Stream Restriction by authorize domains or ip addresses?
- Thread starter Homer
- Start date
Currently WCS does not support domain restriction.
We will inform you once it is implemented.
For authentication, you can generate temporary short-living tokens and pass the tokens to play() method. You can also authorize by IP address.
Example:
1. You play a stream.
Code:
session.createStream({name: 'stream1',display: myDisplay, custom:{token:'abcdef-1000ms-alive'}}).play();http://your-web-server.com/api/playStream
Content-Type: application/json
Code:
{
"name": "stream1",
"custom": {token:'abcdef-1000ms-alive'},
"sessionId": "192.168.88.22/10.0.0.1"
}3. Your web server answers with HTTP status 403 Forbidden to reject playback.
Or your web server answers with HTTP 200 OK to permit playback.
You can learn more from our REST Methods docs:
https://flashphoner.com/docs/wcs5/wcs_docs/html/en/wcs-rest-methods
Starting from the following builds
Web SDK
https://flashphoner.com/downloads/b...2681597f499580ba3210ee73cdc78e20251dd3.tar.gz
Server 2436
You can pass parameter 'token' to roomApi.connect() method.
Example:
Code:
connection = Flashphoner.roomApi.connect({urlServer: url, username: username, token: '12345'}).on(SESSION_STATUS.FAILED, function(session){
setStatus('#status', session.status());
onLeft();
}).on(SESSION_STATUS.DISCONNECTED, function(session) {
setStatus('#status', session.status());
onLeft();
}).on(SESSION_STATUS.ESTABLISHED, function(session) {
setStatus('#status', session.status());
joinRoom();
});Example:
Code:
URL:http://localhost:9091/RoomApp/connect
OBJECT:
{
"nodeId" : "ET3IqW3xNOdbMzy8xarh4LwBCz7JetSz@192.168.88.59",
"appKey" : "roomApp",
"sessionId" : "/192.168.88.254:51050/192.168.88.59:8443",
"useWsTunnel" : false,
"useWsTunnelPacketization2" : false,
"useBase64BinaryEncoding" : false,
"mediaProviders" : [ "WebRTC", "MSE", "WSPlayer" ],
"clientVersion" : "0.5.24",
"clientOSVersion" : "5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
"clientBrowserVersion" : "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
"custom" : {
"login" : "222",
"token" : "12345"
}
}1) Authenticate connections by the passed token and return 403 Forbidden if access is unauthorized.
2) Delegate and forward REST request to internal address http://localhost:9091/RoomApp/connect if connection is authorized.
Docs
https://flashphoner.com/docs/wcs5/wcs_docs/html/en/wcs-rest-methods/
Yes you have to update the URL using CLI.
For example, change
http://localhost:9091/RoomApp
to
http://your-web-server/RoomApp
Once this update is done, your room application will be broken because you did not implement forwarding to original URL http://localhost:9091/RoomApp.
So you have to implement the forwarding before update.
1. Implement forwarding and test.
Example:
If you receive REST/HTTP JSON request to your URL http://your-web-server/RoomApp/connect, you forward this request to http://localhost:9091/RoomApp as is.
If you receive REST/HTTP JSON response from http://localhost:9091/RoomApp/connect, you forward this response to WCS server as is.
2. Change URL to http://your-web-server/RoomApp in CLI
You don't need to restart WCS server to apply changes.
For example, change
http://localhost:9091/RoomApp
to
http://your-web-server/RoomApp
Once this update is done, your room application will be broken because you did not implement forwarding to original URL http://localhost:9091/RoomApp.
So you have to implement the forwarding before update.
1. Implement forwarding and test.
Example:
If you receive REST/HTTP JSON request to your URL http://your-web-server/RoomApp/connect, you forward this request to http://localhost:9091/RoomApp as is.
If you receive REST/HTTP JSON response from http://localhost:9091/RoomApp/connect, you forward this response to WCS server as is.
2. Change URL to http://your-web-server/RoomApp in CLI
You don't need to restart WCS server to apply changes.
Yes you can do that using CLI:
Result:
Code:
update app -k roomApp2 roomApp
Code:
> show apps
owner name appKey id URL
----------------------------------------------------------------------------------
admin flashChatApp flashChatApp 6 http://localhost:9091/ChatApp
admin conferenceApp conferenceApp 10 http://localhost:9091/ConferenceApp
admin sfu sfu 13 http://localhost:9091/EchoApp
admin clickToCallApp clickToCallApp 12 http://localhost:9091/ClickToCallApp
admin qaApp qaApp 3 http://localhost:9091/QAApp
admin chatRoomApp roomApp2 9 http://localhost:9091/RoomApp
admin chatRoomApp flashRoomApp 5 http://localhost:9091/RoomApp
admin wcs3App wcs3App 2 http://localhost:9091/EchoApp
admin websocketChatApp websocketChatApp 7 http://localhost:9091/ChatApp
admin callApp callApp 11 http://localhost:9091/CallApp
admin defaultApp defaultApp 1 http://localhost:9091/EchoApp
admin flashStreamingApp flashStreamingApp 4 http://localhost:9091/EchoApp
admin chatRoomApp chatRoomApp 8 http://localhost:9091/ChatRoomAppThanks for your reply, but isn't the appKey "roomApp" fixed in the Flashphoner-JavaScript-API for the roomApp?
I'm looking for a way to register more than one roomApp with the CLI and to configure on client-side which I want to use by the appKey. I think there's an option "appKey" for the method "Flashphoner.createSession" but not for "Flashphoner.roomApi.connect".
I'm looking for a way to register more than one roomApp with the CLI and to configure on client-side which I want to use by the appKey. I think there's an option "appKey" for the method "Flashphoner.createSession" but not for "Flashphoner.roomApi.connect".
We have fixed this in latest Web SDK build
https://flashphoner.com/downloads/b...ad5be146c7d0272bae4c03c48bce733a7bcfb4.tar.gz
Now you can pass appKey parameter:
Example:
https://flashphoner.com/downloads/b...ad5be146c7d0272bae4c03c48bce733a7bcfb4.tar.gz
Now you can pass appKey parameter:
Example:
Code:
connection = Flashphoner.roomApi.connect({urlServer: url, username: username, appKey: 'roomApp'}).on(SESSION_STATUS.FAILED, function(session){
setStatus('#status', session.status());
onLeft();
}).on(SESSION_STATUS.DISCONNECTED, function(session) {
setStatus('#status', session.status());
onLeft();
}).on(SESSION_STATUS.ESTABLISHED, function(session) {
setStatus('#status', session.status());
joinRoom();
});We have added passthrough "Origin"-header to REST in latest server build. Example:
You can now use "origin"-field on REST side to restrict access by domain.
Code:
URL:http://localhost:9091/EchoApp/connect
OBJECT:
{
"nodeId" : "4pAdCKlDJ87jZMR5oEOvtE3ymhuUzFeb@192.168.10.10",
"appKey" : "defaultApp",
"sessionId" : "/192.168.10.20:56725/192.168.10.10:8443",
"useWsTunnel" : false,
"useWsTunnelPacketization2" : false,
"useBase64BinaryEncoding" : false,
"mediaProviders" : [ "WebRTC", "WSPlayer" ],
"clientVersion" : "0.5.23",
"clientOSVersion" : "5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36",
"clientBrowserVersion" : "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36",
"origin" : "https://192.168.10.10"
}cwiggins999
Member
I'm also looking at how to implement the custom REST server for authentication on connect. Been reading through the documentation at https://flashphoner.com/docs/wcs5/wcs_docs/html/en/wcs-rest-methods/. If I only want to "override" the connect method for my app, do I still have to forward all other needed REST methods to the "localhost" server individually?
You can enable / disable REST methods using CLI
Here you add 'connect' method only. So other methods will not be invoked.
Or you can attach all available methods:
Or remove all
https://flashphoner.com/docs/wcs5/w...thods/index.html?controlling_rest_methods.htm
Code:
add-app-rest-method myApp connectOr you can attach all available methods:
Code:
add-app-rest-method -a myApp
Code:
remove app-rest-method -a myAppcwiggins999
Member
So if I remove all methods, would my app continue to function, just without the "supporting" calls to the localhost REST server?
cwiggins999
Member
I should probably elaborate on what I need to implement. I need to send an RTMP stream to WC5 (currently doing that via FFMpeg or Wirecaster) and have that viewable by WebRTC clients. That is all working well. I'd like to include an authentication token on the RTMP stream URL and have that used when the RTMP stream connects to WC5. From what I see when calling the "stream/find_all" method, the appkey being used for the RTMP feed is "flashStreamingApp". So I would either need to create my own app that handled the RTMP stream or override the connect method for flashStreamingApp. Is this correct? Can I create my own app? Currently my RTMP output is something like "rtmp://<myhostIP>:1935/live/BigBuck".
Hello
You can pass authentication directly in the RTMP URL
Example:
1. RTMP connection URL
Stream name
2. As you can see, WCS server sends REST /connect with custom object {"name":"value"}
Therefore the token can be passed to REST and you can authenticate it.
You can pass authentication directly in the RTMP URL
Example:
1. RTMP connection URL
Code:
rtmp://192.168.88.59/live?name=value
Code:
stream2229Therefore the token can be passed to REST and you can authenticate it.
Code:
URL:http://localhost:9091/EchoApp/connect
OBJECT:
{
"nodeId" : "ET3IqW3xNOdbMzy8xarh4LwBCz7JetSz@192.168.88.59",
"appKey" : "flashStreamingApp",
"sessionId" : "70d58925-f646-4099-ad2e-926040d6d06f",
"useWsTunnel" : false,
"useWsTunnelPacketization2" : false,
"useBase64BinaryEncoding" : false,
"custom" : {
"name" : "value"
}
}Attachments
If you are using ffmpeg, you can pass the custom object directly.
Example:
So having the custom object you can verify passed token and authenticate / reject the connection.
Example:
Code:
ffmpeg -re -i /tmp/VIDEO2findingnews.mp4 -acodec aac -vcodec libx264 -f flv -ar 44100 -rtmp_conn "O:1 NS:appKey:flashStreamingApp NS:name:12121212 NS:stream:12121212 NO:custom:O:1 NS:auth:22222222 NS:stream:3333333 O:0 O:0" rtmp://192.168.33.200:1935/12121212cwiggins999
Member
Thanks - I had already seen where I could pass the custom values into WCS via RTMP. My questions are more about how the apps are set up and the REST methods are configured - I'm having difficulty understanding how that mapping works:
1. Is "flashStreamingApp" the only way to send an RTMP stream to WC5? Can I set up my own app to receive RTMP?
2. For "flashStreamingApp" or my own app, can I configure only the "connect" method to go to my REST server, and have all the other methods use your default REST service at http://localhost:9091/EchoApp ?
3. If I create a new app and don't do "add app-rest-method -a myApp", will WCS still function as it should? Trying to understand if the REST methods are required or are optional for developers who need to intercept the WCS calls for various reasons.
I hope this makes sense. Thanks!
Chuck
1. Is "flashStreamingApp" the only way to send an RTMP stream to WC5? Can I set up my own app to receive RTMP?
2. For "flashStreamingApp" or my own app, can I configure only the "connect" method to go to my REST server, and have all the other methods use your default REST service at http://localhost:9091/EchoApp ?
3. If I create a new app and don't do "add app-rest-method -a myApp", will WCS still function as it should? Trying to understand if the REST methods are required or are optional for developers who need to intercept the WCS calls for various reasons.
I hope this makes sense. Thanks!
Chuck
Hello,
Application other than "flashStreamingApp" can be used for Flash streaming but that application should use FlashStreaming handlers.
Only required methods (e.g., only "connect" method) can be reconfigured. Other methods can be forwarded to the original application URL. Only those methods, which would be required for the functionality, have to be added to the application.
Please see below the procedure for using a new added application.
Log in to command line
Set up new application
1. Add new application
2. Set FlashStreaming handlers as the classes for direct calls and callback
3. Add methods to the application
Specifying the application appKey when connecting
Here both WCS and web server are on 192.168.1.5.
With the attached API example, connection will be rejected if the token is not "12345".
Application other than "flashStreamingApp" can be used for Flash streaming but that application should use FlashStreaming handlers.
Only required methods (e.g., only "connect" method) can be reconfigured. Other methods can be forwarded to the original application URL. Only those methods, which would be required for the functionality, have to be added to the application.
Please see below the procedure for using a new added application.
Log in to command line
Code:
ssh -p 2000 admin@localhost1. Add new application
Code:
add app myApp myAppKey http://192.168.1.5/rest/my_api
Code:
update app -m com.flashphoner.server.client.handler.wcs4.FlashStreamingHandler myAppKey
update app -c com.flashphoner.server.client.handler.wcs4.FlashStreamingCallbackHandler myAppKey
Code:
add app-rest-method -a myApp
Code:
ffmpeg -re -y -rtbufsize 1k -i /tmp/video.avi -preset ultrafast -acodec aac -vcodec h264 -strict -2 -f flv -rtmp_conn "O:1 NS:appKey:myAppKey NS:token:12345" rtmp://192.168.1.5:1935/live/stream1With the attached API example, connection will be rejected if the token is not "12345".