fix: Properly setup DRM to support Airplay (muxinc#1245)

spuppo-mux · web-flow · commit 673b7ff6e056 · 2025-12-03T18:33:12.000-03:00
Closes [muxinc#183](muxinc/devextravaganza#183) I also reorganized the `onFpEncrypted` callback to get a better understanding of the code and compare it with the [FairPlay Streaming Overview](https://developer.apple.com/streaming/fps/FairPlayStreamingOverview.pdf). The main issue here was that we were ignoring the Apple TV SPC when generating the DRM license. This is reflected on the `session.addEventListener('message', ...)` changes. We were listening just once to this message, but more recent versions of Apple TV send new messages when using AirPlay. Therefore I modified that listener to ask for that license again and update the session for each new message.
diff --git a/packages/playback-core/src/index.ts b/packages/playback-core/src/index.ts
@@ -882,158 +882,184 @@ export const setupNativeFairplayDRM = (
   props: Partial<Pick<MuxMediaPropsInternal, 'playbackId' | 'tokens' | 'playbackToken' | 'customDomain' | 'drmTypeCb'>>,
   mediaEl: HTMLMediaElement
 ) => {
-  const onFpEncrypted = async (event: MediaEncryptedEvent) => {
-    try {
-      const initDataType = event.initDataType;
-      if (initDataType !== 'skd') {
-        console.error(`Received unexpected initialization data type "${initDataType}"`);
-        return;
-      }
-
-      if (!mediaEl.mediaKeys) {
-        const access = await navigator
-          .requestMediaKeySystemAccess('com.apple.fps', [
-            {
-              initDataTypes: [initDataType],
-              videoCapabilities: [{ contentType: 'application/vnd.apple.mpegurl', robustness: '' }],
-              distinctiveIdentifier: 'not-allowed',
-              persistentState: 'not-allowed',
-              sessionTypes: ['temporary'],
-            },
-          ])
-          .then((value) => {
-            props.drmTypeCb?.(DRMType.FAIRPLAY);
-            return value;
-          })
-          .catch(() => {
-            const message = i18n(
-              'Cannot play DRM-protected content with current security configuration on this browser. Try playing in another browser.'
-            );
-            // Should we flag this as a business exception?
-            const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
-            mediaError.errorCategory = MuxErrorCategory.DRM;
-            mediaError.muxCode = MuxErrorCode.ENCRYPTED_UNSUPPORTED_KEY_SYSTEM;
-            saveAndDispatchError(mediaEl, mediaError);
-          });
-
-        if (!access) return;
-
-        const keys = await access.createMediaKeys();
-
-        try {
-          const fairPlayAppCert = await getAppCertificate(toAppCertURL(props, 'fairplay')).catch((errOrResp) => {
-            if (errOrResp instanceof Response) {
-              const mediaError = getErrorFromResponse(errOrResp, MuxErrorCategory.DRM, props);
-              console.error('mediaError', mediaError?.message, mediaError?.context);
-              if (mediaError) {
-                return Promise.reject(mediaError);
-              }
-              // NOTE: This should never happen. Adding for exhaustiveness (CJP).
-              return Promise.reject(new Error('Unexpected error in app cert request'));
-            }
-            return Promise.reject(errOrResp);
-          });
-          await keys.setServerCertificate(fairPlayAppCert).catch(() => {
-            const message = i18n(
-              'Your server certificate failed when attempting to set it. This may be an issue with a no longer valid certificate.'
-            );
-            const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
-            mediaError.errorCategory = MuxErrorCategory.DRM;
-            mediaError.muxCode = MuxErrorCode.ENCRYPTED_UPDATE_SERVER_CERT_FAILED;
-            return Promise.reject(mediaError);
-          });
-          // @ts-ignore
-        } catch (error: Error | MediaError) {
-          saveAndDispatchError(mediaEl, error);
-          return;
-        }
-        await mediaEl.setMediaKeys(keys);
-      }
-
-      const initData = event.initData;
-      if (initData == null) {
-        console.error(`Could not start encrypted playback due to missing initData in ${event.type} event`);
-        return;
-      }
+  const setupMediaKeys = async (initDataType: string) => {
+    const access = await navigator
+      .requestMediaKeySystemAccess('com.apple.fps', [
+        {
+          initDataTypes: [initDataType],
+          videoCapabilities: [{ contentType: 'application/vnd.apple.mpegurl', robustness: '' }],
+          distinctiveIdentifier: 'not-allowed',
+          persistentState: 'not-allowed',
+          sessionTypes: ['temporary'],
+        },
+      ])
+      .then((value) => {
+        props.drmTypeCb?.(DRMType.FAIRPLAY);
+        return value;
+      })
+      .catch(() => {
+        const message = i18n(
+          'Cannot play DRM-protected content with current security configuration on this browser. Try playing in another browser.'
+        );
+        // Should we flag this as a business exception?
+        const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
+        mediaError.errorCategory = MuxErrorCategory.DRM;
+        mediaError.muxCode = MuxErrorCode.ENCRYPTED_UNSUPPORTED_KEY_SYSTEM;
+        saveAndDispatchError(mediaEl, mediaError);
+      });
 
-      const session = (mediaEl.mediaKeys as MediaKeys).createSession();
-      session.addEventListener('keystatuseschange', () => {
-        // recheck key statuses
-        // NOTE: As an improvement, we could also add checks for a status of 'expired' and
-        // attempt to renew the license here (CJP)
-        session.keyStatuses.forEach((mediaKeyStatus) => {
-          let mediaError;
-          if (mediaKeyStatus === 'internal-error') {
-            const message = i18n(
-              'The DRM Content Decryption Module system had an internal failure. Try reloading the page, upading your browser, or playing in another browser.'
-            );
-            mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
-            mediaError.errorCategory = MuxErrorCategory.DRM;
-            mediaError.muxCode = MuxErrorCode.ENCRYPTED_CDM_ERROR;
-          } else if (mediaKeyStatus === 'output-restricted' || mediaKeyStatus === 'output-downscaled') {
-            const message = i18n(
-              'DRM playback is being attempted in an environment that is not sufficiently secure. User may see black screen.'
-            );
-            // NOTE: When encountered, this is a non-fatal error (though it's certainly interruptive of standard playback experience). (CJP)
-            mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, false);
-            mediaError.errorCategory = MuxErrorCategory.DRM;
-            mediaError.muxCode = MuxErrorCode.ENCRYPTED_OUTPUT_RESTRICTED;
-          }
+    if (!access) return;
 
-          if (mediaError) {
-            saveAndDispatchError(mediaEl, mediaError);
-          }
-        });
-      });
-      const message = await Promise.all([
-        session.generateRequest(initDataType, initData).catch(() => {
-          // eslint-disable-next-line no-shadow
-          const message = i18n(
-            'Failed to generate a DRM license request. This may be an issue with the player or your protected content.'
-          );
-          const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
-          mediaError.errorCategory = MuxErrorCategory.DRM;
-          mediaError.muxCode = MuxErrorCode.ENCRYPTED_GENERATE_REQUEST_FAILED;
-          saveAndDispatchError(mediaEl, mediaError);
-        }),
-        new Promise<MediaKeyMessageEvent['message']>((resolve) => {
-          session.addEventListener(
-            'message',
-            (messageEvent) => {
-              resolve(messageEvent.message);
-            },
-            { once: true }
-          );
-        }),
-      ]).then(([, messageEventMsg]) => messageEventMsg);
+    const keys = await access.createMediaKeys();
 
-      const response = await getLicenseKey(message, toLicenseKeyURL(props, 'fairplay')).catch((errOrResp) => {
+    try {
+      const fairPlayAppCert = await getAppCertificate(toAppCertURL(props, 'fairplay')).catch((errOrResp) => {
         if (errOrResp instanceof Response) {
           const mediaError = getErrorFromResponse(errOrResp, MuxErrorCategory.DRM, props);
           console.error('mediaError', mediaError?.message, mediaError?.context);
           if (mediaError) {
             return Promise.reject(mediaError);
           }
           // NOTE: This should never happen. Adding for exhaustiveness (CJP).
-          return Promise.reject(new Error('Unexpected error in license key request'));
+          return Promise.reject(new Error('Unexpected error in app cert request'));
         }
         return Promise.reject(errOrResp);
       });
-      await session.update(response).catch(() => {
-        // eslint-disable-next-line no-shadow
+      await keys.setServerCertificate(fairPlayAppCert).catch(() => {
         const message = i18n(
-          'Failed to update DRM license. This may be an issue with the player or your protected content.'
+          'Your server certificate failed when attempting to set it. This may be an issue with a no longer valid certificate.'
         );
         const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
         mediaError.errorCategory = MuxErrorCategory.DRM;
-        mediaError.muxCode = MuxErrorCode.ENCRYPTED_UPDATE_LICENSE_FAILED;
+        mediaError.muxCode = MuxErrorCode.ENCRYPTED_UPDATE_SERVER_CERT_FAILED;
         return Promise.reject(mediaError);
       });
       // @ts-ignore
     } catch (error: Error | MediaError) {
       saveAndDispatchError(mediaEl, error);
       return;
     }
+    await mediaEl.setMediaKeys(keys);
+  };
+
+  const updateMediaKeyStatus = (mediaKeyStatus: MediaKeyStatus) => {
+    let mediaError;
+    if (mediaKeyStatus === 'internal-error') {
+      const message = i18n(
+        'The DRM Content Decryption Module system had an internal failure. Try reloading the page, upading your browser, or playing in another browser.'
+      );
+      mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
+      mediaError.errorCategory = MuxErrorCategory.DRM;
+      mediaError.muxCode = MuxErrorCode.ENCRYPTED_CDM_ERROR;
+    } else if (mediaKeyStatus === 'output-restricted' || mediaKeyStatus === 'output-downscaled') {
+      const message = i18n(
+        'DRM playback is being attempted in an environment that is not sufficiently secure. User may see black screen.'
+      );
+      // NOTE: When encountered, this is a non-fatal error (though it's certainly interruptive of standard playback experience). (CJP)
+      mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, false);
+      mediaError.errorCategory = MuxErrorCategory.DRM;
+      mediaError.muxCode = MuxErrorCode.ENCRYPTED_OUTPUT_RESTRICTED;
+    }
+
+    if (mediaError) {
+      saveAndDispatchError(mediaEl, mediaError);
+    }
+  };
+
+  const setupMediaKeySession = async (initDataType: string, initData: ArrayBuffer) => {
+    const session = (mediaEl.mediaKeys as MediaKeys).createSession();
+    const onKeyStatusChange = () => {
+      // recheck key statuses
+      // NOTE: As an improvement, we could also add checks for a status of 'expired' and
+      // attempt to renew the license here (CJP)
+      session.keyStatuses.forEach((keyStatus) => updateMediaKeyStatus(keyStatus));
+    };
+
+    const onMessage = async (event: MediaKeyMessageEvent) => {
+      const spc = event.message;
+      try {
+        const ckc = await getLicenseKey(spc, toLicenseKeyURL(props, 'fairplay'));
+
+        try {
+          // This is the same call whether we are local or AirPlay.
+          // Safari will forward CKC to Apple TV automatically.
+          await session.update(ckc);
+        } catch {
+          const message = i18n(
+            'Failed to update DRM license. This may be an issue with the player or your protected content.'
+          );
+          const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
+          mediaError.errorCategory = MuxErrorCategory.DRM;
+          mediaError.muxCode = MuxErrorCode.ENCRYPTED_UPDATE_LICENSE_FAILED;
+
+          saveAndDispatchError(mediaEl, mediaError);
+        }
+      } catch (errOrResp) {
+        if (errOrResp instanceof Response) {
+          const mediaError = getErrorFromResponse(errOrResp, MuxErrorCategory.DRM, props);
+          console.error('mediaError', mediaError?.message, mediaError?.context);
+
+          if (mediaError) {
+            saveAndDispatchError(mediaEl, mediaError);
+            return;
+          }
+
+          console.error('Unexpected error in license key request', errOrResp);
+          return;
+        }
+
+        console.error(errOrResp);
+      }
+    };
+
+    session.addEventListener('keystatuseschange', onKeyStatusChange);
+    session.addEventListener('message', onMessage);
+    mediaEl.addEventListener(
+      'teardown',
+      () => {
+        session.removeEventListener('keystatuseschange', onKeyStatusChange);
+        session.removeEventListener('message', onMessage);
+        session.close();
+      },
+      { once: true }
+    );
+
+    await session.generateRequest(initDataType, initData).catch((e) => {
+      console.error('Failed to generate license request', e);
+      const message = i18n(
+        'Failed to generate a DRM license request. This may be an issue with the player or your protected content.'
+      );
+      const mediaError = new MediaError(message, MediaError.MEDIA_ERR_ENCRYPTED, true);
+      mediaError.errorCategory = MuxErrorCategory.DRM;
+      mediaError.muxCode = MuxErrorCode.ENCRYPTED_GENERATE_REQUEST_FAILED;
+      return Promise.reject(mediaError);
+    });
+  };
+
+  const onFpEncrypted = async (event: MediaEncryptedEvent) => {
+    try {
+      const initDataType = event.initDataType;
+      if (initDataType !== 'skd') {
+        console.error(`Received unexpected initialization data type "${initDataType}"`);
+        return;
+      }
+
+      if (!mediaEl.mediaKeys) {
+        await setupMediaKeys(initDataType);
+      }
+
+      const initData = event.initData;
+      if (initData == null) {
+        console.error(`Could not start encrypted playback due to missing initData in ${event.type} event`);
+        return;
+      }
+
+      await setupMediaKeySession(initDataType, initData);
+      // @ts-ignore
+    } catch (error: Error | MediaError) {
+      saveAndDispatchError(mediaEl, error);
+      return;
+    }
   };
 
   addEventListenerWithTeardown(mediaEl, 'encrypted', onFpEncrypted);
