Remove turn strict auth

Screego already secures the turn connections via credentials that are
generated on demand. The strict auth can cause problems when screego is
deployed via docker or some other container deployment.

config/config.go

@@ -45,9 +45,8 @@ type Config struct {
 	Secret                []byte `split_words:"true"`
 	SessionTimeoutSeconds int    `default:"0" split_words:"true"`
 
-	TurnAddress    string `default:":3478" required:"true" split_words:"true"`
-	TurnStrictAuth bool   `default:"true" split_words:"true"`
-	TurnPortRange  string `split_words:"true"`
+	TurnAddress   string `default:":3478" required:"true" split_words:"true"`
+	TurnPortRange string `split_words:"true"`
 
 	TurnExternalIP     []string `split_words:"true"`
 	TurnExternalPort   string   `default:"3478" split_words:"true"`
@@ -217,10 +216,18 @@ func Get() (Config, []FutureLog) {
 			Msg:   "Less than 40 ports are available for turn. When using multiple TURN connections this may not be enough",
 		})
 	}
+	logs = append(logs, logDeprecated()...)
 
 	return config, logs
 }
 
+func logDeprecated() []FutureLog {
+	if os.Getenv("SCREEGO_TURN_STRICT_AUTH") != "" {
+		return []FutureLog{{Level: zerolog.WarnLevel, Msg: "The setting SCREEGO_TURN_STRICT_AUTH has been removed."}}
+	}
+	return nil
+}
+
 func getExecutableOrWorkDir() (string, *FutureLog) {
 	dir, err := getExecutableDir()
 	// when using `go run main.go` the executable lives in th temp directory therefore the env.development

screego.config.development

@@ -2,4 +2,3 @@ SCREEGO_SECRET=secure
 SCREEGO_LOG_LEVEL=debug
 SCREEGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
 SCREEGO_USERS_FILE=./users
-SCREEGO_TURN_STRICT_AUTH=false

screego.config.example

@@ -40,12 +40,6 @@ SCREEGO_TURN_ADDRESS=0.0.0.0:3478
 #   50000:55000
 SCREEGO_TURN_PORT_RANGE=
 
-# If true, the TURN server will compare the remote IP of the request with the
-# remote ip of the existing WebSocket connection and deny access if it doesn't
-# match. Disable this feature, if you use some kind of proxy which changes the
-# remote ip.
-SCREEGO_TURN_STRICT_AUTH=true
-
 # If set, screego will not start TURN server and instead use an external TURN server.
 # When using a dual stack setup define both IPv4 & IPv6 separated by a comma.
 # Execute the following command on the server where you host TURN server

turn/server.go

@@ -22,9 +22,8 @@ type Server interface {
 }
 
 type InternalServer struct {
-	lock       sync.RWMutex
-	strictAuth bool
-	lookup     map[string]Entry
+	lock   sync.RWMutex
+	lookup map[string]Entry
 }
 
 type ExternalServer struct {
@@ -92,10 +91,7 @@ func newInternalServer(conf config.Config) (Server, error) {
 		return nil, fmt.Errorf("tcp: could not listen on %s: %s", conf.TurnAddress, err)
 	}
 
-	svr := &InternalServer{
-		lookup:     map[string]Entry{},
-		strictAuth: conf.TurnStrictAuth,
-	}
+	svr := &InternalServer{lookup: map[string]Entry{}}
 
 	gen := &Generator{
 		RelayAddressGenerator: generator(conf),
@@ -153,16 +149,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 	a.lock.RLock()
 	defer a.lock.RUnlock()
 
-	var connectedIP net.IP
-	switch addr := addr.(type) {
-	case *net.UDPAddr:
-		connectedIP = addr.IP
-	case *net.TCPAddr:
-		connectedIP = addr.IP
-	default:
-		log.Error().Interface("type", fmt.Sprintf("%T", addr)).Msg("unknown addr type")
-		return nil, false
-	}
 	entry, ok := a.lookup[username]
 
 	if !ok {
@@ -170,13 +156,6 @@ func (a *InternalServer) authenticate(username, realm string, addr net.Addr) ([]
 		return nil, false
 	}
 
-	authIP := entry.addr
-
-	if a.strictAuth && !connectedIP.Equal(authIP) {
-		log.Debug().Interface("allowedIp", addr.String()).Interface("connectingIp", entry.addr.String()).Msg("TURN strict auth check failed")
-		return nil, false
-	}
-
 	log.Debug().Interface("addr", addr.String()).Str("realm", realm).Msg("TURN authenticated")
 	return entry.password, true
 }