broken currently don't use OBS WON'T CHOOCH

John Rogers · John Rogers · commit 32f249f0733c · 2025-03-07T12:02:56.000Z
diff --git a/backend/.env.template b/backend/.env.template
@@ -3,6 +3,7 @@ PORT=5001
 DATABASE_URL=postgresql://colourstream:your_secure_password_here@colourstream-postgres:5432/colourstream
 OME_API_URL=http://origin:8081
 OME_API_ACCESS_TOKEN=your_ovenmedia_api_token_here
+OME_WEBHOOK_SECRET=your_ovenmedia_webhook_secret_here
 OBS_WS_HOST=localhost
 OBS_WS_PORT=4455
 JWT_SECRET=your_jwt_secret_here
diff --git a/backend/src/index.ts b/backend/src/index.ts
@@ -10,6 +10,7 @@ import obsRoutes from './routes/obs';
 import omenRoutes from './routes/omen';
 import securityRoutes from './routes/security';
 import healthRoutes from './routes/health';
+import omeWebhookRoutes from './routes/omeWebhook';
 import { logger } from './utils/logger';
 import { initializePassword } from './utils/initPassword';
 import mirotalkRoutes from './routes/mirotalk';
@@ -71,6 +72,7 @@ app.use(`${basePath}/obs`, obsRoutes);
 app.use(`${basePath}/omen`, omenRoutes);
 app.use(`${basePath}/security`, securityRoutes);
 app.use('/api/mirotalk', mirotalkRoutes);
+app.use(`${basePath}/ome-webhook`, omeWebhookRoutes);
 
 // Error handling
 app.use(errorHandler);
diff --git a/backend/src/routes/omeWebhook.ts b/backend/src/routes/omeWebhook.ts
@@ -0,0 +1,98 @@
+import { Request, Response } from 'express';
+import express from 'express';
+import prisma from '../lib/prisma';
+import { logger } from '../utils/logger';
+// import crypto from 'crypto';
+
+const router = express.Router();
+
+/**
+ * Generate a signature for stream authentication
+ * Kept for future use but currently not used
+ */
+/*
+function generateSignature(streamKey: string): string {
+  const secret = process.env.OME_SIGNATURE_SECRET || 'colourstream-signature-key';
+  return crypto.createHmac('sha1', secret).update(streamKey).digest('hex');
+}
+*/
+
+/**
+ * OvenMediaEngine Webhook for validating stream keys
+ * For details see: https://airensoft.gitbook.io/ovenmediaengine/access-control/admission-webhooks
+ */
+router.post('/admission', async (req: Request, res: Response) => {
+  try {
+    const body = req.body;
+    logger.info('AdmissionWebhook received request', { body });
+
+    // Protocol and URL analysis
+    if (
+      body.request &&
+      body.request.url &&
+      body.request.direction === 'incoming' &&
+      body.request.status === 'opening'
+    ) {
+      const request = body.request;
+      const url = new URL(request.url);
+      const pathParts = url.pathname.split('/');
+      const streamKey = pathParts[pathParts.length - 1];
+      
+      logger.info('Processing stream key', { streamKey });
+      
+      // Development mode bypass - allow any stream key
+      if (process.env.NODE_ENV !== 'production') {
+        logger.warn('DEVELOPMENT MODE: Allowing any stream key for testing', { streamKey });
+        
+        return res.json({
+          allowed: true,
+          new_url: request.url,
+          lifetime: 3600,
+          reason: 'Development mode - all streams allowed'
+        });
+      }
+
+      // Find an active room with this stream key
+      const room = await prisma.room.findFirst({
+        where: {
+          streamKey: streamKey,
+          expiryDate: {
+            gt: new Date()
+          }
+        }
+      });
+
+      if (!room) {
+        logger.warn('Stream key not found in database', { streamKey });
+        return res.json({
+          allowed: false,
+          reason: 'Invalid stream key'
+        });
+      }
+
+      logger.info('Valid stream key for room', { roomId: room.id, streamKey });
+      
+      return res.json({
+        allowed: true,
+        new_url: request.url
+      });
+    } else if (body.request && body.request.status === 'closing') {
+      // Stream is closing - just acknowledge
+      return res.json({ allowed: true });
+    } else {
+      logger.warn('Invalid webhook request format', { body });
+      return res.status(400).json({
+        allowed: false,
+        reason: 'Invalid request format'
+      });
+    }
+  } catch (error) {
+    logger.error('Error in admission webhook', { error });
+    return res.status(500).json({
+      allowed: false,
+      reason: 'Internal server error'
+    });
+  }
+});
+
+export default router; 
diff --git a/global.env.template b/global.env.template
@@ -24,6 +24,7 @@ BASE_PATH=/api
 OME_LIVE_DOMAIN=live.colourstream.example.com
 OME_VIDEO_DOMAIN=video.colourstream.example.com
 OME_API_ACCESS_TOKEN=your_ome_api_token_here
+OME_WEBHOOK_SECRET=your_ome_webhook_secret_here
 
 # MiroTalk Configuration
 HOST_PROTECTED=true
diff --git a/ovenmediaengine/origin_conf/Server.xml b/ovenmediaengine/origin_conf/Server.xml
@@ -119,6 +119,16 @@
 				</TLS>
 			</Host>
 
+			<AdmissionWebhooks>
+				<ControlServerUrl>http://backend:5001/api/ome-webhook/admission</ControlServerUrl>
+				<SecretKey>${env:OME_WEBHOOK_SECRET:}</SecretKey>
+				<Timeout>3000</Timeout>
+				<Enables>
+					<Providers>rtmp,webrtc,srt</Providers>
+					<Publishers>webrtc,llhls,thumbnail</Publishers>
+				</Enables>
+			</AdmissionWebhooks>
+
 			<CrossDomains>
 				<Url>*</Url>
 			</CrossDomains>
