my-sea voice Phase C: WebRTC mesh signaling app + TURN endpoint + voice-btn wiring + coturn infra — TDD

Phase C (final) of the my-sea invite → spectator → voice blueprint. Self- hosted WebRTC mesh voice, built room-general but wired for my-sea only; epic 6-seat rooms reuse the same consumer later (key on Room.id). Media never touches the server — only signaling is relayed. Built from the blueprint's distilled spec (disco-voice-mesh.pdf unreadable in-env: no poppler/pypdf). - C1: new apps/voice/ — RoomVoiceConsumer (AsyncJsonWebsocketConsumer): signaling-only relay (room group voice.<room_id> + per-peer peer.<uuid>; hello→present handshake, offer/answer/ice routed by target/source, left on disconnect). room_id is a STRING kwarg (mysea-<owner_id> now). _can_join gates: mysea → owner OR present invitee (token deposited, not left); epic UUID → seated gamer (later). routing.py ws/voice/<str:room_id>/; asgi.py aggregates epic + voice urlpatterns under AuthMiddlewareStack. voice-mesh.js: VoiceRoom client (getUserMedia AEC/NS/AGC, mesh RTCPeerConnection, newcomer-offers handshake, tuneOpus SDP munge = inbandfec+dtx+40kbps cap, mute via getAudioTracks().enabled), lazy-loaded. - C2: apps/api VoiceTURNCredentialsAPI at /api/voice/turn-credentials/ — coturn use-auth-secret REST scheme: username=<expiry>:<user_id>, credential=base64(HMAC-SHA1(username, COTURN_SHARED_SECRET)) + stun/turn iceServers + ttl. Authenticated-only. 4 ITs (HMAC shape, auth gate). - C3: settings COTURN_SHARED_SECRET / COTURN_TURN_HOST / COTURN_REALM / COTURN_TTL env block. - C4: #id_voice_btn wiring — _burger.html renders .active + data-room-id when voice_active; burger-btn.js bindVoiceBtn (active click → lazy-load voice-mesh.js → join / toggle-mute; inactive → existing 2-pulse flash). my_sea (owner) + my_sea_visit (spectator) views compute voice_active (open 24h window) + voice_room_id=mysea-<owner_id>; spectator page now includes the burger. 4 voice-context ITs. - C5: infra/coturn.conf.j2 (use-auth-secret, the external-ip footgun, relay port range, TLS 5349, peer-IP lockdown) + infra/coturn-playbook.yaml (dedicated droplet, PySwiss-style split: install coturn, template conf, ufw 3478/5349/49152-65535, systemd enable) + [coturn] inventory placeholder. *** Manual ops step: provision the droplet + fill inventory before voice works on staging/prod; CI/local need none of it. *** - C6: 8 channels ITs (@tag channels) — connect/auth/_can_join gate (owner, present invitee, stranger, not-present, anon) + hello/present handshake + offer routing + left-on-disconnect. Scope-injected; TransactionTestCase. - JS: VoiceMeshSpec.js (tuneOpus) + voice-mesh.js registered in SpecRunner. 1440 IT/UT green; voice channels IT + full Jasmine + voice-btn FT green. Voice infra is code-complete — provision the coturn droplet to go live. Code architected by Disco DeDisco <discodedisco@outlook.com> Git commit message Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 13:57:09 -04:00
parent d0c39b51b6
commit 41217d5438
26 changed files with 957 additions and 2 deletions
--- a/src/apps/api/tests/integrated/test_turn_credentials.py
+++ b/src/apps/api/tests/integrated/test_turn_credentials.py
@@ -0,0 +1,55 @@
+"""ITs for the WebRTC mesh TURN-credentials endpoint — Phase C of
+[[my-sea-invite-voice-blueprint]]. Verifies the coturn `use-auth-secret`
+REST scheme (HMAC-SHA1 username/credential) + auth gating.
+"""
+
+import base64
+import hashlib
+import hmac
+
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+from apps.lyric.models import User
+
+
+@override_settings(
+    COTURN_SHARED_SECRET="testsecret",
+    COTURN_TURN_HOST="turn.test",
+    COTURN_TTL=86400,
+)
+class TURNCredentialsTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="turn@test.io", username="turner")
+        self.url = reverse("api_turn_credentials")
+
+    def test_requires_authentication(self):
+        resp = self.client.get(self.url)
+        self.assertIn(resp.status_code, (401, 403))
+
+    def test_returns_ice_servers_and_ttl(self):
+        self.client.force_login(self.user)
+        data = self.client.get(self.url).json()
+        self.assertEqual(data["ttl"], 86400)
+        urls = [s for srv in data["iceServers"] for s in srv["urls"]]
+        self.assertTrue(any(u.startswith("stun:turn.test") for u in urls))
+        self.assertTrue(any("turn:turn.test" in u and "transport=udp" in u for u in urls))
+        self.assertTrue(any("turn:turn.test" in u and "transport=tcp" in u for u in urls))
+
+    def test_username_is_expiry_colon_user_id(self):
+        self.client.force_login(self.user)
+        data = self.client.get(self.url).json()
+        expiry_str, _, uid = data["username"].partition(":")
+        self.assertTrue(expiry_str.isdigit())
+        self.assertEqual(uid, str(self.user.id))
+
+    def test_credential_is_hmac_sha1_of_username(self):
+        self.client.force_login(self.user)
+        data = self.client.get(self.url).json()
+        expected = base64.b64encode(
+            hmac.new(b"testsecret", data["username"].encode(), hashlib.sha1).digest()
+        ).decode()
+        self.assertEqual(data["credential"], expected)
+        # The TURN iceServer entry carries the same credential.
+        turn = [s for s in data["iceServers"] if "credential" in s][0]
+        self.assertEqual(turn["credential"], expected)