[Galene] Re: coturn config

["Toke Høiland-Jørgensen" <toke@toke.dk>]

Juliusz Chroboczek <jch@irif.fr> writes:

>>> In Galène, authentication only happens when you join a group, so that
>>> would mean communicating the ICE configuration together with the "joined"
>>> message that carries the client's permissions.
>
>> Yup, that makes sense!
>
> I've made the protocol change in the master branch, and made it so the
> TURN configuration can change at any time and Galène will notice within
> 5 minutes at most.  We're not changing the configuration of previously
> joined clients yet, but the protocol could support it quite easily.
>
> (We'd simply need to send a "type=joined, kind=change" message to all the
> clients when we detect a change, and the clients will switch to the new
> TURN credentials at the next ICE restart.)
>
>> I look forward to your implementation :)
>
> I've put an implementation into the branch "tokes-folly".  It's completely
> untested, please let me know if it works.
>
> I'm a little hesitant to merge it, since it is just as easily done by
> writing a five-line Python or Lua script that fetches the new
> configuration and dumps it into Galènes data directory.

Heh, I see what you mean. And indeed when looking at this I failed to
actually get coturn to return anything via any REST interface, so I went
and looked at what Nextcloud Talk is actually doing...

...And it turns out that I completely misunderstood how this is supposed
to work: there's not supposed to be any communication between the WebRTC
server and Coturn. Rather, there's a configured shared secret that the
WebRTC server can use to generate as many ephemeral credentials as it
wants. In Nextcloud Talk, the relevant code is just this:

               $timestamp = $this->timeFactory->getTime() + 86400;
               $rnd = $this->secureRandom->generate(16);
               $username = $timestamp . ':' . $rnd;
               $password = base64_encode(hash_hmac('sha1', $username, $server['secret'], true));

where $server['secret'] is the value configured as 'static-auth-secret'
in coturn. The resulting username and password is then communicated to
the client.

I didn't dig any further, so not sure if a separate set of credentials
is generated for every user in a call; but I suppose they could be? The
actual username could also be used in place of (or together with) the
random value above? Not sure what makes the most sense for Galene. TBH
I'm less concerned about the security aspects of this, and more about
compatibility with other software (i.e., being able to use
static-auth-secret at all).

My apologies for the misunderstanding! Hope the above makes (more) sense :)

-Toke