Listen rooms knowing only admin_secret or TURN credentials

Hello!

Is it possible to listen to (catch) room publishers when knowing only the admin_secret or TURN credentials?

I am wondering because a fired employee can somehow listen to our rooms. He only had access to the repository with configurations, where this data is located.

TURN has nothing to do with it. If by admin secret you mean the Admin API secret, then yes, they can do a lot with that: they can definitely do a “list” on the VideoRoom to list rooms, and from there query the list of publishers. Just change the Admin API secret, in that case.

Notice that listing the rooms and who’s in them can normally also be done simply using the Janus API. You can hide the list of rooms by making them private (but then you wouldn’t be able to query them either, unless you make use of the VideoRoom admin key). For regular users, you may want to either start using auth tokens (so that they can’t start talking to Janus unless they go through some auth service of yours) or put Janus behind a wrapper where you control the signalling.

You mentioned “query the list of publishers”, but can they actually listen to these publishers, not only observe that they exist?

Once you know the room and publisher ID, you can create a subscription to it. That’s why I mentioned auth tokens for the Janus API can help. Enabling the requirement to provide private_id can also help (a user would need to join as a publisher, even without publishing, before they can subscribe, and you could add ACL or pins as a requirement to join as publisher). Please refer to the VideoRoom documentation for more info.
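The two answers above list the settings that decide whether an outsider can enumerate rooms and subscribe to publishers: `token_auth` and the Admin API secret in `janus.jcfg`, and `is_private`, `pin`, `require_pvtid`, `secret`, plus the plugin-level `admin_key` and `lock_rtp_forward` in `janus.plugin.videoroom.jcfg`. The script below is an added example, not code from the thread or from the Janus project: it parses the flat libconfig-style `.jcfg` files Janus ships and reports which of those settings are weak. The two sample configs are constructed for this example (the `admin_secret` value is the default shipped in `janus.jcfg`).

```python
"""Audit Janus .jcfg files for settings that leave rooms listable or subscribable.

Added example; the sample configs below are constructed, not taken from a real
deployment. Key names are the ones used in janus.jcfg and
janus.plugin.videoroom.jcfg.
"""
import re

JANUS_SAMPLE = """
general: {
    admin_secret = "janusoverlord"   # default value from the shipped config
    #token_auth = true
    #token_auth_secret = "janus"
}
"""

VIDEOROOM_SAMPLE = """
general: {
    #admin_key = "supersecret"
    #lock_rtp_forward = true
}

room-1234: {
    description = "Demo Room"
    secret = "adminpwd"
    publishers = 6
    bitrate = 128000
}

room-5678: {
    description = "Board meeting"
    secret = "adminpwd"
    is_private = true
    pin = "1234"
    require_pvtid = true
}
"""

_SECTION = re.compile(r'^([\w.-]+)\s*:\s*\{$')
_ENTRY = re.compile(r'^([\w.-]+)\s*=\s*(.+?)\s*;?$')


def _strip_comment(line):
    """Drop a '#' comment, but leave a '#' inside a quoted string alone."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        out.append(ch)
    return ''.join(out)


def _value(raw):
    """Convert a libconfig scalar: quoted string, true/false, or integer."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ('true', 'false'):
        return raw == 'true'
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_jcfg(text):
    """Return {section: {key: value}} for a one-level Janus .jcfg file."""
    config, current = {}, None
    for line in text.splitlines():
        line = _strip_comment(line).strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            config.setdefault(current, {})
            continue
        if line == '}':
            current = None
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            config[current][m.group(1)] = _value(m.group(2))
    return config


def audit(janus_cfg, videoroom_cfg):
    """Return a list of findings, one string per weak setting."""
    findings = []
    core = janus_cfg.get('general', {})
    if core.get('admin_secret') in (None, 'janusoverlord'):
        findings.append('core: admin_secret missing or still the shipped default')
    if core.get('token_auth') is not True:
        findings.append('core: token_auth disabled, any client that reaches a transport can use the Janus API')
    vr = videoroom_cfg.get('general', {})
    if 'admin_key' not in vr:
        findings.append('videoroom: no admin_key, so rtp_forward cannot be locked to it and private rooms cannot be listed by your own tooling')
    elif vr.get('lock_rtp_forward') is not True:
        findings.append('videoroom: lock_rtp_forward off, rtp_forward needs only the room secret')
    for name, room in videoroom_cfg.items():
        if not name.startswith('room-'):
            continue
        if room.get('is_private') is not True:
            findings.append(f'{name}: listable by anyone via a "list" request')
        if not room.get('pin'):
            findings.append(f'{name}: no pin, anyone who knows the room ID can join')
        if room.get('require_pvtid') is not True:
            findings.append(f'{name}: require_pvtid off, a subscriber never has to join as a participant first')
        if not room.get('secret'):
            findings.append(f'{name}: no secret, room can be edited or destroyed by anyone')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_jcfg(JANUS_SAMPLE), parse_jcfg(VIDEOROOM_SAMPLE)):
        print('-', finding)
```

Run it against your own files with `parse_jcfg(open('/etc/janus/janus.jcfg').read())` and the VideoRoom config; `room-1234` above shows the typical shipped demo room, which every finding applies to, while `room-5678` shows the hardened shape the answers describe.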

Thanks for your answers.
We already have a signalling wrapper around Janus, where there is validation when a user joins and configures.

So, is it still possible to bypass the signalling server and do a subscription via the vanilla JS files which are in the html directory of your repository?

I don’t know how you implemented or protected the wrapper, or how you configured the Janus transports or the network around it. Make sure only your wrapper can talk to Janus and that won’t be an issue.

The wrapper and Janus are behind a docker firewall, so they are not published. Only the /admin endpoint is exposed via Nginx.

As far as I understand, there is no possibility to attach to a plugin/handle via the admin API. Our transports (websockets) are not exposed.

Then maybe they’re using rtp_forward to relay the publisher’s media externally?
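The earlier answer said an Admin API secret lets someone list rooms and then their publishers, and the one above points at rtp_forward as a way to relay media out. Rather than digging through logs, the current state can be asked for directly: the Admin API `message_plugin` request passes a synchronous request to a plugin, so the VideoRoom `list`, `listparticipants` and `listforwarders` requests can be run with only `admin_secret` plus the room secrets. The script below is an added example, not code from the thread or from Janus; `ADMIN_URL`, `ADMIN_SECRET` and the `fake_transport` replies are constructed for this example, and the response field names follow the Janus documentation as I recall them (the forwarders key changed across versions, so verify against your version).

```python
"""Inventory rooms, publishers and RTP forwarders through the Janus Admin API.

Added example, not from the thread or the Janus project. ADMIN_URL, ADMIN_SECRET
and fake_transport's replies are constructed; check response field names against
the VideoRoom docs for your Janus version.
"""
import json
import urllib.request
import uuid

ADMIN_URL = "http://127.0.0.1:7088/admin"   # assumed; Admin HTTP transport on its default port
ADMIN_SECRET = "replace-me"                # assumed placeholder


def http_transport(payload):
    """Real transport: POST one JSON request to the Admin API and return the reply."""
    req = urllib.request.Request(ADMIN_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def videoroom_request(request, transport, room=None, secret=None):
    """Run a synchronous VideoRoom request via the Admin API 'message_plugin'."""
    body = {"request": request}
    if room is not None:
        body["room"] = room
    if secret is not None:
        body["secret"] = secret          # room secret; listforwarders needs it
    payload = {"janus": "message_plugin", "transaction": uuid.uuid4().hex,
               "admin_secret": ADMIN_SECRET, "plugin": "janus.plugin.videoroom",
               "request": body}
    reply = transport(payload)
    if reply.get("janus") != "success":
        raise RuntimeError(f"admin API error: {reply}")
    return reply["response"]


def inventory(transport, room_secrets):
    """Return {room_id: {"publishers": [...], "forwarders": [(pub, host, port, type)]}}."""
    report = {}
    for room in videoroom_request("list", transport)["list"]:
        rid = room["room"]
        parts = videoroom_request("listparticipants", transport, room=rid)["participants"]
        publishers = [p["id"] for p in parts if p.get("publisher")]
        fwd = videoroom_request("listforwarders", transport, room=rid,
                                secret=room_secrets.get(rid))
        # Key name differs by version: "rtp_forwarders" in 0.x, "publishers" in 1.x (as I recall).
        entries = fwd.get("publishers", fwd.get("rtp_forwarders", []))
        forwarders = []
        for entry in entries:
            for f in entry.get("forwarders", entry.get("rtp_forwarder", [])):
                forwarders.append((entry["publisher_id"], f.get("host", f.get("ip")),
                                   f.get("port"), f.get("type")))
        report[rid] = {"publishers": publishers, "forwarders": forwarders}
    return report


def unexpected_forwarders(report, allowed_hosts):
    """Forwarders relaying media to a host you did not set up yourself."""
    return [(rid, pub, host, port, kind)
            for rid, data in report.items()
            for pub, host, port, kind in data["forwarders"]
            if host not in allowed_hosts]


def fake_transport(payload):
    """Constructed Admin API replies so the script runs offline (not real Janus output)."""
    req = payload["request"]
    if req["request"] == "list":
        resp = {"videoroom": "success", "list": [{"room": 1234, "description": "Demo Room"}]}
    elif req["request"] == "listparticipants":
        resp = {"videoroom": "participants", "room": 1234,
                "participants": [{"id": 11, "display": "alice", "publisher": True},
                                 {"id": 12, "display": "bob", "publisher": False}]}
    else:  # listforwarders
        resp = {"videoroom": "forwarders", "room": 1234,
                "publishers": [{"publisher_id": 11,
                                "forwarders": [{"stream_id": 1, "type": "video",
                                                "host": "203.0.113.9", "port": 5004}]}]}
    return {"janus": "success", "transaction": payload["transaction"], "response": resp}


if __name__ == "__main__":
    report = inventory(fake_transport, {1234: "adminpwd"})   # swap in http_transport for a live run
    print(json.dumps(report, indent=2))
    for item in unexpected_forwarders(report, allowed_hosts={"198.51.100.20"}):
        print("unexpected forwarder:", item)
```

Anything `unexpected_forwarders` returns is a publisher's media being relayed to an address you did not configure; after rotating `admin_secret` and the room secrets, the same inventory can be re-run to confirm the forwarders are gone.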

I don’t think so, that should be too smart for them. But I can keep this in mind. Does rtp_forwarding have logs, and can I dig through some logs to check whether it was that?

FYI, we have debug_level = 5.