add option to skip TLS verification for outgoing matrix client connections (#18)

* add option to skip TLS verification for outgoing matrix client connections * linting * cleanup log line Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com> * simplify branch Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com> --------- Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com>
2026-03-29 08:39:55 +00:00 · 2024-04-27 21:30:16 +02:00
parent d644762834
commit 4a295044a4
2 changed files with 24 additions and 5 deletions
--- a/README.md
+++ b/README.md
@@ -10,4 +10,8 @@ To start the service locally:
 $ LIVEKIT_URL="ws://somewhere" LIVEKIT_KEY=devkey LIVEKIT_SECRET=secret go run *.go
 ```

-The listening port is configurable via the `LK_JWT_PORT` environment variable.
+The listening port is configurable via the `LK_JWT_PORT` environment variable and defaults to 8080.
+
+## Disable TLS verification
+
+For testing and debugging (e.g., in the absence of trusted certificates while testing in a lab) you can disable TLS verification for outgoing matrix client connection by setting the environment variable `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` to `YES_I_KNOW_WHAT_I_AM_DOING`.
--- a/main.go
+++ b/main.go
@@ -35,6 +35,7 @@ import (

 type Handler struct {
 	key, secret, lk_url string
+	skipVerifyTLS bool
 }

 type OpenIDTokenType struct {
@@ -55,13 +56,17 @@ type SFUResponse struct {
 }

 func exchangeOIDCToken(
-	ctx context.Context, token OpenIDTokenType,
+	ctx context.Context, token OpenIDTokenType, skipVerifyTLS bool,
 ) (*fclient.UserInfo, error) {
 	if token.AccessToken == "" || token.MatrixServerName == "" {
 		return nil, errors.New("Missing parameters in OIDC token")
 	}

-	client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true))
+	if skipVerifyTLS {
+		log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
+	}
+	client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS))
+
 	// validate the openid token by getting the user's ID
 	userinfo, err := client.LookupUserInfo(
 		ctx, spec.ServerName(token.MatrixServerName), token.AccessToken,
@@ -125,7 +130,7 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) {
 			return
 		}

-		userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken)
+		userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken, h.skipVerifyTLS)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			err = json.NewEncoder(w).Encode(gomatrix.RespError{
@@ -166,6 +171,15 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) {
 }

 func main() {
+	skipVerifyTLS := os.Getenv("LIVEKIT_INSECURE_SKIP_VERIFY_TLS") == "YES_I_KNOW_WHAT_I_AM_DOING"
+	if skipVerifyTLS {
+		log.Printf("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+		log.Printf("!!! WARNING !!!  LIVEKIT_INSECURE_SKIP_VERIFY_TLS        !!! WARNING !!!")
+		log.Printf("!!! WARNING !!!  Allow to skip invalid TLS certificates  !!! WARNING !!!")
+		log.Printf("!!! WARNING !!!  Use only for testing or debugging       !!! WARNING !!!")
+		log.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+	}
+
 	key := os.Getenv("LIVEKIT_KEY")
 	secret := os.Getenv("LIVEKIT_SECRET")
 	lk_url := os.Getenv("LIVEKIT_URL")
@@ -180,12 +194,13 @@ func main() {
 		lk_jwt_port = "8080"
 	}

-	log.Printf("LIVEKIT_KEY: %s and LIVEKIT_SECRET %s, LIVEKIT_URL %s", key, secret, lk_url)
+	log.Printf("LIVEKIT_KEY: %s, LIVEKIT_SECRET: %s, LIVEKIT_URL: %s, LK_JWT_PORT: %s", key, secret, lk_url, lk_jwt_port)

 	handler := &Handler{
 		key:    key,
 		secret: secret,
 		lk_url: lk_url,
+		skipVerifyTLS: skipVerifyTLS,
 	}

 	http.HandleFunc("/sfu/get", handler.handle)