TURN REST auth, changes after review

examples/README.md

@@ -48,6 +48,18 @@ The only downside is that you can't revoke a single username/password. You need
 
 * -authSecret     : Shared secret for the Long Term Credential Mechanism
 
+#### lt-cred-turn-rest
+
+This example shows how to use ephemeral credentials, generated by a REST API, with the user part formatted as `timestamp:username`.
+
+The REST API and TURN server use the same shared secret to compute the credentials.
+
+The timestamp part specifies when the credentials will expire.
+
+This mechanism is described in https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00
+
+* -authSecret     : Shared secret for the ephemeral Credential Mechanism
+
 #### perm-filter
 
 This example demonstrates the use of a permission handler in the PION TURN server. The example implements a filtering policy that lets clients to connect back to their own host or server-reflexive address but will drop everything else. This will let the client ping-test through but will block essentially all other peer connection attempts.

examples/turn-server/lt-cred-turn-rest/main.go

@@ -44,10 +44,7 @@ func main() {
 	logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout)
 
 	s, err := turn.NewServer(turn.ServerConfig{
-		Realm: *realm,
-		// Set AuthHandler callback
-		// This is called everytime a user tries to authenticate with the TURN server
-		// Return the key for that user, or false when no user is found
+		Realm:       *realm,
 		AuthHandler: turn.LongTermTURNRESTAuthHandler(*authSecret, logger),
 		// PacketConnConfigs is a list of UDP Listeners and the configuration around them
 		PacketConnConfigs: []turn.PacketConnConfig{

go.mod

@@ -1,6 +1,6 @@
 module github.com/pion/turn/v3
 
-go 1.19
+go 1.13
 
 require (
 	github.com/pion/logging v0.2.2
@@ -10,12 +10,3 @@ require (
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/sys v0.15.0
 )
-
-require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/pion/dtls/v2 v2.2.7 // indirect
-	github.com/pion/transport/v2 v2.2.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-)

lt_cred.go

@@ -43,7 +43,7 @@ func longTermCredentials(username string, sharedSecret string) (string, error) {
 }
 
 // NewLongTermAuthHandler returns a turn.AuthAuthHandler used with Long Term (or Time Windowed) Credentials.
-// See: https://tools.ietf.org/search/rfc5389#section-10.2
+// See: https://datatracker.ietf.org/doc/html/rfc8489#section-9.2
 func NewLongTermAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHandler {
 	if l == nil {
 		l = logging.NewDefaultLoggerFactory().NewLogger("turn")
@@ -68,9 +68,12 @@ func NewLongTermAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHa
 	}
 }
 
-// LongTermTURNRESTAuthHandler returns a turn.AuthAuthHandler used with Long Term (or Time Windowed) Credentials.
-// https://tools.ietf.org/search/rfc5389#section-10.2
-// It supports the format timestamp:username used with the TURN REST API
+// LongTermTURNRESTAuthHandler returns a turn.AuthAuthHandler that can be used to authenticate
+// time-windowed ephemeral credentials generated by the TURN REST API as described in
+// https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00
+//
+// The supported format of is timestamp:username, where username is an arbitrary user id and the
+// timestamp specifies the expiry of the credential.
 func LongTermTURNRESTAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHandler {
 	if l == nil {
 		l = logging.NewDefaultLoggerFactory().NewLogger("turn")