Secure-by-default access control configuration
This release removes an insecure default that silently granted any federated Matrix user the right to trigger LiveKit room creation on the operator's SFU. LIVEKIT_FULL_ACCESS_HOMESERVERS no longer falls back to the * wildcard implicitly and is now a required setting: the service refuses to start without it.
Alongside this change, the long-deprecated LIVEKIT_LOCAL_HOMESERVERS environment variable has been removed.
Warning
Action required before upgrading.
- Existing deployments that relied on the implicit * wildcard default or on LIVEKIT_LOCAL_HOMESERVERS must now set LIVEKIT_FULL_ACCESS_HOMESERVERS explicitly.
- Setting it to * reproduces the old wildcard behavior, but listing the Matrix server name(s) of the homeserver(s) you intend to serve is strongly recommended. See the README for guidance.
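A pre-upgrade check for the two action items above, as an added example that is not part of the release notes or the project's own code. It assumes the settings live in a plain KEY=VALUE env file and that the value is a comma-separated list of server names; the function names and exit codes are this example's own.

```sh
#!/bin/sh
# Added example: pre-upgrade check for lk-jwt-service 0.5.0 settings.
# Assumptions: settings are in a plain KEY=VALUE env file; the value is a
# comma-separated list of Matrix server names, or * for the wildcard.
# Usage (after sourcing this file): check_lk_jwt_env /path/to/service.env

# Print the last value assigned to KEY ($1) in FILE ($2), whitespace removed.
# Commented-out lines (#KEY=...) do not match and are ignored.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# Exit status: 0 = explicit homeserver list, 1 = required setting missing,
# 2 = wildcard present (the old permissive behavior is still in effect).
check_lk_jwt_env() {
    file=$1

    if grep -q '^LIVEKIT_LOCAL_HOMESERVERS=' "$file"; then
        echo "NOTE: LIVEKIT_LOCAL_HOMESERVERS has been removed; delete it from $file" >&2
    fi

    full=$(env_value LIVEKIT_FULL_ACCESS_HOMESERVERS "$file")

    # An empty value is treated like a missing one (conservative choice here).
    if [ -z "$full" ]; then
        echo "FAIL: LIVEKIT_FULL_ACCESS_HOMESERVERS is not set; 0.5.0 refuses to start" >&2
        return 1
    fi

    # Look for * as a whole list entry, not as a substring of a name.
    case ",$full," in
        *",*,"*)
            echo "WARN: * lets any federated Matrix user trigger room creation on the SFU" >&2
            return 2
            ;;
    esac

    echo "OK: full access limited to: $full"
    return 0
}
```

A non-zero status from the check means the env file needs editing before the 0.5.0 image or binary is rolled out.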
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.5.0
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on Linux, attached to this release below.
What's Changed
- Log the errors that cause "Unable to create room on SFU" by @reversefold in #177
- Update module go.opentelemetry.io/otel to v1.41.0 [SECURITY] by @renovate[bot] in #178
- Update all non-major dependencies by @renovate[bot] in #179
- Update github.com/matrix-org/gomatrixserverlib digest to c9c4687 by @renovate[bot] in #182
- Update all non-major dependencies by @renovate[bot] in #183
- Require LIVEKIT_FULL_ACCESS_HOMESERVERS explicitly; drop wildcard default by @fkwp in #184
New Contributors
- @reversefold made their first contribution in #177
Full Changelog: v0.4.4...v0.5.0