diff --git a/lk-jwt-service b/lk-jwt-service deleted file mode 160000 index fa22603..0000000 --- a/lk-jwt-service +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fa226031ac7a9252996f8d038c45fc086d9d960b diff --git a/lk-jwt-service/Dockerfile b/lk-jwt-service/Dockerfile new file mode 100644 index 0000000..c6c84d7 --- /dev/null +++ b/lk-jwt-service/Dockerfile @@ -0,0 +1,28 @@ +# Set the version to match that which is in go.mod +ARG GO_VERSION="build-arg-must-be-provided" + +FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS builder + +WORKDIR /proj + +COPY go.mod ./ +COPY go.sum ./ +RUN go mod download + +COPY *.go ./ + +ARG TARGETOS TARGETARCH +RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o lk-jwt-service +# set up nsswitch.conf for Go's "netgo" implementation +# - https://github.com/golang/go/blob/go1.24.0/src/net/conf.go#L343 +RUN echo 'hosts: files dns' > /etc/nsswitch.conf + +FROM scratch + +COPY --from=builder /proj/lk-jwt-service /lk-jwt-service +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /etc/nsswitch.conf /etc/nsswitch.conf + +EXPOSE 8080 + +CMD [ "/lk-jwt-service" ] diff --git a/lk-jwt-service/LICENSE b/lk-jwt-service/LICENSE new file mode 100644 index 0000000..f36a7b7 --- /dev/null +++ b/lk-jwt-service/LICENSE @@ -0,0 +1,662 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + + Copyright (C) {{ year }} {{ organization }} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/lk-jwt-service/LICENSE-COMMERCIAL b/lk-jwt-service/LICENSE-COMMERCIAL new file mode 100644 index 0000000..39041ce --- /dev/null +++ b/lk-jwt-service/LICENSE-COMMERCIAL @@ -0,0 +1,6 @@ +Licensees holding a valid commercial license with Element may use this +software in accordance with the terms contained in a written agreement +between you and Element. + +To purchase a commercial license please contact our sales team at +licensing@element.io diff --git a/lk-jwt-service/README.md b/lk-jwt-service/README.md new file mode 100644 index 0000000..a50e2ec --- /dev/null +++ b/lk-jwt-service/README.md @@ -0,0 +1,262 @@ +# πŸŽ₯ MatrixRTC Authorization Service + +The **MatrixRTC Authorization Service** bridges Matrix and LiveKit, handling +authentication and room creation when needed. + +## πŸ’‘ TL;DR + +Matrix user wants to start or join a call? + +πŸ‘€ ➑️ Gets OpenID token ➑️ Sends it to the **MatrixRTC Authorization Service** ➑️ +Receives LiveKit JWT ➑️ + +- **If full-access user** ➑️ Can trigger LiveKit room creation (if needed) ➑️ + Joins the call πŸŽ‰ +- **If restricted user** ➑️ Can join existing rooms ➑️ Joins the call πŸŽ‰ + +πŸ“‘ Once connected, the LiveKit SFU handles all real-time media routing so +participants can see and hear each other. + +## πŸ—οΈ MatrixRTC Stack: Architecture Overview + +

+ MatrixRTC Architecture +

+ +## πŸ“Œ When to Use + +This service is part of the **MatrixRTC stack** and is primarily used when the +[LiveKit RTC backend (MSC4195)](https://github.com/matrix-org/matrix-spec-proposals/pull/4195) +is in use. + +As outlined in the +[Element Call Self-Hosting Guide](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md), +you’ll also need: + +- A [LiveKit SFU](https://github.com/livekit/livekit) +- MatrixRTC-compatible clients such as + [Element Call](https://github.com/element-hq/element-call), which can run + either: + - As a standalone Single Page Application (SPA) or + - Embedded for in-app calling + +## ✨ What It Does + +πŸ”‘ **Generates JWT tokens** for a given LiveKit identity and room derived from +the Matrix user and Matrix room, allowing users to authenticate with the LiveKit +SFU. + +πŸ›‘οΈ **Manages user access levels** to ensure the proper and secure use of +infrastructure: + +- **Full-access users** β€” Matrix users from homeservers in the same or related + deployment as the MatrixRTC backend. Can trigger automatic LiveKit room + creation if needed. +- **Restricted users** β€” All other Matrix users. Can join existing LiveKit SFU + rooms, but cannot auto-create new ones. + +πŸ—οΈ **Auto-creates LiveKit rooms** for full-access users if they don’t already +exist. + +> [!NOTE] +> This setup ensures resources are used appropriately while still supporting +> seamless cross-federation MatrixRTC sessions, e.g., video calls. Remote users +> (not on the same deployment) can join existing rooms, but only full-access +> (local) users can trigger room creation. The SFU selection algorithm and event +> ordering ensure that conferences across Matrix federation remain fully +> functional. + +## πŸ—ΊοΈ How It Works β€” Token Exchange Flow + +```mermaid +sequenceDiagram + participant U as πŸ§‘ User + participant M as 🏒 Matrix Homeserver + participant A as πŸ” MatrixRTC Authorization Service + participant L as πŸ“‘ LiveKit SFU + + U->>M: Requests OpenID token + M-->>U: Returns OpenID token + U->>A: Sends OpenID token & room request + A->>M: Validates token via OpenID API + M-->>A: Confirms user identity + A->>A: Generates LiveKit JWT + A->>L: (If full-access user) Create room if missing + A-->>U: Returns LiveKit JWT + U->>L: Connects to room using JWT +``` + +## πŸš€ Installation + +Releases are available +**[here](https://github.com/element-hq/lk-jwt-service/releases)**. + +### 🐳 From Docker Image + +```shell +docker run -e LIVEKIT_URL="ws://somewhere" -e LIVEKIT_KEY=devkey -e LIVEKIT_SECRET=secret -e LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com -p 8080:8080 ghcr.io/element-hq/lk-jwt-service:0.3.0 +``` + +### πŸ“¦ From Release + +1. Download & mark as executable (example is amd64, replace with arm64 if needed): + +```shell +wget https://github.com/element-hq/lk-jwt-service/releases/latest/download/lk-jwt-service_linux_amd64 +chmod +x lk-jwt-service_linux_amd64 +``` + +3. Run locally: + +```shell +LIVEKIT_URL="ws://somewhere" LIVEKIT_KEY=devkey LIVEKIT_SECRET=secret LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com ./lk-jwt-service_linux_amd64 +``` + +## βš™οΈ Configuration + +Set environment variables to configure the service: + +| Variable | Description | Required | Default | +| --------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------- | ------- | +| `LIVEKIT_URL` | WebSocket URL of the LiveKit SFU | βœ… Yes | | +| `LIVEKIT_KEY` / `LIVEKIT_KEY_FROM_FILE` | API key or file path for LiveKit SFU | βœ… Yes | | +| `LIVEKIT_SECRET` / `LIVEKIT_SECRET_FROM_FILE` | API secret or file path for LiveKit SFU | βœ… Yes | | +| `LIVEKIT_KEY_FILE` | File path with `APIkey: secret` format | ⚠️ mutually exclusive with LIVEKIT_{KEY|SECRET} | | +| `LIVEKIT_JWT_BIND` | Address to bind the server to | ❌ No, ⚠️ mutually exclusive with `LIVEKIT_JWT_PORT` | `:8080` | +| `LIVEKIT_JWT_PORT` | ⚠️ Deprecated Port to bind the server to | ❌ No, ⚠️ mutually exclusive with `LIVEKIT_JWT_BIND` | | +| `LIVEKIT_FULL_ACCESS_HOMESERVERS` | Comma-separated list of full-access homeservers (`*` for all) | ❌ No | `*` | + +> [!IMPORTANT] +> By default, the LiveKit SFU auto-creates rooms for all users. To ensure proper +> access control, update your LiveKit +> [config.yaml](https://github.com/livekit/livekit/blob/7350e9933107ecdea4ada8f8bcb0d6ca78b3f8f7/config-sample.yaml#L170) +> to **disable automatic room creation**. + +**LiveKit SFU config should include:** + +```yaml +room: + auto_create: false +``` + +## πŸ”’ Transport Layer Security (TLS) Setup Using a Reverse Proxy + +To properly secure the MatrixRTC Authorization Service, a reverse proxy is +recommended. + +### Example Caddy Config + +```caddy +matrix-rtc.domain.tld { + bind xx.xx.xx.xx + + handle /livekit/jwt* { + reverse_proxy localhost:8080 + } +} +``` + +### Example Nginx Config + +```nginx +server { + listen 80; + server_name matrix-rtc.domain.tld; + + # Redirect HTTP β†’ HTTPS + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name matrix-rtc.domain.tld; + + # TLS certificate paths (replace with your own) + ssl_certificate /etc/ssl/certs/matrix-rtc.crt; + ssl_certificate_key /etc/ssl/private/matrix-rtc.key; + + # TLS settings (minimal) + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + location /livekit/jwt/ { + proxy_pass http://localhost:8080/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} +``` + +## πŸ“Œ Do Not Forget to Update Your Matrix Site's `.well-known/matrix/client` + +For proper MatrixRTC functionality, you need to configure your site's +`.well-known/matrix/client`. See the +[Element Call self-hosting guide](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md#matrixrtc-backend-announcement) +for reference. + +The following key must be included in +`https://domain.tld/.well-known/matrix/client`: + +```json +"org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "https://matrix-rtc.domain.tld/livekit/jwt" + } +] +``` + +## πŸ§ͺ Development & Testing + +### Disable TLS verification + +For testing and debugging (e.g. in the absence of trusted certificates while +testing in a lab), you can disable TLS verification for the outgoing connection +to the Matrix homeserver by setting the environment variable +`LIVEKIT_INSECURE_SKIP_VERIFY_TLS` to `YES_I_KNOW_WHAT_I_AM_DOING`. + +### πŸ› οΈ Development Environment (Docker Compose) + +Based on the +[Element Call GitHub repo](https://github.com/element-hq/element-call) + +The easiest way to spin up the full Matrix stack is by using the development +environment provided by Element Call. For detailed instructions, see +[Element Call Backend Setup](https://github.com/element-hq/element-call?tab=readme-ov-file#backend). + +> [!NOTE] +> To ensure your local frontend works properly, you need to add certificate +> exceptions in your browser for: +> +> - `https://localhost:3000` +> - `https://matrix-rtc.m.localhost/livekit/jwt/healthz` +> - `https://synapse.m.localhost/.well-known/matrix/client` +> +> You can do this either by adding the minimal m.localhost CA +> ([dev_tls_m.localhost.crt](https://raw.githubusercontent.com/element-hq/element-call/refs/heads/livekit/backend/dev_tls_m.localhost.crt)) +> to your browser’s trusted certificates, or by visiting each URL in your +> browser and following the prompts to accept the exception. + +#### 🐳 Start MatrixRTC stack without the MatrixRTC Authorization Service + +```sh +git clone https://github.com/element-hq/element-call.git +cd element-call +docker-compose -f ./dev-backend-docker-compose.yml -f ./playwright-backend-docker-compose.override.yml up nginx livekit synapse redis +``` + +#### πŸ”‘ Start the MatrixRTC Authorization Service locally + +```sh +git clone https://github.com/element-hq/lk-jwt-service +cd lk-jwt-service +LIVEKIT_INSECURE_SKIP_VERIFY_TLS="YES_I_KNOW_WHAT_I_AM_DOING" \ +LIVEKIT_URL="wss://matrix-rtc.m.localhost/livekit/sfu" \ +LIVEKIT_KEY=devkey \ +LIVEKIT_SECRET=secret \ +LIVEKIT_JWT_PORT=6080 \ +LIVEKIT_FULL_ACCESS_HOMESERVERS=synapse.m.localhost \ +./lk-jwt-service +``` diff --git a/lk-jwt-service/go.mod b/lk-jwt-service/go.mod new file mode 100644 index 0000000..fa0989f --- /dev/null +++ b/lk-jwt-service/go.mod @@ -0,0 +1,92 @@ +module lk-jwt-service + +go 1.23.0 + +toolchain go1.25.3 + +require ( + github.com/golang-jwt/jwt/v5 v5.3.0 + github.com/livekit/protocol v1.34.0 + github.com/livekit/server-sdk-go/v2 v2.5.0 + github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 + github.com/matrix-org/gomatrixserverlib v0.0.0-20250815065806-6697d93cbcba +) + +require ( + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.0-20241127180247-a33202765966.1 // indirect + buf.build/go/protoyaml v0.3.1 // indirect + cel.dev/expr v0.19.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/benbjohnson/clock v1.3.5 // indirect + github.com/bep/debounce v1.2.1 // indirect + github.com/bufbuild/protovalidate-go v0.8.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/dennwc/iters v1.0.1 // indirect + github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect + github.com/frostbyte73/core v0.1.1 // indirect + github.com/fsnotify/fsnotify v1.8.0 // indirect + github.com/gammazero/deque v1.0.0 // indirect + github.com/go-jose/go-jose/v3 v3.0.4 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/google/cel-go v0.22.1 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/gorilla/websocket v1.5.3 // indirect + github.com/hashicorp/go-set/v3 v3.0.0 // indirect + github.com/jxskiss/base62 v1.1.0 // indirect + github.com/klauspost/compress v1.17.11 // indirect + github.com/klauspost/cpuid/v2 v2.2.7 // indirect + github.com/kr/pretty v0.3.1 // indirect + github.com/lithammer/shortuuid/v4 v4.2.0 // indirect + github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1 // indirect + github.com/livekit/mediatransportutil v0.0.0-20241220010243-a2bdee945564 // indirect + github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126 // indirect + github.com/magefile/mage v1.15.0 // indirect + github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 // indirect + github.com/nats-io/nats.go v1.38.0 // indirect + github.com/nats-io/nkeys v0.4.9 // indirect + github.com/nats-io/nuid v1.0.1 // indirect + github.com/oleiade/lane/v2 v2.0.0 // indirect + github.com/pion/datachannel v1.5.10 // indirect + github.com/pion/dtls/v3 v3.0.4 // indirect + github.com/pion/ice/v4 v4.0.6 // indirect + github.com/pion/interceptor v0.1.39 // indirect + github.com/pion/logging v0.2.3 // indirect + github.com/pion/mdns/v2 v2.0.7 // indirect + github.com/pion/randutil v0.1.0 // indirect + github.com/pion/rtcp v1.2.15 // indirect + github.com/pion/rtp v1.8.18 // indirect + github.com/pion/sctp v1.8.35 // indirect + github.com/pion/sdp/v3 v3.0.10 // indirect + github.com/pion/srtp/v3 v3.0.4 // indirect + github.com/pion/stun/v3 v3.0.0 // indirect + github.com/pion/transport/v3 v3.0.7 // indirect + github.com/pion/turn/v4 v4.0.0 // indirect + github.com/pion/webrtc/v4 v4.0.9 // indirect + github.com/puzpuzpuz/xsync/v3 v3.5.0 // indirect + github.com/redis/go-redis/v9 v9.7.3 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/tidwall/gjson v1.18.0 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.1 // indirect + github.com/tidwall/sjson v1.2.5 // indirect + github.com/twitchtv/twirp v8.1.3+incompatible // indirect + github.com/wlynxg/anet v0.0.5 // indirect + github.com/zeebo/xxh3 v1.0.2 // indirect + go.uber.org/atomic v1.11.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.0 // indirect + go.uber.org/zap/exp v0.3.0 // indirect + golang.org/x/crypto v0.38.0 // indirect + golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3 // indirect + golang.org/x/net v0.40.0 // indirect + golang.org/x/sync v0.14.0 // indirect + golang.org/x/sys v0.33.0 // indirect + golang.org/x/text v0.25.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489 // indirect + google.golang.org/grpc v1.70.0 // indirect + google.golang.org/protobuf v1.36.5 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/lk-jwt-service/go.sum b/lk-jwt-service/go.sum new file mode 100644 index 0000000..71120af --- /dev/null +++ b/lk-jwt-service/go.sum @@ -0,0 +1,310 @@ +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.0-20241127180247-a33202765966.1 h1:ntAj16eF7AtUyzOOAFk5gvbAO52QmUKPKk7GmsIEORo= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.0-20241127180247-a33202765966.1/go.mod h1:AxRT+qTj5PJCz2nyQzsR/qxAcveW5USRhJTt/edTO5w= +buf.build/go/protoyaml v0.3.1 h1:ucyzE7DRnjX+mQ6AH4JzN0Kg50ByHHu+yrSKbgQn2D4= +buf.build/go/protoyaml v0.3.1/go.mod h1:0TzNpFQDXhwbkXb/ajLvxIijqbve+vMQvWY/b3/Dzxg= +cel.dev/expr v0.19.0 h1:lXuo+nDhpyJSpWxpPVi5cPUwzKb+dsdOiw6IreM5yt0= +cel.dev/expr v0.19.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o= +github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/bep/debounce v1.2.1 h1:v67fRdBA9UQu2NhLFXrSg0Brw7CexQekrBwDMM8bzeY= +github.com/bep/debounce v1.2.1/go.mod h1:H8yggRPQKLUhUoqrJC1bO2xNya7vanpDl7xR3ISbCJ0= +github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs= +github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c= +github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA= +github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0= +github.com/bufbuild/protovalidate-go v0.8.0 h1:Xs3kCLCJ4tQiogJ0iOXm+ClKw/KviW3nLAryCGW2I3Y= +github.com/bufbuild/protovalidate-go v0.8.0/go.mod h1:JPWZInGm2y2NBg3vKDKdDIkvDjyLv31J3hLH5GIFc/Q= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= +github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dennwc/iters v1.0.1 h1:XwMudE6xtS0ugEdum4HQ+iRi+5HSvaeKxJPM/VI3pJs= +github.com/dennwc/iters v1.0.1/go.mod h1:M9KuuMBeyEXYTmB7EnI9SCyALFCmPWOIxn5W1L0CjGg= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= +github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= +github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= +github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/frostbyte73/core v0.1.1 h1:ChhJOR7bAKOCPbA+lqDLE2cGKlCG5JXsDvvQr4YaJIA= +github.com/frostbyte73/core v0.1.1/go.mod h1:mhfOtR+xWAvwXiwor7jnqPMnu4fxbv1F2MwZ0BEpzZo= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/gammazero/deque v1.0.0 h1:LTmimT8H7bXkkCy6gZX7zNLtkbz4NdS2z8LZuor3j34= +github.com/gammazero/deque v1.0.0/go.mod h1:iflpYvtGfM3U8S8j+sZEKIak3SAKYpA5/SQewgfXDKo= +github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= +github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= +github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40= +github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw= +github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI= +github.com/hashicorp/go-set/v3 v3.0.0 h1:CaJBQvQCOWoftrBcDt7Nwgo0kdpmrKxar/x2o6pV9JA= +github.com/hashicorp/go-set/v3 v3.0.0/go.mod h1:IEghM2MpE5IaNvL+D7X480dfNtxjRXZ6VMpK3C8s2ok= +github.com/jxskiss/base62 v1.1.0 h1:A5zbF8v8WXx2xixnAKD2w+abC+sIzYJX+nxmhA6HWFw= +github.com/jxskiss/base62 v1.1.0/go.mod h1:HhWAlUXvxKThfOlZbcuFzsqwtF5TcqS9ru3y5GfjWAc= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM= +github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lithammer/shortuuid/v4 v4.2.0 h1:LMFOzVB3996a7b8aBuEXxqOBflbfPQAiVzkIcHO0h8c= +github.com/lithammer/shortuuid/v4 v4.2.0/go.mod h1:D5noHZ2oFw/YaKCfGy0YxyE7M0wMbezmMjPdhyEFe6Y= +github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1 h1:jm09419p0lqTkDaKb5iXdynYrzB84ErPPO4LbRASk58= +github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1/go.mod h1:Rs3MhFwutWhGwmY1VQsygw28z5bWcnEYmS1OG9OxjOQ= +github.com/livekit/mediatransportutil v0.0.0-20241220010243-a2bdee945564 h1:GX7KF/V9ExmcfT/2Bdia8aROjkxrgx7WpyH7w9MB4J4= +github.com/livekit/mediatransportutil v0.0.0-20241220010243-a2bdee945564/go.mod h1:36s+wwmU3O40IAhE+MjBWP3W71QRiEE9SfooSBvtBqY= +github.com/livekit/protocol v1.34.0 h1:hbIXgNW+JPiTcGjzNg1XgQg3Wqa2R5dBhzuy+LLEIS4= +github.com/livekit/protocol v1.34.0/go.mod h1:yXuQ7ucrLj91nbxL6/AHgtxdha1DGzLj1LkgvnT90So= +github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126 h1:fzuYpAQbCid7ySPpQWWePfQOWUrs8x6dJ0T3Wl07n+Y= +github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126/go.mod h1:X5WtEZ7OnEs72Fi5/J+i0on3964F1aynQpCalcgMqRo= +github.com/livekit/server-sdk-go/v2 v2.5.0 h1:HCKm3f6PvefGp8emNC2mi9+9IXzBYrynuGbtUdp5u+w= +github.com/livekit/server-sdk-go/v2 v2.5.0/go.mod h1:98/Sa+Wgb27ABwu0WYxLaMZaRfGljrrtoZDQ2xA4oVg= +github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= +github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U= +github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250619052822-904c8f04597e h1:SWediqisy1Eoumr06sjGaA6gt6gS4FtXe00VB6fSNZw= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250619052822-904c8f04597e/go.mod h1:61LpEsWAroRfdVh2dnr6fQ+K3MmRgD5I35GVvF4FpXQ= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250704071233-a234d6df21c7 h1:WAcUwx+ZCK8znn1etraC2JWTns3ppcH6/gVQLfrCAnI= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250704071233-a234d6df21c7/go.mod h1:61LpEsWAroRfdVh2dnr6fQ+K3MmRgD5I35GVvF4FpXQ= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250815065806-6697d93cbcba h1:vUUjTOXZ/bYdF/SmJPH8HZ/UTmvw+ldngFKVLElmn+I= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250815065806-6697d93cbcba/go.mod h1:b6KVfDjXjA5Q7vhpOaMqIhFYvu5BuFVZixlNeTV/CLc= +github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y= +github.com/matrix-org/util v0.0.0-20221111132719-399730281e66/go.mod h1:iBI1foelCqA09JJgPV0FYz4qA5dUXYOxMi57FxKBdd4= +github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE= +github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/nats-io/nats.go v1.38.0 h1:A7P+g7Wjp4/NWqDOOP/K6hfhr54DvdDQUznt5JFg9XA= +github.com/nats-io/nats.go v1.38.0/go.mod h1:IGUM++TwokGnXPs82/wCuiHS02/aKrdYUQkU8If6yjw= +github.com/nats-io/nkeys v0.4.9 h1:qe9Faq2Gxwi6RZnZMXfmGMZkg3afLLOtrU+gDZJ35b0= +github.com/nats-io/nkeys v0.4.9/go.mod h1:jcMqs+FLG+W5YO36OX6wFIFcmpdAns+w1Wm6D3I/evE= +github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/oleiade/lane/v2 v2.0.0 h1:XW/ex/Inr+bPkLd3O240xrFOhUkTd4Wy176+Gv0E3Qw= +github.com/oleiade/lane/v2 v2.0.0/go.mod h1:i5FBPFAYSWCgLh58UkUGCChjcCzef/MI7PlQm2TKCeg= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs= +github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= +github.com/ory/dockertest/v3 v3.11.0 h1:OiHcxKAvSDUwsEVh2BjxQQc/5EHz9n0va9awCtNGuyA= +github.com/ory/dockertest/v3 v3.11.0/go.mod h1:VIPxS1gwT9NpPOrfD3rACs8Y9Z7yhzO4SB194iUDnUI= +github.com/pion/datachannel v1.5.10 h1:ly0Q26K1i6ZkGf42W7D4hQYR90pZwzFOjTq5AuCKk4o= +github.com/pion/datachannel v1.5.10/go.mod h1:p/jJfC9arb29W7WrxyKbepTU20CFgyx5oLo8Rs4Py/M= +github.com/pion/dtls/v3 v3.0.4 h1:44CZekewMzfrn9pmGrj5BNnTMDCFwr+6sLH+cCuLM7U= +github.com/pion/dtls/v3 v3.0.4/go.mod h1:R373CsjxWqNPf6MEkfdy3aSe9niZvL/JaKlGeFphtMg= +github.com/pion/ice/v4 v4.0.6 h1:jmM9HwI9lfetQV/39uD0nY4y++XZNPhvzIPCb8EwxUM= +github.com/pion/ice/v4 v4.0.6/go.mod h1:y3M18aPhIxLlcO/4dn9X8LzLLSma84cx6emMSu14FGw= +github.com/pion/interceptor v0.1.39 h1:Y6k0bN9Y3Lg/Wb21JBWp480tohtns8ybJ037AGr9UuA= +github.com/pion/interceptor v0.1.39/go.mod h1:Z6kqH7M/FYirg3frjGJ21VLSRJGBXB/KqaTIrdqnOic= +github.com/pion/logging v0.2.3 h1:gHuf0zpoh1GW67Nr6Gj4cv5Z9ZscU7g/EaoC/Ke/igI= +github.com/pion/logging v0.2.3/go.mod h1:z8YfknkquMe1csOrxK5kc+5/ZPAzMxbKLX5aXpbpC90= +github.com/pion/mdns/v2 v2.0.7 h1:c9kM8ewCgjslaAmicYMFQIde2H9/lrZpjBkN8VwoVtM= +github.com/pion/mdns/v2 v2.0.7/go.mod h1:vAdSYNAT0Jy3Ru0zl2YiW3Rm/fJCwIeM0nToenfOJKA= +github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA= +github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8= +github.com/pion/rtcp v1.2.15 h1:LZQi2JbdipLOj4eBjK4wlVoQWfrZbh3Q6eHtWtJBZBo= +github.com/pion/rtcp v1.2.15/go.mod h1:jlGuAjHMEXwMUHK78RgX0UmEJFV4zUKOFHR7OP+D3D0= +github.com/pion/rtp v1.8.18 h1:yEAb4+4a8nkPCecWzQB6V/uEU18X1lQCGAQCjP+pyvU= +github.com/pion/rtp v1.8.18/go.mod h1:bAu2UFKScgzyFqvUKmbvzSdPr+NGbZtv6UB2hesqXBk= +github.com/pion/sctp v1.8.35 h1:qwtKvNK1Wc5tHMIYgTDJhfZk7vATGVHhXbUDfHbYwzA= +github.com/pion/sctp v1.8.35/go.mod h1:EcXP8zCYVTRy3W9xtOF7wJm1L1aXfKRQzaM33SjQlzg= +github.com/pion/sdp/v3 v3.0.10 h1:6MChLE/1xYB+CjumMw+gZ9ufp2DPApuVSnDT8t5MIgA= +github.com/pion/sdp/v3 v3.0.10/go.mod h1:88GMahN5xnScv1hIMTqLdu/cOcUkj6a9ytbncwMCq2E= +github.com/pion/srtp/v3 v3.0.4 h1:2Z6vDVxzrX3UHEgrUyIGM4rRouoC7v+NiF1IHtp9B5M= +github.com/pion/srtp/v3 v3.0.4/go.mod h1:1Jx3FwDoxpRaTh1oRV8A/6G1BnFL+QI82eK4ms8EEJQ= +github.com/pion/stun/v3 v3.0.0 h1:4h1gwhWLWuZWOJIJR9s2ferRO+W3zA/b6ijOI6mKzUw= +github.com/pion/stun/v3 v3.0.0/go.mod h1:HvCN8txt8mwi4FBvS3EmDghW6aQJ24T+y+1TKjB5jyU= +github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0= +github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo= +github.com/pion/turn/v4 v4.0.0 h1:qxplo3Rxa9Yg1xXDxxH8xaqcyGUtbHYw4QSCvmFWvhM= +github.com/pion/turn/v4 v4.0.0/go.mod h1:MuPDkm15nYSklKpN8vWJ9W2M0PlyQZqYt1McGuxG7mA= +github.com/pion/webrtc/v4 v4.0.9 h1:PyOYMRKJgfy0dzPcYtFD/4oW9zaw3Ze3oZzzbj2LV9E= +github.com/pion/webrtc/v4 v4.0.9/go.mod h1:ViHLVaNpiuvaH8pdiuQxuA9awuE6KVzAXx3vVWilOck= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/puzpuzpuz/xsync/v3 v3.5.0 h1:i+cMcpEDY1BkNm7lPDkCtE4oElsYLn+EKF8kAu2vXT4= +github.com/puzpuzpuz/xsync/v3 v3.5.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA= +github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM= +github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk= +github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU= +github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A= +github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU= +github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ= +github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= +github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= +github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U= +go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= +golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3 h1:qNgPs5exUA+G0C96DrPwNrvLSj7GT/9D+3WMWUcUg34= +golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= +golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= +golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= +golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= +golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= +golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a h1:OAiGFfOiA0v9MRYsSidp3ubZaBnteRUyn3xB2ZQ5G/E= +google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a/go.mod h1:jehYqy3+AhJU9ve55aNOaSml7wUXjF9x6z2LcCfpAhY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489 h1:5bKytslY8ViY0Cj/ewmRtrWHW64bNF03cAatUUFCdFI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk= +google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= +google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= +google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= +google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/h2non/gock.v1 v1.1.2 h1:jBbHXgGBK/AoPVfJh5x4r/WxIrElvbLel8TCZkkZJoY= +gopkg.in/h2non/gock.v1 v1.1.2/go.mod h1:n7UGz/ckNChHiK05rDoiC4MYSunEC/lyaUm2WWaDva0= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/lk-jwt-service/main.go b/lk-jwt-service/main.go new file mode 100644 index 0000000..8f3e030 --- /dev/null +++ b/lk-jwt-service/main.go @@ -0,0 +1,638 @@ +// Copyright 2025 Element Creations Ltd. +// Copyright 2023 - 2025 New Vector Ltd. +// +// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial +// Please see LICENSE files in the repository root for full details. + +package main + +import ( + "context" + "crypto/sha256" + "crypto/tls" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "io" + "log" + "net/http" + "os" + "slices" + "strings" + + "time" + + "github.com/livekit/protocol/auth" + "github.com/livekit/protocol/livekit" + lksdk "github.com/livekit/server-sdk-go/v2" + + "github.com/matrix-org/gomatrix" + "github.com/matrix-org/gomatrixserverlib/fclient" + "github.com/matrix-org/gomatrixserverlib/spec" +) + +type Handler struct { + key, secret, lkUrl string + fullAccessHomeservers []string + skipVerifyTLS bool +} +type Config struct { + Key string + Secret string + LkUrl string + SkipVerifyTLS bool + FullAccessHomeservers []string + LkJwtBind string +} +type MatrixRTCMemberType struct { + ID string `json:"id"` + ClaimedUserID string `json:"claimed_user_id"` + ClaimedDeviceID string `json:"claimed_device_id"` +} + +type OpenIDTokenType struct { + AccessToken string `json:"access_token"` + TokenType string `json:"token_type"` + MatrixServerName string `json:"matrix_server_name"` + ExpiresIn int `json:"expires_in"` +} + +type LegacySFURequest struct { + Room string `json:"room"` + OpenIDToken OpenIDTokenType `json:"openid_token"` + DeviceID string `json:"device_id"` +} + +type SFURequest struct { + RoomID string `json:"room_id"` + SlotID string `json:"slot_id"` + OpenIDToken OpenIDTokenType `json:"openid_token"` + Member MatrixRTCMemberType `json:"member"` + DelayedEventID string `json:"delayed_event_id"` +} +type SFUResponse struct { + URL string `json:"url"` + JWT string `json:"jwt"` +} + +type MatrixErrorResponse struct { + Status int + ErrCode string + Err string +} + +type ValidatableSFURequest interface { + Validate() error +} + +var unpaddedBase64 = base64.StdEncoding.WithPadding(base64.NoPadding) + +func (e *MatrixErrorResponse) Error() string { + return e.Err +} + +func (r *SFURequest) Validate() error { + if r.RoomID == "" || r.SlotID == "" { + log.Printf("Missing room_id or slot_id: room_id='%s', slot_id='%s'", r.RoomID, r.SlotID) + return &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "The request body is missing `room_id` or `slot_id`", + } + } + if r.Member.ID == "" || r.Member.ClaimedUserID == "" || r.Member.ClaimedDeviceID == "" { + log.Printf("Missing member parameters: %+v", r.Member) + return &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "The request body `member` is missing a `id`, `claimed_user_id` or `claimed_device_id`", + } + } + if r.OpenIDToken.AccessToken == "" || r.OpenIDToken.MatrixServerName == "" { + log.Printf("Missing OpenID token parameters: %+v", r.OpenIDToken) + return &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "The request body `openid_token` is missing a `access_token` or `matrix_server_name`", + } + } + return nil +} + +func (r *LegacySFURequest) Validate() error { + if r.Room == "" { + return &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "Missing room parameter", + } + } + if r.OpenIDToken.AccessToken == "" || r.OpenIDToken.MatrixServerName == "" { + return &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "Missing OpenID token parameters", + } + } + return nil +} + +// writeMatrixError writes a Matrix-style error response to the HTTP response writer. +func writeMatrixError(w http.ResponseWriter, status int, errCode string, errMsg string) { + w.WriteHeader(status) + if err := json.NewEncoder(w).Encode(gomatrix.RespError{ + ErrCode: errCode, + Err: errMsg, + }); err != nil { + log.Printf("failed to encode json error message! %v", err) + } +} + +func getJoinToken(apiKey, apiSecret, room, identity string) (string, error) { + at := auth.NewAccessToken(apiKey, apiSecret) + + canPublish := true + canSubscribe := true + grant := &auth.VideoGrant{ + RoomJoin: true, + RoomCreate: false, + CanPublish: &canPublish, + CanSubscribe: &canSubscribe, + Room: room, + } + + at.SetVideoGrant(grant). + SetIdentity(identity). + SetValidFor(time.Hour) + + return at.ToJWT() +} + +var exchangeOpenIdUserInfo = func( + ctx context.Context, token OpenIDTokenType, skipVerifyTLS bool, +) (*fclient.UserInfo, error) { + if token.AccessToken == "" || token.MatrixServerName == "" { + return nil, errors.New("missing parameters in openid token") + } + + if skipVerifyTLS { + log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName) + // Disable TLS verification on the default HTTP Transport for the well-known lookup + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} + } + client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS)) + + // validate the openid token by getting the user's ID + userinfo, err := client.LookupUserInfo( + ctx, spec.ServerName(token.MatrixServerName), token.AccessToken, + ) + if err != nil { + log.Printf("Failed to look up user info: %v", err) + return nil, errors.New("failed to look up user info") + } + return &userinfo, nil +} + +func (h *Handler) isFullAccessUser(matrixServerName string) bool { + // Grant full access if wildcard '*' is present as the only entry + if len(h.fullAccessHomeservers) == 1 && h.fullAccessHomeservers[0] == "*" { + return true + } + + // Check if the matrixServerName is in the list of full-access homeservers + return slices.Contains(h.fullAccessHomeservers, matrixServerName) +} + +func (h *Handler) processLegacySFURequest(r *http.Request, req *LegacySFURequest) (*SFUResponse, error) { + // Note LegacySFURequest has already been validated at this point + + userInfo, err := exchangeOpenIdUserInfo(r.Context(), req.OpenIDToken, h.skipVerifyTLS) + if err != nil { + return nil, &MatrixErrorResponse{ + Status: http.StatusInternalServerError, + ErrCode: "M_LOOKUP_FAILED", + Err: "Failed to look up user info from homeserver", + } + } + + isFullAccessUser := h.isFullAccessUser(req.OpenIDToken.MatrixServerName) + + log.Printf( + "Got Matrix user info for %s (%s)", + userInfo.Sub, + map[bool]string{true: "full access", false: "restricted access"}[isFullAccessUser], + ) + + // TODO: is DeviceID required? If so then we should have validated at the start + lkIdentity := userInfo.Sub + ":" + req.DeviceID + + // We can hard-code the slotId since for the m.call application only the m.call#ROOM slot is defined. + // This ensures that the same LiveKit room alias being derived for the same Matrix room for both the + // LegacySFURequest (/sfu/get endpoint) and the SFURequest (/get_token endpoint). + // + // Note a mismatch between the legacy livekit_alias (which is the Matrix roomId) field in the MatrixRTC + // membership state event and the actual lkRoomAlias (as derived below and used on the SFU) which is + // part of the LiveKit JWT Token does in general NOT confuse clients as the JWT token is passed as is + // to the livekit-client SDK. + // + // This change ensures compatibility with clients using pseudonymous livekit_aliases. + slotId := "m.call#ROOM" + lkRoomAliasHash := sha256.Sum256([]byte(req.Room + "|" + slotId)) + lkRoomAlias := unpaddedBase64.EncodeToString(lkRoomAliasHash[:]) + token, err := getJoinToken(h.key, h.secret, lkRoomAlias, lkIdentity) + if err != nil { + return nil, &MatrixErrorResponse{ + Status: http.StatusInternalServerError, + ErrCode: "M_UNKNOWN", + Err: "Internal Server Error", + } + } + + if isFullAccessUser { + if err := createLiveKitRoom(r.Context(), h, lkRoomAlias, userInfo.Sub, lkIdentity); err != nil { + return nil, &MatrixErrorResponse{ + Status: http.StatusInternalServerError, + ErrCode: "M_UNKNOWN", + Err: "Unable to create room on SFU", + } + } + } + + return &SFUResponse{URL: h.lkUrl, JWT: token}, nil +} + +func (h *Handler) processSFURequest(r *http.Request, req *SFURequest) (*SFUResponse, error) { + // Note SFURequest has already been validated at this point + + userInfo, err := exchangeOpenIdUserInfo(r.Context(), req.OpenIDToken, h.skipVerifyTLS) + if err != nil { + return nil, &MatrixErrorResponse{ + Status: http.StatusUnauthorized, + ErrCode: "M_UNAUTHORIZED", + Err: "The request could not be authorised.", + } + } + + // Check if validated userInfo.Sub matches req.Member.ClaimedUserID + if req.Member.ClaimedUserID != userInfo.Sub { + log.Printf("Claimed user ID %s does not match token subject %s", req.Member.ClaimedUserID, userInfo.Sub) + return nil, &MatrixErrorResponse{ + Status: http.StatusUnauthorized, + ErrCode: "M_UNAUTHORIZED", + Err: "The request could not be authorised.", + } + } + + // Does the user belong to homeservers granted full access + isFullAccessUser := h.isFullAccessUser(req.OpenIDToken.MatrixServerName) + + log.Printf( + "Got Matrix user info for %s (%s)", + userInfo.Sub, + map[bool]string{true: "full access", false: "restricted access"}[isFullAccessUser], + ) + + lkIdentityRaw := userInfo.Sub + "|" + req.Member.ClaimedDeviceID + "|" + req.Member.ID + lkIdentityHash := sha256.Sum256([]byte(lkIdentityRaw)) + lkIdentity := unpaddedBase64.EncodeToString(lkIdentityHash[:]) + + lkRoomAliasHash := sha256.Sum256([]byte(req.RoomID + "|" + req.SlotID)) + lkRoomAlias := unpaddedBase64.EncodeToString(lkRoomAliasHash[:]) + + token, err := getJoinToken(h.key, h.secret, lkRoomAlias, lkIdentity) + if err != nil { + log.Printf("Error getting LiveKit token: %v", err) + return nil, &MatrixErrorResponse{ + Status: http.StatusInternalServerError, + ErrCode: "M_UNKNOWN", + Err: "Internal Server Error", + } + } + + if isFullAccessUser { + if err := createLiveKitRoom(r.Context(), h, lkRoomAlias, userInfo.Sub, lkIdentity); err != nil { + return nil, &MatrixErrorResponse{ + Status: http.StatusInternalServerError, + ErrCode: "M_UNKNOWN", + Err: "Unable to create room on SFU", + } + } + } + + return &SFUResponse{URL: h.lkUrl, JWT: token}, nil +} + +var createLiveKitRoom = func(ctx context.Context, h *Handler, room, matrixUser, lkIdentity string) error { + roomClient := lksdk.NewRoomServiceClient(h.lkUrl, h.key, h.secret) + creationStart := time.Now().Unix() + lkRoom, err := roomClient.CreateRoom( + ctx, + &livekit.CreateRoomRequest{ + Name: room, + EmptyTimeout: 5 * 60, // 5 Minutes to keep the room open if no one joins + DepartureTimeout: 20, // number of seconds to keep the room after everyone leaves + MaxParticipants: 0, // 0 == no limitation + }, + ) + + if err != nil { + return fmt.Errorf("unable to create room %s: %w", room, err) + } + + // Log the room creation time and the user info + isNewRoom := lkRoom.GetCreationTime() >= creationStart && lkRoom.GetCreationTime() <= time.Now().Unix() + log.Printf( + "%s LiveKit room sid: %s (alias: %s) for full-access Matrix user %s (LiveKit identity: %s)", + map[bool]string{true: "Created", false: "Using"}[isNewRoom], + lkRoom.Sid, room, matrixUser, lkIdentity, + ) + + return nil +} + +func (h *Handler) prepareMux() *http.ServeMux { + + mux := http.NewServeMux() + mux.HandleFunc("/sfu/get", h.handle_legacy) // TODO: This is deprecated and will be removed in future versions + mux.HandleFunc("/get_token", h.handle) + mux.HandleFunc("/healthz", h.healthcheck) + + return mux +} + +func (h *Handler) healthcheck(w http.ResponseWriter, r *http.Request) { + log.Printf("Health check from %s", r.RemoteAddr) + + if r.Method == "GET" { + w.WriteHeader(http.StatusOK) + return + } else { + w.WriteHeader(http.StatusMethodNotAllowed) + } +} + +// TODO: This is deprecated and will be removed in future versions +func mapSFURequest(data *[]byte) (any, error) { + requestTypes := []ValidatableSFURequest{&LegacySFURequest{}, &SFURequest{}} + for _, req := range requestTypes { + decoder := json.NewDecoder(strings.NewReader(string(*data))) + decoder.DisallowUnknownFields() + if err := decoder.Decode(req); err == nil { + if err := req.Validate(); err != nil { + return nil, err + } + return req, nil + } + } + + return nil, &MatrixErrorResponse{ + Status: http.StatusBadRequest, + ErrCode: "M_BAD_JSON", + Err: "The request body was malformed, missing required fields, or contained invalid values (e.g. missing `room_id`, `slot_id`, or `openid_token`).", + } +} + +// TODO: This is deprecated and will be removed in future versions +func (h *Handler) handle_legacy(w http.ResponseWriter, r *http.Request) { + log.Printf("Request from %s at \"%s\"", r.RemoteAddr, r.Header.Get("Origin")) + + w.Header().Set("Content-Type", "application/json") + + // Set the CORS headers + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Allow-Methods", "POST") + w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token") + + switch r.Method { + case "OPTIONS": + // Handle preflight request (CORS) + w.WriteHeader(http.StatusOK) + return + case "POST": + // Read request body once for later JSON parsing + body, err := io.ReadAll(r.Body) + if err != nil { + log.Printf("Error reading request body: %v", err) + writeMatrixError(w, http.StatusBadRequest, "M_NOT_JSON", "Error reading request") + return + } + + var sfuAccessResponse *SFUResponse + + sfuAccessRequest, err := mapSFURequest(&body) + if err != nil { + matrixErr := &MatrixErrorResponse{} + if errors.As(err, &matrixErr) { + log.Printf("Error processing request: %v", matrixErr.Err) + writeMatrixError(w, matrixErr.Status, matrixErr.ErrCode, matrixErr.Err) + return + } + } + + switch sfuReq := sfuAccessRequest.(type) { + case *SFURequest: + log.Printf("Processing SFU request") + sfuAccessResponse, err = h.processSFURequest(r, sfuReq) + case *LegacySFURequest: + log.Printf("Processing legacy SFU request") + sfuAccessResponse, err = h.processLegacySFURequest(r, sfuReq) + } + + if err != nil { + matrixErr := &MatrixErrorResponse{} + if errors.As(err, &matrixErr) { + log.Printf("Error processing request: %v", matrixErr.Err) + writeMatrixError(w, matrixErr.Status, matrixErr.ErrCode, matrixErr.Err) + return + } + } + + if err := json.NewEncoder(w).Encode(&sfuAccessResponse); err != nil { + log.Printf("failed to encode json response! %v", err) + } + default: + w.WriteHeader(http.StatusMethodNotAllowed) + } +} + +func (h *Handler) handle(w http.ResponseWriter, r *http.Request) { + log.Printf("Request from %s at \"%s\"", r.RemoteAddr, r.Header.Get("Origin")) + + w.Header().Set("Content-Type", "application/json") + + // Set the CORS headers + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Allow-Methods", "POST") + w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token") + + // Handle preflight request (CORS) + switch r.Method { + case "OPTIONS": + w.WriteHeader(http.StatusOK) + return + case "POST": + var sfuAccessRequest SFURequest + + decoder := json.NewDecoder(r.Body) + decoder.DisallowUnknownFields() + if err := decoder.Decode(&sfuAccessRequest); err == nil { + if err := sfuAccessRequest.Validate(); err != nil { + matrixErr := &MatrixErrorResponse{} + if errors.As(err, &matrixErr) { + log.Printf("Error processing request: %v", matrixErr.Err) + writeMatrixError(w, matrixErr.Status, matrixErr.ErrCode, matrixErr.Err) + return + } + } + } else { + log.Printf("Error reading request body: %v", err) + writeMatrixError(w, http.StatusBadRequest, "M_NOT_JSON", "Error reading request") + return + } + + log.Printf("Processing SFU request") + sfuAccessResponse, err := h.processSFURequest(r, &sfuAccessRequest) + + if err != nil { + matrixErr := &MatrixErrorResponse{} + if errors.As(err, &matrixErr) { + log.Printf("Error processing request: %v", matrixErr.Err) + writeMatrixError(w, matrixErr.Status, matrixErr.ErrCode, matrixErr.Err) + return + } + } + + if err := json.NewEncoder(w).Encode(&sfuAccessResponse); err != nil { + log.Printf("failed to encode json response! %v", err) + } + + default: + w.WriteHeader(http.StatusMethodNotAllowed) + } +} + +func readKeySecret() (string, string) { + // We initialize keys & secrets from environment variables + key := os.Getenv("LIVEKIT_KEY") + secret := os.Getenv("LIVEKIT_SECRET") + // We initialize potential key & secret path from environment variables + keyPath := os.Getenv("LIVEKIT_KEY_FROM_FILE") + secretPath := os.Getenv("LIVEKIT_SECRET_FROM_FILE") + keySecretPath := os.Getenv("LIVEKIT_KEY_FILE") + + // If keySecretPath is set we read the file and split it into two parts + // It takes over any other initialization + if keySecretPath != "" { + if keySecretBytes, err := os.ReadFile(keySecretPath); err != nil { + log.Fatal(err) + } else { + keySecrets := strings.Split(string(keySecretBytes), ":") + if len(keySecrets) != 2 { + log.Fatalf("invalid key secret file format!") + } + log.Printf("Using LiveKit API key and API secret from LIVEKIT_KEY_FILE") + key = keySecrets[0] + secret = keySecrets[1] + } + } else { + // If keySecretPath is not set, we try to read the key and secret from files + // If those files are not set, we return the key & secret from the environment variables + if keyPath != "" { + if keyBytes, err := os.ReadFile(keyPath); err != nil { + log.Fatal(err) + } else { + log.Printf("Using LiveKit API key from LIVEKIT_KEY_FROM_FILE") + key = string(keyBytes) + } + } + + if secretPath != "" { + if secretBytes, err := os.ReadFile(secretPath); err != nil { + log.Fatal(err) + } else { + log.Printf("Using LiveKit API secret from LIVEKIT_SECRET_FROM_FILE") + secret = string(secretBytes) + } + } + + } + + // remove white spaces, new lines and carriage returns + // from key and secret + return strings.Trim(key, " \r\n"), strings.Trim(secret, " \r\n") +} + +func parseConfig() (*Config, error) { + skipVerifyTLS := os.Getenv("LIVEKIT_INSECURE_SKIP_VERIFY_TLS") == "YES_I_KNOW_WHAT_I_AM_DOING" + if skipVerifyTLS { + log.Printf("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") + log.Printf("!!! WARNING !!! LIVEKIT_INSECURE_SKIP_VERIFY_TLS !!! WARNING !!!") + log.Printf("!!! WARNING !!! Allow to skip invalid TLS certificates !!! WARNING !!!") + log.Printf("!!! WARNING !!! Use only for testing or debugging !!! WARNING !!!") + log.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") + } + + key, secret := readKeySecret() + lkUrl := os.Getenv("LIVEKIT_URL") + + if key == "" || secret == "" || lkUrl == "" { + return nil, fmt.Errorf("LIVEKIT_KEY[_FILE], LIVEKIT_SECRET[_FILE] and LIVEKIT_URL environment variables must be set") + } + + fullAccessHomeservers := os.Getenv("LIVEKIT_FULL_ACCESS_HOMESERVERS") + + if len(fullAccessHomeservers) == 0 { + localHomeservers := os.Getenv("LIVEKIT_LOCAL_HOMESERVERS") + if len(localHomeservers) > 0 { + log.Printf("!!! LIVEKIT_LOCAL_HOMESERVERS is deprecated, please use LIVEKIT_FULL_ACCESS_HOMESERVERS instead !!!") + fullAccessHomeservers = localHomeservers + } else { + log.Printf("LIVEKIT_FULL_ACCESS_HOMESERVERS not set, defaulting to wildcard (*) for full access") + fullAccessHomeservers = "*" + } + } + + lkJwtBind := os.Getenv("LIVEKIT_JWT_BIND") + lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") + + if lkJwtBind == "" { + if lkJwtPort == "" { + lkJwtPort = "8080" + } else { + log.Printf("!!! LIVEKIT_JWT_PORT is deprecated, please use LIVEKIT_JWT_BIND instead !!!") + } + lkJwtBind = fmt.Sprintf(":%s", lkJwtPort) + } else if lkJwtPort != "" { + return nil, fmt.Errorf("LIVEKIT_JWT_BIND and LIVEKIT_JWT_PORT environment variables MUST NOT be set together") + } + + return &Config{ + Key: key, + Secret: secret, + LkUrl: lkUrl, + SkipVerifyTLS: skipVerifyTLS, + FullAccessHomeservers: strings.Fields(strings.ReplaceAll(fullAccessHomeservers, ",", " ")), + LkJwtBind: lkJwtBind, + }, nil +} + +func main() { + config, err := parseConfig() + if err != nil { + log.Fatal(err) + } + + log.Printf("LIVEKIT_URL: %s, LIVEKIT_JWT_BIND: %s", config.LkUrl, config.LkJwtBind) + log.Printf("LIVEKIT_FULL_ACCESS_HOMESERVERS: %v", config.FullAccessHomeservers) + + handler := &Handler{ + key: config.Key, + secret: config.Secret, + lkUrl: config.LkUrl, + skipVerifyTLS: config.SkipVerifyTLS, + fullAccessHomeservers: config.FullAccessHomeservers, + } + + log.Fatal(http.ListenAndServe(config.LkJwtBind, handler.prepareMux())) +} diff --git a/lk-jwt-service/main_test.go b/lk-jwt-service/main_test.go new file mode 100644 index 0000000..993647c --- /dev/null +++ b/lk-jwt-service/main_test.go @@ -0,0 +1,1083 @@ +// Copyright 2025 Element Creations Ltd. +// Copyright 2025 New Vector Ltd. +// +// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial +// Please see LICENSE files in the repository root for full details. + +package main + +import ( + "bytes" + "context" + "crypto/sha256" + "encoding/json" + "errors" + "fmt" + "net/http" + "net/http/httptest" + "net/url" + "os" + "reflect" + "runtime" + "strings" + "testing" + + "github.com/golang-jwt/jwt/v5" + "github.com/matrix-org/gomatrix" + "github.com/matrix-org/gomatrixserverlib/fclient" +) + +func TestHealthcheck(t *testing.T) { + handler := &Handler{} + req, err := http.NewRequest("GET", "/healthz", nil) + if err != nil { + t.Fatal(err) + } + + rr := httptest.NewRecorder() + handler.prepareMux().ServeHTTP(rr, req) + + if status := rr.Code; status != http.StatusOK { + t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusOK) + } +} + +func TestHandleOptions(t *testing.T) { + handler := &Handler{} + req, err := http.NewRequest("OPTIONS", "/sfu/get", nil) + if err != nil { + t.Fatal(err) + } + + rr := httptest.NewRecorder() + handler.prepareMux().ServeHTTP(rr, req) + + if status := rr.Code; status != http.StatusOK { + t.Errorf("handler returned wrong status code for OPTIONS: got %v want %v", status, http.StatusOK) + } + + if accessControlAllowOrigin := rr.Header().Get("Access-Control-Allow-Origin"); accessControlAllowOrigin != "*" { + t.Errorf("handler returned wrong Access-Control-Allow-Origin: got %v want %v", accessControlAllowOrigin, "*") + } + + if accessControlAllowMethods := rr.Header().Get("Access-Control-Allow-Methods"); accessControlAllowMethods != "POST" { + t.Errorf("handler returned wrong Access-Control-Allow-Methods: got %v want %v", accessControlAllowMethods, "POST") + } +} + +func TestHandlePostMissingParams(t *testing.T) { + handler := &Handler{} + + testCases := []map[string]interface{}{ + {}, + { + "room": "", + }, + } + + for _, testCase := range testCases { + jsonBody, _ := json.Marshal(testCase) + + req, err := http.NewRequest("POST", "/sfu/get", bytes.NewBuffer(jsonBody)) + if err != nil { + t.Fatal(err) + } + + rr := httptest.NewRecorder() + handler.prepareMux().ServeHTTP(rr, req) + + if status := rr.Code; status != http.StatusBadRequest { + t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusBadRequest) + } + + var resp gomatrix.RespError + err = json.NewDecoder(rr.Body).Decode(&resp) + if err != nil { + t.Errorf("failed to decode response body %v", err) + } + + if resp.ErrCode != "M_BAD_JSON" { + t.Errorf("unexpected error code: got %v want %v", resp.ErrCode, "M_BAD_JSON") + } + } +} + +func TestHandlePost(t *testing.T) { + handler := &Handler{ + secret: "testSecret", + key: "testKey", + lkUrl: "wss://lk.local:8080/foo", + fullAccessHomeservers: []string{"example.com"}, + skipVerifyTLS: true, + } + + var matrixServerName = "" + + testServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t.Log("Received request") + // Inspect the request + if r.URL.Path != "/_matrix/federation/v1/openid/userinfo" { + t.Errorf("unexpected request path: got %v want %v", r.URL.Path, "/_matrix/federation/v1/openid/userinfo") + } + + if accessToken := r.URL.Query().Get("access_token"); accessToken != "testAccessToken" { + t.Errorf("unexpected access token: got %v want %v", accessToken, "testAccessToken") + } + + // Mock response + w.WriteHeader(http.StatusOK) + w.Header().Set("Content-Type", "application/json") + _, err := fmt.Fprintf(w, `{"sub": "@user:%s"}`, matrixServerName) + if err != nil { + t.Fatalf("failed to write response: %v", err) + } + })) + defer testServer.Close() + + u, _ := url.Parse(testServer.URL) + + matrixServerName = u.Host + + testCase := map[string]interface{}{ + "room_id": "!testRoom:example.com", + "slot_id": "m.call#ROOM", + "openid_token": map[string]interface{}{ + "access_token": "testAccessToken", + "token_type": "testTokenType", + "matrix_server_name": u.Host, + "expires_in": 3600, + }, + "member": map[string]interface{}{ + "id": "member_test_id", + "claimed_user_id": "@user:" + matrixServerName, + "claimed_device_id": "testDevice", + }, + } + + jsonBody, _ := json.Marshal(testCase) + + req, err := http.NewRequest("POST", "/get_token", bytes.NewBuffer(jsonBody)) + if err != nil { + t.Fatal(err) + } + + rr := httptest.NewRecorder() + handler.prepareMux().ServeHTTP(rr, req) + + if status := rr.Code; status != http.StatusOK { + t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusOK) + } + + if contentType := rr.Header().Get("Content-Type"); contentType != "application/json" { + t.Errorf("handler returned wrong Content-Type: got %v want %v", contentType, "application/json") + } + + var resp SFUResponse + err = json.NewDecoder(rr.Body).Decode(&resp) + if err != nil { + t.Errorf("failed to decode response body %v", err) + } + + if resp.URL != "wss://lk.local:8080/foo" { + t.Errorf("unexpected URL: got %v want %v", resp.URL, "wss://lk.local:8080/foo") + } + + if resp.JWT == "" { + t.Error("expected JWT to be non-empty") + } + + // parse JWT checking the shared secret + token, err := jwt.Parse(resp.JWT, func(token *jwt.Token) (interface{}, error) { + return []byte(handler.secret), nil + }) + + if err != nil { + t.Fatalf("failed to parse JWT: %v", err) + } + + claims, ok := token.Claims.(jwt.MapClaims) + + if !ok || !token.Valid { + t.Fatalf("failed to parse claims from JWT: %v", err) + } + + want_sub_hash := sha256.Sum256([]byte("@user:"+ matrixServerName + "|testDevice|member_test_id")) + want_sub := unpaddedBase64.EncodeToString(want_sub_hash[:]) + if claims["sub"] != want_sub { + t.Errorf("unexpected sub: got %v want %v", claims["sub"], "member_test_id") + } + + // should have permission for the room + want_room_hash := sha256.Sum256([]byte("!testRoom:example.com" + "|" + "m.call#ROOM")) + want_room := unpaddedBase64.EncodeToString(want_room_hash[:]) + if claims["video"].(map[string]interface{})["room"] != want_room { + t.Errorf("unexpected room: got %v want %v", claims["video"].(map[string]interface{})["room"], want_room) + } +} + +func TestLegacyHandlePost(t *testing.T) { + handler := &Handler{ + secret: "testSecret", + key: "testKey", + lkUrl: "wss://lk.local:8080/foo", + fullAccessHomeservers: []string{"example.com"}, + skipVerifyTLS: true, + } + + var matrixServerName = "" + + testServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t.Log("Received request") + // Inspect the request + if r.URL.Path != "/_matrix/federation/v1/openid/userinfo" { + t.Errorf("unexpected request path: got %v want %v", r.URL.Path, "/_matrix/federation/v1/openid/userinfo") + } + + if accessToken := r.URL.Query().Get("access_token"); accessToken != "testAccessToken" { + t.Errorf("unexpected access token: got %v want %v", accessToken, "testAccessToken") + } + + // Mock response + w.WriteHeader(http.StatusOK) + w.Header().Set("Content-Type", "application/json") + _, err := fmt.Fprintf(w, `{"sub": "@user:%s"}`, matrixServerName) + if err != nil { + t.Fatalf("failed to write response: %v", err) + } + })) + defer testServer.Close() + + u, _ := url.Parse(testServer.URL) + + matrixServerName = u.Host + matrixRoom := "testRoom" + + testCase := map[string]interface{}{ + "room": matrixRoom, + "openid_token": map[string]interface{}{ + "access_token": "testAccessToken", + "token_type": "testTokenType", + "matrix_server_name": u.Host, + "expires_in": 3600, + }, + "device_id": "testDevice", + } + + jsonBody, _ := json.Marshal(testCase) + + req, err := http.NewRequest("POST", "/sfu/get", bytes.NewBuffer(jsonBody)) + if err != nil { + t.Fatal(err) + } + + rr := httptest.NewRecorder() + handler.prepareMux().ServeHTTP(rr, req) + + if status := rr.Code; status != http.StatusOK { + t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusOK) + } + + if contentType := rr.Header().Get("Content-Type"); contentType != "application/json" { + t.Errorf("handler returned wrong Content-Type: got %v want %v", contentType, "application/json") + } + + var resp SFUResponse + err = json.NewDecoder(rr.Body).Decode(&resp) + if err != nil { + t.Errorf("failed to decode response body %v", err) + } + + if resp.URL != "wss://lk.local:8080/foo" { + t.Errorf("unexpected URL: got %v want %v", resp.URL, "wss://lk.local:8080/foo") + } + + if resp.JWT == "" { + t.Error("expected JWT to be non-empty") + } + + // parse JWT checking the shared secret + token, err := jwt.Parse(resp.JWT, func(token *jwt.Token) (interface{}, error) { + return []byte(handler.secret), nil + }) + + if err != nil { + t.Fatalf("failed to parse JWT: %v", err) + } + + claims, ok := token.Claims.(jwt.MapClaims) + + if !ok || !token.Valid { + t.Fatalf("failed to parse claims from JWT: %v", err) + } + + if claims["sub"] != "@user:"+matrixServerName+":testDevice" { + t.Errorf("unexpected sub: got %v want %v", claims["sub"], "@user:"+matrixServerName+":testDevice") + } + + slotId := "m.call#ROOM" + lkRoomAliasHash := sha256.Sum256([]byte(matrixRoom + "|" + slotId)) + lkRoomAlias := unpaddedBase64.EncodeToString(lkRoomAliasHash[:]) + + // should have permission for the room + if claims["video"].(map[string]interface{})["room"] != lkRoomAlias { + t.Errorf("unexpected room: got %v want %v", claims["room"], lkRoomAlias) + } +} + +func TestIsFullAccessUser(t *testing.T) { + handler := &Handler{ + secret: "testSecret", + key: "testKey", + lkUrl: "wss://lk.local:8080/foo", + fullAccessHomeservers: []string{"example.com", "another.example.com"}, + skipVerifyTLS: true, + } + + // Test cases for full access users + if handler.isFullAccessUser("example.com") { + t.Log("User has full access") + } else { + t.Error("User has restricted access") + } + + if handler.isFullAccessUser("another.example.com") { + t.Log("User has full access") + } else { + t.Error("User has restricted access") + } + + // Test cases for restricted access users + if handler.isFullAccessUser("aanother.example.com") { + t.Error("User has full access") + } else { + t.Log("User has restricted access") + } + + if handler.isFullAccessUser("matrix.example.com") { + t.Error("User has full access") + } else { + t.Log("User has restricted access") + } + + // test wildcard access + handler.fullAccessHomeservers = []string{"*"} + if handler.isFullAccessUser("other.com") { + t.Log("User has full access") + } else { + t.Error("User has restricted access") + } +} + +func TestGetJoinToken(t *testing.T) { + apiKey := "testKey" + apiSecret := "testSecret" + room := "testRoom" + identity := "testIdentity@example.com" + + tokenString, err := getJoinToken(apiKey, apiSecret, room, identity) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + + if tokenString == "" { + t.Error("expected token to be non-empty") + } + + // parse JWT checking the shared secret + token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { + return []byte(apiSecret), nil + }) + claims, ok := token.Claims.(jwt.MapClaims) + + if !ok || !token.Valid { + t.Fatalf("failed to parse claims from JWT: %v", err) + } + + claimRoomCreate := claims["video"].(map[string]interface{})["roomCreate"] + if claimRoomCreate == nil { + claimRoomCreate = false + } + + if claimRoomCreate == true { + t.Fatalf("roomCreate property needs to be false, since the lk-jwt-service creates the room") + } +} + +func TestReadKeySecret(t *testing.T) { + testCases := []struct { + name string + env map[string]string + expectedKey string + expectedSecret string + err bool + }{ + { + name: "Read from env", + env: map[string]string{ + "LIVEKIT_KEY": "from_env_pheethiewixohp9eecheeGhuayeeph4l", + "LIVEKIT_SECRET": "from_env_ahb8eiwae0viey7gee4ieNgahgeeQuie", + }, + expectedKey: "from_env_pheethiewixohp9eecheeGhuayeeph4l", + expectedSecret: "from_env_ahb8eiwae0viey7gee4ieNgahgeeQuie", + err: false, + }, + { + name: "Read from livekit keysecret", + env: map[string]string{ + "LIVEKIT_KEY_FILE": "./tests/keysecret.yaml", + }, + expectedKey: "keysecret_iethuB2LeLiNuishiaKeephei9jaatio", + expectedSecret: "keysecret_xefaingo4oos6ohla9phiMieBu3ohJi2", + }, + { + name: "Read from file", + env: map[string]string{ + "LIVEKIT_KEY_FROM_FILE": "./tests/key", + "LIVEKIT_SECRET_FROM_FILE": "./tests/secret", + }, + expectedKey: "from_file_oquusheiheiw4Iegah8te3Vienguus5a", + expectedSecret: "from_file_vohmahH3eeyieghohSh3kee8feuPhaim", + }, + { + name: "Read from file key only", + env: map[string]string{ + "LIVEKIT_KEY_FROM_FILE": "./tests/key", + "LIVEKIT_SECRET": "from_env_ahb8eiwae0viey7gee4ieNgahgeeQuie", + }, + expectedKey: "from_file_oquusheiheiw4Iegah8te3Vienguus5a", + expectedSecret: "from_env_ahb8eiwae0viey7gee4ieNgahgeeQuie", + }, + { + name: "Read from file secret only", + env: map[string]string{ + "LIVEKIT_SECRET_FROM_FILE": "./tests/secret", + "LIVEKIT_KEY": "from_env_qui8aiTopiekiechah9oocbeimeew2O", + }, + expectedKey: "from_env_qui8aiTopiekiechah9oocbeimeew2O", + expectedSecret: "from_file_vohmahH3eeyieghohSh3kee8feuPhaim", + }, + { + name: "Empty if secret no env", + env: map[string]string{}, + expectedKey: "", + expectedSecret: "", + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + for k, v := range tc.env { + if err := os.Setenv(k, v); err != nil { + t.Errorf("Failed to set environment variable %s: %v", k, err) + } + } + + key, secret := readKeySecret() + if secret != tc.expectedSecret || key != tc.expectedKey { + t.Errorf("Expected secret and key to be %s and %s but got %s and %s", + tc.expectedSecret, + tc.expectedKey, + secret, + key) + } + for k := range tc.env { + if err := os.Unsetenv(k); err != nil { + t.Errorf("Failed to unset environment variable %s: %v", k, err) + } + } + }) + } +} + +func TestParseConfig(t *testing.T) { + testCases := []struct { + name string + env map[string]string + wantConfig *Config + wantErrMsg string + }{ + { + name: "Minimal valid config", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + "LIVEKIT_SECRET": "test_secret", + "LIVEKIT_URL": "wss://test.livekit.cloud", + }, + wantConfig: &Config{ + Key: "test_key", + Secret: "test_secret", + LkUrl: "wss://test.livekit.cloud", + SkipVerifyTLS: false, + FullAccessHomeservers: []string{"*"}, + LkJwtBind: ":8080", + }, + }, + { + name: "Full config with all options", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + "LIVEKIT_SECRET": "test_secret", + "LIVEKIT_URL": "wss://test.livekit.cloud", + "LIVEKIT_FULL_ACCESS_HOMESERVERS": "example.com, test.com", + "LIVEKIT_JWT_BIND": ":9090", + "LIVEKIT_INSECURE_SKIP_VERIFY_TLS": "YES_I_KNOW_WHAT_I_AM_DOING", + }, + wantConfig: &Config{ + Key: "test_key", + Secret: "test_secret", + LkUrl: "wss://test.livekit.cloud", + SkipVerifyTLS: true, + FullAccessHomeservers: []string{"example.com", "test.com"}, + LkJwtBind: ":9090", + }, + }, + { + name: "Legacy port configuration", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + "LIVEKIT_SECRET": "test_secret", + "LIVEKIT_URL": "wss://test.livekit.cloud", + "LIVEKIT_JWT_PORT": "9090", + }, + wantConfig: &Config{ + Key: "test_key", + Secret: "test_secret", + LkUrl: "wss://test.livekit.cloud", + SkipVerifyTLS: false, + FullAccessHomeservers: []string{"*"}, + LkJwtBind: ":9090", + }, + }, + { + name: "Legacy full-access homeservers configuration", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + "LIVEKIT_SECRET": "test_secret", + "LIVEKIT_URL": "wss://test.livekit.cloud", + "LIVEKIT_LOCAL_HOMESERVERS": "legacy.com", + }, + wantConfig: &Config{ + Key: "test_key", + Secret: "test_secret", + LkUrl: "wss://test.livekit.cloud", + SkipVerifyTLS: false, + FullAccessHomeservers: []string{"legacy.com"}, + LkJwtBind: ":8080", + }, + }, + { + name: "Missing required config", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + }, + wantErrMsg: "LIVEKIT_KEY[_FILE], LIVEKIT_SECRET[_FILE] and LIVEKIT_URL environment variables must be set", + }, + { + name: "Conflicting bind configuration", + env: map[string]string{ + "LIVEKIT_KEY": "test_key", + "LIVEKIT_SECRET": "test_secret", + "LIVEKIT_URL": "wss://test.livekit.cloud", + "LIVEKIT_JWT_BIND": ":9090", + "LIVEKIT_JWT_PORT": "8080", + }, + wantErrMsg: "LIVEKIT_JWT_BIND and LIVEKIT_JWT_PORT environment variables MUST NOT be set together", + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + // Setup: set env variables + for k, v := range tc.env { + if err := os.Setenv(k, v); err != nil { + t.Fatalf("Failed to set environment variable %s: %v", k, err) + } + } + defer func() { + // Cleanup: reset env variables after test + for k := range tc.env { + if err := os.Unsetenv(k); err != nil { + t.Errorf("Failed to unset environment variable %s: %v", k, err) + } + } + }() + + // parse config from env variables + got, err := parseConfig() + + // Given error(s), check potential error messages + if tc.wantErrMsg != "" { + if err == nil { + t.Errorf("parseConfig() error = nil, wantErr %q", tc.wantErrMsg) + return + } + if err.Error() != tc.wantErrMsg { + t.Errorf("parseConfig() error = %q, wantErr %q", err.Error(), tc.wantErrMsg) + } + return + } + + // Given no error, check for unexpected error messages + if err != nil { + t.Errorf("parseConfig() unexpected error: %v", err) + return + } + + // Compare parsed (got) config with wanted config + if got.Key != tc.wantConfig.Key { + t.Errorf("Key = %q, want %q", got.Key, tc.wantConfig.Key) + } + if got.Secret != tc.wantConfig.Secret { + t.Errorf("Secret = %q, want %q", got.Secret, tc.wantConfig.Secret) + } + if got.LkUrl != tc.wantConfig.LkUrl { + t.Errorf("LkUrl = %q, want %q", got.LkUrl, tc.wantConfig.LkUrl) + } + if got.SkipVerifyTLS != tc.wantConfig.SkipVerifyTLS { + t.Errorf("SkipVerifyTLS = %v, want %v", got.SkipVerifyTLS, tc.wantConfig.SkipVerifyTLS) + } + if !reflect.DeepEqual(got.FullAccessHomeservers, tc.wantConfig.FullAccessHomeservers) { + t.Errorf("FullAccessHomeservers = %v, want %v", got.FullAccessHomeservers, tc.wantConfig.FullAccessHomeservers) + } + if got.LkJwtBind != tc.wantConfig.LkJwtBind { + t.Errorf("JwtBind = %q, want %q", got.LkJwtBind, tc.wantConfig.LkJwtBind) + } + }) + } +} + +func TestMapSFURequest(t *testing.T) { + testCases := []struct { + name string + input string + want any + wantErrCode string + }{ + { + name: "Valid legacy request", + input: `{ + "room": "testRoom", + "openid_token": { + "access_token": "test_token", + "token_type": "Bearer", + "matrix_server_name": "example.com", + "expires_in": 3600 + }, + "device_id": "testDevice" + }`, + want: &LegacySFURequest{ + Room: "testRoom", + OpenIDToken: OpenIDTokenType{ + AccessToken: "test_token", + TokenType: "Bearer", + MatrixServerName: "example.com", + ExpiresIn: 3600, + }, + DeviceID: "testDevice", + }, + }, + { + name: "Valid Matrix2 request", + input: `{ + "room_id": "!testRoom:example.com", + "slot_id": "123", + "openid_token": { + "access_token": "test_token", + "token_type": "Bearer", + "matrix_server_name": "example.com", + "expires_in": 3600 + }, + "member": { + "id": "test_id", + "claimed_user_id": "@test:example.com", + "claimed_device_id": "testDevice" + } + }`, + want: &SFURequest{ + RoomID: "!testRoom:example.com", + SlotID: "123", + OpenIDToken: OpenIDTokenType{ + AccessToken: "test_token", + TokenType: "Bearer", + MatrixServerName: "example.com", + ExpiresIn: 3600, + }, + Member: MatrixRTCMemberType{ + ID: "test_id", + ClaimedUserID: "@test:example.com", + ClaimedDeviceID: "testDevice", + }, + }, + }, + { + name: "Invalid JSON", + input: `{"invalid": json}`, + want: nil, + wantErrCode: "M_BAD_JSON", + }, + { + name: "Empty request", + input: `{}`, + want: nil, + wantErrCode: "M_BAD_JSON", + }, + { + name: "Invalid legacy request with extra field", + input: `{ + "room": "testRoom", + "openid_token": { + "access_token": "test_token", + "token_type": "Bearer", + "matrix_server_name": "example.com", + "expires_in": 3600 + }, + "device_id": "testDevice", + "extra_field": "should_fail" + }`, + want: nil, + wantErrCode: "M_BAD_JSON", + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + // Convert string to []byte for input + input := []byte(tc.input) + + // Call mapSFURequest + got, err := mapSFURequest(&input) + + // Check error cases + if tc.wantErrCode != "" { + matrixErr := &MatrixErrorResponse{} + if !errors.As(err, &matrixErr) { + t.Errorf("mapSFURequest() error = %v, want MatrixErrorResponse", err) + return + } + if matrixErr.ErrCode != tc.wantErrCode { + t.Errorf("mapSFURequest() error code = %v, want %v", matrixErr.ErrCode, tc.wantErrCode) + } + return + } + + // Check success cases + if err != nil { + t.Errorf("mapSFURequest() unexpected error: %v", err) + return + } + + // Type-specific comparisons + switch expected := tc.want.(type) { + case *LegacySFURequest: + actual, ok := got.(*LegacySFURequest) + if !ok { + t.Errorf("mapSFURequest() returned wrong type, got %T, want *LegacySFURequest", got) + return + } + if !reflect.DeepEqual(actual, expected) { + t.Errorf("mapSFURequest() = %+v, want %+v", actual, expected) + } + case *SFURequest: + actual, ok := got.(*SFURequest) + if !ok { + t.Errorf("mapSFURequest() returned wrong type, got %T, want *SFURequest", got) + return + } + if !reflect.DeepEqual(actual, expected) { + t.Errorf("mapSFURequest() = %+v, want %+v", actual, expected) + } + } + }) + } +} + +func TestMapSFURequestMemoryLeak(t *testing.T) { + const iterations = 100000 + + input := []byte(`{ + "room_id": "!testRoom:example.com", + "slot_id": "123", + "openid_token": { + "access_token": "test_token", + "token_type": "Bearer", + "matrix_server_name": "example.com", + "expires_in": 3600 + }, + "member": { + "id": "test_id", + "claimed_user_id": "@test:example.com", + "claimed_device_id": "testDevice" + } + }`) + + // Force a garbage collection to start from a clean slate. + var mStart, mEnd runtime.MemStats + runtime.GC() + runtime.ReadMemStats(&mStart) + + for i := 0; i < iterations; i++ { + _, err := mapSFURequest(&input) + if err != nil { + t.Fatalf("unexpected error in mapSFURequest iteration %d: %v", i, err) + } + } + + // Force another GC to clear unreferenced memory + runtime.GC() + runtime.ReadMemStats(&mEnd) + + t.Logf("Start Alloc: %d bytes, End Alloc: %d bytes", mStart.Alloc, mEnd.Alloc) + + // Check that allocated heap hasn’t grown unboundedly + if mEnd.Alloc > mStart.Alloc { + allocDiff := mEnd.Alloc - mStart.Alloc + t.Logf("Heap allocation growth after %d iterations: %d bytes", iterations, allocDiff) + + // Heuristic threshold: less than 100KB growth across 100k iterations is fine + const leakThreshold uint64 = 100 * 1024 // 100KB + if allocDiff > leakThreshold { + t.Errorf("Potential memory leak: heap grew by %d bytes (> %d)", allocDiff, leakThreshold) + } + } +} + +func TestProcessSFURequest(t *testing.T) { + // mock createLiveKitRoom + var called_createLiveKitRoom bool + original_createLiveKitRoom := createLiveKitRoom + createLiveKitRoom = func(ctx context.Context, h *Handler, room, matrixUser, lkIdentity string) error { + called_createLiveKitRoom = true + if room == "" { + t.Error("expected room name passed into mock") + } + return nil + } + t.Cleanup(func() { createLiveKitRoom = original_createLiveKitRoom }) + + // mock OpenID lookup + var failed_exchangeOpenIdUserInfo bool + var exchangeOpenIdUserInfo_MatrixID string + original_exchangeOpenIdUserInfo := exchangeOpenIdUserInfo + exchangeOpenIdUserInfo = func(ctx context.Context, token OpenIDTokenType, skip bool) (*fclient.UserInfo, error) { + if failed_exchangeOpenIdUserInfo { + return nil, &MatrixErrorResponse{ + Status: http.StatusUnauthorized, + ErrCode: "M_UNAUTHORIZED", + Err: "The request could not be authorised.", + } + } + return &fclient.UserInfo{Sub: exchangeOpenIdUserInfo_MatrixID}, nil + } + t.Cleanup(func() { exchangeOpenIdUserInfo = original_exchangeOpenIdUserInfo }) + + type testCase struct { + name string + MatrixID string + ClaimedMatrixID string + getJoinTokenErr error + expectJoinTokenError bool + expectExchangeOpendIdError bool + expectCreateRoomCall bool + expectError bool + exchangeErr error + } + + tests := []testCase{ + { + name: "Full access user + all OK", + MatrixID: "@user:example.com", + ClaimedMatrixID: "@user:example.com", + expectCreateRoomCall: true, + expectError: false, + }, + { + name: "Restricted user + all OK", + MatrixID: "@user:otherdomain.com", + ClaimedMatrixID: "@user:otherdomain.com", + expectCreateRoomCall: false, + expectError: false, + }, + { + name: "Full access user but exchangeOpenIdUserInfo fails", + MatrixID: "@user:example.com", + ClaimedMatrixID: "@user:example.com", + expectExchangeOpendIdError: true, + exchangeErr: &MatrixErrorResponse{}, + expectCreateRoomCall: false, + expectError: true, + }, + { + name: "Full access user but getJoinToken fails", + MatrixID: "@user:example.com", + ClaimedMatrixID: "@user:example.com", + expectJoinTokenError: true, + getJoinTokenErr: &MatrixErrorResponse{}, + expectCreateRoomCall: false, + expectError: true, + }, + { + name: "Full access user but claimed_matrix_id fails", + MatrixID: "@user:example.com", + ClaimedMatrixID: "@user:faked.com", + expectJoinTokenError: false, + getJoinTokenErr: &MatrixErrorResponse{}, + expectCreateRoomCall: false, + expectError: true, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + // --- mock createLiveKitRoom --- + called_createLiveKitRoom = false + failed_exchangeOpenIdUserInfo = tc.expectExchangeOpendIdError + exchangeOpenIdUserInfo_MatrixID = tc.MatrixID + + handler := &Handler{ + key: map[bool]string{true: "", false: "the_api_key"}[tc.expectJoinTokenError], + secret: "secret", + lkUrl: "wss://lk.local:8080/foo", + fullAccessHomeservers: []string{"example.com"}, + } + + req := &SFURequest{ + RoomID: "!room:example.com", + SlotID: "slot", + OpenIDToken: OpenIDTokenType{ + AccessToken: "token", + MatrixServerName: strings.Split(tc.ClaimedMatrixID, ":")[1], + }, + Member: MatrixRTCMemberType{ + ID: "device", + ClaimedUserID: tc.ClaimedMatrixID, + ClaimedDeviceID: "dev", + }, + } + + _, err := handler.processSFURequest(&http.Request{}, req) + if tc.expectError && err == nil { + t.Fatalf("expected error but got nil") + } + if !tc.expectError && err != nil { + t.Fatalf("unexpected error: %v", err) + } + + if called_createLiveKitRoom != tc.expectCreateRoomCall { + t.Errorf("expected createLiveKitRoom called=%v, got %v", tc.expectCreateRoomCall, called_createLiveKitRoom) + } + + }) + } + + +} + +func TestProcessLegacySFURequest(t *testing.T) { + // mock createLiveKitRoom + var called_createLiveKitRoom bool + original_createLiveKitRoom := createLiveKitRoom + createLiveKitRoom = func(ctx context.Context, h *Handler, room, matrixUser, lkIdentity string) error { + called_createLiveKitRoom = true + if room == "" { + t.Error("expected room name passed into mock") + } + return nil + } + t.Cleanup(func() { createLiveKitRoom = original_createLiveKitRoom }) + + // mock OpenID lookup + var failed_exchangeOpenIdUserInfo bool + original_exchangeOpenIdUserInfo := exchangeOpenIdUserInfo + exchangeOpenIdUserInfo = func(ctx context.Context, token OpenIDTokenType, skip bool) (*fclient.UserInfo, error) { + if failed_exchangeOpenIdUserInfo { + return nil, &MatrixErrorResponse{ + Status: http.StatusUnauthorized, + ErrCode: "M_UNAUTHORIZED", + Err: "The request could not be authorised.", + } + } + return &fclient.UserInfo{Sub: "@mock:example.com"}, nil + } + t.Cleanup(func() { exchangeOpenIdUserInfo = original_exchangeOpenIdUserInfo }) + + type testCase struct { + name string + MatrixID string + getJoinTokenErr error + expectJoinTokenError bool + expectExchangeOpendIdError bool + expectCreateRoomCall bool + expectError bool + exchangeErr error + } + + tests := []testCase{ + { + name: "Full access user + all OK", + MatrixID: "@user:example.com", + expectCreateRoomCall: true, + expectError: false, + }, + { + name: "Restricted user + all OK", + MatrixID: "@user:otherdomain.com", + expectCreateRoomCall: false, + expectError: false, + }, + { + name: "Full access user but exchangeOpenIdUserInfo fails", + MatrixID: "@user:example.com", + expectExchangeOpendIdError: true, + exchangeErr: &MatrixErrorResponse{}, + expectCreateRoomCall: false, + expectError: true, + }, + { + name: "Full access user but getJoinToken fails", + MatrixID: "@user:example.com", + expectJoinTokenError: true, + getJoinTokenErr: &MatrixErrorResponse{}, + expectCreateRoomCall: false, + expectError: true, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + // --- mock createLiveKitRoom --- + called_createLiveKitRoom = false + failed_exchangeOpenIdUserInfo = tc.expectExchangeOpendIdError + + handler := &Handler{ + key: map[bool]string{true: "", false: "the_api_key"}[tc.expectJoinTokenError], + secret: "secret", + lkUrl: "wss://lk.local:8080/foo", + fullAccessHomeservers: []string{"example.com"}, + } + + req := &LegacySFURequest{ + Room: "!room:example.com", + OpenIDToken: OpenIDTokenType{ + AccessToken: "token", + MatrixServerName: strings.Split(tc.MatrixID, ":")[1], + }, + DeviceID: "dev", + } + + _, err := handler.processLegacySFURequest(&http.Request{}, req) + if tc.expectError && err == nil { + t.Fatalf("expected error but got nil") + } + if !tc.expectError && err != nil { + t.Fatalf("unexpected error: %v", err) + } + + if called_createLiveKitRoom != tc.expectCreateRoomCall { + t.Errorf("expected createLiveKitRoom called=%v, got %v", tc.expectCreateRoomCall, called_createLiveKitRoom) + } + + }) + } + + +} diff --git a/lk-jwt-service/renovate.json b/lk-jwt-service/renovate.json new file mode 100644 index 0000000..068c0ea --- /dev/null +++ b/lk-jwt-service/renovate.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + "schedule:monthly", + "helpers:pinGitHubActionDigestsToSemver", + ":enableVulnerabilityAlertsWithLabel(security)" + ], + "addLabels": ["dependencies"], + "vulnerabilityAlerts": { + "schedule": [ + "at any time" + ], + "prHourlyLimit": 0, + "minimumReleaseAge": null + }, + "packageRules": [ + { + "groupName": "GitHub Actions", + "matchDepTypes": ["action"], + "pinDigests": true + } + ], + "minimumReleaseAge": "5 days" +} diff --git a/lk-jwt-service/tests/key b/lk-jwt-service/tests/key new file mode 100644 index 0000000..25f83e1 --- /dev/null +++ b/lk-jwt-service/tests/key @@ -0,0 +1 @@ +from_file_oquusheiheiw4Iegah8te3Vienguus5a diff --git a/lk-jwt-service/tests/keysecret.yaml b/lk-jwt-service/tests/keysecret.yaml new file mode 100644 index 0000000..29d1c7b --- /dev/null +++ b/lk-jwt-service/tests/keysecret.yaml @@ -0,0 +1 @@ +keysecret_iethuB2LeLiNuishiaKeephei9jaatio: keysecret_xefaingo4oos6ohla9phiMieBu3ohJi2 diff --git a/lk-jwt-service/tests/secret b/lk-jwt-service/tests/secret new file mode 100644 index 0000000..58bf88f --- /dev/null +++ b/lk-jwt-service/tests/secret @@ -0,0 +1 @@ +from_file_vohmahH3eeyieghohSh3kee8feuPhaim