From 05bb87be965771faf150fe1ea9f38e0992401768 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Tue, 4 May 2021 15:19:29 +0000
Subject: [PATCH] feat: Add authentication to TURN

---
 internal/cmd/tunnel.go | 10 +++++++---
 wsnet/auth.go | 21 +++++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 wsnet/auth.go

diff --git a/internal/cmd/tunnel.go b/internal/cmd/tunnel.go
index b21819e2..fc59ddaa 100644
--- a/internal/cmd/tunnel.go
+++ b/internal/cmd/tunnel.go
@@ -104,14 +104,18 @@ type tunnneler struct {
 }
 
 func (c *tunnneler) start(ctx context.Context) error {
+ username, password, err := wsnet.TURNCredentials(c.token)
+ if err != nil {
+ return xerrors.Errorf("failed to parse credentials from token")
+ }
 server := webrtc.ICEServer{
 URLs: []string{wsnet.TURNEndpoint(c.brokerAddr)},
- Username: "insecure",
- Credential: "pass",
+ Username: username,
+ Credential: password,
 CredentialType: webrtc.ICECredentialTypePassword,
 }
 
- err := wsnet.DialICE(server, nil)
+ err = wsnet.DialICE(server, nil)
 if errors.Is(err, wsnet.ErrInvalidCredentials) {
 return xerrors.Errorf("failed to authenticate your user for this workspace")
 }
diff --git a/wsnet/auth.go b/wsnet/auth.go
new file mode 100644
index 00000000..94ffa59d
--- /dev/null
+++ b/wsnet/auth.go
@@ -0,0 +1,21 @@
+package wsnet
+
+import (
+ "crypto/sha256"
+ "errors"
+ "strings"
+)
+
+// TURNCredentials returns a username and password pair
+// for a Coder token.
+func TURNCredentials(token string) (username, password string, err error) {
+ str := strings.SplitN(token, "-", 2)
+ if len(str) != 2 {
+ err = errors.New("invalid token format")
+ return
+ }
+ username = str[0]
+ hash := sha256.Sum256([]byte(str[1]))
+ password = string(hash[:])
+ return
+}
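Review bot: In `start` (internal/cmd/tunnel.go) the new error branch discards the cause returned by `wsnet.TURNCredentials`, so callers cannot unwrap it; prefer `return xerrors.Errorf("parse credentials from token: %w", err)`. The underlying error in wsnet/auth.go is a fixed string today, so wrapping does not put the token into the message, and it should stay that way if that function's errors become more detailed. The ICE server entry now carries a username and password derived from the session token, so it is worth confirming that `wsnet.TURNEndpoint` returns a TLS-protected (`turns:`) URL, which this hunk does not show. The body of `start` continues past the end of the hunk.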
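Review bot: In `TURNCredentials` (wsnet/auth.go), `password = string(hash[:])` stores the 32 raw SHA-256 bytes in a string, which will usually not be valid UTF-8 and may contain NUL bytes; code that treats the TURN password as text (credential normalisation, JSON encoding of the ICE server config, logging) can silently alter or reject it. Encoding the digest avoids that, e.g. `password = hex.EncodeToString(hash[:])` with `"encoding/hex"` added to the imports, provided the TURN server derives the same encoding, which this patch does not show. The length check also accepts tokens such as `-secret` and `id-`, giving an empty username or the digest of an empty string; consider `if len(str) != 2 || str[0] == "" || str[1] == ""`. The doc comment could also state that the password is a deterministic, unsalted digest of the token secret, so it is only as strong as that secret.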