Add Livekit server integration

zooid/api.go

@@ -1,7 +1,6 @@
 package zooid
 
 import (
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -40,7 +39,7 @@ func (api *APIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	// Authenticate the request using NIP-98
-	pubkey, err := api.authenticateNIP98(r)
+	pubkey, err := validateNIP98Auth(r)
 	if err != nil {
 		writeError(w, http.StatusUnauthorized, err.Error())
 		return
@@ -93,65 +92,6 @@ func writeJSON(w http.ResponseWriter, status int, data map[string]string) {
 	json.NewEncoder(w).Encode(data)
 }
 
-// authenticateNIP98 validates NIP-98 HTTP AUTH
-func (api *APIHandler) authenticateNIP98(r *http.Request) (nostr.PubKey, error) {
-	authHeader := r.Header.Get("Authorization")
-	if authHeader == "" {
-		return nostr.PubKey{}, fmt.Errorf("missing authorization header")
-	}
-
-	parts := strings.SplitN(authHeader, " ", 2)
-	if len(parts) != 2 || strings.ToLower(parts[0]) != "nostr" {
-		return nostr.PubKey{}, fmt.Errorf("invalid authorization header format")
-	}
-
-	eventJSON, err := base64.StdEncoding.DecodeString(parts[1])
-	if err != nil {
-		return nostr.PubKey{}, fmt.Errorf("invalid base64 encoding: %w", err)
-	}
-
-	var event nostr.Event
-	if err := json.Unmarshal(eventJSON, &event); err != nil {
-		return nostr.PubKey{}, fmt.Errorf("invalid event json: %w", err)
-	}
-
-	if event.Kind != nostr.KindHTTPAuth {
-		return nostr.PubKey{}, fmt.Errorf("invalid event kind: expected %d, got %d", nostr.KindHTTPAuth, event.Kind)
-	}
-
-	if !event.VerifySignature() {
-		return nostr.PubKey{}, fmt.Errorf("invalid event signature")
-	}
-
-	expectedURL := fmt.Sprintf("%s://%s%s", scheme(r), r.Host, r.URL.Path)
-	var hasURL, hasMethod bool
-
-	for _, tag := range event.Tags {
-		if len(tag) < 2 {
-			continue
-		}
-		switch tag[0] {
-		case "u":
-			if tag[1] == expectedURL {
-				hasURL = true
-			}
-		case "method":
-			if strings.ToUpper(tag[1]) == r.Method {
-				hasMethod = true
-			}
-		}
-	}
-
-	if !hasURL {
-		return nostr.PubKey{}, fmt.Errorf("event missing or invalid u tag")
-	}
-	if !hasMethod {
-		return nostr.PubKey{}, fmt.Errorf("event missing or invalid method tag")
-	}
-
-	return event.PubKey, nil
-}
-
 // scheme returns the URL scheme based on the request
 func scheme(r *http.Request) string {
 	if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {

zooid/config.go

@@ -49,6 +49,12 @@ type Config struct {
 		Enabled bool `toml:"enabled" json:"enabled"`
 	} `toml:"blossom" json:"blossom"`
 
+	Livekit struct {
+		ServerURL string `toml:"server_url" json:"server_url"`
+		APIKey    string `toml:"api_key" json:"api_key"`
+		APISecret string `toml:"api_secret" json:"api_secret"`
+	} `toml:"livekit" json:"livekit"`
+
 	Roles map[string]Role `toml:"roles" json:"roles"`
 
 	// Private/parsed values

zooid/groups.go

@@ -322,6 +322,13 @@ func (g *GroupStore) CheckWrite(event nostr.Event) string {
 		}
 	}
 
+	if HasTag(meta.Tags, "no-text") &&
+		!slices.Contains(nip29.ModerationEventKinds, event.Kind) &&
+		event.Kind != nostr.KindSimpleGroupJoinRequest &&
+		event.Kind != nostr.KindSimpleGroupLeaveRequest {
+		return "blocked: this group does not allow text events"
+	}
+
 	if HasTag(meta.Tags, "closed") && !g.HasAccess(h, event.PubKey) {
 		return "restricted: you are not a member of that group"
 	}

zooid/instance.go

@@ -113,6 +113,8 @@ func MakeInstance(filename string) (*Instance, error) {
 
 	router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
 
+	router.HandleFunc("GET /.well-known/nip29/livekit/{groupId}", instance.livekitTokenHandler)
+
 	// Initialize the database
 
 	if err := instance.Events.Init(); err != nil {

zooid/livekit.go

@@ -0,0 +1,132 @@
+package zooid
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"sync"
+
+	"fiatjaf.com/nostr"
+	"github.com/livekit/protocol/auth"
+)
+
+var (
+	livekitHTTPClient = &http.Client{}
+	livekitRooms      = make(map[string]bool)
+	livekitRoomsMu    sync.RWMutex
+)
+
+type TokenEndpointResponse struct {
+	ServerURL        string `json:"server_url"`
+	ParticipantToken string `json:"participant_token"`
+}
+
+func generateLivekitToken(apiKey, apiSecret, room string, pubkey nostr.PubKey) string {
+	at := auth.NewAccessToken(apiKey, apiSecret)
+	at.SetVideoGrant(&auth.VideoGrant{
+		RoomJoin: true,
+		Room:     room,
+	})
+	at.SetIdentity(pubkey.Hex())
+
+	jwt, _ := at.ToJWT()
+	return jwt
+}
+
+func generateLivekitServerToken(apiKey, apiSecret string) string {
+	at := auth.NewAccessToken(apiKey, apiSecret)
+	at.SetVideoGrant(&auth.VideoGrant{
+		RoomCreate: true,
+		RoomList:   true,
+		RoomAdmin:  true,
+	})
+
+	jwt, _ := at.ToJWT()
+	return jwt
+}
+
+func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName string) error {
+	livekitRoomsMu.RLock()
+	if livekitRooms[roomName] {
+		livekitRoomsMu.RUnlock()
+		return nil
+	}
+	livekitRoomsMu.RUnlock()
+
+	httpURL := strings.Replace(strings.Replace(serverURL, "wss://", "https://", 1), "ws://", "http://", 1)
+	url := fmt.Sprintf("%s/twirp/livekit.RoomService/CreateRoom", httpURL)
+
+	reqBody, _ := json.Marshal(map[string]interface{}{
+		"name": roomName,
+	})
+
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(reqBody))
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+generateLivekitServerToken(apiKey, apiSecret))
+
+	resp, err := livekitHTTPClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusConflict {
+		livekitRoomsMu.Lock()
+		livekitRooms[roomName] = true
+		livekitRoomsMu.Unlock()
+		return nil
+	}
+
+	return fmt.Errorf("failed to create room: %s", resp.Status)
+}
+
+func (instance *Instance) livekitTokenHandler(w http.ResponseWriter, r *http.Request) {
+	cfg := instance.Config.Livekit
+	if cfg.APIKey == "" {
+		http.NotFound(w, r)
+		return
+	}
+
+	groupId := r.PathValue("groupId")
+
+	pubkey, err := validateNIP98Auth(r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+
+	meta, found := instance.Groups.GetMetadata(groupId)
+	if !found {
+		http.Error(w, "group not found", http.StatusNotFound)
+		return
+	}
+
+	if !HasTag(meta.Tags, "livekit") {
+		http.Error(w, "livekit not enabled for this group", http.StatusForbidden)
+		return
+	}
+
+	if !instance.Groups.HasAccess(groupId, pubkey) {
+		http.Error(w, "not a group member", http.StatusForbidden)
+		return
+	}
+
+	if err := ensureLivekitRoom(cfg.APIKey, cfg.APISecret, cfg.ServerURL, groupId); err != nil {
+		http.Error(w, "failed to create room", http.StatusInternalServerError)
+		return
+	}
+
+	token := generateLivekitToken(cfg.APIKey, cfg.APISecret, groupId, pubkey)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(TokenEndpointResponse{
+		ServerURL:        cfg.ServerURL,
+		ParticipantToken: token,
+	})
+}

zooid/util.go

@@ -1,10 +1,15 @@
 package zooid
 
 import (
-	"fiatjaf.com/nostr"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
 	"math/rand"
+	"net/http"
 	"slices"
 	"strings"
+
+	"fiatjaf.com/nostr"
 )
 
 const (
@@ -147,3 +152,61 @@ func IsEmptyEvent(event nostr.Event) bool {
 
 	return event.ID == zeroID
 }
+
+func validateNIP98Auth(r *http.Request) (nostr.PubKey, error) {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return nostr.PubKey{}, fmt.Errorf("missing authorization header")
+	}
+
+	parts := strings.SplitN(authHeader, " ", 2)
+	if len(parts) != 2 || strings.ToLower(parts[0]) != "nostr" {
+		return nostr.PubKey{}, fmt.Errorf("invalid authorization header format")
+	}
+
+	eventJSON, err := base64.StdEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nostr.PubKey{}, fmt.Errorf("invalid base64 encoding: %w", err)
+	}
+
+	var event nostr.Event
+	if err := json.Unmarshal(eventJSON, &event); err != nil {
+		return nostr.PubKey{}, fmt.Errorf("invalid event json: %w", err)
+	}
+
+	if event.Kind != nostr.KindHTTPAuth {
+		return nostr.PubKey{}, fmt.Errorf("invalid event kind: expected %d, got %d", nostr.KindHTTPAuth, event.Kind)
+	}
+
+	if !event.VerifySignature() {
+		return nostr.PubKey{}, fmt.Errorf("invalid event signature")
+	}
+
+	expectedURL := fmt.Sprintf("%s://%s%s", scheme(r), r.Host, r.URL.Path)
+	var hasURL, hasMethod bool
+
+	for _, tag := range event.Tags {
+		if len(tag) < 2 {
+			continue
+		}
+		switch tag[0] {
+		case "u":
+			if tag[1] == expectedURL {
+				hasURL = true
+			}
+		case "method":
+			if strings.ToUpper(tag[1]) == r.Method {
+				hasMethod = true
+			}
+		}
+	}
+
+	if !hasURL {
+		return nostr.PubKey{}, fmt.Errorf("event missing or invalid u tag")
+	}
+	if !hasMethod {
+		return nostr.PubKey{}, fmt.Errorf("event missing or invalid method tag")
+	}
+
+	return event.PubKey, nil
+}