[Enhancement] Support external TURN with static auth secret

[Sommerwiesel]

What problem is solved by the new feature
Increased security
Support modern turn servers

Describe the feature
The files and doc on this github only tell about how to use an external TURN server that uses the ancient, by coturn unrecommended lt-cred mechanism (username + secret).

My coturn runs in (according to coturn docs officially recommended) static-auth-secret mode.

Sadly, I cannot figure out how to make pairdrop use my coturn as TURNS Server with static auth secret.
If I omit the username in the rtc json pairdrop throws an error that it needs an username.
This makes me think pairdrop doesn't even support static-auth secret.

Please support static-auth secret for external turn.
You should possible also deprecate the old lt-cred authentification.
It's neither safe nor recommended.

In case it's already supported, please document on how to set it up using the rtc_config.json, because I can't seem to figure it out on my own.

[schlagmichdoch]

You are correct that currently only static credentials are supported via the lt-cred mechanism as this was the easiest to implement to begin with. Beware, that any information you put into rtc-config.json will be public as its content is sent to clients as is to be used as the configuration of all RTCPeerConnection.

It's a good idea to implement expiring credentials via the static-auth-secret mode in the future but this requires a new API to derive credentials from the static-auth-secret and some logic to restart the signaling process once the credentials are expired (e.g. after 24h?). In Firefox the setting of configurations of existing RTCPeerConnections is only supported since 2022 though so for older versions we might have to come up with a polyfill which completely reinstantiates existing RTCPeerConnections or tells the user to reload the page.

I guess the creation of credentials would then look similar to this: https://stackoverflow.com/a/35767224/14678591
The username will then include the timestamp when the credentials expire. As an admin you will then only have to set the static-auth-secret via a new env var like RTC_STATIC_AUTH_SECRET or similar.

Beware though that there are lots of issues with higher priority so this will probably not be deployed until v2.2.

[Sommerwiesel]

Hey @schlagmichdoch and sorry for late reply, last weeks have been rough for my health.

Thanks for your detailed answer and explaination on why it's more complicated than I thought.
I totally understand why it's not a priority right now.

I'm currently hosting a lot of services such as pairdrop and by now almost all of them have fully deprecated the lt cred mechanism for turn authentication, so I kinda had to change my coturn to static auth secret.

Following user input (from those who use my pairdrop instance), I have disabled TURN for now (as most people don't use it over WAN) and will simply wait until you added support for static auth secret.

Thanks again and Cheers,
Marvin