Skip to content

Reuse the same ID for both auth-less and auth-ful INVITEs #488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Reuse the same ID for both auth-less and auth-ful INVITEs #488

wants to merge 11 commits into from

Conversation

@alexlivekit
Copy link
Contributor

@alexlivekit alexlivekit commented Oct 20, 2025

See this thread for more details. Main point:

When we authenticate for the purposes of a SIP session (when credentials are not being cached), the following happens:

  • client -> livekit : I want to start a call (INVITE)
  • client <- livekit : You need to authenticate (SIP-407 Unauthorized).
    • This may count as a failure.
    • The 407 response contains an auth challenge.
  • client -> livekit : I want to start a call (INVITE), this time with the credentials.
    • This call has the exact same callid as the first one.
    • It also contains the auth response.
  • client -> livekit : credentials look good, I'll forward your call request (SIP-100 Trying).

If we happen to count the 407 response as a failed call, and we generate unique SCL_* ids for both.

@alexlivekit alexlivekit requested a review from a team as a code owner October 20, 2025 21:30
alexlivekit
alexlivekit commented Oct 20, 2025
View reviewed changes
pkg/sip/inbound.go
inviteOKRetryAttemptsNoACK = 2
inviteOkAckLateTimeout = inviteOkRetryIntervalMax

inviteCredentialValidity = 60 * time.Minute // Allow reuse of credentials for 1h
Copy link
Contributor Author

@alexlivekit alexlivekit Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure this is smart, might want to extend this to max_call_duration or something.

Also, keep in mind that this is per Call-ID for now, so new calls would still need re-auth.

pkg/sip/inbound.go
tr := callTransportFromReq(req)
legTr := legTransportFromReq(req)
log := s.log.WithValues(
"callID", callID,
Copy link
Contributor Author

@alexlivekit alexlivekit Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one log line that will not have callID now is "Bad request", when validation fails.

@alexlivekit alexlivekit changed the title Reuse the same ID for both auth-less and auth-ful INVITEs TEL-222: Reuse the same ID for both auth-less and auth-ful INVITEs Oct 20, 2025
alexlivekit
alexlivekit commented Oct 20, 2025
View reviewed changes
pkg/sip/outbound.go
if err != nil {
return nil, fmt.Errorf("invalid challenge %q: %w", challengeStr, err)
}
toHeader := resp.To()
Copy link
Contributor Author

@alexlivekit alexlivekit Oct 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we're doing the right validation on the inbound side, the outbound side E2E test caught this error!
But this also means out clients might run into the same issue, in case some of them are not spec-compliant.

dennwc
dennwc reviewed Oct 21, 2025
View reviewed changes
pkg/sip/inbound.go Outdated
log: log,
s: s,
id: id,
id: "unassigned",
Copy link
Contributor

@dennwc dennwc Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be helpful if it logs/panics if something tries to read this unassigned ID.

Copy link
Contributor Author

@alexlivekit alexlivekit Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather not add shims or verification for this. Unless it's real clean, I'd rather leave it blank. Would that be better in your opinion?

@alexlivekit alexlivekit changed the title TEL-222: Reuse the same ID for both auth-less and auth-ful INVITEs Reuse the same ID for both auth-less and auth-ful INVITEs Oct 21, 2025
@alexlivekit alexlivekit marked this pull request as draft October 22, 2025 23:33
@alexlivekit alexlivekit marked this pull request as ready for review October 23, 2025 07:45
dennwc
dennwc reviewed Oct 23, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dennwc dennwc dennwc left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alexlivekit @dennwc