API for getting TURN creds #31
Conversation
| }) | ||
| .catch((err) => { | ||
|
|
||
| }); |
There was a problem hiding this comment.
doesnt this API make it very easy to abuse?
anyone could just go to the code of a supported app in browser and extract this line with all needed credentials. this could then be used anywhere while the app has to pay us?
There was a problem hiding this comment.
@lennart-csio No, This is api is not accessible by everyone.
We have a postgress flag for the appID called taasEnabled, This flag has to be true to obtain turnCredentials.
At the moment there is no way to set the flag without contacting us.
There was a problem hiding this comment.
May be we can add "Contact us for enabling turn usage" in the documentation to prevent the confusion.
There was a problem hiding this comment.
It does say already "This is an on-demand feature, please contact sales@callstats.io for enabling this feature. "
There was a problem hiding this comment.
@karthikbr82 yes, i see. however, if there is an app that is taasEnabled and has this integrated, then any user can extract the line from the source code and use it himself without the app knowing
There was a problem hiding this comment.
@lennart-csio Exactly, Noting can be hidden in javascript. It was possible to do get the same when we were sending the credentials in recomenedConfig callback. Users can also extract turn credentials from authenticate response which we use for PCT. Or user can also write a peerconnection SHIM and extract iceServers from pcConfig.
There was a problem hiding this comment.
Aren't the credentials rotating?
|
@karthikbr82 there same question, why not merge this? |
No description provided.