@l7mp/stunner-auth-lib

# @l7mp/stunner-auth-lib A library to generate ICE configuration and TURN credentials for the [STUNner Kubernetes ingress gateway for WebRTC](https://github.com/l7mp/stunner). ```javascript const auth = require('@l7mp/stunner-auth-lib'); var credentials = auth.getStunnerCredentials({ auth_type: 'longterm', secret: 'my-shared-secret', duration: 24*60*60, // credentials valid for one day }); ``` ## Installation Install from NPM. ```console npm install @l7mp/stunner-auth-lib ``` ## Usage    The intended use is to ease the generation of STUN/TURN credentials and ICE server configuration stanza in the WebRTC application server. The application server can send these back to the WebRTC clients during the WebSocket/JSON call setup process. Clients can then use the STUN/TURN credentials and ICE server configuration received from the application server to authenticate with STUNner, in order to reach the WebRTC media plane deployed into Kubernetes behind STUNner. The library will automatically parse the current STUNner configuration from the Kubernetes control plane if available. Otherwise, it falls back to taking configuration from environment variables. ![STUNner authentication architecture](/stunner_auth_lib_arch.svg) ### Configuration The library depends on a valid STUNner configuration for generating STUN/TURN credentials, which is typically generated by the [STUNner Kubernetes Gateway Operator](https://github.com/l7mp/stunner-gateway-operator). The STUNner configuration is rendered into a [Kubernetes ConfigMap](https://github.com/l7mp/stunner-gateway-operator/README.md#configure-the-operator), which is then picked up by the [STUNner dataplane](https://github.com/l7mp/stunner) to ingest WebRTC media into the Kubernetes cluster. Suppose that this ConfigMap is named `stunnerd-config` (this is the default name). The below Kubernetes pod template snippet shows how to map this configuration into your WebRTC application server. ``` yaml ... spec: containers: - name: <my-application-server> image: <my-application-server-image> ... env: - name: STUNNER_CONFIG_FILENAME value: "/etc/stunnerd/stunnerd.conf" volumeMounts: - name: stunnerd-config-volume mountPath: /etc/stunnerd readOnly: true ... volumes: - name: stunnerd-config-volume configMap: name: stunnerd-config ... ``` From this point, the STUNner configuration, as actually existing in the `stunnerd-config` ConfigMap, will be mapped into the application server pod's filesystem under the path `/etc/stunnerd/stunnerd.conf` and the full path will be available in the `STUNNER_CONFIG_FILENAME` environment variable. The library will pick up this configuration and use it to generate the STUN/TURN credentials and full ICE server configurations necessary to reach STUNner. Every time you change the STUNner configuration through the [Kubernetes Gateway API](https://github.com/l7mp/stunner-gateway-operator/README.md#configure-the-operator), the new configuration will be immediately mapped into the filesystem of your application server. When called, the library will re-parse the active configuration from the filesystem and the new settings will immediately take effect: new client requests will receive up-to-date STUN/TURN credentials. If no valid configuration file is found, the library falls back to the [standalone mode](README.md#fallback-to-standalone-mode). ### Generating ICE configuration The recommended usage is generating the [ICE configuration](https://developer.mozilla.org/en-US/docs/Web/API/RTCIceServer) along with the STUNner credentials in a single step and sending it back the WebRTC clients during call setup. * Generate a full [ICE configuration object](https://developer.mozilla.org/en-US/docs/Web/API/RTCIceServer) on the [WebRTC application server](https://bloggeek.me/webrtc-server). ```javascript const auth = require('@l7mp/stunner-auth-lib'); ... var ICE_config = auth.getIceConfig(); console.log(ICE_config); ``` Output: ```javascript { iceServers: [ { url: 'turn:1.2.3.4:3478?transport=udp', username: 'my-user', credential: 'my-password' } ], iceTransportPolicy: 'relay' } ``` * Send the generated ICE configuration back to the clients during the WebSocket/JSON call setup process (e.g., during user registration) and use this configuration in the clients to initialize the WebRTC [`PeerConnection`](https://developer.mozilla.org/en-US/docs/Web/API/RTCPeerConnection/RTCPeerConnection). ```javascript var ICE_config = ...; // read ICE configuration from the WebSocket/JSON connection var pc = new RTCPeerConnection(ICE_config); ``` You can override the path to the STUNner configuration file (and other options) when calling the function. ```javascript var ICE_config = auth.getIceConfig({config_file: <MY_STUNNER_CONFIG_FILENAME>}); ``` ### Generating STUN/TURN credentials Alternatively, you can simply generate a new STUN/TURN long-term credentials that you can use for authenticating with STUNner. ```javascript var cred = auth.getStunnerCredentials({ duration: 24 * 60 * 60, // lifetime the longterm credential is effective }); console.log(`STUNner credentials: ${cred.username} / ${cred.credential}`); ``` Output: ``` STUNner credentials: 1652118264 / nRU+Iz2ENeP2Y3sDXzSRsFRDs8s= ``` ### Fallback to standalone mode Some may favor running STUNner in the [standalone mode](https://github.com/l7mp/stunner) in order to be able to manually customize the STUNner dataplane instead of relying on the operator to render the configuration. The library automatically falls back to using the standalone mode when no configuration file is available under the path specified by the `STUNNER_CONFIG_FILENAME` environment variable. For this, the application server needs to have access to the following environment variables. * `STUNNER_PUBLIC_ADDR` (no default, must be [customized](https://github.com/l7mp/stunner#learning-the-external-ip-and-port)): STUNner public IP address. * `STUNNER_PUBLIC_PORT` (default: 3478): STUNner public port. * `STUNNER_REALM` (default: `stunner.l7mp.io`): STUN/TURN realm. * `STUNNER_AUTH_TYPE` (default: `plaintext`): [STUNner authentication mode]((https://github.com/l7mp/stunner/tree/main/doc/AUTH.md)); either `plaintext` or `longterm`. * `STUNNER_USERNAME` (default: `user`): [username](https://www.rfc-editor.org/rfc/rfc8489.html#section-14.3) for `plaintext` authentication. * `STUNNER_PASSWORD` (default: `pass`): password for `plaintext` authentication. * `STUNNER_SHARED_SECRET` (default: `secret`): the shared secret for `longterm` authentication. For most configuration parameters the library specifies sane defaults, which can be overridden by the environment variables (i.e., the STUNner configuration), which can in turn be further overridden in the function arguments specified on the library calls. The below code will generate a full [ICE configuration object](https://developer.mozilla.org/en-US/docs/Web/API/RTCIceServer) in the fallback mode using the specified overrides. ```javascript const auth = require('@l7mp/stunner-auth-lib'); ... var ICE_config = auth.getIceConfig({ address: '1.2.3.4', // ovveride STUNNER_PUBLIC_ADDR port: 3478, // ovveride STUNNER_PUBLIC_PORT auth_type: 'plaintext', // override STUNNER_AUTH_TYPE username: 'my-user', // override STUNNER_USERNAME password: 'my-password', // override STUNNER_PASSWORD ice_transport_policy: 'relay', // override STUNNER_ICE_TRANSPORT_POLICY }); console.log(ICE_config); ``` The below will generate a new set of STUN/TURN long-term credentials, again using manual overrides. ```javascript var cred = auth.getStunnerCredentials({ auth_type: 'longterm', // override STUNNER_AUTH_TYPE secret: 'my-secret', // override STUNNER_SHARED_SECRET duration: 24 * 60 * 60, // lifetime the longterm credential is effective }); console.log(`STUNner credentials: ${cred.username} / ${cred.credential}`); ``` Output: ``` STUNner credentials: 1652118264 / nRU+Iz2ENeP2Y3sDXzSRsFRDs8s= ``` Note that all manual overrides are available in the default mode as well. ### Caveats * In order for the library to be able to read the STUNner configuration, the corresponding ConfigMap (i.e., `stunnerd-config`) and the application server must live in the same Kubernetes namespace (Kubernetes does not allow a ConfigMap to be mapped into a pod that exists in a different namespace). See the [STUNner examples](https://github.com/l7mp/stunner/examples/README.md) on how to configure the [STUNner Kubernetes Gateway Operator](https://github.com/l7mp/stunner-gateway-operator) to render the configuration into an arbitrary namespace from where your application server can pick it up. * If you change the STUNner credentials from the Kubernetes Gateway API then active clients, which have already received an ICE configuration that is now being rendered invalid by your change, will need to go through the authentication process (receive a new ICE configuration, re-request TURN permissions again from STUNner, etc.) again. Otherwise, they will time out on the next TURN permission refresh cycle. Currently it is the responsibility of the application server to orchestrate this process. As a rule of thumb, try to avoid resetting the authentication settings when active users are authenticated with STUNner. ## Help STUNner development is coordinated in Discord, send [us](https://github.com/l7mp/stunner/blob/main/AUTHORS) an email to ask an invitation. ## License Copyright 2021-2022 by its authors. Some rights reserved. See [AUTHORS](https://github.com/l7mp/stunner/blob/main/AUTHORS). MIT License - see [LICENSE](/LICENSE) for full text. ## Acknowledgments Initial code adopted from [@rojo2/turn-credentials](https://www.npmjs.com/package/@rojo2/turn-credentials).