npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@l7mp/stunner-auth-lib

v0.9.6

Published

STUN/TURN credentials generation for STUNner

Downloads

4

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

rg0nowrg0nowvidarhunvidarhun

Keywords

STUNnerSTUNTURNWebRTC

Readme

@l7mp/stunner-auth-lib

A library to generate ICE configuration and TURN credentials for the STUNner Kubernetes ingress gateway for WebRTC.

const auth = require('@l7mp/stunner-auth-lib');

var credentials = auth.getStunnerCredentials({
    auth_type: 'longterm',
    secret: 'my-shared-secret',
    duration: 24*60*60,  // credentials valid for one day
});

Installation

Install from NPM.

npm install @l7mp/stunner-auth-lib

Usage

The intended use is to ease the generation of STUN/TURN credentials and ICE server configuration stanza in the WebRTC application server. The application server can send these back to the WebRTC clients during the WebSocket/JSON call setup process. Clients can then use the STUN/TURN credentials and ICE server configuration received from the application server to authenticate with STUNner, in order to reach the WebRTC media plane deployed into Kubernetes behind STUNner.

The library will automatically parse the current STUNner configuration from the Kubernetes control plane if available. Otherwise, it falls back to taking configuration from environment variables.

STUNner authentication architecture

Configuration

The library depends on a valid STUNner configuration for generating STUN/TURN credentials, which is typically generated by the STUNner Kubernetes Gateway Operator. The STUNner configuration is rendered into a Kubernetes ConfigMap, which is then picked up by the STUNner dataplane to ingest WebRTC media into the Kubernetes cluster. Suppose that this ConfigMap is named stunnerd-config (this is the default name). The below Kubernetes pod template snippet shows how to map this configuration into your WebRTC application server.

...
spec:
  containers:
    - name: <my-application-server>
      image: <my-application-server-image>
      ...
      env:
        - name: STUNNER_CONFIG_FILENAME
          value: "/etc/stunnerd/stunnerd.conf"
      volumeMounts:
        - name: stunnerd-config-volume
          mountPath: /etc/stunnerd
          readOnly: true
  ...
  volumes:
    - name: stunnerd-config-volume
      configMap:
        name: stunnerd-config
...

From this point, the STUNner configuration, as actually existing in the stunnerd-config ConfigMap, will be mapped into the application server pod's filesystem under the path /etc/stunnerd/stunnerd.conf and the full path will be available in the STUNNER_CONFIG_FILENAME environment variable. The library will pick up this configuration and use it to generate the STUN/TURN credentials and full ICE server configurations necessary to reach STUNner.

Every time you change the STUNner configuration through the Kubernetes Gateway API, the new configuration will be immediately mapped into the filesystem of your application server. When called, the library will re-parse the active configuration from the filesystem and the new settings will immediately take effect: new client requests will receive up-to-date STUN/TURN credentials.

If no valid configuration file is found, the library falls back to the standalone mode.

Generating ICE configuration

The recommended usage is generating the ICE configuration along with the STUNner credentials in a single step and sending it back the WebRTC clients during call setup.

  • Generate a full ICE configuration object on the WebRTC application server.

    const auth = require('@l7mp/stunner-auth-lib');
...
var ICE_config = auth.getIceConfig();
console.log(ICE_config);

    Output:

    {
  iceServers: [
    {
      url: 'turn:1.2.3.4:3478?transport=udp',
      username: 'my-user',
      credential: 'my-password'
    }
  ],
  iceTransportPolicy: 'relay'
}

  • Send the generated ICE configuration back to the clients during the WebSocket/JSON call setup process (e.g., during user registration) and use this configuration in the clients to initialize the WebRTC PeerConnection.

    var ICE_config = ...; // read ICE configuration from the WebSocket/JSON connection 
var pc = new RTCPeerConnection(ICE_config);

You can override the path to the STUNner configuration file (and other options) when calling the function.

var ICE_config = auth.getIceConfig({config_file: <MY_STUNNER_CONFIG_FILENAME>});

Generating STUN/TURN credentials

Alternatively, you can simply generate a new STUN/TURN long-term credentials that you can use for authenticating with STUNner.

var cred = auth.getStunnerCredentials({
    duration: 24 * 60 * 60,  // lifetime the longterm credential is effective
});
console.log(`STUNner credentials: ${cred.username} / ${cred.credential}`);

Output:

STUNner credentials: 1652118264 / nRU+Iz2ENeP2Y3sDXzSRsFRDs8s=

Fallback to standalone mode

Some may favor running STUNner in the standalone mode in order to be able to manually customize the STUNner dataplane instead of relying on the operator to render the configuration. The library automatically falls back to using the standalone mode when no configuration file is available under the path specified by the STUNNER_CONFIG_FILENAME environment variable. For this, the application server needs to have access to the following environment variables.

  • STUNNER_PUBLIC_ADDR (no default, must be customized): STUNner public IP address.
  • STUNNER_PUBLIC_PORT (default: 3478): STUNner public port.
  • STUNNER_REALM (default: stunner.l7mp.io): STUN/TURN realm.
  • STUNNER_AUTH_TYPE (default: plaintext): STUNner authentication mode; either plaintext or longterm.
  • STUNNER_USERNAME (default: user): username for plaintext authentication.
  • STUNNER_PASSWORD (default: pass): password for plaintext authentication.
  • STUNNER_SHARED_SECRET (default: secret): the shared secret for longterm authentication.

For most configuration parameters the library specifies sane defaults, which can be overridden by the environment variables (i.e., the STUNner configuration), which can in turn be further overridden in the function arguments specified on the library calls.

The below code will generate a full ICE configuration object in the fallback mode using the specified overrides.

const auth = require('@l7mp/stunner-auth-lib');
...
var ICE_config = auth.getIceConfig({
  address: '1.2.3.4',            // ovveride STUNNER_PUBLIC_ADDR
  port: 3478,                    // ovveride STUNNER_PUBLIC_PORT
  auth_type: 'plaintext',        // override STUNNER_AUTH_TYPE
  username: 'my-user',           // override STUNNER_USERNAME
  password: 'my-password',       // override STUNNER_PASSWORD
  ice_transport_policy: 'relay', // override STUNNER_ICE_TRANSPORT_POLICY
});
console.log(ICE_config);

The below will generate a new set of STUN/TURN long-term credentials, again using manual overrides.

var cred = auth.getStunnerCredentials({
    auth_type: 'longterm',   // override STUNNER_AUTH_TYPE
    secret: 'my-secret',     // override STUNNER_SHARED_SECRET
    duration: 24 * 60 * 60,  // lifetime the longterm credential is effective
});
console.log(`STUNner credentials: ${cred.username} / ${cred.credential}`);

Output:

STUNner credentials: 1652118264 / nRU+Iz2ENeP2Y3sDXzSRsFRDs8s=

Note that all manual overrides are available in the default mode as well.

Caveats

  • In order for the library to be able to read the STUNner configuration, the corresponding ConfigMap (i.e., stunnerd-config) and the application server must live in the same Kubernetes namespace (Kubernetes does not allow a ConfigMap to be mapped into a pod that exists in a different namespace). See the STUNner examples on how to configure the STUNner Kubernetes Gateway Operator to render the configuration into an arbitrary namespace from where your application server can pick it up.

  • If you change the STUNner credentials from the Kubernetes Gateway API then active clients, which have already received an ICE configuration that is now being rendered invalid by your change, will need to go through the authentication process (receive a new ICE configuration, re-request TURN permissions again from STUNner, etc.) again. Otherwise, they will time out on the next TURN permission refresh cycle. Currently it is the responsibility of the application server to orchestrate this process. As a rule of thumb, try to avoid resetting the authentication settings when active users are authenticated with STUNner.

Help

STUNner development is coordinated in Discord, send us an email to ask an invitation.

License

Copyright 2021-2022 by its authors. Some rights reserved. See AUTHORS.

MIT License - see LICENSE for full text.

Acknowledgments

Initial code adopted from @rojo2/turn-credentials.