From 295bac11e3b7c0472cd506c917d9942c2ee7e04d Mon Sep 17 00:00:00 2001
From: ghost
Date: Mon, 29 Dec 2025 03:08:57 +0100
Subject: [PATCH] Add: Automatically create permission for connected peers is not exist.

---
 src/server.rs | 42 +++++++++++++++++++++++++++++++++---------
 src/turn_stream.rs | 42 +++++++++++++++++++++++++++++++++---------
 2 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/src/server.rs b/src/server.rs
index 7090e23..47ce968 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -401,15 +401,39 @@ pub async fn udp_reader_loop_with_limits(
 };

 if !allocation.is_peer_allowed(&peer_addr) {
- let resp = build_error_response_with_integrity_mode(
- &msg.header,
- 403,
- "Peer Not Permitted",
- &key,
- mi_mode,
- );
- let _ = udp.send_to(&resp, &peer).await;
- continue;
+ match allocs.add_permission(peer, peer_addr) {
+ Ok(()) => {
+ tracing::info!(
+ "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+ peer,
+ peer_addr
+ );
+ crate::metrics::inc_permission_added();
+ }
+ Err(e) => {
+ tracing::error!(
+ "failed to add implicit permission {} -> {}: {:?}",
+ peer,
+ peer_addr,
+ e
+ );
+ let (code, reason) = match e.downcast_ref::() {
+ Some(AllocationError::PermissionQuotaExceeded) => {
+ (508, "Insufficient Capacity")
+ }
+ _ => (403, "Peer Not Permitted"),
+ };
+ let resp = build_error_response_with_integrity_mode(
+ &msg.header,
+ code,
+ reason,
+ &key,
+ mi_mode,
+ );
+ let _ = udp.send_to(&resp, &peer).await;
+ continue;
+ }
+ }
 }

 if let Err(e) = allocs.add_channel_binding(peer, channel, peer_addr) {
diff --git a/src/turn_stream.rs b/src/turn_stream.rs
index 5a5060c..8205ff1 100644
--- a/src/turn_stream.rs
+++ b/src/turn_stream.rs
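Review bot: The implicit `allocs.add_permission(peer, peer_addr)` call in the `!allocation.is_peer_allowed` branch installs a permission without going through whatever validation the explicit CREATE-PERMISSION handler applies to `peer_addr` (address-family match with the allocation, any operator deny-list) — if those checks live in that handler rather than inside `add_permission`, this path now bypasses them, so please confirm and, if needed, run the same validation before `add_permission` here. The same ~30-line block is duplicated in the src/turn_stream.rs hunk, differing only in `&key`/`key` and `udp.send_to` versus `tx.send`; a shared helper returning `Result<(), (u16, &'static str)>` (error code and reason) would keep the two transports from drifting. Installing the permission on ChannelBind matches RFC 8656 §12.2 (RFC 5766 §11.2), where a successful ChannelBind installs or refreshes a permission for the peer, and that rationale deserves a comment above the `match`, e.g. `// ChannelBind implicitly installs a permission for the peer (RFC 8656 §12.2); quota failures map to 508.` Note that the permission stays installed even when the following `add_channel_binding` call fails, which differs from the RFC's "on success" wording and may or may not be intended. The enclosing function `udp_reader_loop_with_limits` starts before the hunk and continues after it.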
@@ -545,15 +545,39 @@ where
 };

 if !allocation.is_peer_allowed(&peer_addr) {
- let resp = build_error_response_with_integrity_mode(
- &msg.header,
- 403,
- "Peer Not Permitted",
- key,
- mi_mode,
- );
- let _ = tx.send(resp).await;
- continue;
+ match allocs.add_permission(peer, peer_addr) {
+ Ok(()) => {
+ tracing::info!(
+ "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+ peer,
+ peer_addr
+ );
+ crate::metrics::inc_permission_added();
+ }
+ Err(e) => {
+ tracing::error!(
+ "failed to add implicit permission {} -> {}: {:?}",
+ peer,
+ peer_addr,
+ e
+ );
+ let (code, reason) = match e.downcast_ref::() {
+ Some(AllocationError::PermissionQuotaExceeded) => {
+ (508, "Insufficient Capacity")
+ }
+ _ => (403, "Peer Not Permitted"),
+ };
+ let resp = build_error_response_with_integrity_mode(
+ &msg.header,
+ code,
+ reason,
+ key,
+ mi_mode,
+ );
+ let _ = tx.send(resp).await;
+ continue;
+ }
+ }
 }

 if let Err(e) =