fix: stop leaking TURN secret to browser clients
All checks were successful
Build / Build & release (push) Successful in 13m40s
All checks were successful
Build / Build & release (push) Successful in 13m40s
WASTE_CONFIG.turnSecret was shipped in plaintext config.js and used to compute coturn HMAC credentials client-side in browser.ts. Anyone reading the PWA's JS could read the secret and mint unlimited long-lived TURN credentials, turning the relay into an open proxy. The anchor now mints short-lived (1h) credentials server-side via a new GET /turn-credentials endpoint (-turn-secret flag), mirroring what the daemon already does. The browser fetches credentials instead of holding the secret. Daemon mode was unaffected (already server-side). Docs updated to drop turnSecret from config.js examples, document the new nginx route, and instruct anyone with an old config.js to rotate the coturn secret since it was previously exposed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -151,9 +151,13 @@ entries from all applicable share roots, with relative `path` fields
|
||||
**Status:** implemented (browser mode + daemon mode)
|
||||
**Affects:** ICE server configuration only, no wire changes
|
||||
|
||||
The browser adapter reads `WASTE_CONFIG.turnURL` and `WASTE_CONFIG.turnSecret`
|
||||
and adds a TURN server to the WebRTC `ICEServers` list. Credentials are
|
||||
generated using HMAC-SHA1 of the username (coturn `use-auth-secret` scheme).
|
||||
The browser adapter reads `WASTE_CONFIG.turnURL` and fetches short-lived
|
||||
credentials from the anchor's `GET /turn-credentials` endpoint (derived from
|
||||
`WASTE_CONFIG.signalURL`, or overridden via `WASTE_CONFIG.turnCredentialsURL`).
|
||||
The anchor computes the credential using HMAC-SHA1 of the username (coturn
|
||||
`use-auth-secret` scheme) — the shared secret itself is never sent to the
|
||||
browser. Daemon mode does the equivalent computation locally, since the
|
||||
daemon already holds `-turn-secret` server-side.
|
||||
|
||||
YAW/2 §0 explicitly declines TURN ("No relay (TURN)"). This extension is
|
||||
opt-in via server configuration and does not affect peers that omit it.
|
||||
|
||||
Reference in New Issue
Block a user