diff --git a/examples/README.md b/examples/README.md
index 691711eb..5499a772 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -48,6 +48,18 @@ The only downside is that you can't revoke a single username/password. You need
 * -authSecret : Shared secret for the Long Term Credential Mechanism
+#### lt-cred-turn-rest
+
+This example shows how to use ephemeral credentials, generated by a REST API, with the user part formatted as `timestamp:username`.
+
+The REST API and TURN server use the same shared secret to compute the credentials.
+
+The timestamp part specifies when the credentials will expire.
+
+This mechanism is described in https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00
+
+* -authSecret : Shared secret for the ephemeral Credential Mechanism
+
 #### perm-filter
 This example demonstrates the use of a permission handler in the PION TURN server. The example implements a filtering policy that lets clients to connect back to their own host or server-reflexive address but will drop everything else. This will let the client ping-test through but will block essentially all other peer connection attempts.
diff --git a/examples/turn-server/lt-cred-turn-rest/main.go b/examples/turn-server/lt-cred-turn-rest/main.go
index 05c69d43..b85e8061 100644
--- a/examples/turn-server/lt-cred-turn-rest/main.go
+++ b/examples/turn-server/lt-cred-turn-rest/main.go
@@ -44,10 +44,7 @@ func main() {
 logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout)
 s, err := turn.NewServer(turn.ServerConfig{
- Realm: *realm,
- // Set AuthHandler callback
- // This is called everytime a user tries to authenticate with the TURN server
- // Return the key for that user, or false when no user is found
+ Realm: *realm,
 AuthHandler: turn.LongTermTURNRESTAuthHandler(*authSecret, logger),
 // PacketConnConfigs is a list of UDP Listeners and the configuration around them
 PacketConnConfigs: []turn.PacketConnConfig{
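Review bot: Removing the three comment lines above `Realm` leaves the `AuthHandler:` line of the new code unexplained, although that callback is the whole point of this example. A one-line replacement such as `// AuthHandler validates TURN REST credentials (timestamp:username) derived from the -authSecret shared secret` would keep the example self-describing for readers who start here. The surrounding `turn.NewServer` call and `main` continue outside the hunk.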
diff --git a/go.mod b/go.mod
index a355b985..e9fb819e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pion/turn/v3
-go 1.19
+go 1.13
 require (
 github.com/pion/logging v0.2.2
@@ -10,12 +10,3 @@ require (
 github.com/stretchr/testify v1.8.4
 golang.org/x/sys v0.15.0
 )
-
-require (
- github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/pion/dtls/v2 v2.2.7 // indirect
- github.com/pion/transport/v2 v2.2.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
- golang.org/x/crypto v0.12.0 // indirect
- gopkg.in/yaml.v3 v3.0.1 // indirect
-)
diff --git a/lt_cred.go b/lt_cred.go
index 2691fbb1..42466c38 100644
--- a/lt_cred.go
+++ b/lt_cred.go
@@ -43,7 +43,7 @@ func longTermCredentials(username string, sharedSecret string) (string, error) {
 }
 // NewLongTermAuthHandler returns a turn.AuthAuthHandler used with Long Term (or Time Windowed) Credentials.
-// See: https://tools.ietf.org/search/rfc5389#section-10.2
+// See: https://datatracker.ietf.org/doc/html/rfc8489#section-9.2
 func NewLongTermAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHandler {
 if l == nil {
 l = logging.NewDefaultLoggerFactory().NewLogger("turn")
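Review bot: The `-go 1.19` / `+go 1.13` directive change, together with the deletion of the whole indirect `require` block in the second go.mod hunk, looks unrelated to the TURN REST credential work and reads like an accidental revert of an earlier `go mod tidy`. Dropping the explicit indirect pins (`golang.org/x/crypto v0.12.0`, `github.com/pion/dtls/v2 v2.2.7`, `github.com/pion/transport/v2 v2.2.1`, …) lets minimal version selection fall back to whatever the direct dependencies declare, which can silently select older versions of security-sensitive modules, and a `go 1.13` directive also disables module graph pruning so the recorded graph and `go.sum` no longer describe the same build. Please confirm this is intended; otherwise restore `go 1.19` and the indirect block so the dependency set stays reproducible.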
@@ -68,9 +68,12 @@ func NewLongTermAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHa
 }
 }
-// LongTermTURNRESTAuthHandler returns a turn.AuthAuthHandler used with Long Term (or Time Windowed) Credentials.
-// https://tools.ietf.org/search/rfc5389#section-10.2
-// It supports the format timestamp:username used with the TURN REST API
+// LongTermTURNRESTAuthHandler returns a turn.AuthAuthHandler that can be used to authenticate
+// time-windowed ephemeral credentials generated by the TURN REST API as described in
+// https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00
+//
+// The supported format of is timestamp:username, where username is an arbitrary user id and the
+// timestamp specifies the expiry of the credential.
 func LongTermTURNRESTAuthHandler(sharedSecret string, l logging.LeveledLogger) AuthHandler {
 if l == nil {
 l = logging.NewDefaultLoggerFactory().NewLogger("turn")
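Review bot: The new doc comment has a typo in its last paragraph, `// The supported format of is timestamp:username, ...`, which should read `// The supported format is timestamp:username, where username is an arbitrary user id and the` with the following line unchanged. The same comment keeps `turn.AuthAuthHandler` from the old text even though the signature on the next line returns `AuthHandler`, so `returns a turn.AuthHandler` would be accurate. If the handler rejects credentials whose timestamp has already passed (the body of LongTermTURNRESTAuthHandler continues outside the hunk), the comment should state that explicitly, since the expiry check is the property callers of an auth handler rely on.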