p)
+                        };
+                        self.form.inbound_username = uname;
+                        self.form.inbound_password = passwd;
+                        self.toast = Some(("Generated secure credentials. Don't forget to save config!".into(), Instant::now()));
+                    }
+                });
+            });
+
             // ── Section: Advanced (collapsed by default) ──────────────────
             ui.add_space(6.0);
             egui::CollapsingHeader::new(

src/config.rs

@@ -57,7 +57,7 @@ impl ScriptId {
     }
 }
 
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Clone, Deserialize)]
 pub struct Config {
     pub mode: String,
     #[serde(default = "default_google_ip")]
@@ -85,6 +85,10 @@ pub struct Config {
     #[serde(default)]
     pub hosts: HashMap<String, String>,
     #[serde(default)]
+    pub inbound_username: String,
+    #[serde(default)]
+    pub inbound_password: String,
+    #[serde(default)]
     pub enable_batching: bool,
     /// Optional upstream SOCKS5 proxy for non-HTTP / raw-TCP traffic
     /// (e.g. `"127.0.0.1:50529"` pointing at a local xray / v2ray instance).
@@ -405,6 +409,55 @@ pub struct Config {
     pub exit_node: ExitNodeConfig,
 }
 
+impl std::fmt::Debug for Config {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("Config")
+            .field("mode", &self.mode)
+            .field("google_ip", &self.google_ip)
+            .field("front_domain", &self.front_domain)
+            .field("script_id", &self.script_id)
+            .field("script_ids", &self.script_ids)
+            .field("auth_key", &self.auth_key)
+            .field("listen_host", &self.listen_host)
+            .field("listen_port", &self.listen_port)
+            .field("socks5_port", &self.socks5_port)
+            .field("log_level", &self.log_level)
+            .field("verify_ssl", &self.verify_ssl)
+            .field("auto_system_proxy", &self.auto_system_proxy)
+            .field("hosts", &self.hosts)
+            .field("enable_batching", &self.enable_batching)
+            .field("upstream_socks5", &self.upstream_socks5)
+            .field("parallel_relay", &self.parallel_relay)
+            .field("coalesce_step_ms", &self.coalesce_step_ms)
+            .field("coalesce_max_ms", &self.coalesce_max_ms)
+            .field("sni_hosts", &self.sni_hosts)
+            .field("fetch_ips_from_api", &self.fetch_ips_from_api)
+            .field("max_ips_to_scan", &self.max_ips_to_scan)
+            .field("scan_batch_size", &self.scan_batch_size)
+            .field("google_ip_validation", &self.google_ip_validation)
+            .field("normalize_x_graphql", &self.normalize_x_graphql)
+            .field("youtube_via_relay", &self.youtube_via_relay)
+            .field("passthrough_hosts", &self.passthrough_hosts)
+            .field("block_hosts", &self.block_hosts)
+            .field("block_stun", &self.block_stun)
+            .field("block_quic", &self.block_quic)
+            .field("disable_padding", &self.disable_padding)
+            .field("force_http1", &self.force_http1)
+            .field("tunnel_doh", &self.tunnel_doh)
+            .field("bypass_doh_hosts", &self.bypass_doh_hosts)
+            .field("block_doh", &self.block_doh)
+            .field("fronting_groups", &self.fronting_groups)
+            .field("auto_blacklist_strikes", &self.auto_blacklist_strikes)
+            .field("auto_blacklist_window_secs", &self.auto_blacklist_window_secs)
+            .field("auto_blacklist_cooldown_secs", &self.auto_blacklist_cooldown_secs)
+            .field("request_timeout_secs", &self.request_timeout_secs)
+            .field("exit_node", &self.exit_node)
+            .field("inbound_username", &self.inbound_username)
+            .field("inbound_password", &if self.inbound_password.is_empty() { "" } else { "[REDACTED]" })
+            .finish()
+    }
+}
+
 /// Configuration for the optional second-hop exit node.
 #[derive(Debug, Clone, Default, Deserialize, Serialize)]
 pub struct ExitNodeConfig {
@@ -511,7 +564,7 @@ fn default_tunnel_doh() -> bool { true }
 /// Default for `block_quic`: `true`. QUIC over the TCP-based tunnel
 /// causes TCP-over-TCP meltdown (<1 Mbps). Browsers fall back to
 /// HTTPS/TCP within seconds of the silent UDP drop. Issue #793.
-fn default_block_stun() -> bool { false }
+fn default_block_stun() -> bool { true }
 fn default_block_quic() -> bool { true }
 
 /// Default for `block_doh`: `true` (browser DoH is rejected so the
@@ -543,7 +596,7 @@ fn default_front_domain() -> String {
     "www.google.com".into()
 }
 fn default_listen_host() -> String {
-    "0.0.0.0".into()
+    "127.0.0.1".into()
 }
 fn default_listen_port() -> u16 {
     8085
@@ -564,7 +617,24 @@ impl Config {
         Ok(cfg)
     }
 
-    fn validate(&self) -> Result<(), ConfigError> {
+    pub fn validate(&self) -> Result<(), ConfigError> {
+        // Safety guard: non-loopback bind requires active inbound credentials
+        let is_loopback = crate::lan_utils::is_loopback_only(&self.listen_host)
+            || self.listen_host.trim().parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
+            || (self.listen_host.trim().starts_with('[') && self.listen_host.trim().ends_with(']')
+                && self.listen_host.trim()[1..self.listen_host.trim().len()-1].parse::<std::net::IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false));
+
+        if !is_loopback {
+            if self.inbound_username.trim().is_empty() || self.inbound_password.trim().is_empty() {
+                return Err(ConfigError::Invalid(
+                    "Non-loopback bind exposes the proxy to the local network (LAN) or public internet. \
+                     For security, this setup is blocked unless you configure 'inbound_username' and 'inbound_password' \
+                     in your settings to prevent unauthorized usage and quota theft. Alternatively, bind to loopback (127.0.0.1)."
+                        .into(),
+                ));
+            }
+        }
+
         let mode = self.mode_kind()?;
         if mode == Mode::AppsScript || mode == Mode::Full {
             if self.auth_key.trim().is_empty() || self.auth_key == "CHANGE_ME_TO_A_STRONG_SECRET" {
@@ -801,6 +871,51 @@ mod tests {
         assert!(cfg.validate().is_err());
     }
 
+    #[test]
+    fn test_non_loopback_bind_requires_credentials() {
+        // 1. Loopback bind works fine without credentials
+        let s1 = r#"{
+            "mode": "direct",
+            "listen_host": "127.0.0.1"
+        }"#;
+        let cfg1: Config = serde_json::from_str(s1).unwrap();
+        cfg1.validate().expect("loopback 127.0.0.1 should validate without inbound credentials");
+
+        // IPv6 loopback
+        let s2 = r#"{
+            "mode": "direct",
+            "listen_host": "::1"
+        }"#;
+        let cfg2: Config = serde_json::from_str(s2).unwrap();
+        cfg2.validate().expect("loopback ::1 should validate without inbound credentials");
+
+        let s2_bracket = r#"{
+            "mode": "direct",
+            "listen_host": "[::1]"
+        }"#;
+        let cfg2_b: Config = serde_json::from_str(s2_bracket).unwrap();
+        cfg2_b.validate().expect("loopback [::1] should validate without inbound credentials");
+
+        // 2. Non-loopback wildcard 0.0.0.0 fails validation without credentials
+        let s3 = r#"{
+            "mode": "direct",
+            "listen_host": "0.0.0.0"
+        }"#;
+        let cfg3: Config = serde_json::from_str(s3).unwrap();
+        assert!(cfg3.validate().is_err(), "wildcard 0.0.0.0 bind should fail without inbound credentials");
+
+        // 3. Non-loopback wildcard 0.0.0.0 succeeds validation with credentials
+        let s4 = r#"{
+            "mode": "direct",
+            "listen_host": "0.0.0.0",
+            "inbound_username": "admin",
+            "inbound_password": "password123"
+        }"#;
+        let cfg4: Config = serde_json::from_str(s4).unwrap();
+        cfg4.validate().expect("wildcard 0.0.0.0 bind should succeed with inbound credentials");
+    }
+
+
     #[test]
     fn fronting_groups_parse_and_validate() {
         let s = r#"{