Add multi-secret inbound auth and per-user proxy links
Users running the proxy on OpenWRT needed per-user credentials instead of a single shared secret. This change allows configuring multiple inbound secrets and using distinct tg://proxy links per user while preserving existing single-secret behavior.
- Config: multiple secrets for one instance
  - `--secret` now accepts multiple values (repeatable flag and comma-separated env input).
  - `Config` now stores `secrets: Vec<String>` and keeps a primary-secret helper for existing flows.
- Auth path: accept any configured secret
  - Inbound MTProto handshake validation now tries all configured secrets.
  - Inbound FakeTLS digest validation likewise matches against all configured secrets and responds with the matched one.
- Link generation: per-user credentials output
  - Startup output keeps the primary link and adds additional `tg://proxy` links for extra configured secrets.
  - Secret formatting logic is centralized via `link_secret_for(secret)` to avoid duplication and keep FakeTLS/non-FakeTLS link encoding consistent.
- Docs and tests
  - README updated to document repeatable/comma-separated `--secret` usage for per-user credentials.
  - Added config test coverage for multi-secret parsing and primary-secret link behavior.
```sh
tg-ws-proxy --host 0.0.0.0 --port 443 \
  --secret 11111111111111111111111111111111 \
  --secret 22222222222222222222222222222222
```

This configuration accepts both secrets on inbound connections and emits separate tg://proxy links for each user credential.
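A sketch of the multi-secret parsing and per-user link generation described above, as an added example that is not the project's own code. The function signatures, the 32-hex-character secret check, the duplicate rejection, the `ee`/`dd` link prefixes and the `proxy.example` host are all assumptions made for illustration.

```rust
use std::collections::HashSet;

// Added example; names, signatures and link layout are assumptions.
// Accepts repeated flag values, each optionally comma-separated. Rejects
// malformed or duplicate secrets (a shared secret cannot be revoked per user).
// Errors name the position only, never the secret itself.
pub fn parse_secrets(values: &[&str]) -> Result<Vec<String>, String> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for part in values.iter().flat_map(|v| v.split(',')) {
        let s = part.trim().to_ascii_lowercase();
        if s.is_empty() {
            continue; // tolerate trailing commas
        }
        if s.len() != 32 || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
            return Err(format!("secret #{} is not 32 hex characters", out.len() + 1));
        }
        if !seen.insert(s.clone()) {
            return Err(format!("secret #{} is a duplicate", out.len() + 1));
        }
        out.push(s);
    }
    if out.is_empty() {
        return Err("at least one secret is required".into());
    }
    Ok(out)
}

// Assumed encoding: FakeTLS = "ee" + secret + hex(domain); otherwise "dd" + secret.
pub fn link_secret_for(secret: &str, fake_tls_domain: Option<&str>) -> String {
    match fake_tls_domain {
        Some(d) => {
            let hex: String = d.bytes().map(|b| format!("{:02x}", b)).collect();
            format!("ee{secret}{hex}")
        }
        None => format!("dd{secret}"),
    }
}

// One link per secret; index 0 is the primary link.
pub fn proxy_links(host: &str, port: u16, secrets: &[String], domain: Option<&str>) -> Vec<String> {
    let link = |s: &String| format!("tg://proxy?server={host}&port={port}&secret={}", link_secret_for(s, domain));
    secrets.iter().map(link).collect()
}

fn main() {
    // Constructed sample input: a repeated flag value and a comma-separated one.
    let secrets = parse_secrets(&["11111111111111111111111111111111", "22222222222222222222222222222222,"]).unwrap();
    for l in proxy_links("proxy.example", 443, &secrets, None) { println!("{l}"); }
}
```

Rejecting duplicates at parse time keeps each link tied to exactly one user, so removing one secret from the configuration revokes one credential and nothing else.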