Use base64 encoded hashes for room alias and participant ID (minimize identifying metadata sent to SFU) (#144)

* Encode room alias as unpadded base64 As recommended by the latest version of MSC4195. * Set participant ID to SHA-256 of user ID, device ID, and member ID To match the latest version of MSC4195.
2026-03-29 08:39:55 +00:00 · 2026-01-09 17:24:31 +01:00
parent 19019a3239
commit 7576f52bdc
2 changed files with 16 additions and 5 deletions
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"crypto/tls"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -85,6 +86,8 @@ type ValidatableSFURequest interface {
    Validate() error
 }

+var unpaddedBase64 = base64.StdEncoding.WithPadding(base64.NoPadding)
+
 func (e *MatrixErrorResponse) Error() string { 
    return e.Err
 }
@@ -276,8 +279,13 @@ func (h *Handler) processSFURequest(r *http.Request, req *SFURequest) (*SFURespo
        map[bool]string{true: "full access", false: "restricted access"}[isFullAccessUser],
    )

-    lkIdentity := req.Member.ID
-	lkRoomAlias := fmt.Sprintf("%x", sha256.Sum256([]byte(req.RoomID + "|" + req.SlotID)))
+	lkIdentityRaw := userInfo.Sub + "|" + req.Member.ClaimedDeviceID + "|" + req.Member.ID
+	lkIdentityHash := sha256.Sum256([]byte(lkIdentityRaw))
+	lkIdentity := unpaddedBase64.EncodeToString(lkIdentityHash[:])
+
+    lkRoomAliasHash := sha256.Sum256([]byte(req.RoomID + "|" + req.SlotID))
+	lkRoomAlias := unpaddedBase64.EncodeToString(lkRoomAliasHash[:])
+
    token, err := getJoinToken(h.key, h.secret, lkRoomAlias, lkIdentity)
    if err != nil {
 		log.Printf("Error getting LiveKit token: %v", err)