python-tdd/src/apps/api/tests/integrated/test_turn_credentials.py

"""ITs for the WebRTC mesh TURN-credentials endpoint — Phase C of
[[my-sea-invite-voice-blueprint]]. Verifies the coturn `use-auth-secret`
REST scheme (HMAC-SHA1 username/credential) + auth gating.
"""

import base64
import hashlib
import hmac

from django.test import TestCase, override_settings
from django.urls import reverse

from apps.lyric.models import User


@override_settings(
    COTURN_SHARED_SECRET="testsecret",
    COTURN_TURN_HOST="turn.test",
    COTURN_TTL=86400,
)
class TURNCredentialsTest(TestCase):
    def setUp(self):
        self.user = User.objects.create(email="turn@test.io", username="turner")
        self.url = reverse("api_turn_credentials")

    def test_requires_authentication(self):
        resp = self.client.get(self.url)
        self.assertIn(resp.status_code, (401, 403))

    def test_returns_ice_servers_and_ttl(self):
        self.client.force_login(self.user)
        data = self.client.get(self.url).json()
        self.assertEqual(data["ttl"], 86400)
        urls = [s for srv in data["iceServers"] for s in srv["urls"]]
        self.assertTrue(any(u.startswith("stun:turn.test") for u in urls))
        self.assertTrue(any("turn:turn.test" in u and "transport=udp" in u for u in urls))
        self.assertTrue(any("turn:turn.test" in u and "transport=tcp" in u for u in urls))

    def test_username_is_expiry_colon_user_id(self):
        self.client.force_login(self.user)
        data = self.client.get(self.url).json()
        expiry_str, _, uid = data["username"].partition(":")
        self.assertTrue(expiry_str.isdigit())
        self.assertEqual(uid, str(self.user.id))

    def test_credential_is_hmac_sha1_of_username(self):
        self.client.force_login(self.user)
        data = self.client.get(self.url).json()
        expected = base64.b64encode(
            hmac.new(b"testsecret", data["username"].encode(), hashlib.sha1).digest()
        ).decode()
        self.assertEqual(data["credential"], expected)
        # The TURN iceServer entry carries the same credential.
        turn = [s for s in data["iceServers"] if "credential" in s][0]
        self.assertEqual(turn["credential"], expected)
my-sea voice Phase C: WebRTC mesh signaling app + TURN endpoint + voice-btn wiring + coturn infra — TDD Phase C (final) of the my-sea invite → spectator → voice blueprint. Self- hosted WebRTC mesh voice, built room-general but wired for my-sea only; epic 6-seat rooms reuse the same consumer later (key on Room.id). Media never touches the server — only signaling is relayed. Built from the blueprint's distilled spec (disco-voice-mesh.pdf unreadable in-env: no poppler/pypdf). - C1: new apps/voice/ — RoomVoiceConsumer (AsyncJsonWebsocketConsumer): signaling-only relay (room group voice.<room_id> + per-peer peer.<uuid>; hello→present handshake, offer/answer/ice routed by target/source, left on disconnect). room_id is a STRING kwarg (mysea-<owner_id> now). _can_join gates: mysea → owner OR present invitee (token deposited, not left); epic UUID → seated gamer (later). routing.py ws/voice/<str:room_id>/; asgi.py aggregates epic + voice urlpatterns under AuthMiddlewareStack. voice-mesh.js: VoiceRoom client (getUserMedia AEC/NS/AGC, mesh RTCPeerConnection, newcomer-offers handshake, tuneOpus SDP munge = inbandfec+dtx+40kbps cap, mute via getAudioTracks().enabled), lazy-loaded. - C2: apps/api VoiceTURNCredentialsAPI at /api/voice/turn-credentials/ — coturn use-auth-secret REST scheme: username=<expiry>:<user_id>, credential=base64(HMAC-SHA1(username, COTURN_SHARED_SECRET)) + stun/turn iceServers + ttl. Authenticated-only. 4 ITs (HMAC shape, auth gate). - C3: settings COTURN_SHARED_SECRET / COTURN_TURN_HOST / COTURN_REALM / COTURN_TTL env block. - C4: #id_voice_btn wiring — _burger.html renders .active + data-room-id when voice_active; burger-btn.js bindVoiceBtn (active click → lazy-load voice-mesh.js → join / toggle-mute; inactive → existing 2-pulse flash). my_sea (owner) + my_sea_visit (spectator) views compute voice_active (open 24h window) + voice_room_id=mysea-<owner_id>; spectator page now includes the burger. 4 voice-context ITs. - C5: infra/coturn.conf.j2 (use-auth-secret, the external-ip footgun, relay port range, TLS 5349, peer-IP lockdown) + infra/coturn-playbook.yaml (dedicated droplet, PySwiss-style split: install coturn, template conf, ufw 3478/5349/49152-65535, systemd enable) + [coturn] inventory placeholder. * Manual ops step: provision the droplet + fill inventory before voice works on staging/prod; CI/local need none of it. * - C6: 8 channels ITs (@tag channels) — connect/auth/_can_join gate (owner, present invitee, stranger, not-present, anon) + hello/present handshake + offer routing + left-on-disconnect. Scope-injected; TransactionTestCase. - JS: VoiceMeshSpec.js (tuneOpus) + voice-mesh.js registered in SpecRunner. 1440 IT/UT green; voice channels IT + full Jasmine + voice-btn FT green. Voice infra is code-complete — provision the coturn droplet to go live. Code architected by Disco DeDisco <discodedisco@outlook.com> Git commit message Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-27 13:57:09 -04:00			`"""ITs for the WebRTC mesh TURN-credentials endpoint — Phase C of`
			[[my-sea-invite-voice-blueprint]]. Verifies the coturn `use-auth-secret`
			`REST scheme (HMAC-SHA1 username/credential) + auth gating.`
			`"""`

			`import base64`
			`import hashlib`
			`import hmac`

			`from django.test import TestCase, override_settings`
			`from django.urls import reverse`

			`from apps.lyric.models import User`


			`@override_settings(`
			`COTURN_SHARED_SECRET="testsecret",`
			`COTURN_TURN_HOST="turn.test",`
			`COTURN_TTL=86400,`
			`)`
			`class TURNCredentialsTest(TestCase):`
			`def setUp(self):`
			`self.user = User.objects.create(email="turn@test.io", username="turner")`
			`self.url = reverse("api_turn_credentials")`

			`def test_requires_authentication(self):`
			`resp = self.client.get(self.url)`
			`self.assertIn(resp.status_code, (401, 403))`

			`def test_returns_ice_servers_and_ttl(self):`
			`self.client.force_login(self.user)`
			`data = self.client.get(self.url).json()`
			`self.assertEqual(data["ttl"], 86400)`
			`urls = [s for srv in data["iceServers"] for s in srv["urls"]]`
			`self.assertTrue(any(u.startswith("stun:turn.test") for u in urls))`
			`self.assertTrue(any("turn:turn.test" in u and "transport=udp" in u for u in urls))`
			`self.assertTrue(any("turn:turn.test" in u and "transport=tcp" in u for u in urls))`

			`def test_username_is_expiry_colon_user_id(self):`
			`self.client.force_login(self.user)`
			`data = self.client.get(self.url).json()`
			`expiry_str, _, uid = data["username"].partition(":")`
			`self.assertTrue(expiry_str.isdigit())`
			`self.assertEqual(uid, str(self.user.id))`

			`def test_credential_is_hmac_sha1_of_username(self):`
			`self.client.force_login(self.user)`
			`data = self.client.get(self.url).json()`
			`expected = base64.b64encode(`
			`hmac.new(b"testsecret", data["username"].encode(), hashlib.sha1).digest()`
			`).decode()`
			`self.assertEqual(data["credential"], expected)`
			`# The TURN iceServer entry carries the same credential.`
			`turn = [s for s in data["iceServers"] if "credential" in s][0]`
			`self.assertEqual(turn["credential"], expected)`