From ddb244cf8de42ed60c9fea92e1eb8a132e1d366b Mon Sep 17 00:00:00 2001 From: Matthieu Pignolet Date: Thu, 25 Sep 2025 22:38:50 +0200 Subject: [PATCH 1/5] feat: allow binding of arbitrary addresses This generally helps when the user wants to listen to [::1] or 127.0.0.0/8 Signed-off-by: Matthieu Pignolet --- main.go | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/main.go b/main.go index b90b256..3ac6509 100644 --- a/main.go +++ b/main.go @@ -11,7 +11,6 @@ import ( "crypto/tls" "encoding/json" "errors" - "fmt" "log" "net/http" "os" @@ -130,7 +129,7 @@ func exchangeOpenIdUserInfo( if skipVerifyTLS { log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName) // Disable TLS verification on the default HTTP Transport for the well-known lookup - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ InsecureSkipVerify: true } + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} } client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS)) @@ -164,7 +163,6 @@ func (h *Handler) prepareMux() *http.ServeMux { return mux } - func (h *Handler) healthcheck(w http.ResponseWriter, r *http.Request) { log.Printf("Health check from %s", r.RemoteAddr) @@ -244,7 +242,7 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) { // TODO: is DeviceID required? If so then we should have validated at the start of the request processing lkIdentity := userInfo.Sub + ":" + sfuAccessRequest.DeviceID - token, err := getJoinToken(h.key, h.secret, sfuAccessRequest.Room, lkIdentity) + token, err := getJoinToken(h.key, h.secret, sfuAccessRequest.Room, lkIdentity) if err != nil { w.WriteHeader(http.StatusInternalServerError) err = json.NewEncoder(w).Encode(gomatrix.RespError{ 
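Review bot: The line `http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}` in exchangeOpenIdUserInfo (the `@@ -130,7 +129,7 @@` hunk, which only reformats it) rewrites a process-wide object, so after one call with `skipVerifyTLS` set, every later request through the default transport skips certificate verification, not just this well-known lookup. The write is also unsynchronized; if this function is reached from concurrent request handlers, as the surrounding code suggests, it is a data race. Prefer a dedicated `*http.Transport` carrying the insecure `tls.Config` for the one client that needs it, or apply the setting once at startup before serving. The function body extends beyond the hunk, so how the lookup selects its transport is not visible here.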
@@ -262,16 +260,16 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) { creationStart := time.Now().Unix() room, err := roomClient.CreateRoom( context.Background(), &livekit.CreateRoomRequest{ - Name: sfuAccessRequest.Room, - EmptyTimeout: 5 * 60, // 5 Minutes to keep the room open if no one joins - DepartureTimeout: 20, // number of seconds to keep the room after everyone leaves - MaxParticipants: 0, // 0 == no limitation + Name: sfuAccessRequest.Room, + EmptyTimeout: 5 * 60, // 5 Minutes to keep the room open if no one joins + DepartureTimeout: 20, // number of seconds to keep the room after everyone leaves + MaxParticipants: 0, // 0 == no limitation }, ) if err != nil { log.Printf("Unable to create room %s. Error message: %v", sfuAccessRequest.Room, err) - + w.WriteHeader(http.StatusInternalServerError) err = json.NewEncoder(w).Encode(gomatrix.RespError{ ErrCode: "M_UNKNOWN", @@ -284,11 +282,11 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) { } // Log the room creation time and the user info - isNewRoom := room.GetCreationTime() >= creationStart && room.GetCreationTime() <= time.Now().Unix() + isNewRoom := room.GetCreationTime() >= creationStart && room.GetCreationTime() <= time.Now().Unix() log.Printf( "%s LiveKit room sid: %s (alias: %s) for full-access Matrix user %s (LiveKit identity: %s)", map[bool]string{true: "Created", false: "Using"}[isNewRoom], - room.Sid, sfuAccessRequest.Room, userInfo.Sub , lkIdentity, + room.Sid, sfuAccessRequest.Room, userInfo.Sub, lkIdentity, ) } @@ -323,7 +321,7 @@ func main() { } fullAccessHomeservers := os.Getenv("LIVEKIT_FULL_ACCESS_HOMESERVERS") - + if len(fullAccessHomeservers) == 0 { // For backward compatibility we also check for LIVEKIT_LOCAL_HOMESERVERS // TODO: Remove this backward compatibility in the near future. 
@@ -339,12 +337,12 @@ func main() { } } - lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") - if lkJwtPort == "" { - lkJwtPort = "8080" + lkJwtBind := os.Getenv("LIVEKIT_JWT_BIND") + if lkJwtBind == "" { + lkJwtBind = ":8080" } - log.Printf("LIVEKIT_URL: %s, LIVEKIT_JWT_PORT: %s", lkUrl, lkJwtPort) + log.Printf("LIVEKIT_URL: %s, LIVEKIT_JWT_BIND: %s", lkUrl, lkJwtBind) log.Printf("LIVEKIT_FULL_ACCESS_HOMESERVERS: %v", fullAccessHomeservers) handler := &Handler{ @@ -355,5 +353,5 @@ func main() { fullAccessHomeservers: strings.Split(fullAccessHomeservers, ","), } - log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", lkJwtPort), handler.prepareMux())) -} \ No newline at end of file + log.Fatal(http.ListenAndServe(lkJwtBind, handler.prepareMux())) +} From 7f04584987529baf87db1239cbbaad9177ee2384 Mon Sep 17 00:00:00 2001 From: Matthieu Pignolet Date: Fri, 26 Sep 2025 07:47:38 +0200 Subject: [PATCH 2/5] fix: update the documentation to reflect the environment variables changes Signed-off-by: Matthieu Pignolet --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ea0d386..a860533 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ Set environment variables to configure the service: | `LIVEKIT_KEY` / `LIVEKIT_KEY_FROM_FILE` | API key or file path for LiveKit SFU | ✅ Yes | | `LIVEKIT_SECRET` / `LIVEKIT_SECRET_FROM_FILE` | API secret or file path for LiveKit SFU | ✅ Yes | | `LIVEKIT_KEY_FILE` | File path with `APIkey: secret` format | ⚠️ mutually exclusive with `LIVEKIT_KEY` and `LIVEKIT_SECRET` | -| `LIVEKIT_JWT_PORT` | Port to listen on (default: `8080`) | ❌ No | +| `LIVEKIT_JWT_BIND` | Address to bind the server to (default: `:8080`) | ❌ No | | `LIVEKIT_FULL_ACCESS_HOMESERVERS` | Comma-separated list of fully authorized homeservers (`*` for all) | ❌ Default: `*` | > [!IMPORTANT] From 339229b7debeb159d2262e7a96bee82dd0049ea4 Mon Sep 17 00:00:00 2001 
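Review bot: The new `log.Fatal(http.ListenAndServe(lkJwtBind, handler.prepareMux()))` at the end of main (the `@@ -355,5 +353,5 @@` hunk) still starts a server with no read, write or idle timeouts, so a slow or stalled client can hold a connection open indefinitely. Since this line is being rewritten anyway, build the server explicitly: `srv := &http.Server{Addr: lkJwtBind, Handler: handler.prepareMux(), ReadHeaderTimeout: 10 * time.Second}` followed by `log.Fatal(srv.ListenAndServe())`. The 10-second value is an illustrative choice, and `time` is already used elsewhere in this file. main's body starts outside the hunk.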
From: Matthieu Pignolet Date: Fri, 26 Sep 2025 17:07:27 +0200 Subject: [PATCH 3/5] feat: added `LIVEKIT_JWT_PORT` back for backwards-compatiblity (mutually exclusive with the `LIVEKIT_JWT_BIND` environment variable) Signed-off-by: Matthieu Pignolet --- README.md | 1 + main.go | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a860533..64a0a6c 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,7 @@ Set environment variables to configure the service: | `LIVEKIT_SECRET` / `LIVEKIT_SECRET_FROM_FILE` | API secret or file path for LiveKit SFU | ✅ Yes | | `LIVEKIT_KEY_FILE` | File path with `APIkey: secret` format | ⚠️ mutually exclusive with `LIVEKIT_KEY` and `LIVEKIT_SECRET` | | `LIVEKIT_JWT_BIND` | Address to bind the server to (default: `:8080`) | ❌ No | +| `LIVEKIT_JWT_PORT` | Port to bind the server to (default: `8080`) | ⚠️ Ignored if used in combination with `LIVEKIT_JWT_BIND` | | `LIVEKIT_FULL_ACCESS_HOMESERVERS` | Comma-separated list of fully authorized homeservers (`*` for all) | ❌ Default: `*` | > [!IMPORTANT] diff --git a/main.go b/main.go index 3ac6509..6134699 100644 --- a/main.go +++ b/main.go @@ -11,6 +11,7 @@ import ( "crypto/tls" "encoding/json" "errors" + "fmt" "log" "net/http" "os" @@ -339,7 +340,12 @@ func main() { lkJwtBind := os.Getenv("LIVEKIT_JWT_BIND") if lkJwtBind == "" { - lkJwtBind = ":8080" + lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") + if lkJwtPort == "" { + lkJwtPort = "8080" + } + + lkJwtBind = fmt.Sprintf(":%s", lkJwtPort) } log.Printf("LIVEKIT_URL: %s, LIVEKIT_JWT_BIND: %s", lkUrl, lkJwtBind) From 88416f150be5e6924d67a63b47d60f430e3724a2 Mon Sep 17 00:00:00 2001 From: Matthieu Pignolet Date: Fri, 17 Oct 2025 10:47:54 +0200 Subject: [PATCH 4/5] feat: add a warning when using `LIVEKIT_JWT_PORT` --- main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.go b/main.go index 6134699..822eb57 100644 --- a/main.go +++ b/main.go 
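Review bot: In the `@@ -339,7 +340,12 @@` hunk of main.go, `lkJwtPort` is placed into `fmt.Sprintf(":%s", lkJwtPort)` unchecked, so a value that is not a port (for example one that already contains a host or a colon) only shows up later as a listen error that does not name the variable. If only numeric ports are intended, validate where it is read, `if _, err := strconv.ParseUint(lkJwtPort, 10, 16); err != nil { log.Fatalf("invalid LIVEKIT_JWT_PORT %q: %v", lkJwtPort, err) }`, and build the address with `net.JoinHostPort("", lkJwtPort)`. Both need new imports (`strconv`, `net`). main's body extends beyond the hunk.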
@@ -343,6 +343,8 @@ func main() { lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") if lkJwtPort == "" { lkJwtPort = "8080" + } else { + log.Printf("!!! LIVEKIT_JWT_PORT is deprecated, please use LIVEKIT_JWT_BIND instead !!!") } lkJwtBind = fmt.Sprintf(":%s", lkJwtPort) From 713ab30671b78cf0b725b025310d68b24625f4f7 Mon Sep 17 00:00:00 2001 From: Matthieu Pignolet Date: Fri, 17 Oct 2025 10:50:32 +0200 Subject: [PATCH 5/5] feat: disallow using `LIVEKIT_JWT_BIND` and `LIVEKIT_JWT_PORT` together as they are mutually exclusive --- main.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/main.go b/main.go index 822eb57..7ae87b3 100644 --- a/main.go +++ b/main.go @@ -339,8 +339,9 @@ func main() { } lkJwtBind := os.Getenv("LIVEKIT_JWT_BIND") + lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") + if lkJwtBind == "" { - lkJwtPort := os.Getenv("LIVEKIT_JWT_PORT") if lkJwtPort == "" { lkJwtPort = "8080" } else { @@ -348,6 +349,8 @@ func main() { } lkJwtBind = fmt.Sprintf(":%s", lkJwtPort) + } else if lkJwtPort != "" { + log.Fatal("LIVEKIT_JWT_BIND and LIVEKIT_JWT_PORT environment variables must not be set together") } log.Printf("LIVEKIT_URL: %s, LIVEKIT_JWT_BIND: %s", lkUrl, lkJwtBind)
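Review bot: The new `else if lkJwtPort != ""` branch (the `@@ -348,6 +349,8 @@` hunk of patch 5/5) contradicts the README row added earlier in this series, which still describes `LIVEKIT_JWT_PORT` as "Ignored if used in combination with `LIVEKIT_JWT_BIND`". The branch exits with log.Fatal when both are set, and the diffstat shows this patch touches only main.go. Update that row to say the variable is deprecated and mutually exclusive with LIVEKIT_JWT_BIND, so an operator following the README does not end up with a service that refuses to start. A short comment above the branch, such as `// LIVEKIT_JWT_PORT is deprecated; refuse an ambiguous configuration rather than guess which one wins.`, would record why startup aborts. main's body extends beyond the hunk.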