903 Commits

Author SHA1 Message Date
cnderrauber 46e5caedbe Report average bitrates for whip ingress (#4634) 2026-07-01 17:06:49 +08:00
Raja Subramanian 1faab0c48e Add support for data blob (a. k. a. async participant attributes) (#4619)
* Async attributes on participant.

How it is different from existing participant attributes?
1. Async attribute can be added one at a time.
2. These are not included in `ParticipantInfo`.
3. Get an attribute by participant identity and async attribute ID as
   and when needed.

* clean up

* get full definitions, not just ids

* listener OnDataTrackSchema

* name length config

* data blob

* deps

* static check

* Add missing request ID

* Update protocol commit

* Wire up StoreDataBlobResponse

* Pass request ID through in GetDataBlobResponse

* deps

* atomic

* sctp at 1.9.5

* remove proto clone

---------

Co-authored-by: Jacob Gelman <3182119+ladvoc@users.noreply.github.com>
2026-06-24 14:42:37 +05:30
Raja Subramanian 0cf53e2f0d Add option to force drain rtcService/agentService connections. (#4618)
When force: true, drain as fast as possible.
2026-06-23 16:10:50 +05:30
Raja Subramanian 1b69630a28 Prometheus metric for join latency. (#4616)
* Prometheus metric for join latency.

Also including a couple of other failures in the signal connection path
and moving the signal connected to after all that.

Not doing counters for the new signal failure paths. I should not have
done for the other two I added a little while ago also (
validation failure and start participant failure) as those are not
scalable to keep adding to node stats. Will probably remove those two
from node stats later. Can add those counters if they are useful.

* deprecate signal failed counters
2026-06-22 22:07:32 +05:30
Paul Wells b882ccc86d service: cap all metadata at 512 KiB; enforce on join, agent dispatch, and embedded agents (#4602)
* service: enforce metadata size limit in CreateRoom, bump default to 512 KiB

CreateRoom previously accepted any metadata size; only UpdateRoomMetadata
rejected oversized payloads. Mirror the same CheckMetadataSize check at
the CreateRoom API boundary so both entrypoints are bounded.

Default MaxMetadataSize moves from 64000 to 512 * 1024 to match the
practical needs of customers using room metadata for richer state. The
limit remains configurable via the existing limits.max_metadata_size knob.

* service: split room vs. participant metadata limit, enforce on join + agent dispatch

LimitConfig.MaxMetadataSize was shared between room metadata and
participant metadata. Last commit's bump to 512 KiB lifted both ceilings;
this restores the participant ceiling to 64 KB and introduces a separate
MaxRoomMetadataSize (default 512 KiB) for room metadata.

Additional enforcement:

- RoomManager.StartSession rejects joins whose JWT-grants metadata or
  attributes exceed the participant/attributes limits. The check was
  missing entirely from this path.
- AgentDispatchService.CreateDispatch and the embedded
  CreateRoomRequest.Agents path now validate metadata and attributes
  against the common 64 KB ceilings (previously unbounded).

NewAgentDispatchService gains a LimitConfig parameter; the two wire_gen
callsites are updated.

* service: collapse metadata size limit to single 512 KiB knob

Reverts the LimitConfig split introduced in the previous commit:
MaxRoomMetadataSize, CheckRoomMetadataSize, and the max_room_metadata_size
yaml key are removed. MaxMetadataSize moves back to 512 * 1024 and gates
all metadata uniformly — room (CreateRoom, UpdateRoomMetadata), participant
(UpdateParticipant, signal UpdateMetadata, JWT grants on join), and agent
dispatch (CreateDispatch + embedded RoomAgentDispatch).

MaxAttributesSize stays at 64 KB and continues to gate participant and
agent-dispatch attributes separately.

Test cases consolidated under the single knob.

* kb -> kib
2026-06-17 12:35:59 -07:00
Raja Subramanian 67ca7a12cf Record more RTC cancellation points. (#4600)
There are several places the participant can drop off after initiating a
connection attempt. Count those places as cancellation including when
participant is closed due to specific reasons.

Cancels should be discounted when determining RTC/ICE connectivity
success/failure percentage.
2026-06-17 20:43:29 +05:30
Paul Wells 12a023ae45 agent: thread attributes map from dispatch to job (#4598)
* agent: thread simulation flag from dispatch to job

Reads simulation from AgentDispatch / RoomAgentDispatch and copies it
onto Job in agent.LaunchJob and the inline room-agent path so workers
see the flag.

Stacked on top of livekit/protocol#1629.

* agent: replace simulation bool with attributes map

Threads the renamed attributes map (was bool simulation) from dispatch
to job and bumps the protocol pseudo-version.

* deps
2026-06-16 01:53:01 -07:00
David Colburn 1f3e06107b egress v2 api (#4592)
* egress v2

* reorganize
2026-06-12 15:17:02 -04:00
Raja Subramanian 688cc66ed8 Add API to get latest node stats. (#4589) 2026-06-11 19:31:39 +05:30
Trey Hakanson 233a226438 Add ability to run pprof on dedicated HTTP server (#4584)
This allows exposing the pprof/debug endpoints in a production
environment more easily, where it shouldn't be exposed publicly.
2026-06-10 21:23:39 -07:00
cnderrauber 816d37281d Add grants expiry to Auth context (#4581) 2026-06-10 17:44:58 +08:00
cnderrauber 7dc6877738 Preserve original expiry when refreshing token (#4580)
To avoid shortening the token expiration time during
refreshing cause client reconnect failed after network
down for a long time (>5min).
2026-06-10 14:51:10 +08:00
David Zhao e0815be27d chore: improve docker test shutdown reliability (#4576) 2026-06-08 08:27:15 -07:00
Dan Root bfd9deffd7 expose TCPFallbackRTTThreshold and AllowUDPUnstableFallback via config (#4556) 2026-06-08 22:07:08 +08:00
renovate[bot] dc8e0310ad Update go deps to v4 (#4482)
* Update go deps to v4

Generated by renovateBot

* update dockertest to v4

* fix

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: David Zhao <dz@livekit.io>
2026-06-07 23:07:40 -07:00
Raja Subramanian 835ef1b353 Metrics for participant active, i. e. fully established. (#4557)
* Metrics for participant active, i. e. fully established.

- Egress stub for v2 API
- Fix the participant canceled counter 🤦
- Add active counter -> this is incremented when a participant becomes
  active, i. e. primary peer connection established. Can be used to
  monitor node wise connection establishment issues.
- Add signalling validation fail counter.

With this, we have
- signalling validation fail
- signalling failed --> this is when the `startSession` fails
- signalling connected -> signalling is successful and can send back
  joinResponse to client

on media connection side
- rtc_init -> start
- rtc_connected -> participant session created (joined)
- rtc_active -> primary peer connection established
- rtc_canceled -> could not proceed with RTC connection due to not being
  able to resume.

* signalling counters deps

* revert pion/webrtc to 4.2.12 to get SCTP without interleaving

* go back to pion/webrtc 4.2.11 and sctp 1.9.5
2026-06-03 19:50:19 +05:30
cnderrauber 356ae211a3 Config documentation for advertise_internal_ip and skip_external_ip_validation (#4552)
See https://github.com/livekit/mediatransportutil/pull/88
2026-06-01 14:37:08 +08:00
Paul Wells 2dd5e63207 telemetry: split webhook-processed hook out of NewTelemetryService (#4548)
* telemetry: split webhook-processed hook registration out of NewTelemetryService

NewTelemetryService used to register a notifier processed-hook on the inner
*telemetryService directly. That made it impossible for downstream wrappers
(e.g. cloud's TelemetryService that overrides Webhook to fan out to a v3
observability pipeline) to intercept webhook events without double-firing
the legacy emission.

Lift the registration into a new exported helper RegisterWebhookHook, and
have the standalone server's wire provider createTelemetryService call it
right after construction so behavior is unchanged for callers that don't
wrap the service.
2026-05-27 09:40:55 -07:00
Paul Wells 222177a9e4 service: prevent nil deref in validate with wrapped join request (#4547)
When a client hits /rtc/v[01]/validate with a base64 WrappedJoinRequest
whose embedded JoinRequest.ClientInfo is unset, validateInternal called
AugmentClientInfo with a nil *ClientInfo and panicked at ci.Address =
GetClientIP(req). The non-wrapped branch already allocates via
ParseClientInfo; do the same here so pi.Client always gets at least the
resolved client Address.
2026-05-26 08:34:15 -07:00
Raja Subramanian dd7580b454 Protect against nil clientInfo (#4546) 2026-05-26 20:32:11 +05:30
Ninad Pundalik 145689e627 Start tracking Twirp method request latency in prometheus too, not just in logs (#4545)
* Start tracking Twirp method request latency in prometheus too, not just datadog
* Simplify latency tracking, do it in the logger itself
2026-05-26 14:53:16 +05:30
Raja Subramanian 2e22911dcd Remove backwards compatibility support for TURN auth. (#4539)
This was indicated in release v1.12.0 - https://github.com/livekit/livekit/releases/tag/v1.12.0
2026-05-22 17:00:42 +05:30
He Chen 77595d387a TEL-336: fix sip error categorization (#4528) 2026-05-18 15:44:44 -07:00
cnderrauber f303f499ef Always enable rtx codec (#4533)
Sfu will fallback to retransmit packet by media stream ssrc if rtx
is not negotiated (client doesn't have), so we should not disable
rtx explicitly (by codec config).

Fix #4519
2026-05-18 15:51:10 +08:00
cnderrauber 89faaeba82 Apply ttl check only when authenticate allocation creating (#4526)
* Apply ttl check only when authenticate allocation creating

TTL check could reject allocation/permission refresh in
security enhancement #4505, cause long-live session disconnect
when turn credential is expired.
Only check ttl on allocation creating to prevent abusing leaked
credential but keep long-live session work.
2026-05-15 14:55:05 +08:00
Denys Smirnov 8b79ec9e47 Support SIP auth realm for inbound. (#4522) 2026-05-14 10:45:16 +02:00
networkException d123675008 feat: auto create rooms for tokens with the RoomCreate grant (#4320)
This patch updates the check for auto creating rooms to also
consider the RoomCreate grant per token instead of just the
global config option.

With this patch, applications can decide on their own whether
users or which users can auto create rooms. This allows
applications that rely on auto creation (saving an API call)
to co-exist with those who might want to mint tokens for
subscribe-only users.

Specifically LaSuite Meet relies on the auto create behavior,
however enabling the global config option would make a
MatrixRTC deployment vulnerable to abuse, as users on remote
homeservers get tokens in order to subscribe.
2026-05-13 11:25:08 +05:30
Théo Monnom 7a3e595bde apply room tags from JWT grant room configuration (#4518) 2026-05-12 21:21:42 -07:00
Raja Subramanian cf20c9cd05 Add expiry to TURN password. (#4515)
* Add expiry to TURN password.

Defaults to 5m. For backwards compatibility expiry = 0 skips adding it.

* fix variable shadowing
2026-05-09 12:15:01 +05:30
Paul Wells 12fff29a12 allow setting agent job assignment url (#4512) 2026-05-07 13:13:21 -07:00
Paul Wells 8fbc5adfce update protocol for protojson (#4510) 2026-05-07 00:55:00 -07:00
Raja Subramanian 3de6f517e5 Add TURN permission handler. (#4505)
* Add TURN permission handler.

- Turn off permissions to private/link local/multicast and internal IPs
- Add a list of CIDRs that can be used for more things to deny
  permission to.

* unused

* add config for allowing private IPs, used in testing

* add a TTL to user name and use it to auth

* allow list for restricted peer CIDRs
2026-05-06 23:43:11 +05:30
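The peer filtering described in the commit above (#4505), sketched as an added Go example; this is not code from the livekit repository. The `PeerPolicy` type, its field names, the `sample` values and the rule that an allow-list entry overrides every restricted range are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// PeerPolicy is a hypothetical type for this example; field names are assumptions.
type PeerPolicy struct {
	AllowPrivate bool           // testing only: permit RFC 1918 and fc00::/7 peers
	Deny         []netip.Prefix // extra CIDRs to refuse, e.g. the node's own internal IPs
	Allow        []netip.Prefix // exceptions carved out of the restricted ranges
}

// sample holds constructed values, not the project's defaults.
var sample = PeerPolicy{
	Deny:  []netip.Prefix{netip.MustParsePrefix("100.64.0.0/10")}, // CGNAT, not covered by IsPrivate
	Allow: []netip.Prefix{netip.MustParsePrefix("10.20.0.0/24")},
}

func matches(ps []netip.Prefix, a netip.Addr) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// PermitPeer reports whether a relay permission for peer should be granted.
func (p PeerPolicy) PermitPeer(peer string) bool {
	a, err := netip.ParseAddr(peer)
	if err != nil {
		return false // fail closed on anything unparseable
	}
	a = a.Unmap() // so ::ffff:10.0.0.5 is matched against IPv4 prefixes as 10.0.0.5
	if matches(p.Allow, a) {
		return true
	}
	if matches(p.Deny, a) || a.IsUnspecified() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsMulticast() {
		return false
	}
	return p.AllowPrivate || !a.IsPrivate()
}

func main() {
	for _, peer := range []string{"203.0.113.10", "10.0.0.5", "::ffff:10.0.0.5", "169.254.169.254", "10.20.0.7"} {
		fmt.Printf("%-18s permit=%v\n", peer, sample.PermitPeer(peer))
	}
}
```

The `Unmap` call matters because `netip.Prefix.Contains` never matches an IPv4-mapped IPv6 address against an IPv4 prefix, so without it a mapped address would bypass the deny list.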
Denys Smirnov 8ffcef93b2 Update protocol to support SIP media config. (#4509) 2026-05-06 18:18:21 +02:00
Raja Subramanian c4fd71a5dd Fix sense check in DeltaInfo gathering (#4507) 2026-05-06 13:34:26 +05:30
Paul Wells 803999efad rename agent environment to deployment (#4506)
* rename agent environment to deployment

* deps
2026-05-05 14:19:40 -07:00
Paul Wells bacc21e6c0 add helper to check for agent worker endpoint (#4503) 2026-05-05 13:38:53 -07:00
Paul Wells 253f977d32 add duration seconds reporting (#4500)
* add duration seconds reporting

* deps

* deps
2026-05-02 06:19:23 -07:00
Paul Wells ffab3bd308 add agent environment (#4498)
* add agent environment

* lint

* psrpc error

* deps
2026-05-01 19:30:06 -07:00
Théo Monnom af1dcc8843 Add CloseWithReason to agent SignalConn interface (#4492) 2026-04-28 22:14:06 -07:00
David Chen 743d9c8b3a add support for client capabilities (#4461)
* update protocol version

* only check for client capability to strip packet trailer
2026-04-27 17:58:36 -07:00
Fabian Stehle f3b80b2886 fix: wrap IPv6 addresses in brackets in UDP TURN URLs (RFC 3986) (#4476)
`iceServersForParticipant` builds UDP TURN URLs by interpolating the
node IP directly into a format string:

    fmt.Sprintf("turn:%s:%d?transport=udp", ip, port)

When `NodeIP.V6` is set, `ToStringSlice()` includes the bare IPv6
address, producing URLs like:

    turn:2a05:d014:ee4:1201:7039:38c:f652:a252:443?transport=udp

RFC 3986 §3.2.2 requires IPv6 addresses in URIs to be enclosed in
square brackets. Without them the port is ambiguous and WebRTC clients
(e.g. libdatachannel) reject the URL with "Invalid ICE server port".

Use `net.JoinHostPort` which handles bracketing for IPv6 and is a
no-op for IPv4, producing well-formed URLs:

    turn:[2a05:d014:ee4:1201:7039:38c:f652:a252]:443?transport=udp
    turn:1.2.3.4:443?transport=udp
2026-04-24 14:28:25 +05:30
Anunay Maheshwari 1d804737f9 fix: limit join request and WHIP request body to http.DefaultMaxHeaderBytes (#4450)
* fix: CS-1665

* cleanup

* cleanup and tests

* updates
2026-04-16 01:12:33 +05:30
cnderrauber ce1bf47b5c Revert "fix: ensure num_participants is accurate in webhook events (#4265) (#…" (#4448)
This reverts commit cdb0769c38.
2026-04-13 22:21:22 +08:00
Onyeka Obi cdb0769c38 fix: ensure num_participants is accurate in webhook events (#4265) (#4422)
* fix: ensure num_participants is accurate in webhook events (#4265)

  Three fixes for stale/incorrect num_participants in webhook payloads:

  1. Move participant map insertion before MarkDirty in join path so
     updateProto() counts the new participant.
  2. Use fresh room.ToProto() for participant_joined webhook instead of
     a stale snapshot captured at session start.
  3. Remove direct NumParticipants-- in leave path (inconsistent with
     updateProto's IsDependent check), force immediate proto update,
     and wait for completion before triggering onClose callbacks.

* fix: use ToProtoConsistent for webhook events instead of forcing immediate updates
2026-04-13 09:26:14 +08:00
Raja Subramanian c91e79af35 Switch to stdlib maps, slices (#4445)
* Switch to stdlib maps, slices

* slices
2026-04-13 00:11:48 +05:30
David Zhao 4b3856125c chore: pin GH commits and switch to golangci-lint (#4444)
* chore: pin GH commits

* switch to golangci-lint-action

* fix lint issues
2026-04-11 13:04:22 -07:00
Paul Wells 88c77dc666 compute agent dispatch affinity from target load (#4442)
* compute agent dispatch affinity from target load

* fix test config
2026-04-09 13:49:43 -07:00
Raja Subramanian 8fe9937770 Log join duration. (#4433)
* Log join duration.

Also revert the "unresolved" init. Defeated the purpose of log resolver
as it was resolving with those values even if not forced. Instead set it
to "unresolved" if not set when forced.

Join duration is not reset if resolver is reset as that happens on
moving a participant and there is no new join duration in that case.

* explode
2026-04-05 14:01:43 +05:30
Raja Subramanian 050909e627 Enable data tracks by default. (#4429) 2026-04-04 00:54:48 +05:30
David Zhao 72c7e65c25 chore: log API key during worker registration (#4428) 2026-04-03 09:48:42 -07:00