From 5a76f83f65649a3108244fd5d514bf23487414a1 Mon Sep 17 00:00:00 2001 From: Benjamin Pracht Date: Tue, 10 Feb 2026 14:28:43 -0800 Subject: [PATCH 1/6] Redact ice server credentials in logs --- protobufs/livekit_rtc.proto | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/protobufs/livekit_rtc.proto b/protobufs/livekit_rtc.proto index 1e88cbe68..015200d13 100644 --- a/protobufs/livekit_rtc.proto +++ b/protobufs/livekit_rtc.proto @@ -48,7 +48,7 @@ message SignalRequest { // Simulate conditions, for client validations SimulateScenario simulate = 13; // client triggered ping to server - int64 ping = 14; // deprecated by ping_req (message Ping) + int64 ping = 14; // deprecated by ping_req (message Ping) // update a participant's own metadata, name, or attributes // requires canUpdateOwnParticipantMetadata permission UpdateParticipantMetadata update_metadata = 15; @@ -102,7 +102,7 @@ message SignalResponse { // server initiated track unpublish TrackUnpublishedResponse track_unpublished = 17; // respond to ping - int64 pong = 18; // deprecated by pong_resp (message Pong) + int64 pong = 18; // deprecated by pong_resp (message Pong) // sent when client reconnects ReconnectResponse reconnect = 19; // respond to Ping @@ -152,7 +152,7 @@ message AddTrackRequest { // true to add track and initialize to muted bool muted = 6; // true if DTX (Discontinuous Transmission) is disabled for audio - bool disable_dtx = 7 [deprecated = true]; // deprecated in favor of audio_features + bool disable_dtx = 7 [deprecated = true]; // deprecated in favor of audio_features TrackSource source = 8; repeated VideoLayer layers = 9; @@ -161,7 +161,7 @@ message AddTrackRequest { // server ID of track, publish new codec to exist track string sid = 11; - bool stereo = 12 [deprecated = true]; // deprecated in favor of audio_features + bool stereo = 12 [deprecated = true]; // deprecated in favor of audio_features // true if RED (Redundant Encoding) is disabled for audio bool disable_red = 13; @@ -268,7 +268,7 @@ message TrackUnpublishedResponse { } message SessionDescription { - string type = 1; // "answer" | "offer" | "pranswer" | "rollback" + string type = 1; // "answer" | "offer" | "pranswer" | "rollback" string sdp = 2; uint32 id = 3; map mid_to_track_id = 4; @@ -330,9 +330,9 @@ message UpdateLocalVideoTrack { message LeaveRequest { // indicates action clients should take on receiving this message enum Action { - DISCONNECT = 0; // should disconnect - RESUME = 1; // should attempt a resume with `reconnect=1` in join URL - RECONNECT = 2; // should attempt a reconnect, i. e. no `reconnect=1` + DISCONNECT = 0; // should disconnect + RESUME = 1; // should attempt a resume with `reconnect=1` in join URL + RECONNECT = 2; // should attempt a reconnect, i. e. no `reconnect=1` } // sent when server initiates the disconnect due to server-restart @@ -371,8 +371,14 @@ message UpdateParticipantMetadata { message ICEServer { repeated string urls = 1; - string username = 2; - string credential = 3; + string username = 2 [ + (logger.redact) = true, + (logger.redact_format) = "" + ]; + string credential = 3 [ + (logger.redact) = true, + (logger.redact_format) = "" + ]; } message SpeakersChanged { @@ -591,7 +597,7 @@ message JoinRequest { string metadata = 3 [ (logger.redact) = true, (logger.redact_format) = "" - ]; // if not empty, will overwrite `metadata` in token + ]; // if not empty, will overwrite `metadata` in token // will set keys provided via this // will overwrite if the same key is in the token @@ -617,7 +623,7 @@ message WrappedJoinRequest { } Compression compression = 1; - bytes join_request = 2; // marshalled JoinRequest + potentially compressed + bytes join_request = 2; // marshalled JoinRequest + potentially compressed } message MediaSectionsRequirement { From 5eb03e3e976c0f3804113f932b7fe7df0ba28354 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 10 Feb 2026 22:35:42 +0000 Subject: [PATCH 2/6] generated protobuf --- livekit/livekit_rtc.pb.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/livekit/livekit_rtc.pb.go b/livekit/livekit_rtc.pb.go index 15825729e..7e7b20ea2 100644 --- a/livekit/livekit_rtc.pb.go +++ b/livekit/livekit_rtc.pb.go @@ -5219,12 +5219,12 @@ const file_livekit_rtc_proto_rawDesc = "" + "request_id\x18\x04 \x01(\rR\trequestId\x1a=\n" + "\x0fAttributesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"[\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xab\x01\n" + "\tICEServer\x12\x12\n" + - "\x04urls\x18\x01 \x03(\tR\x04urls\x12\x1a\n" + - "\busername\x18\x02 \x01(\tR\busername\x12\x1e\n" + + "\x04urls\x18\x01 \x03(\tR\x04urls\x12B\n" + + "\busername\x18\x02 \x01(\tB&\x88\xec,\x01\x92\xec,\x1eR\busername\x12F\n" + "\n" + - "credential\x18\x03 \x01(\tR\n" + + "credential\x18\x03 \x01(\tB&\x88\xec,\x01\x92\xec,\x1eR\n" + "credential\"C\n" + "\x0fSpeakersChanged\x120\n" + "\bspeakers\x18\x01 \x03(\v2\x14.livekit.SpeakerInfoR\bspeakers\"/\n" + From 172fe88fa6868c4be2e9db8f7f5b0be5c07d5189 Mon Sep 17 00:00:00 2001 From: Benjamin Pracht Date: Tue, 10 Feb 2026 19:57:32 -0800 Subject: [PATCH 3/6] No size for redacted username/pwd --- protobufs/livekit_rtc.proto | 2 -- 1 file changed, 2 deletions(-) diff --git a/protobufs/livekit_rtc.proto b/protobufs/livekit_rtc.proto index 015200d13..d1f35a68d 100644 --- a/protobufs/livekit_rtc.proto +++ b/protobufs/livekit_rtc.proto @@ -373,11 +373,9 @@ message ICEServer { repeated string urls = 1; string username = 2 [ (logger.redact) = true, - (logger.redact_format) = "" ]; string credential = 3 [ (logger.redact) = true, - (logger.redact_format) = "" ]; } From 42a803acbec7cc299e28d1e622ecfee3ab9ab879 Mon Sep 17 00:00:00 2001 From: Benjamin Pracht Date: Tue, 10 Feb 2026 20:02:33 -0800 Subject: [PATCH 4/6] typo --- protobufs/livekit_rtc.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/protobufs/livekit_rtc.proto b/protobufs/livekit_rtc.proto index d1f35a68d..5d1c17146 100644 --- a/protobufs/livekit_rtc.proto +++ b/protobufs/livekit_rtc.proto @@ -372,10 +372,10 @@ message UpdateParticipantMetadata { message ICEServer { repeated string urls = 1; string username = 2 [ - (logger.redact) = true, + (logger.redact) = true ]; string credential = 3 [ - (logger.redact) = true, + (logger.redact) = true ]; } From 26d90c10ffb3a280ba06ba0f7d314939dce2de61 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 11 Feb 2026 04:03:26 +0000 Subject: [PATCH 5/6] generated protobuf --- livekit/livekit_rtc.pb.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/livekit/livekit_rtc.pb.go b/livekit/livekit_rtc.pb.go index 7e7b20ea2..ff3fe6f5f 100644 --- a/livekit/livekit_rtc.pb.go +++ b/livekit/livekit_rtc.pb.go @@ -5219,12 +5219,12 @@ const file_livekit_rtc_proto_rawDesc = "" + "request_id\x18\x04 \x01(\rR\trequestId\x1a=\n" + "\x0fAttributesEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + - "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xab\x01\n" + + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"g\n" + "\tICEServer\x12\x12\n" + - "\x04urls\x18\x01 \x03(\tR\x04urls\x12B\n" + - "\busername\x18\x02 \x01(\tB&\x88\xec,\x01\x92\xec,\x1eR\busername\x12F\n" + + "\x04urls\x18\x01 \x03(\tR\x04urls\x12 \n" + + "\busername\x18\x02 \x01(\tB\x04\x88\xec,\x01R\busername\x12$\n" + "\n" + - "credential\x18\x03 \x01(\tB&\x88\xec,\x01\x92\xec,\x1eR\n" + + "credential\x18\x03 \x01(\tB\x04\x88\xec,\x01R\n" + "credential\"C\n" + "\x0fSpeakersChanged\x120\n" + "\bspeakers\x18\x01 \x03(\v2\x14.livekit.SpeakerInfoR\bspeakers\"/\n" + From e092f0ded2d495a3197c39f05685952f0e76642e Mon Sep 17 00:00:00 2001 From: Benjamin Pracht Date: Tue, 10 Feb 2026 20:08:49 -0800 Subject: [PATCH 6/6] changes Redact ice server credentials from logs to enhance security. --- .changeset/calm-snails-fix.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/calm-snails-fix.md diff --git a/.changeset/calm-snails-fix.md b/.changeset/calm-snails-fix.md new file mode 100644 index 000000000..882749991 --- /dev/null +++ b/.changeset/calm-snails-fix.md @@ -0,0 +1,5 @@ +--- +"@livekit/protocol": patch +--- + +Redact ice server credentials in logs