Plans for terminating stream viewers?

[mpisat]

I have a cool demo of ovenmediaengine where I can demonstrate origin <-> edge and basic authentication with WebHookAdmissions for publish and playback.
I can terminate publishers easily, it disconnects their OBS (or ffmpeg). But there is no way to terminate viewers who are also using token to authenticate, for example:

https://xx.xx.com:3334/live/test3/llhls.m3u8?token=a36c2d7e-f6f1-4dd4-a366-8e4b6edf9fd9
and backend is responsible for allowing / disallowing playback.

It'd be great to have this feature in my opinion. I can disconnect users from FE with a websocket connection but it won't be secure. Server should be able to terminate view sessions just like it can kick streams offline in my opinion.

[nums]

For that use case, I think using nginx proxy with a secure link plugin or a thing like can do that.
For WebRTC, yes, it should be on OME with closing the client's websocket connection on the server side.

[mpisat]

LL-HLS / HLS can be solved but for WebRTC I can't think of any workarounds :)

[NXFinity]

I assume you're using 'Access Control', just setup API signaling that then terminates the 'View Session' and clears out any active tokens.

[mpisat]

I'm using https://docs.ovenmediaengine.com/access-control/admission-webhooks -- so that my backend can control who can publish and who can play.
I couldn't find a way to terminate active viewing session with Rest API

[NXFinity]

So what you are looking for is the 'STREAM TERMINATION'

  ome.on('publish_done', (streamId) => {
    // Handle stream closure logic here
  });

You essentially listen for events from OME and once you've got that signal, you generate logic to do what you want it to do.

  function handleStreamClosure(streamId) {
    removeViewToken(streamId);
  }

Depending on how you publish, would be how you remove. Mine just listens for 'publish_done' and terminates the view session, by closing down the page.

This is an example simplified version of what I do.

if (request.status === 'closing') {
streamDoc.isLive = false;
streamDoc.endedAt = new Date();
await streamDoc.save();
return res.json({ allowed: true });
}

Once stream has ended, I set the state to isLive = False, my Frontend then handles the clearing out of any tokens.

[NXFinity]

This is what I created for Nest.js

  async admission(body: any, request: any, res: any): Promise<any> {
    // Extract the streamKey from the URL
    const url = new URL(body.request.url);
    const streamKey = url.pathname.split('/').pop();

    const stream = await this.findByStreamKey(streamKey);
    if (!stream) {
      return res.status(200).json({ allowed: false });
    }

    // Check the status of the request to determine if the stream is going online or offline
    if (body.request.status === 'opening') {
      // The stream is going online
      stream.isLive = true;
    } else if (body.request.status === 'closing') {
      // The stream is going offline
      stream.isLive = false;
    }
  }

[mpisat]

Oh, but I'm looking to terminate some viewers while keeping others on an active stream, without killing the stream publish (which will disconnect everyone).
I can use frontend to handle disconnect command (from a custom websocket) to terminate webrtc / ll-hls but it wouldn't be secure.

[NXFinity]

Oh that's easy.

In my 'Frontend' for 'Admin' on the 'View Channel' I have 'Viewer List' which I can click on the user and ban them, it essentially blocks their 'User ID' for that 'View Channel'. You can set this into the Admissions, to check for 'Banned ID' either based globally or channel based.

Mind me asking what you're trying to build? As it might be worth looking at my project 😉😉😉😉😉

I'm doing this and more.

[mpisat]

OvenMediaEngine with AdmissionWebhooks only checks authorization once before stream publish or playback. So, when I start viewing a stream with ?token= and it is approved by my backend, even if I remove it, viewer can keep viewing the stream (webrtc/ll-hls) until it's offline.

What I want is to have ability to kick viewers from a live stream, where they shouldn't be able to reconnect to live stream back (that one is easy since token is revoked).

I'm trying to build a demo that showcases OME's capabilities, and it requires termination of publishers and viewers. With livekit I'm able to kick people off the room (and by using short lived JWT tokens, it works well).

It'd be great if OME also gains ability to terminate individual viewers.

[getroot]

This isn't actually part of our current plan. Managing sessions directly in OME would be a big step, and so far, the broadcast industry hasn’t really asked for this kind of feature. That said, it’s definitely an interesting idea.

Are there many use cases where you need to directly kick out a playing session? For preview streams, we already support setting a session lifetime through SignedPolicy or AdmissionWebhooks. In online meeting scenarios, it makes sense to have a kick feature to remove a specific user from a room. But since OME is mostly used for broadcasting, we haven't seen much need for that.

At the service level, I can imagine not issuing a playback URL to restrict access. But if you could share more about situations where you need to immediately disconnect an active viewer, that would help broaden my perspective.

[mpisat]

Imagine you have a tiktok / twitch like site, where one publisher consumed by several viewers. Members are authorized by ?token= on playback start. If publisher wants to kick them from their live stream, playback must disconnect. With WebRTC, playback remains connected. I can invalidate playback token, prevent user from reconnecting to chat, but if you can't kick live viewers out then this won't work.

There are certain categories of services rely on this feature, for example almost all cam sites (+18, legal).

SignedPolicy is cool but it's not going to work when you want to terminate an active view session.

[getroot]

Yes, it seems like a good idea. I'll add this to our backlog and implement it in the future. Thanks for the good idea.