github element-hq/lk-jwt-service v0.3.0

one month ago

🔒 Restrict SFU Room Creation to Selected Homeservers

This update introduces an infrastructure control mechanism that differentiates between full-access and restricted Matrix users when accessing the LiveKit SFU.

✨ What's New

User Differentiation -- Users are now classified into two access levels:

  • Full-access users: Matrix users whose homeservers are part of the same or a related deployment as the MatrixRTC backend.
  • Restricted users: All other users, typically federated users from external homeservers.

Access Behavior

  • ✅ Full-access users trigger automatic LiveKit SFU room creation via the JWT service when needed.
  • 🚫 Restricted users can join existing LiveKit SFU rooms but cannot trigger automatic room creation.
  • 🔐 This ensures infrastructure resources are only created by users of known homeservers, preserving resource control.

Federation Compatibility

  • โš ๏ธ This change does not block video conferencing across Matrix federation.
  • Due to the SFU selection algorithm and event timing, federated calls may still occur, but without automatic SFU provisioning for restricted users.

🛠 Configuration

  • Set LIVEKIT_FULL_ACCESS_HOMESERVERS (comma-separated) to define which homeservers are considered trusted. It supports * as a wildcard to grant full access to all users, which is currently the default setting (e.g., LIVEKIT_FULL_ACCESS_HOMESERVERS=*).
  • The legacy LIVEKIT_LOCAL_HOMESERVERS variable is also still supported for compatibility during transition.
  • Additionally, you must disable LiveKit's automatic room creation in the SFU's config.yaml to enforce access control:
    room:
      auto_create: false
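
The access decision and the configuration dependency described above, as an added Go example (not the project's own code). The function names are hypothetical, only a literal * entry is treated as a wildcard, and the user ID is assumed to have been verified before the check.

```go
package main

import (
	"fmt"
	"strings"
)

// parseHomeservers splits a comma-separated allowlist, dropping empty entries.
func parseHomeservers(raw string) []string {
	var out []string
	for _, hs := range strings.Split(raw, ",") {
		if hs = strings.TrimSpace(hs); hs != "" {
			out = append(out, hs)
		}
	}
	return out
}

// mayCreateRoom reports whether a Matrix user ID (@localpart:server) belongs
// to a full-access homeserver. Malformed IDs fail closed. Assumption: the
// caller has already verified that userID is genuine.
func mayCreateRoom(userID string, allowed []string) bool {
	// Cut at the first colon so a port ("example.org:8448") stays in server.
	local, server, ok := strings.Cut(userID, ":")
	if !ok || server == "" || !strings.HasPrefix(local, "@") {
		return false
	}
	for _, hs := range allowed {
		if hs == "*" || strings.EqualFold(hs, server) {
			return true
		}
	}
	return false
}

// enforcementGap flags a restrictive allowlist combined with an SFU that
// still has room.auto_create enabled, which leaves the restriction unenforced.
func enforcementGap(allowed []string, sfuAutoCreate bool) bool {
	for _, hs := range allowed {
		if hs == "*" {
			return false // everyone is full-access; nothing to enforce
		}
	}
	return sfuAutoCreate
}

func main() {
	allowed := parseHomeservers("matrix.example.org, chat.example.org:8448") // constructed
	fmt.Println(mayCreateRoom("@alice:matrix.example.org", allowed), enforcementGap(allowed, true))
}
```

The homeserver names are constructed sample values; a restricted user here is denied room creation only, which matches the join-only behavior listed under Access Behavior.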

🧪 Client Compatibility

  • This feature requires robust SFU error handling in MatrixRTC clients.
  • For now, we recommend setting LIVEKIT_FULL_ACCESS_HOMESERVERS=* (the current default setting) until client implementations are fully compliant to avoid unexpected behavior.

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.3.0

What's Changed

  • Fkwp/add license header by @fkwp in #94
  • Update GitHub Actions by @renovate[bot] in #99
  • Update module golang.org/x/net to v0.38.0 [SECURITY] by @renovate[bot] in #97
  • Update dependency go to v1.24.2 by @renovate[bot] in #98
  • Update dependency go to v1.24.3 by @renovate[bot] in #101
  • Update actions/setup-go action to v5.5.0 by @renovate[bot] in #102
  • Update golangci/golangci-lint-action action to v8 by @renovate[bot] in #103
  • Update docker/build-push-action action to v6.18.0 by @renovate[bot] in #105
  • Update github.com/matrix-org/gomatrixserverlib digest to c70b213 by @renovate[bot] in #104
  • Update README.md by @escix in #87
  • Update module github.com/pion/interceptor to v0.1.39 [SECURITY] by @renovate[bot] in #106
  • Update dependency go to v1.24.4 by @renovate[bot] in #109
  • Update github.com/matrix-org/gomatrixserverlib digest to 904c8f0 by @renovate[bot] in #108
  • Restrict access to LiveKit SFU by differentiating full-access and restricted Matrix users for room creation by @fkwp in #67

Full Changelog: v0.2.3...v0.3.0
