@fkwp fkwp commented Feb 24, 2025

Closes: #95

To ensure the proper and secure use of infrastructure:

  • Add ability to differentiate between full-access and restricted users
    • Full-access users are Matrix users of homeservers belonging to the same or related deployment alongside the MatrixRTC backend.
    • All other Matrix users are considered as restricted users.
  • Give different access to the LiveKit SFU dependent on the user's origin
    • Full-access users
      • JWT service will automatically create LiveKit SFU rooms if required.
    • Restricted users
      • Access to LiveKit SFU is restricted for remote users.
      • Remote users can join existing LiveKit SFU rooms, but missing rooms will not be automatically created to ensure the proper and secure use of infrastructure.

Note: due to the SFU selection algorithm and the order of events, this will NOT limit or prevent video conferences across Matrix federation.

Homeservers of full-access users are defined by the ~~LIVEKIT_LOCAL_HOMESERVERS~~ LIVEKIT_FULL_ACCESS_HOMESERVERS environment variable via a comma-separated list. It supports * as a wildcard to give full-access to users from all homeservers.

Note: this requires a MatrixRTC client implementation with more robust handling of SFU error cases. Hence, for now we recommend using it with LIVEKIT_FULL_ACCESS_HOMESERVERS=*
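
The allow-list decision described in the PR description above, as an added Go example that is not code from this pull request or from the project. The function names, exact-match comparison, and fail-closed handling of malformed IDs are assumptions, and the Matrix user ID is assumed to have been verified before it reaches this check.

```go
package main

import (
	"fmt"
	"strings"
)

// homeserverOf returns the server name of a Matrix user ID ("@localpart:server").
// The server name may itself contain ':' (port, IPv6 literal), so cut at the first one.
func homeserverOf(userID string) (string, bool) {
	localpart, server, found := strings.Cut(userID, ":")
	if !found || server == "" || !strings.HasPrefix(localpart, "@") {
		return "", false
	}
	return server, true
}

// isFullAccess checks a user against the comma-separated value of
// LIVEKIT_FULL_ACCESS_HOMESERVERS; a "*" entry grants full access to everyone.
// Assumption: entries are compared exactly, so "example.org" does not
// cover "evil-example.org" or "sub.example.org".
func isFullAccess(rawList, userID string) bool {
	server, ok := homeserverOf(userID)
	if !ok {
		return false // assumption: fail closed on malformed IDs, even with "*"
	}
	for _, entry := range strings.Split(rawList, ",") {
		if entry = strings.TrimSpace(entry); entry == "*" || entry == server {
			return true
		}
	}
	return false
}

// shouldCreateRoom: only full-access users trigger creation of a missing SFU room;
// restricted users can only join a room that already exists.
func shouldCreateRoom(rawList, userID string, roomExists bool) bool {
	return !roomExists && isFullAccess(rawList, userID)
}

func main() {
	list := "example.org, matrix.example.com:8448" // constructed sample value
	for _, u := range []string{"@alice:example.org", "@bob:remote.test"} {
		fmt.Println(u, "full-access:", isFullAccess(list, u),
			"create missing room:", shouldCreateRoom(list, u, false))
	}
}
```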

@fkwp fkwp requested a review from a team as a code owner February 24, 2025 14:32
@fkwp fkwp requested a review from robintown February 24, 2025 14:32
@fkwp fkwp marked this pull request as draft February 24, 2025 14:36
@fkwp fkwp force-pushed the fkwp/add_different_permissions branch 2 times, most recently from 2d8d17f to 5191cd9 Compare February 26, 2025 14:27
@fkwp fkwp changed the title Fkwp/add different permissions Restrict access to LiveKit for users not on the same homeserver Feb 26, 2025
@fkwp fkwp changed the base branch from main to fkwp/consistent_nameing February 26, 2025 14:53
Base automatically changed from fkwp/consistent_nameing to main February 26, 2025 18:05
@fkwp fkwp force-pushed the fkwp/add_different_permissions branch from 36391d5 to 56e20c5 Compare April 2, 2025 16:54
pReya commented Jul 2, 2025

@fkwp Do you know why this hasn't been merged yet? As a spectator I can't tell what's still missing to get this merged.

fkwp commented Jul 15, 2025

> @fkwp Do you know why this hasn't been merged yet? As a spectator I can't tell what's still missing to get this merged.

This is currently blocked by a missing MatrixRTC client implementation which requires more robust handling of SFU error cases.

@fkwp fkwp force-pushed the fkwp/add_different_permissions branch from 4aad0f3 to ff1502b Compare July 24, 2025 17:31
@fkwp fkwp requested review from BillCarsonFr and removed request for robintown July 24, 2025 17:33
BillCarsonFr previously approved these changes Jul 28, 2025
@BillCarsonFr BillCarsonFr left a comment

I think the readme Installation section is outdated and misses the new -e LIVEKIT_FULL_ACCESS_HOMESERVERS = (per my understanding it is required)

Other than that, just some nits

fkwp commented Jul 28, 2025

> I think the readme Installation section is outdated and misses the new -e LIVEKIT_FULL_ACCESS_HOMESERVERS = (per my understanding it is required)
>
> Other than that, just some nits

Updated the readme 8cfc4db

Currently it's defaulting to * such that it is not a breaking change. Going forward we should change it.

@fkwp fkwp marked this pull request as ready for review July 28, 2025 17:29
@fkwp fkwp requested a review from BillCarsonFr July 28, 2025 17:29
@BillCarsonFr BillCarsonFr left a comment

Ok.

@fkwp fkwp enabled auto-merge (squash) July 29, 2025 08:33
@fkwp fkwp merged commit 114f0f4 into main Jul 29, 2025
4 checks passed
@fkwp fkwp deleted the fkwp/add_different_permissions branch July 29, 2025 08:34
@fkwp fkwp changed the title Restrict access to LiveKit for users not on the same homeserver Restrict access to LiveKit SFU by differentiating full-access and restricted Matrix users for room creation Jul 29, 2025
@Josue-T Josue-T mentioned this pull request Aug 1, 2025
2 tasks
Development

Successfully merging this pull request may close these issues.

Allow restricting the set of home servers for which tokens are issued