diff --git a/.ackrc b/.ackrc index 8052b27..4f9b7e2 100644 --- a/.ackrc +++ b/.ackrc @@ -1 +1,2 @@ --ignore-dir=bin +--ignore-dir=.claude diff --git a/.fdignore b/.fdignore index 10fabaa..a5755be 100644 --- a/.fdignore +++ b/.fdignore @@ -1,3 +1,4 @@ bin data media +.claude diff --git a/.gitignore b/.gitignore index fa073c3..5e5bb56 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ config media data relay +.claude diff --git a/README.md b/README.md index 543a98f..9e5357a 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ Zooid supports a few environment variables, which configure shared resources lik - `MEDIA` - where to store blossom media files. Defaults to `./media`. - `DATA` - where to store database files. Defaults to `./data`. - `API_HOST` - the hostname on which to expose the management API. If not set, the API is disabled. -- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API. Required when `API_HOST` is set. +- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API. - `PPROF_ADDR` - an http host to serve pprof stats on. ## Configuration @@ -133,7 +133,12 @@ A special `[roles.member]` heading may be used to configure policies for all rel - `api_key` - a key identifying this relay, assigned by the Livekit server. - `api_secret` - a secret key authenticating this relay, assigned by the Livekit server. -On your LiveKit server you should also set up a webhook that points to `https://yourrelay.com/.well-known/nip29/livekit/webhook`. This allows LiveKit to notify your relay when people join rooms so it can publish a kind 39004 event. +On your LiveKit server you should also set up a webhook so LiveKit can notify the relay when people join or leave rooms; the relay uses these notifications to publish a kind 39004 presence event. How you point the webhook depends on how many relays share a LiveKit project: + +- **One relay, or a dedicated LiveKit project per relay** — point the webhook at that relay's own `https://yourrelay.com/.well-known/nip29/livekit/webhook`. +- **Several relays sharing one LiveKit project** — point the webhook at the management API's `https://api.relayplatform.com/.well-known/nip29/livekit/webhook` instead. zooid stamps each room's metadata with the owning relay's `schema` when it creates the room, so this shared endpoint routes every event to the relay that owns the room. This requires `API_HOST` to be set. + +Either way the webhook is authenticated by LiveKit's own request signature (signed with the relay's `api_secret`) rather than NIP 98, so the shared endpoint is exempt from the `API_WHITELIST`. Configure LiveKit to sign webhooks with the same `api_key`/`api_secret` the relay uses, or the relay will reject them. ### Example @@ -176,7 +181,7 @@ can_manage = true ## API -When `API_HOST` and `API_WHITELIST` are configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH. +When `API_HOST` is configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH signed by a pubkey listed in `API_WHITELIST`. The API accepts JSON config objects and stores them as TOML files in the `CONFIG` directory. Configs are validated for required fields (`host`, `schema`, `secret`) and duplicate checking (`schema` and `host` must be unique across all relays). diff --git a/zooid/api.go b/zooid/api.go index 566224b..d875557 100644 --- a/zooid/api.go +++ b/zooid/api.go @@ -1,6 +1,7 @@ package zooid import ( + "bytes" "encoding/json" "errors" "fmt" @@ -37,6 +38,9 @@ func NewAPIHandler() *APIHandler { mux.HandleFunc("DELETE /relay/{id}", api.auth(api.deleteRelay)) mux.HandleFunc("GET /relay/{id}/members", api.auth(api.listRelayMembers)) + // Skip auth, the handler checks the webhook signature itself + mux.HandleFunc("POST /.well-known/nip29/livekit/webhook", api.livekitWebhook) + api.mux = mux return api @@ -361,3 +365,44 @@ func collectMembers(management *ManagementStore) []string { sort.Strings(members) return members } + +// LiveKit webhook + +// LiveKit webhooks are registered statically, so we add the relay's schema as metadata +// to the room and handle webhooks at the top level. +func (api *APIHandler) livekitWebhook(w http.ResponseWriter, r *http.Request) { + body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1024*1024)) + if err != nil { + writeError(w, http.StatusBadRequest, "failed to read body") + return + } + + // Read the relay schema from the room metadata. This is parsed before + // verification, but the instance handler below re-checks the signature over + // the whole body (metadata included) with that relay's key, so a forged + // schema cannot pass. + var probe struct { + Room struct { + Metadata string `json:"metadata"` + } `json:"room"` + } + if err := json.Unmarshal(body, &probe); err != nil { + writeError(w, http.StatusBadRequest, "invalid webhook body") + return + } + + schema := strings.TrimSpace(probe.Room.Metadata) + if schema == "" { + writeError(w, http.StatusBadRequest, "missing room metadata") + return + } + + instance, ok := DispatchBySchema(schema) + if !ok { + writeError(w, http.StatusNotFound, "relay not found") + return + } + + r.Body = io.NopCloser(bytes.NewReader(body)) + instance.livekitWebhookHandler(w, r) +} diff --git a/zooid/lib.go b/zooid/lib.go index ac3e052..464e07f 100644 --- a/zooid/lib.go +++ b/zooid/lib.go @@ -28,6 +28,19 @@ func Dispatch(hostname string) (*Instance, bool) { return instance, exists } +func DispatchBySchema(schema string) (*Instance, bool) { + instancesMux.RLock() + defer instancesMux.RUnlock() + + for _, instance := range instancesByName { + if instance.Config.Schema == schema && !instance.Config.Inactive { + return instance, true + } + } + + return nil, false +} + func Start() { dataDir := Env("DATA") if err := os.MkdirAll(dataDir, 0755); err != nil {