Limiting who can stream to an instance #140
Comments
Webhooks would be much better. This way a custom backend in any language can authorize publish and view events easily.
I agree. Would you be interested in helping start this @mpisat ? Maybe you set a URL per instance. Then have a JSON body with event and other data
I will try to implement something, test it, and if I'm satisfied with the result, I'll send a MR.
I have this one and provided a simple go backend to receive webhooks (and allow them) root@sin:~/broadcast-box# ./broadcast-box on Go mock backend side: if it is set to deny you can be creative and provide queryparams to streamkey for view authorization, but it will require further code changes. I can send an MR if code quality is acceptable.
Hello, I just found this project and would be interested in a variant with exactly this webhook implementation. I wanted to implement something like this MR myself and open a M, but found this issue and the code @mpisat already implemented. What's the current status of this? It seems a bit abandoned... I would then be interested in providing an example implementation for such an authentication backend, but it would depend on the webhook integration.
Hi @neilschark project isn’t abandoned I am actively working on it! Are you interested in adding webhook support? I would love to review and merge it!
@neilschark you can use my fork if you want. for publishing it works out of the box. for playback, well, it requires more work.
Yes, I would be interested to help with an integration. My current plan is to use the Webhook implementation @mpisat started and add a webserver for the authentication, which is just a reference implementation to use out of the box. Unfortunately I have no knowledge in frontend development, so the frontend must be done by someone else. I would only start with an implementation to limit streaming to the server, not limiting watching of a stream. I will open a PR when I am ready.
Fantastic @neilschark ! You don’t even need to make a reference server. Just add an env variable; the request should be JSON with details of the request, I think? Src IP, user agent and maybe just stream key for now?
If you just want the webhook implementation, you can use this mr https://github.com/mpisat/broadcast-box/pull/1/files by @mpisat Maybe he could create a proper PR in this project. I have an idea building a small reference implementation which uses OAuth2 for simple user management in go based on pocketbase, so that an admin of broadcast-box wouldn't have to provide his own backend for that, but could if he would choose to. I hope to have a pr ready soon, where we could then discuss if the idea is good or not.
I can modify PR to limit it to only publishers if needed.
@mpisat I would love to see both! Sorry I didn’t know you had done this work, I will do a better job of reviewing PRs in the future :(
I didn't send PR to your repo, I wasn't sure if my solution was acceptable, so I keep it in my fork. I probably need to modify it a bit to make it optional. right now it expects WEBHOOK_URL
Just looked at your repo, the code looks really good! I would love to get this merged
I can send a PR but it will require a backend service for WEBHOOK_URL
Discussed with @Sean-Der on Discord so raising here to discuss further and welcome suggestions from others.
The ask was whether there's anything in place or that can be easily added to limit who can stream to an instance of Broadcast Box as presently if someone can connect to watch something they can also stream to it which could quite easily be abused.
One such idea was about adding a query parameter which is a token set, potentially, as an environment variable so that only when they match will the input stream be allowed. An alternative suggestion from Sean was of the possibility of using nginx and how it may have other advantages for serving static content too.
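
An added example (not code from this thread or from @mpisat's fork): a small Go backend of the kind the comments describe sitting behind WEBHOOK_URL, which approves a publish only when the stream key matches a token taken from an environment variable. The JSON field names, the `STREAM_KEY` variable, the `/webhook` path, the listen address and the 200/403 allow/deny convention are all assumptions, since the thread does not fix a wire format.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
)

// publishEvent is an assumed webhook body; the field names are hypothetical.
type publishEvent struct {
	Action    string `json:"action"`
	StreamKey string `json:"streamKey"`
	SrcIP     string `json:"srcIP"`
	UserAgent string `json:"userAgent"`
}

// authorize fails closed: only a publish with a non-empty, matching key passes.
func authorize(ev publishEvent, allowed []string) bool {
	if ev.Action != "publish" || ev.StreamKey == "" {
		return false
	}
	ok := 0
	for _, k := range allowed {
		// Constant-time compare so response timing does not leak key bytes.
		ok |= subtle.ConstantTimeCompare([]byte(k), []byte(ev.StreamKey))
	}
	return ok == 1
}

// webhookHandler answers 200 to allow and 403 to deny (assumed convention).
func webhookHandler(allowed []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var ev publishEvent
		dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096))
		if r.Method != http.MethodPost || dec.Decode(&ev) != nil || !authorize(ev, allowed) {
			// %q escapes control characters; the stream key is never logged.
			log.Printf("deny action=%q src=%q", ev.Action, ev.SrcIP)
			http.Error(w, "denied", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	// STREAM_KEY is a hypothetical variable name; unset means every publish is denied.
	http.Handle("/webhook", webhookHandler([]string{os.Getenv("STREAM_KEY")}))
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", nil))
}
```

Binding to loopback keeps the backend reachable only from the streaming server on the same host; view events are denied here because the thread scopes the first step to publishing only.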