A serious issue: WebRTC inevitably exposes server user account information, so a time-sensitive mechanism is needed to prevent unauthorized access and continuous use. I'm unsure how this project's mechanism works and how we should configure it.

[introspection3]

A serious issue: WebRTC inevitably exposes server user account information, so a time-sensitive mechanism is needed to prevent unauthorized access and continuous use. I'm unsure how this project's mechanism works and how we should configure it. Additionally, dynamic maintenance of usernames and passwords is also required.

[JoTurk]

Can you explain more what is the issue? if it's a security or a sensitive issue and you don't want to say details you can email me jo@pion.ly or email pion's security group security@pion.ly.

[introspection3]

The TURN server address and account information used by WebRTC must be provided to the client, which means that anyone on Earth could use the TURN server for free through the exposed account information.
@JoTurk

[JoTurk]

Pion/turn let's you control the allocations per user, you can make sure that only authenticated users have access, We have a simple example here https://github.com/pion/turn/blob/master/examples/turn-server/simple-quota/main.go

We have a #help channel in our discord if you need any more help, thank you.

[introspection3]

No,You don't know the whole situation or its seriousness.
Coturn can use user-quota for the maximum concurrent connections per username, max-bps for the maximum bandwidth per connection, and --use-auth-secret with ttl to meet basic requirements. I don't know if your project supports this.

[JoTurk]

@introspection3 you can implement all of this in pion turn, please look at the code I linked https://github.com/pion/turn/blob/master/examples/turn-server/simple-quota/main.go#L59-L118
for bandwidth quota please take a look at https://github.com/pion/turn/blob/master/examples/turn-server/bw-quota/main.go

[fippo]

quoting 2013's https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00#section-1:

TURN provides a mechanism to control access via [RFC5389] long-term
credentials that are provided as part of the TURN protocol. It is
expected that these credentials will be kept secret; if the
credentials are discovered, the TURN server could be used by
unauthorized users or applications. However, in web applications,
ensuring this secrecy is typically impossible.

https://github.com/pion/turn/tree/master/examples/lt-cred-generator shows a credential generator and its usage.

[JoTurk]

https://github.com/pion/turn/tree/master/examples/lt-cred-generator shows a credential generator and its usage.

Thank you for linking this, Also this example can be used with Pion's AuthHandler to limit credential to specific source address or to limit how many source addresses a single credential can bind to.

https://github.com/pion/turn/blob/f45251c282039f462b72f0593490bcef1409caeb/internal/auth/auth.go#L15C6-L15C23