Avoid all viewers gaining access to stream key? #654

Open
AJDowds opened this issue Aug 21, 2024 · 3 comments


AJDowds commented Aug 21, 2024

Whenever a user streams, they provide a stream key, which ends up being the stream name, and whenever someone consumes a stream, they make a request to a URL which includes this stream name. This means any viewer has access to any streamer's stream key and could hijack the stream.

How are we supposed to tackle this?

e.g.

  • I begin a stream with server: rtmp://mydomain.com/live and stream key: mysecretkey
  • A user accesses my stream via the client/browser and looks at their network traffic where they see that they're making a request to mysecretkey.flv
  • The user now has access to the streamer's key
@AlexUrrutia

You should use authentication


AJDowds commented Aug 21, 2024

I've looked at the authentication section of the docs: https://github.com/illuspas/Node-Media-Server?tab=readme-ov-file#authentication

I can't really make sense of what they're trying to explain here; perhaps there's some translation issue or something. In the end it suggests that a final request URL of e.g. rtmp://192.168.0.10/live/stream?sign=1503458721-80c1d1ad2e0c2ab63eebb50eed64201a needs to be used, but I don't understand how that fits into the OBS stream settings.

Does this mean that the streamer would still provide a stream key which ends up being their stream name, but the URL that each streamer enters into the server input would be unique to them?


AJDowds commented Aug 21, 2024

HashValue = md5("/live/stream-1503458721-nodemedia2017privatekey")

Is this saying that for each streamer, they would have a unique URL that they stream to which would include a hash of the above, where stream is their stream name, the number following it (1503458721) is the expiry and the string following that (nodemedia2017privatekey) is some global secret defined within the node-media-server config?
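
The signing scheme quoted in the comments above, as an added example that is not part of the thread or the project's own code: it builds the `sign` value from the quoted formula and checks it, showing that knowing the stream name alone is not enough to produce a valid signature. `makeSign`, `verifySign` and `signedUrl` are hypothetical names, and the verification logic is an assumption derived only from that formula.

```javascript
const crypto = require('crypto');

// Secret string as it appears in the formula quoted in the thread.
const SECRET = 'nodemedia2017privatekey';

// HashValue = md5("<streamPath>-<expires>-<secret>"); sign = "<expires>-<HashValue>"
// MD5 is used here only because the quoted formula specifies it.
function makeSign(streamPath, expires, secret) {
  const hash = crypto
    .createHash('md5')
    .update(`${streamPath}-${expires}-${secret}`)
    .digest('hex');
  return `${expires}-${hash}`;
}

// Full URL in the form shown in the thread: <base><streamPath>?sign=<sign>
function signedUrl(base, streamPath, expires, secret) {
  return `${base}${streamPath}?sign=${makeSign(streamPath, expires, secret)}`;
}

// Hypothetical server-side check (assumption, not the project's code):
// reject a missing, malformed, expired or mismatching sign.
function verifySign(streamPath, sign, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^(\d+)-([0-9a-f]{32})$/.exec(sign || '');
  if (!m) return false;                       // missing or malformed
  const expires = Number(m[1]);
  if (expires < nowSec) return false;         // past its expiry timestamp
  const expected = Buffer.from(makeSign(streamPath, expires, secret));
  const given = Buffer.from(sign);
  // Constant-time comparison of the recomputed value against the presented one.
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Constructed demo values: expiry one hour from now for the path /live/stream.
const demoExpires = Math.floor(Date.now() / 1000) + 3600;
const demoUrl = signedUrl('rtmp://192.168.0.10', '/live/stream', demoExpires, SECRET);
console.log(demoUrl);

// A viewer who sees the name "stream" but guesses the secret gets rejected.
const forged = makeSign('/live/stream', demoExpires, 'guessed-secret');
console.log('valid sign accepted:', verifySign('/live/stream', demoUrl.split('sign=')[1], SECRET));
console.log('forged sign accepted:', verifySign('/live/stream', forged, SECRET));
```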
