Description
We use Coturn in production at mesibo. We are implementing enhancements to protect against amplification and other attacks. This issue is regarding validating TURN credentials against an IP address.
We generate dynamic TURN credentials valid for specific IPs and other criteria. The IP check allows restricting TURN credentials to be valid only for that IP, providing various security benefits.
However, the database driver's get_user_key() callback currently does not receive the client's IP address or port information.
Proposed Solution
Extend the get_user_key() callback signature to include client connection information:
```c
int get_user_key(uint8_t *usname, uint8_t *realm, hmackey_t key,
                 const char *client_ip,   // NEW: client source IP
                 uint16_t client_port,    // NEW: client source port
                 ...);
```

This would allow database implementations to validate that credentials are used from an authorized IP.
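To make the proposal concrete, here is an added, self-contained example of what a database-side implementation of the extended callback could look like. It is not coturn's code and not mesibo's: the `demo_` names, the `demo_hmackey_t` type (a stand-in for coturn's `hmackey_t`), the in-memory credential table and every address, username and key in it are constructed for this example, and the callback signature is the one proposed above with the trailing `...` dropped. The key is handed back only when the username and realm match a stored record and the client's source IPv4 address falls inside that record's allowed prefix; a valid credential presented from any other address is reported as unknown, so a leaked or replayed credential cannot be used to allocate relays from elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for coturn's hmackey_t (assumption for this example). */
#define DEMO_KEY_LEN 16
typedef uint8_t demo_hmackey_t[DEMO_KEY_LEN];

/* One credential record as a database might store it: TURN username, realm,
   the HMAC key derived for it, and the IPv4 prefix it may be used from. */
struct demo_cred {
    const char *username;
    const char *realm;
    demo_hmackey_t key;
    const char *allowed_cidr;   /* e.g. "198.51.100.0/24"; /32 pins one host */
};

/* Constructed sample table (documentation addresses, made-up keys). */
static const struct demo_cred demo_db[] = {
    { "1700000000:alice", "turn.example", "k-alice-0123456", "203.0.113.10/32" },
    { "1700000000:bob",   "turn.example", "k-bob-00000000",  "198.51.100.0/24" },
};

/* Parse a dotted-quad IPv4 string into a host-order uint32. 0 on success. */
static int demo_parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* Return 1 if ip lies inside cidr ("a.b.c.d/n" or a bare "a.b.c.d" meaning /32),
   0 otherwise, including on any parse error (fail closed). */
static int demo_ipv4_in_cidr(const char *ip, const char *cidr) {
    char net_str[32];
    const char *slash = strchr(cidr, '/');
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);
    unsigned prefix = slash ? (unsigned)strtoul(slash + 1, NULL, 10) : 32;
    uint32_t ip_u, net_u, mask;

    if (n >= sizeof net_str || prefix > 32) return 0;
    memcpy(net_str, cidr, n);
    net_str[n] = '\0';
    if (demo_parse_ipv4(ip, &ip_u) != 0 || demo_parse_ipv4(net_str, &net_u) != 0) return 0;
    mask = (prefix == 0) ? 0u : 0xFFFFFFFFu << (32 - prefix);
    return (ip_u & mask) == (net_u & mask);
}

/* Hypothetical implementation of the extended callback from the proposal.
   Returns 0 and fills key only when username/realm match AND the request's
   source IP is inside the record's allowed prefix; -1 otherwise, so the TURN
   server treats the request exactly like one for an unknown user.
   client_port is accepted for parity with the proposal but not used here. */
int demo_get_user_key(const uint8_t *usname, const uint8_t *realm, demo_hmackey_t key,
                      const char *client_ip, uint16_t client_port) {
    (void)client_port;
    for (size_t i = 0; i < sizeof demo_db / sizeof demo_db[0]; i++) {
        const struct demo_cred *c = &demo_db[i];
        if (strcmp((const char *)usname, c->username) != 0) continue;
        if (strcmp((const char *)realm, c->realm) != 0) continue;
        if (!demo_ipv4_in_cidr(client_ip, c->allowed_cidr)) {
            /* Known credential, wrong source address: do not release the key. */
            return -1;
        }
        memcpy(key, c->key, DEMO_KEY_LEN);
        return 0;
    }
    return -1;   /* no such user/realm */
}

int main(void) {
    demo_hmackey_t k;
    const uint8_t *u = (const uint8_t *)"1700000000:alice";
    const uint8_t *r = (const uint8_t *)"turn.example";
    printf("alice from 203.0.113.10 -> %d\n", demo_get_user_key(u, r, k, "203.0.113.10", 49152));
    printf("alice from 203.0.113.11 -> %d\n", demo_get_user_key(u, r, k, "203.0.113.11", 49152));
    return 0;
}
```

The address compared here is whatever the TURN server sees as the request's source, which for most clients is a NAT or carrier-grade NAT public address rather than the device's own; the credential issuer therefore has to bind the credential to the address the TURN server will observe, and a prefix rather than a single host is the practical choice where that address can change mid-session.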
Is there existing work on this feature? If not, would such a change be acceptable upstream? We're happy to contribute this enhancement if you find it useful.