b8eed72f96
Closes FUNCTIONAL_AUDIT.md §4 #1: WebRTC 1:1 calls had working signaling but no NAT traversal, so calls between two peers behind symmetric NAT (corporate firewalls, mobile carrier CGNAT, Incus container default networking) failed silently after the SDP exchange. Backend: - GET /api/v1/config/webrtc (public) returns {iceServers: [...]} built from WEBRTC_STUN_URLS / WEBRTC_TURN_URLS / *_USERNAME / *_CREDENTIAL env vars. Half-config (URLs without creds, or vice versa) deliberately omits the TURN block — a half-configured TURN surfaces auth errors at call time instead of falling back cleanly to STUN-only. - 4 handler tests cover the matrix. Frontend: - services/api/webrtcConfig.ts caches the config for the page lifetime and falls back to the historical hardcoded Google STUN if the fetch fails. - useWebRTC fetches at mount, hands iceServers synchronously to every RTCPeerConnection, exposes a {hasTurn, loaded} hint. - CallButton tooltip warns up-front when TURN isn't configured instead of letting calls time out silently. Ops: - infra/coturn/turnserver.conf — annotated template with the SSRF- safe denied-peer-ip ranges, prometheus exporter, TLS for TURNS, static lt-cred-mech (REST-secret rotation deferred to v1.1). - infra/coturn/README.md — Incus deploy walkthrough, smoke test via turnutils_uclient, capacity rules of thumb. - docs/ENV_VARIABLES.md gains a 13bis. WebRTC ICE servers section. Coturn deployment itself is a separate ops action — this commit lands the plumbing so the deploy can light up the path with zero code changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
117 lines
3.6 KiB
Go
117 lines
3.6 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"veza-backend-api/internal/config"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func newWebRTCRouter(cfg *config.Config) *gin.Engine {
|
|
gin.SetMode(gin.TestMode)
|
|
r := gin.New()
|
|
r.GET("/config/webrtc", GetWebRTCConfig(cfg))
|
|
return r
|
|
}
|
|
|
|
func decodeWebRTC(t *testing.T, w *httptest.ResponseRecorder) WebRTCConfigResponse {
|
|
t.Helper()
|
|
var resp WebRTCConfigResponse
|
|
require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))
|
|
return resp
|
|
}
|
|
|
|
func TestGetWebRTCConfig_StunOnlyWhenNoTurn(t *testing.T) {
|
|
cfg := &config.Config{
|
|
WebRTCStunURLs: []string{"stun:stun.example.org:3478"},
|
|
}
|
|
r := newWebRTCRouter(cfg)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/config/webrtc", nil)
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
resp := decodeWebRTC(t, w)
|
|
require.Len(t, resp.IceServers, 1)
|
|
assert.Equal(t, []string{"stun:stun.example.org:3478"}, resp.IceServers[0].URLs)
|
|
assert.Empty(t, resp.IceServers[0].Username)
|
|
assert.Empty(t, resp.IceServers[0].Credential)
|
|
}
|
|
|
|
func TestGetWebRTCConfig_EmitsTurnBlockWhenFullyConfigured(t *testing.T) {
|
|
cfg := &config.Config{
|
|
WebRTCStunURLs: []string{"stun:stun.example.org:3478"},
|
|
WebRTCTurnURLs: []string{"turn:turn.veza.local:3478", "turns:turn.veza.local:5349"},
|
|
WebRTCTurnUsername: "vezauser",
|
|
WebRTCTurnCredential: "shhhhh",
|
|
}
|
|
r := newWebRTCRouter(cfg)
|
|
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/config/webrtc", nil)
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
resp := decodeWebRTC(t, w)
|
|
require.Len(t, resp.IceServers, 2)
|
|
|
|
assert.Equal(t, []string{"stun:stun.example.org:3478"}, resp.IceServers[0].URLs)
|
|
assert.Equal(t, []string{"turn:turn.veza.local:3478", "turns:turn.veza.local:5349"}, resp.IceServers[1].URLs)
|
|
assert.Equal(t, "vezauser", resp.IceServers[1].Username)
|
|
assert.Equal(t, "shhhhh", resp.IceServers[1].Credential)
|
|
}
|
|
|
|
func TestGetWebRTCConfig_OmitsTurnBlockWhenHalfConfigured(t *testing.T) {
|
|
// Half-configured TURN (URLs but no creds) is worse than missing —
|
|
// the browser would surface auth failures instead of falling back
|
|
// cleanly. The handler omits the block in that case.
|
|
cases := map[string]*config.Config{
|
|
"missing username": {
|
|
WebRTCStunURLs: []string{"stun:s.test:3478"},
|
|
WebRTCTurnURLs: []string{"turn:t.test:3478"},
|
|
WebRTCTurnCredential: "creds",
|
|
},
|
|
"missing credential": {
|
|
WebRTCStunURLs: []string{"stun:s.test:3478"},
|
|
WebRTCTurnURLs: []string{"turn:t.test:3478"},
|
|
WebRTCTurnUsername: "user",
|
|
},
|
|
"missing urls": {
|
|
WebRTCStunURLs: []string{"stun:s.test:3478"},
|
|
WebRTCTurnUsername: "user",
|
|
WebRTCTurnCredential: "creds",
|
|
},
|
|
}
|
|
for name, cfg := range cases {
|
|
t.Run(name, func(t *testing.T) {
|
|
r := newWebRTCRouter(cfg)
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/config/webrtc", nil)
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
resp := decodeWebRTC(t, w)
|
|
assert.Len(t, resp.IceServers, 1, "only the STUN entry should be present when TURN is partial")
|
|
assert.Equal(t, []string{"stun:s.test:3478"}, resp.IceServers[0].URLs)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestGetWebRTCConfig_EmptyConfigReturnsEmptyIceServers(t *testing.T) {
|
|
cfg := &config.Config{} // no STUN, no TURN
|
|
r := newWebRTCRouter(cfg)
|
|
w := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/config/webrtc", nil)
|
|
r.ServeHTTP(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
resp := decodeWebRTC(t, w)
|
|
assert.Empty(t, resp.IceServers)
|
|
}
|