Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: External authentication/authorization check #423

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

luongngocminh
Copy link
Contributor

Pull Request

Description

To keep the server functionalities as simple and compact as possible, currently only JWT verification is used to allow users access to a room. But due to the requirements of modern video conferencing applications, further authentication functionalities are needed (Room participant controls like kicking, banning, ...).
This PR is designed to keep the authen/author out of scope of the server core functions. Developer can now extends the authentication functions by providing a sort of "guard" API HTTP base endpoint.
These "guard" are placed in-front of the authenticated SDK APIs:

  • /whip/create
  • /whep/create
  • /webrtc/connect
  • /webrtc/ice-restart
    The guard API endpoint should contain all of these APIs when --ext-auth-uri is provided for the server. The guard only check for success status from this API for the guard to be passed, if the API failed in any other way, the guard will return UNAUTHORIZED.

Changes

  • New argument for media/gateway server: --ext-auth-uri Option<String>. For example: http://example.com (without the backslash at the end of the string)

Related Issue

#378

Checklist

  • I have tested the changes locally.
  • I have reviewed the code changes.

@luongngocminh luongngocminh requested a review from giangndm August 21, 2024 11:39
@luongngocminh luongngocminh linked an issue Aug 21, 2024 that may be closed by this pull request
Copy link

codecov bot commented Aug 21, 2024

Codecov Report

Attention: Patch coverage is 0% with 74 lines in your changes missing coverage. Please review.

Project coverage is 40.56%. Comparing base (260ff03) to head (5ad190e).

Files Patch % Lines
bin/src/http/api_media.rs 0.00% 54 Missing ⚠️
bin/src/http.rs 0.00% 18 Missing ⚠️
bin/src/server/gateway.rs 0.00% 1 Missing ⚠️
bin/src/server/media.rs 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #423      +/-   ##
==========================================
- Coverage   40.72%   40.56%   -0.17%     
==========================================
  Files         154      154              
  Lines       16644    16710      +66     
==========================================
  Hits         6778     6778              
- Misses       9866     9932      +66     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jibon57
Copy link
Contributor

jibon57 commented Aug 21, 2024

Nice Job 👍. One question regarding url, can't we use domain with path? Example: http://example.com/auth/webrtc-verify or similar?

@giangndm
Copy link
Contributor

giangndm commented Aug 22, 2024

@luongngocminh I think there might be some confusion with hard-coded URL rules. Perhaps we should use a direct endpoint and include the information in the body. As we discussed with @jibon57, it's more flexible to embed the check endpoint inside the token.

@luongngocminh
Copy link
Contributor Author

@jibon57 @giangndm my idea is to have a way to separate the checking logic for each concerns (in case we want to fine grain the permissions: create, patch, delete, etc. ) without branching in the target API logic. If I use a single webrtc verify API with body as the parameter, the handler logic of that API will need to be branch (using if or switch case) for each of the case.
Using this method will allow more fine grain control over which action will be allow, in the case the user doesn't care about the details, they can just create a catch all route like /webrtc/* handler and handle it there.

@jibon57
Copy link
Contributor

jibon57 commented Aug 22, 2024

@luongngocminh setting up a fixed url is totally fine. I'm just concerned the url pattern. Do we have to use only domain name without any path? Or path is allowed with domain? Because in your example you used a domain name only.

@luongngocminh
Copy link
Contributor Author

@luongngocminh setting up a fixed url is totally fine. I'm just concerned the url pattern. Do we have to use only domain name without any path? Or path is allowed with domain? Because in your example you used a domain name only.

You can use any path as base, it's fine, the server will send a GET request to <your base uri>/webrtc/connect, for example http://example.com/somethingrandom/otherrandom/webrtc/connect if this is what you're asking

@jibon57
Copy link
Contributor

jibon57 commented Aug 22, 2024

@luongngocminh thanks. Yes, that was my concern.

@giangndm
Copy link
Contributor

@luongngocminh @jibon57 I think we shouldn't use different endpoints. Instead, we should post to the configured endpoint, allowing users to flexibly embed more information within the hook URI parameters. This also enables us to have the same mechanism when allowing custom hook URIs per token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat: checker to verify before room creation
3 participants