@zero-server/sdk 0.9.8 → 0.9.10

package/README.md

@@ -12,7 +12,7 @@
 
 <p align="center">
   <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/github/actions/workflow/status/tonywied17/zero-server/ci.yml?branch=main&style=flat-square&logo=githubactions&logoColor=white&label=CI" alt="CI"></a>
-  <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/badge/tests-7777%20passing-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="tests"></a>
+  <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/badge/tests-7781%20passing-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="tests"></a>
   <a href="https://github.com/tonywied17/zero-server"><img src="https://img.shields.io/badge/coverage-95.85%25-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="coverage"></a>
   <a href="https://z-server.dev"><img src="https://img.shields.io/badge/docs-z--server.dev-00d8e0?style=flat-square&logo=readthedocs&logoColor=white" alt="docs"></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-00d8e0?style=flat-square&logo=opensourceinitiative&logoColor=white" alt="MIT"></a>

package/lib/webrtc/signaling.js

@@ -5,6 +5,12 @@
  *   offer / answer / ICE traffic. Transport-agnostic — bind to `app.ws()`
  *   in production, an `EventEmitter` shim in tests.
  *
+ *   SDP validation is cross-browser by design: session-level
+ *   `a=fingerprint` / `a=ice-ufrag` / `a=ice-pwd` lines are accepted as a
+ *   fallback for media sections that omit their own copy (RFC 8839 §5.4,
+ *   RFC 8122 §5). This is required for Firefox interop — Firefox emits
+ *   `a=fingerprint` only at session level.
+ *
  * @example | Bind a hub to an `app.ws()` route with all production knobs
  *   const app = createApp();
  *   const hub = new SignalingHub({
@@ -83,6 +89,16 @@ function _countCandidatesInSdp(sdp)
  * Validate that an SDP has the required RFC 8829 attributes on every media
  * section and uses DTLS-SRTP transport.  Returns an error code string, or
  * `null` if the SDP is acceptable.
+ *
+ * Accepts both RTP/SAVPF audio/video sections (RFC 8829) and SCTP data-channel
+ * sections (RFC 8841 m=application ... UDP/DTLS/SCTP). When BUNDLE is in use
+ * (every browser since ~2018), only the first m-section is required to carry
+ * iceUfrag/icePwd; other bundled sections inherit them via a=group:BUNDLE.
+ *
+ * Session-level `a=fingerprint`, `a=ice-ufrag`, and `a=ice-pwd` lines are
+ * honoured: per RFC 8839 §5.4 and RFC 8122 §5 they apply to every media
+ * section that omits its own copy.  Firefox emits `a=fingerprint` only at
+ * session level, so this fallback is required for cross-browser interop.
  */
 function _validateSdpStructure(sdp)
 {
@@ -94,12 +110,49 @@ function _validateSdpStructure(sdp)
         return 'INVALID_SDP';
     }
     if (!desc.media || desc.media.length === 0) return 'INVALID_SDP';
+
+    // BUNDLE: collect bundled mids so per-section ice credentials are optional
+    // on every section except the first (the BUNDLE owner).
+    // Also collect session-level fingerprint / ice-ufrag / ice-pwd, which per
+    // RFC 8839 §5.4 and RFC 8122 §5 apply to every media section that omits
+    // its own copy (Firefox emits fingerprint only at session level).
+    const bundleMids = new Set();
+    let sessFingerprint = null, sessIceUfrag = null, sessIcePwd = null;
+    for (const a of desc.attributes || [])
+    {
+        if (a.key === 'group')
+        {
+            const parts = String(a.value || '').split(/\s+/);
+            if (parts[0] === 'BUNDLE')
+                for (let i = 1; i < parts.length; i++) bundleMids.add(parts[i]);
+        }
+        else if (a.key === 'fingerprint' && a.value) sessFingerprint = a.value;
+        else if (a.key === 'ice-ufrag'   && a.value) sessIceUfrag   = a.value;
+        else if (a.key === 'ice-pwd'     && a.value) sessIcePwd     = a.value;
+    }
+
+    let firstBundleMid = null;
     for (const m of desc.media)
     {
-        if (typeof m.proto !== 'string' || !/^UDP\/TLS\/RTP\/SAVPF?$/i.test(m.proto))
-            return 'INVALID_SDP';
-        if (!m.iceUfrag || !m.icePwd) return 'INVALID_SDP';
-        if (!m.fingerprint) return 'INVALID_SDP';
+        if (typeof m.proto !== 'string') return 'INVALID_SDP';
+
+        // RTP audio/video (RFC 8829) OR SCTP data channels (RFC 8841).
+        const isRtp  = /^UDP\/TLS\/RTP\/SAVPF?$/i.test(m.proto);
+        const isSctp = /^(UDP|TCP)\/DTLS\/SCTP$/i.test(m.proto);
+        if (!isRtp && !isSctp) return 'INVALID_SDP';
+
+        const fp    = m.fingerprint || sessFingerprint;
+        const ufrag = m.iceUfrag    || sessIceUfrag;
+        const pwd   = m.icePwd      || sessIcePwd;
+
+        if (!fp) return 'INVALID_SDP';
+
+        // ice-ufrag / ice-pwd: required on the BUNDLE owner; optional on
+        // every other bundled section (inherited per RFC 8843 §9.2).
+        const bundled = m.mid && bundleMids.has(m.mid);
+        if (bundled && firstBundleMid === null) firstBundleMid = m.mid;
+        const isBundleOwner = !bundled || m.mid === firstBundleMid;
+        if (isBundleOwner && (!ufrag || !pwd)) return 'INVALID_SDP';
     }
     return null;
 }
@@ -110,6 +163,10 @@ function _validateSdpStructure(sdp)
  * Central WebRTC signaling broker.  Owns rooms, attaches peers, validates
  * JSEP traffic, and emits `join` / `leave` / `error` lifecycle events.
  *
+ * Interop: SDP validation accepts session-level `a=fingerprint`,
+ * `a=ice-ufrag`, and `a=ice-pwd` as a fallback when a media section omits
+ * them (RFC 8839 §5.4 / RFC 8122 §5). Required for Firefox.
+ *
  * @class
  * @section Signaling
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zero-server/sdk",
-  "version": "0.9.8",
+  "version": "0.9.10",
   "description": "Zero-dependency backend framework for Node.js - routing, ORM, auth, WebSocket, SSE, gRPC, observability, and 20+ middleware. Distributed as a single SDK and as scoped @zero-server/* packages.",
   "main": "index.js",
   "bin": {