20 changes: 20 additions & 0 deletions source/includes/_api.md
Expand Up @@ -316,6 +316,7 @@ var iceServers = [


## callstats.stopPrecallTests()

```javascript
callstats.stopPrecallTests();
```
Expand All @@ -337,3 +338,22 @@ var callAttributes = {
`pc` | Required | Object | RTCPeerConnection associated with this connection.
`conferenceID` | Required | String (256 bytes) | It is generated by the origin server.
`callAttributes` | Required | JSON | Contains information about the call.

## callstats.getTurnCredentials()

```javascript
callstats.getTurnCredentials(appId, appSecret)
.then((iceServers) => {
var pc_config = {'iceTransports': 'all','iceServers': iceServers};
var pc = new RTCPeerConnection(pc_config, {optional: [{DtlsSrtpKeyAgreement: true}]});
})
.catch((err) => {

});

Doesn't this API make it very easy to abuse?
Anyone could just go to the code of a supported app in the browser and extract this line with all needed credentials. This could then be used anywhere while the app has to pay us?

@lennart-csio No, this API is not accessible by everyone.

We have a Postgres flag for the appID called taasEnabled. This flag has to be true to obtain turnCredentials.

At the moment there is no way to set the flag without contacting us.

@karthikbr82 karthikbr82 Oct 9, 2019

Maybe we can add "Contact us for enabling turn usage" in the documentation to prevent the confusion.

It does say already "This is an on-demand feature, please contact [email protected] for enabling this feature."

@karthikbr82 Yes, I see. However, if there is an app that is taasEnabled and has this integrated, then any user can extract the line from the source code and use it himself without the app knowing.

@karthikbr82 karthikbr82 Oct 10, 2019

@lennart-csio Exactly, nothing can be hidden in JavaScript. It was possible to get the same when we were sending the credentials in the recomenedConfig callback. Users can also extract TURN credentials from the authenticate response, which we use for PCT. Or a user can also write a peerconnection shim and extract iceServers from pcConfig.

Author

@lennart-csio @karthikbr82

Aren't the credentials rotating?

Yes, they are.

```
- This API will fetch the TURN credentials from callstats.io without enabling callstats.io monitoring. This is an on-demand feature, please contact [email protected] for enabling this feature.

Params | Argument | Type | Description
----------- | ----------- | -------- | ----------
appId | Required | String | Application ID is obtained from callstats.io
appSecret | Required | String | Application secret is obtained from callstats.io.
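
Review bot: The sample call `callstats.getTurnCredentials(appId, appSecret)` places the application secret in page JavaScript, and the `appSecret` row of the parameter table gives no guidance on where that value is allowed to live. Anything delivered to the browser is readable by the end user, so the section should say how an integrator is expected to supply `appSecret`, and it should state how long the returned `iceServers` credentials remain valid, since the review thread confirms they rotate but the documentation text does not say so. The empty `.catch((err) => { })` in the sample also silently discards any error; show at least logging `err` there so integrators notice a failed fetch.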