livekit-client 2.15.7 → 2.15.9

package/src/e2ee/worker/DataCryptor.ts

@@ -0,0 +1,147 @@
+import { workerLogger } from '../../logger';
+import { ENCRYPTION_ALGORITHM } from '../constants';
+import { CryptorError, CryptorErrorReason } from '../errors';
+import type { DecodeRatchetOptions, KeySet, RatchetResult } from '../types';
+import { deriveKeys } from '../utils';
+import type { ParticipantKeyHandler } from './ParticipantKeyHandler';
+
+export class DataCryptor {
+  private static sendCount = 0;
+
+  private static makeIV(timestamp: number) {
+    const iv = new ArrayBuffer(12);
+    const ivView = new DataView(iv);
+    const randomBytes = crypto.getRandomValues(new Uint32Array(1));
+    ivView.setUint32(0, randomBytes[0]);
+    ivView.setUint32(4, timestamp);
+    ivView.setUint32(8, timestamp - (DataCryptor.sendCount % 0xffff));
+    DataCryptor.sendCount++;
+
+    return iv;
+  }
+
+  static async encrypt(
+    data: Uint8Array,
+    keys: ParticipantKeyHandler,
+  ): Promise<{
+    payload: Uint8Array;
+    iv: Uint8Array;
+    keyIndex: number;
+  }> {
+    const iv = DataCryptor.makeIV(performance.now());
+    const keySet = await keys.getKeySet();
+    if (!keySet) {
+      throw new Error('No key set found');
+    }
+
+    const cipherText = await crypto.subtle.encrypt(
+      {
+        name: ENCRYPTION_ALGORITHM,
+        iv,
+      },
+      keySet.encryptionKey,
+      new Uint8Array(data),
+    );
+
+    return {
+      payload: new Uint8Array(cipherText),
+      iv: new Uint8Array(iv),
+      keyIndex: keys.getCurrentKeyIndex(),
+    };
+  }
+
+  static async decrypt(
+    data: Uint8Array,
+    iv: Uint8Array,
+    keys: ParticipantKeyHandler,
+    keyIndex: number = 0,
+    initialMaterial?: KeySet,
+    ratchetOpts: DecodeRatchetOptions = { ratchetCount: 0 },
+  ): Promise<{
+    payload: Uint8Array;
+  }> {
+    const keySet = await keys.getKeySet(keyIndex);
+    if (!keySet) {
+      throw new Error('No key set found');
+    }
+
+    try {
+      const plainText = await crypto.subtle.decrypt(
+        {
+          name: ENCRYPTION_ALGORITHM,
+          iv,
+        },
+        keySet.encryptionKey,
+        new Uint8Array(data),
+      );
+      return {
+        payload: new Uint8Array(plainText),
+      };
+    } catch (error: any) {
+      if (keys.keyProviderOptions.ratchetWindowSize > 0) {
+        if (ratchetOpts.ratchetCount < keys.keyProviderOptions.ratchetWindowSize) {
+          workerLogger.debug(
+            `DataCryptor: ratcheting key attempt ${ratchetOpts.ratchetCount} of ${
+              keys.keyProviderOptions.ratchetWindowSize
+            }, for data packet`,
+          );
+
+          let ratchetedKeySet: KeySet | undefined;
+          let ratchetResult: RatchetResult | undefined;
+          if ((initialMaterial ?? keySet) === keys.getKeySet(keyIndex)) {
+            // only ratchet if the currently set key is still the same as the one used to decrypt this frame
+            // if not, it might be that a different frame has already ratcheted and we try with that one first
+            ratchetResult = await keys.ratchetKey(keyIndex, false);
+
+            ratchetedKeySet = await deriveKeys(
+              ratchetResult.cryptoKey,
+              keys.keyProviderOptions.ratchetSalt,
+            );
+          }
+
+          const decryptedData = await DataCryptor.decrypt(
+            data,
+            iv,
+            keys,
+            keyIndex,
+            initialMaterial,
+            {
+              ratchetCount: ratchetOpts.ratchetCount + 1,
+              encryptionKey: ratchetedKeySet?.encryptionKey,
+            },
+          );
+
+          if (decryptedData && ratchetedKeySet) {
+            // before updating the keys, make sure that the keySet used for this frame is still the same as the currently set key
+            // if it's not, a new key might have been set already, which we don't want to override
+            if ((initialMaterial ?? keySet) === keys.getKeySet(keyIndex)) {
+              keys.setKeySet(ratchetedKeySet, keyIndex, ratchetResult);
+              // decryption was successful, set the new key index to reflect the ratcheted key set
+              keys.setCurrentKeyIndex(keyIndex);
+            }
+          }
+          return decryptedData;
+        } else {
+          /**
+           * Because we only set a new key once decryption has been successful,
+           * we can be sure that we don't need to reset the key to the initial material at this point
+           * as the key has not been updated on the keyHandler instance
+           */
+
+          workerLogger.warn('DataCryptor: maximum ratchet attempts exceeded');
+          throw new CryptorError(
+            `DataCryptor: valid key missing for participant ${keys.participantIdentity}`,
+            CryptorErrorReason.InvalidKey,
+            keys.participantIdentity,
+          );
+        }
+      } else {
+        throw new CryptorError(
+          `DataCryptor: Decryption failed: ${error.message}`,
+          CryptorErrorReason.InvalidKey,
+          keys.participantIdentity,
+        );
+      }
+    }
+  }
+}

package/src/e2ee/worker/ParticipantKeyHandler.ts

@@ -23,11 +23,12 @@ export class ParticipantKeyHandler extends (EventEmitter as new () => TypedEvent
 
   private decryptionFailureCounts: Array<number>;
 
-  private keyProviderOptions: KeyProviderOptions;
-
   private ratchetPromiseMap: Map<number, Promise<RatchetResult>>;
 
-  private participantIdentity: string;
+  readonly participantIdentity: string;
+
+  /** @internal */
+  readonly keyProviderOptions: KeyProviderOptions;
 
   /**
    * true if the current key has not been marked as invalid

package/src/e2ee/worker/e2ee.worker.ts

@@ -5,7 +5,9 @@ import { KEY_PROVIDER_DEFAULTS } from '../constants';
 import { CryptorErrorReason } from '../errors';
 import { CryptorEvent, KeyHandlerEvent } from '../events';
 import type {
+  DecryptDataResponseMessage,
   E2EEWorkerMessage,
+  EncryptDataResponseMessage,
   ErrorMessage,
   InitAck,
   KeyProviderOptions,
@@ -14,6 +16,7 @@ import type {
   RatchetResult,
   ScriptTransformOptions,
 } from '../types';
+import { DataCryptor } from './DataCryptor';
 import { FrameCryptor, encryptionEnabledMap } from './FrameCryptor';
 import { ParticipantKeyHandler } from './ParticipantKeyHandler';
 
@@ -81,6 +84,50 @@ onmessage = (ev) => {
           data.codec,
         );
         break;
+
+      case 'encryptDataRequest':
+        const {
+          payload: encryptedPayload,
+          iv,
+          keyIndex,
+        } = await DataCryptor.encrypt(
+          data.payload,
+          getParticipantKeyHandler(data.participantIdentity),
+        );
+        console.log('encrypted payload', {
+          original: data.payload,
+          encrypted: encryptedPayload,
+          iv,
+        });
+        postMessage({
+          kind: 'encryptDataResponse',
+          data: {
+            payload: encryptedPayload,
+            iv,
+            keyIndex,
+            uuid: data.uuid,
+          },
+        } satisfies EncryptDataResponseMessage);
+        break;
+
+      case 'decryptDataRequest':
+        const { payload: decryptedPayload } = await DataCryptor.decrypt(
+          data.payload,
+          data.iv,
+          getParticipantKeyHandler(data.participantIdentity),
+          data.keyIndex,
+        );
+        console.log('decrypted payload', {
+          original: data.payload,
+          decrypted: decryptedPayload,
+          iv: data.iv,
+        });
+        postMessage({
+          kind: 'decryptDataResponse',
+          data: { payload: decryptedPayload, uuid: data.uuid },
+        } satisfies DecryptDataResponseMessage);
+        break;
+
       case 'setKey':
         if (useSharedKey) {
           await setSharedKey(data.key, data.keyIndex);

package/src/e2ee/worker/sifPayload.ts

@@ -2,25 +2,29 @@ import type { VideoCodec } from '../..';
 
 //  Payload definitions taken from https://github.com/livekit/livekit/blob/master/pkg/sfu/downtrack.go#L104
 
-export const VP8KeyFrame8x8 = new Uint8Array([
+export const VP8KeyFrame8x8: Uint8Array = new Uint8Array([
   0x10, 0x02, 0x00, 0x9d, 0x01, 0x2a, 0x08, 0x00, 0x08, 0x00, 0x00, 0x47, 0x08, 0x85, 0x85, 0x88,
   0x85, 0x84, 0x88, 0x02, 0x02, 0x00, 0x0c, 0x0d, 0x60, 0x00, 0xfe, 0xff, 0xab, 0x50, 0x80,
 ]);
 
-export const H264KeyFrame2x2SPS = new Uint8Array([
+export const H264KeyFrame2x2SPS: Uint8Array = new Uint8Array([
   0x67, 0x42, 0xc0, 0x1f, 0x0f, 0xd9, 0x1f, 0x88, 0x88, 0x84, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00,
   0x00, 0x03, 0x00, 0xc8, 0x3c, 0x60, 0xc9, 0x20,
 ]);
 
-export const H264KeyFrame2x2PPS = new Uint8Array([0x68, 0x87, 0xcb, 0x83, 0xcb, 0x20]);
+export const H264KeyFrame2x2PPS: Uint8Array = new Uint8Array([0x68, 0x87, 0xcb, 0x83, 0xcb, 0x20]);
 
-export const H264KeyFrame2x2IDR = new Uint8Array([
+export const H264KeyFrame2x2IDR: Uint8Array = new Uint8Array([
   0x65, 0x88, 0x84, 0x0a, 0xf2, 0x62, 0x80, 0x00, 0xa7, 0xbe,
 ]);
 
-export const H264KeyFrame2x2 = [H264KeyFrame2x2SPS, H264KeyFrame2x2PPS, H264KeyFrame2x2IDR];
+export const H264KeyFrame2x2: Uint8Array[] = [
+  H264KeyFrame2x2SPS,
+  H264KeyFrame2x2PPS,
+  H264KeyFrame2x2IDR,
+];
 
-export const OpusSilenceFrame = new Uint8Array([
+export const OpusSilenceFrame: Uint8Array = new Uint8Array([
   0xf8, 0xff, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

package/src/index.ts

@@ -1,5 +1,11 @@
 import { Mutex } from '@livekit/mutex';
-import { DataPacket_Kind, DisconnectReason, SubscriptionError, TrackType } from '@livekit/protocol';
+import {
+  DataPacket_Kind,
+  DisconnectReason,
+  Encryption_Type,
+  SubscriptionError,
+  TrackType,
+} from '@livekit/protocol';
 import { LogLevel, LoggerNames, getLogger, setLogExtension, setLogLevel } from './logger';
 import DefaultReconnectPolicy from './room/DefaultReconnectPolicy';
 import type { ReconnectContext, ReconnectPolicy } from './room/ReconnectPolicy';
@@ -33,15 +39,18 @@ import {
   createAudioAnalyser,
   getEmptyAudioStreamTrack,
   getEmptyVideoStreamTrack,
+  isAudioCodec,
   isAudioTrack,
   isBrowserSupported,
   isLocalParticipant,
   isLocalTrack,
   isRemoteParticipant,
   isRemoteTrack,
+  isVideoCodec,
   isVideoTrack,
   supportsAV1,
   supportsAdaptiveStream,
+  supportsAudioOutputSelection,
   supportsDynacast,
   supportsVP9,
 } from './room/utils';
@@ -58,6 +67,8 @@ export * from './room/errors';
 export * from './room/events';
 export * from './room/track/Track';
 export * from './room/track/create';
+export * from './room/token-source/TokenSource';
+export * from './room/token-source/types';
 export { facingModeFromDeviceLabel, facingModeFromLocalTrack } from './room/track/facingMode';
 export * from './room/track/options';
 export * from './room/track/processor/types';
@@ -79,6 +90,7 @@ export {
   ConnectionState,
   CriticalTimers,
   DataPacket_Kind,
+  Encryption_Type,
   DefaultReconnectPolicy,
   DisconnectReason,
   LocalAudioTrack,
@@ -110,12 +122,15 @@ export {
   setLogLevel,
   supportsAV1,
   supportsAdaptiveStream,
+  supportsAudioOutputSelection,
   supportsDynacast,
   supportsVP9,
   Mutex,
+  isAudioCodec,
   isAudioTrack,
   isLocalTrack,
   isRemoteTrack,
+  isVideoCodec,
   isVideoTrack,
   isLocalParticipant,
   isRemoteParticipant,

package/src/logger.ts

@@ -12,6 +12,7 @@ export enum LogLevel {
 export enum LoggerNames {
   Default = 'livekit',
   Room = 'livekit-room',
+  TokenSource = 'livekit-token-source',
   Participant = 'livekit-participant',
   Track = 'livekit-track',
   Publication = 'livekit-track-publication',

package/src/options.ts

@@ -87,18 +87,31 @@ export interface InternalRoomOptions {
 
   webAudioMix: boolean | WebAudioSettings;
 
+  // /**
+  //  * @deprecated Use `encryption` field instead.
+  //  */
+  e2ee?: E2EEOptions;
+
   /**
    * @experimental
+   * Options for enabling end-to-end encryption.
    */
-  e2ee?: E2EEOptions;
+  encryption?: E2EEOptions;
 
   loggerName?: string;
+
+  /**
+   * @experimental
+   * only supported on LiveKit Cloud
+   * and LiveKit OSS >= 1.9.2
+   */
+  singlePeerConnection: boolean;
 }
 
 /**
  * Options for when creating a new room
  */
-export interface RoomOptions extends Partial<InternalRoomOptions> {}
+export interface RoomOptions extends Partial<Omit<InternalRoomOptions, 'encryption'>> {}
 
 /**
  * @internal

package/src/room/PCTransport.ts

@@ -167,7 +167,7 @@ export default class PCTransport extends EventEmitter {
       sdpParsed.media.forEach((media) => {
         const mid = getMidString(media.mid!);
         if (media.type === 'audio') {
-          // mung sdp for opus bitrate settings
+          // munge sdp for opus bitrate settings
           this.trackBitrates.some((trackbr): boolean => {
             if (!trackbr.transceiver || mid != trackbr.transceiver.mid) {
               return false;
@@ -297,7 +297,7 @@ export default class PCTransport extends EventEmitter {
       sdpParsed.media.forEach((media) => {
         ensureIPAddrMatchVersion(media);
         if (media.type === 'audio') {
-          ensureAudioNackAndStereo(media, [], []);
+          ensureAudioNackAndStereo(media, ['all'], []);
         } else if (media.type === 'video') {
           this.trackBitrates.some((trackbr): boolean => {
             if (!media.msid || !trackbr.cid || !media.msid.includes(trackbr.cid)) {
@@ -380,6 +380,10 @@ export default class PCTransport extends EventEmitter {
     return this.pc.addTransceiver(mediaStreamTrack, transceiverInit);
   }
 
+  addTransceiverOfKind(kind: 'audio' | 'video', transceiverInit: RTCRtpTransceiverInit) {
+    return this.pc.addTransceiver(kind, transceiverInit);
+  }
+
   addTrack(track: MediaStreamTrack) {
     if (!this._pc) {
       throw new UnexpectedConnectionState('PC closed, cannot add track');
@@ -623,7 +627,7 @@ function ensureAudioNackAndStereo(
       });
     }
 
-    if (stereoMids.includes(mid)) {
+    if (stereoMids.includes(mid) || (stereoMids.length === 1 && stereoMids[0] === 'all')) {
       media.fmtp.some((fmtp): boolean => {
         if (fmtp.payload === opusPayload) {
           if (!fmtp.config.includes('stereo=1')) {

package/src/room/PCTransportManager.ts

@@ -17,10 +17,11 @@ export enum PCTransportState {
   CLOSED,
 }
 
+type PCMode = 'subscriber-primary' | 'publisher-primary' | 'publisher-only';
 export class PCTransportManager {
   public publisher: PCTransport;
 
-  public subscriber: PCTransport;
+  public subscriber?: PCTransport;
 
   public peerConnectionTimeout: number = roomConnectOptionDefaults.peerConnectionTimeout;
 
@@ -39,7 +40,7 @@ export class PCTransportManager {
   public onStateChange?: (
     state: PCTransportState,
     pubState: RTCPeerConnectionState,
-    subState: RTCPeerConnectionState,
+    subState?: RTCPeerConnectionState,
   ) => void;
 
   public onIceCandidate?: (ev: RTCIceCandidate, target: SignalTarget) => void;
@@ -64,38 +65,40 @@ export class PCTransportManager {
 
   private loggerOptions: LoggerOptions;
 
-  constructor(
-    rtcConfig: RTCConfiguration,
-    subscriberPrimary: boolean,
-    loggerOptions: LoggerOptions,
-  ) {
+  constructor(rtcConfig: RTCConfiguration, mode: PCMode, loggerOptions: LoggerOptions) {
     this.log = getLogger(loggerOptions.loggerName ?? LoggerNames.PCManager);
     this.loggerOptions = loggerOptions;
 
-    this.isPublisherConnectionRequired = !subscriberPrimary;
-    this.isSubscriberConnectionRequired = subscriberPrimary;
+    this.isPublisherConnectionRequired = mode !== 'subscriber-primary';
+    this.isSubscriberConnectionRequired = mode === 'subscriber-primary';
     this.publisher = new PCTransport(rtcConfig, loggerOptions);
-    this.subscriber = new PCTransport(rtcConfig, loggerOptions);
+    if (mode !== 'publisher-only') {
+      this.subscriber = new PCTransport(rtcConfig, loggerOptions);
+      this.subscriber.onConnectionStateChange = this.updateState;
+      this.subscriber.onIceConnectionStateChange = this.updateState;
+      this.subscriber.onSignalingStatechange = this.updateState;
+      this.subscriber.onIceCandidate = (candidate) => {
+        this.onIceCandidate?.(candidate, SignalTarget.SUBSCRIBER);
+      };
+      // in subscriber primary mode, server side opens sub data channels.
+      this.subscriber.onDataChannel = (ev) => {
+        this.onDataChannel?.(ev);
+      };
+      this.subscriber.onTrack = (ev) => {
+        this.onTrack?.(ev);
+      };
+    }
 
     this.publisher.onConnectionStateChange = this.updateState;
-    this.subscriber.onConnectionStateChange = this.updateState;
     this.publisher.onIceConnectionStateChange = this.updateState;
-    this.subscriber.onIceConnectionStateChange = this.updateState;
     this.publisher.onSignalingStatechange = this.updateState;
-    this.subscriber.onSignalingStatechange = this.updateState;
     this.publisher.onIceCandidate = (candidate) => {
       this.onIceCandidate?.(candidate, SignalTarget.PUBLISHER);
     };
-    this.subscriber.onIceCandidate = (candidate) => {
-      this.onIceCandidate?.(candidate, SignalTarget.SUBSCRIBER);
-    };
-    // in subscriber primary mode, server side opens sub data channels.
-    this.subscriber.onDataChannel = (ev) => {
-      this.onDataChannel?.(ev);
-    };
-    this.subscriber.onTrack = (ev) => {
+    this.publisher.onTrack = (ev) => {
       this.onTrack?.(ev);
     };
+
     this.publisher.onOffer = (offer, offerId) => {
       this.onPublisherOffer?.(offer, offerId);
     };
@@ -117,11 +120,6 @@ export class PCTransportManager {
     this.updateState();
   }
 
-  requireSubscriber(require = true) {
-    this.isSubscriberConnectionRequired = require;
-    this.updateState();
-  }
-
   createAndSendPublisherOffer(options?: RTCOfferOptions) {
     return this.publisher.createAndSendOffer(options);
   }
@@ -148,12 +146,14 @@ export class PCTransportManager {
         }
       }
     }
-    await Promise.all([this.publisher.close(), this.subscriber.close()]);
+    await Promise.all([this.publisher.close(), this.subscriber?.close()]);
     this.updateState();
   }
 
   async triggerIceRestart() {
-    this.subscriber.restartingIce = true;
+    if (this.subscriber) {
+      this.subscriber.restartingIce = true;
+    }
     // only restart publisher if it's needed
     if (this.needsPublisher) {
       await this.createAndSendPublisherOffer({ iceRestart: true });
@@ -164,7 +164,7 @@ export class PCTransportManager {
     if (target === SignalTarget.PUBLISHER) {
       await this.publisher.addIceCandidate(candidate);
     } else {
-      await this.subscriber.addIceCandidate(candidate);
+      await this.subscriber?.addIceCandidate(candidate);
     }
   }
 
@@ -173,17 +173,17 @@ export class PCTransportManager {
       ...this.logContext,
       RTCSdpType: sd.type,
       sdp: sd.sdp,
-      signalingState: this.subscriber.getSignallingState().toString(),
+      signalingState: this.subscriber?.getSignallingState().toString(),
     });
     const unlock = await this.remoteOfferLock.lock();
     try {
-      const success = await this.subscriber.setRemoteDescription(sd, offerId);
+      const success = await this.subscriber?.setRemoteDescription(sd, offerId);
       if (!success) {
         return undefined;
       }
 
       // answer the offer
-      const answer = await this.subscriber.createAndSetAnswer();
+      const answer = await this.subscriber?.createAndSetAnswer();
       return answer;
     } finally {
       unlock();
@@ -192,7 +192,7 @@ export class PCTransportManager {
 
   updateConfiguration(config: RTCConfiguration, iceRestart?: boolean) {
     this.publisher.setConfiguration(config);
-    this.subscriber.setConfiguration(config);
+    this.subscriber?.setConfiguration(config);
     if (iceRestart) {
       this.triggerIceRestart();
     }
@@ -252,6 +252,10 @@ export class PCTransportManager {
     return this.publisher.addTransceiver(track, transceiverInit);
   }
 
+  addPublisherTransceiverOfKind(kind: 'audio' | 'video', transceiverInit: RTCRtpTransceiverInit) {
+    return this.publisher.addTransceiverOfKind(kind, transceiverInit);
+  }
+
   addPublisherTrack(track: MediaStreamTrack) {
     return this.publisher.addTrack(track);
   }
@@ -277,7 +281,7 @@ export class PCTransportManager {
     if (this.isPublisherConnectionRequired) {
       transports.push(this.publisher);
     }
-    if (this.isSubscriberConnectionRequired) {
+    if (this.isSubscriberConnectionRequired && this.subscriber) {
       transports.push(this.subscriber);
     }
     return transports;
@@ -311,7 +315,7 @@ export class PCTransportManager {
       this.onStateChange?.(
         this.state,
         this.publisher.getConnectionState(),
-        this.subscriber.getConnectionState(),
+        this.subscriber?.getConnectionState(),
       );
     }
   };