Add top-level livekit webhook

.ackrc

@@ -1 +1,2 @@
 --ignore-dir=bin
+--ignore-dir=.claude

.fdignore

@@ -1,3 +1,4 @@
 bin
 data
 media
+.claude

.gitignore

@@ -4,3 +4,4 @@ config
 media
 data
 relay
+.claude

README.md

@@ -50,7 +50,7 @@ Zooid supports a few environment variables, which configure shared resources lik
 - `MEDIA` - where to store blossom media files. Defaults to `./media`.
 - `DATA` - where to store database files. Defaults to `./data`.
 - `API_HOST` - the hostname on which to expose the management API. If not set, the API is disabled.
-- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API. Required when `API_HOST` is set.
+- `API_WHITELIST` - a comma-separated list of nostr hex pubkeys authorized to use the management API.
 - `PPROF_ADDR` - an http host to serve pprof stats on.
 
 ## Configuration
@@ -133,7 +133,12 @@ A special `[roles.member]` heading may be used to configure policies for all rel
 - `api_key` - a key identifying this relay, assigned by the Livekit server.
 - `api_secret` - a secret key authenticating this relay, assigned by the Livekit server.
 
-On your LiveKit server you should also set up a webhook that points to `https://yourrelay.com/.well-known/nip29/livekit/webhook`. This allows LiveKit to notify your relay when people join rooms so it can publish a kind 39004 event.
+On your LiveKit server you should also set up a webhook so LiveKit can notify the relay when people join or leave rooms; the relay uses these notifications to publish a kind 39004 presence event. How you point the webhook depends on how many relays share a LiveKit project:
+
+- **One relay, or a dedicated LiveKit project per relay** — point the webhook at that relay's own `https://yourrelay.com/.well-known/nip29/livekit/webhook`.
+- **Several relays sharing one LiveKit project** — point the webhook at the management API's `https://api.relayplatform.com/.well-known/nip29/livekit/webhook` instead. zooid stamps each room's metadata with the owning relay's `schema` when it creates the room, so this shared endpoint routes every event to the relay that owns the room. This requires `API_HOST` to be set.
+
+Either way the webhook is authenticated by LiveKit's own request signature (signed with the relay's `api_secret`) rather than NIP 98, so the shared endpoint is exempt from the `API_WHITELIST`. Configure LiveKit to sign webhooks with the same `api_key`/`api_secret` the relay uses, or the relay will reject them.
 
 ### Example
 
@@ -176,7 +181,7 @@ can_manage = true
 
 ## API
 
-When `API_HOST` and `API_WHITELIST` are configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH.
+When `API_HOST` is configured, a JSON REST API is available for managing virtual relays remotely. All API requests must be authenticated using [NIP 98](https://github.com/nostr-protocol/nips/blob/master/98.md) HTTP AUTH signed by a pubkey listed in `API_WHITELIST`.
 
 The API accepts JSON config objects and stores them as TOML files in the `CONFIG` directory. Configs are validated for required fields (`host`, `schema`, `secret`) and duplicate checking (`schema` and `host` must be unique across all relays).
 

zooid/api.go

@@ -1,6 +1,7 @@
 package zooid
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -37,6 +38,9 @@ func NewAPIHandler() *APIHandler {
 	mux.HandleFunc("DELETE /relay/{id}", api.auth(api.deleteRelay))
 	mux.HandleFunc("GET /relay/{id}/members", api.auth(api.listRelayMembers))
 
+	// Skip auth, the handler checks the webhook signature itself
+	mux.HandleFunc("POST /.well-known/nip29/livekit/webhook", api.livekitWebhook)
+
 	api.mux = mux
 
 	return api
@@ -361,3 +365,44 @@ func collectMembers(management *ManagementStore) []string {
 	sort.Strings(members)
 	return members
 }
+
+// LiveKit webhook
+
+// LiveKit webhooks are registered statically, so we add the relay's schema as metadata
+// to the room and handle webhooks at the top level.
+func (api *APIHandler) livekitWebhook(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1024*1024))
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "failed to read body")
+		return
+	}
+
+	// Read the relay schema from the room metadata. This is parsed before
+	// verification, but the instance handler below re-checks the signature over
+	// the whole body (metadata included) with that relay's key, so a forged
+	// schema cannot pass.
+	var probe struct {
+		Room struct {
+			Metadata string `json:"metadata"`
+		} `json:"room"`
+	}
+	if err := json.Unmarshal(body, &probe); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid webhook body")
+		return
+	}
+
+	schema := strings.TrimSpace(probe.Room.Metadata)
+	if schema == "" {
+		writeError(w, http.StatusBadRequest, "missing room metadata")
+		return
+	}
+
+	instance, ok := DispatchBySchema(schema)
+	if !ok {
+		writeError(w, http.StatusNotFound, "relay not found")
+		return
+	}
+
+	r.Body = io.NopCloser(bytes.NewReader(body))
+	instance.livekitWebhookHandler(w, r)
+}

zooid/groups.go

@@ -227,6 +227,10 @@ func (g *GroupStore) HasAccess(h string, pubkey nostr.PubKey) bool {
 }
 
 func (g *GroupStore) IsGroupEvent(event nostr.Event) bool {
+	if !g.Config.Groups.Enabled {
+		return false
+	}
+
 	if slices.Contains(nip29.MetadataEventKinds, event.Kind) {
 		return true
 	}

zooid/lib.go

@@ -28,6 +28,19 @@ func Dispatch(hostname string) (*Instance, bool) {
 	return instance, exists
 }
 
+func DispatchBySchema(schema string) (*Instance, bool) {
+	instancesMux.RLock()
+	defer instancesMux.RUnlock()
+
+	for _, instance := range instancesByName {
+		if instance.Config.Schema == schema && !instance.Config.Inactive {
+			return instance, true
+		}
+	}
+
+	return nil, false
+}
+
 func Start() {
 	dataDir := Env("DATA")
 	if err := os.MkdirAll(dataDir, 0755); err != nil {

zooid/livekit.go

@@ -50,7 +50,7 @@ func generateLivekitServerToken(apiKey, apiSecret string) string {
 	return jwt
 }
 
-func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName string) error {
+func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName, metadata string) error {
 	roomKey := serverURL + "'" + roomName
 
 	livekitRoomsMu.RLock()
@@ -63,8 +63,10 @@ func ensureLivekitRoom(apiKey, apiSecret, serverURL, roomName string) error {
 	httpURL := strings.Replace(strings.Replace(serverURL, "wss://", "https://", 1), "ws://", "http://", 1)
 	url := fmt.Sprintf("%s/twirp/livekit.RoomService/CreateRoom", httpURL)
 
+	// Use the relay's schema as room metadata so we can use the same livekit creds for multiple relay
 	reqBody, _ := json.Marshal(map[string]interface{}{
 		"name":     roomName,
+		"metadata": metadata,
 	})
 
 	req, err := http.NewRequest("POST", url, bytes.NewBuffer(reqBody))
@@ -214,7 +216,7 @@ func (instance *Instance) livekitTokenHandler(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	if err := ensureLivekitRoom(cfg.APIKey, cfg.APISecret, cfg.ServerURL, groupId); err != nil {
+	if err := ensureLivekitRoom(cfg.APIKey, cfg.APISecret, cfg.ServerURL, groupId, instance.Config.Schema); err != nil {
 		http.Error(w, "failed to create room", http.StatusInternalServerError)
 		return
 	}

zooid/management.go

@@ -1,7 +1,9 @@
 package zooid
 
 import (
+  "slices"
 	"context"
+	"errors"
 	"fiatjaf.com/nostr"
 	"fiatjaf.com/nostr/khatru"
 	"fiatjaf.com/nostr/nip86"
@@ -127,10 +129,6 @@ func (m *ManagementStore) PubkeyIsBanned(pubkey nostr.PubKey) bool {
 
 // Admins
 
-func (m *ManagementStore) IsAdmin(pubkey nostr.PubKey) bool {
-	return m.Config.IsOwner(pubkey) || m.Config.IsSelf(pubkey)
-}
-
 func (m *ManagementStore) GetAdmins() []nostr.PubKey {
 	members := make([]nostr.PubKey, 0)
 
@@ -147,6 +145,10 @@ func (m *ManagementStore) GetAdmins() []nostr.PubKey {
 	return members
 }
 
+func (m *ManagementStore) IsAdmin(pubkey nostr.PubKey) bool {
+	return slices.Contains(m.GetAdmins(), pubkey)
+}
+
 // Membership
 
 func (m *ManagementStore) GetMembers() []nostr.PubKey {
@@ -195,6 +197,10 @@ func (m *ManagementStore) AddMember(pubkey nostr.PubKey) error {
 }
 
 func (m *ManagementStore) RemoveMember(pubkey nostr.PubKey) error {
+	if m.IsAdmin(pubkey) {
+		return errors.New("Can't remove permanent admins from relay.")
+	}
+
 	membersEvent := m.Events.GetOrCreateRelayMembersList()
 
 	if membersEvent.Tags.FindWithValue("member", pubkey.Hex()) != nil {