Setting token or secret key to access TURN server from JavaScript code


ROOPESH THAKKAR

Jun 28, 2021, 1:59:16 AM
to TURN Server (Open-Source project)
Hi there,

I am working on a Screen Share project using WebRTC and a TURN server. For the backend I am using ASP.NET MVC.
I am passing my TURN server user name and password from my JavaScript file. I feel it is not safe, as anyone can get the user name and password and may misuse the server resources.

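JavaScript code:

// ICE configuration with the long-term TURN username and password
// embedded in client-side code, as described above.
var configuration = {
    'iceServers': [
        {
            'urls': 'turn:turn.xxxx.com:3478',
            'username': 'xxxxxxxr',
            'credential': 'xxxxxx'
        },
        { 'urls': 'stun:turn.xxxxxx.com:3478' }
    ]
};

// The index expression was lost in the original post; peerId is a placeholder.
peerConnections[peerId] = new RTCPeerConnection(configuration);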

I want to know, is there any other way of doing it safely, either using tokens or any secret key or any other way.

If anyone knows the correct and safe way, please respond with details.

Thanks
Roopesh

Julio Spinelli

Jul 24, 2021, 12:32:15 PM
to TURN Server (Open-Source project)

Hi, I find it intriguing that nobody has replied to you.

I am no 😢 expert in coturn but may be able to help you.
First, you can enable the REST API support and then create the username/password combinations yourself in your WebRTC/signaling sockets server code as explained here,

But that doesn't prevent an attacker from mimicking your client's code and obtaining the credentials from your WebRTC server, thus you'd need some form of validating the client-side user before the server issues those shared secret credentials. I am working on that part in my mind right now.
You could randomly challenge the client's user for information that only they could know, and only then allow the server to issue the credentials to the client. Read these two questions and answers including the comments and you'll have it.

If somebody else emailed you directly with other suggestions, please share,

Thanks and best luck!
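The REST API approach mentioned in the reply above, sketched as an added example that is not part of the thread or of coturn's own code: the backend holds the shared secret and hands an authenticated session a short-lived username and HMAC credential. It assumes coturn runs with use-auth-secret and a matching static-auth-secret; the function names, the session object, the secret and turn.example.com are hypothetical placeholders.

```javascript
// Added example (not from the thread). Assumes coturn is started with
// use-auth-secret and static-auth-secret set to the same value as below.
const crypto = require('crypto');

// Constructed placeholder. The real secret lives only on the backend and
// in turnserver.conf; it is never sent to the browser.
const TURN_SHARED_SECRET = 'constructed-example-secret';

function hmacSha1(secret, text) {
  return crypto.createHmac('sha1', secret).update(text).digest();
}

// username = "<unix expiry>:<user id>", credential = base64(HMAC-SHA1(secret, username))
function issueTurnCredentials(userId, secret, ttlSeconds, nowMs = Date.now()) {
  if (!/^[A-Za-z0-9_.-]+$/.test(userId)) throw new Error('invalid userId');
  const username = `${Math.floor(nowMs / 1000) + ttlSeconds}:${userId}`;
  return {
    urls: 'turn:turn.example.com:3478', // placeholder host
    username,
    credential: hmacSha1(secret, username).toString('base64'),
  };
}

// Hypothetical endpoint logic: only a session the backend has already
// authenticated gets credentials, and they expire after ten minutes.
function credentialsForSession(session, nowMs = Date.now()) {
  if (!session || !session.authenticatedUser) return null;
  return issueTurnCredentials(session.authenticatedUser, TURN_SHARED_SECRET, 600, nowMs);
}

// Mirror of the server-side check, so the scheme can be tested offline.
function verifyTurnCredentials(username, credential, secret, nowMs = Date.now()) {
  const expiry = Number.parseInt(username.split(':')[0], 10);
  if (!Number.isFinite(expiry) || expiry < Math.floor(nowMs / 1000)) return false;
  const expected = hmacSha1(secret, username);
  const given = Buffer.from(String(credential), 'base64');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

The browser requests this object from the authenticated endpoint and places it in iceServers instead of a fixed username and credential, so a copied value stops working once its expiry passes.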