@zero-server/sdk 0.9.9 → 0.9.10

package/README.md

@@ -12,7 +12,7 @@
 
 <p align="center">
   <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/github/actions/workflow/status/tonywied17/zero-server/ci.yml?branch=main&style=flat-square&logo=githubactions&logoColor=white&label=CI" alt="CI"></a>
-  <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/badge/tests-7780%20passing-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="tests"></a>
+  <a href="https://github.com/tonywied17/zero-server/actions"><img src="https://img.shields.io/badge/tests-7781%20passing-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="tests"></a>
   <a href="https://github.com/tonywied17/zero-server"><img src="https://img.shields.io/badge/coverage-95.85%25-brightgreen?style=flat-square&logo=vitest&logoColor=white" alt="coverage"></a>
   <a href="https://z-server.dev"><img src="https://img.shields.io/badge/docs-z--server.dev-00d8e0?style=flat-square&logo=readthedocs&logoColor=white" alt="docs"></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-00d8e0?style=flat-square&logo=opensourceinitiative&logoColor=white" alt="MIT"></a>

package/lib/webrtc/signaling.js

@@ -5,6 +5,12 @@
  *   offer / answer / ICE traffic. Transport-agnostic — bind to `app.ws()`
  *   in production, an `EventEmitter` shim in tests.
  *
+ *   SDP validation is cross-browser by design: session-level
+ *   `a=fingerprint` / `a=ice-ufrag` / `a=ice-pwd` lines are accepted as a
+ *   fallback for media sections that omit their own copy (RFC 8839 §5.4,
+ *   RFC 8122 §5). This is required for Firefox interop — Firefox emits
+ *   `a=fingerprint` only at session level.
+ *
  * @example | Bind a hub to an `app.ws()` route with all production knobs
  *   const app = createApp();
  *   const hub = new SignalingHub({
@@ -88,6 +94,11 @@ function _countCandidatesInSdp(sdp)
  * sections (RFC 8841 m=application ... UDP/DTLS/SCTP). When BUNDLE is in use
  * (every browser since ~2018), only the first m-section is required to carry
  * iceUfrag/icePwd; other bundled sections inherit them via a=group:BUNDLE.
+ *
+ * Session-level `a=fingerprint`, `a=ice-ufrag`, and `a=ice-pwd` lines are
+ * honoured: per RFC 8839 §5.4 and RFC 8122 §5 they apply to every media
+ * section that omits its own copy.  Firefox emits `a=fingerprint` only at
+ * session level, so this fallback is required for cross-browser interop.
  */
 function _validateSdpStructure(sdp)
 {
@@ -102,13 +113,22 @@ function _validateSdpStructure(sdp)
 
     // BUNDLE: collect bundled mids so per-section ice credentials are optional
     // on every section except the first (the BUNDLE owner).
+    // Also collect session-level fingerprint / ice-ufrag / ice-pwd, which per
+    // RFC 8839 §5.4 and RFC 8122 §5 apply to every media section that omits
+    // its own copy (Firefox emits fingerprint only at session level).
     const bundleMids = new Set();
+    let sessFingerprint = null, sessIceUfrag = null, sessIcePwd = null;
     for (const a of desc.attributes || [])
     {
-        if (a.key !== 'group') continue;
-        const parts = String(a.value || '').split(/\s+/);
-        if (parts[0] !== 'BUNDLE') continue;
-        for (let i = 1; i < parts.length; i++) bundleMids.add(parts[i]);
+        if (a.key === 'group')
+        {
+            const parts = String(a.value || '').split(/\s+/);
+            if (parts[0] === 'BUNDLE')
+                for (let i = 1; i < parts.length; i++) bundleMids.add(parts[i]);
+        }
+        else if (a.key === 'fingerprint' && a.value) sessFingerprint = a.value;
+        else if (a.key === 'ice-ufrag'   && a.value) sessIceUfrag   = a.value;
+        else if (a.key === 'ice-pwd'     && a.value) sessIcePwd     = a.value;
     }
 
     let firstBundleMid = null;
@@ -121,14 +141,18 @@ function _validateSdpStructure(sdp)
         const isSctp = /^(UDP|TCP)\/DTLS\/SCTP$/i.test(m.proto);
         if (!isRtp && !isSctp) return 'INVALID_SDP';
 
-        if (!m.fingerprint) return 'INVALID_SDP';
+        const fp    = m.fingerprint || sessFingerprint;
+        const ufrag = m.iceUfrag    || sessIceUfrag;
+        const pwd   = m.icePwd      || sessIcePwd;
+
+        if (!fp) return 'INVALID_SDP';
 
         // ice-ufrag / ice-pwd: required on the BUNDLE owner; optional on
         // every other bundled section (inherited per RFC 8843 §9.2).
         const bundled = m.mid && bundleMids.has(m.mid);
         if (bundled && firstBundleMid === null) firstBundleMid = m.mid;
         const isBundleOwner = !bundled || m.mid === firstBundleMid;
-        if (isBundleOwner && (!m.iceUfrag || !m.icePwd)) return 'INVALID_SDP';
+        if (isBundleOwner && (!ufrag || !pwd)) return 'INVALID_SDP';
     }
     return null;
 }
@@ -139,6 +163,10 @@ function _validateSdpStructure(sdp)
  * Central WebRTC signaling broker.  Owns rooms, attaches peers, validates
  * JSEP traffic, and emits `join` / `leave` / `error` lifecycle events.
  *
+ * Interop: SDP validation accepts session-level `a=fingerprint`,
+ * `a=ice-ufrag`, and `a=ice-pwd` as a fallback when a media section omits
+ * them (RFC 8839 §5.4 / RFC 8122 §5). Required for Firefox.
+ *
  * @class
  * @section Signaling
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zero-server/sdk",
-  "version": "0.9.9",
+  "version": "0.9.10",
   "description": "Zero-dependency backend framework for Node.js - routing, ORM, auth, WebSocket, SSE, gRPC, observability, and 20+ middleware. Distributed as a single SDK and as scoped @zero-server/* packages.",
   "main": "index.js",
   "bin": {