This is the monolithic API server which hosts Zling's functions. It's written in Rust with the help of actix-web, mediasoup-rust and sqlx.
Zling is currently in development. Expect the API to change. API Docs are hosted by the server at /docs.
- Database: PostgreSQL (
sqlx) - Voice SFU:
mediasoup - HTTP:
actix-web - Websockets:
actix-ws
- Text messaging
- Voice chat
- File attachments
- Performant
- Fully documented with OpenAPI
Zling uses the nanoid crate to generate URL-safe NanoIDs, of the default length of 21.
Zling uses an access and refresh token architecture for authorization. It's similar in ways to the tokens used by OAuth2, but is not strictly compliant.
The database contains a table of all refresh tokens and their expiry, which is used to renew a token pair. The server does not keep track of all valid access tokens, as it determines an access token's authenticity with HMAC verification.
By default, Zling's server generates a random token signing key between restarts, which deauthenticates any existing access tokens your clients might be using. If you want access tokens to be valid between runs, you need to generate a token signing key to be used persistently.
Start the server with TOKEN_SIGNING_KEY unset to get a random token. You may
start the server with cargo run, cargo run --release, or just use the
pre-built binary.
$ cargo run
[...] Version: 0.1.0
[...] Generating new token signing key... (provide one with TOKEN_SIGNING_KEY)
[...] Token signing key: d8b9e886234d4500dont_use_this_readmes_key_in_productiona02f9f3bff03
*logs continue below*
Now, restart the server with TOKEN_SIGNING_KEY set to the generated token:
$ TOKEN_SIGNING_KEY=xxxxx cargo run --release
Now you can try logging in on a client, restarting the server, then accessing the server again from the client. If you did everything correctly, you won't have to log in again.
| Type | Example | Validity |
|---|---|---|
| Access Token | TksgHm2VlVGauu-idaO4w.ZGdKYQ.OHMHwz6l3XkHSYOSns8IHtxxi_sHBrzmYu0gqWZtcUs |
Short (~10 mins) |
| Refresh Token | TksgHm2VlVGauu-idaO4w.ZGs8iQ.1ZcETwSXSEqeB6O19C0J_GOgFg8UeHrVv56QmGsszHmUDSog |
Long (~3 days) |
You can issue yourself a token by signing in at the /auth/login endpoint with a username and password, and then call /auth/reissue with a refresh token to obtain new access & refresh tokens accordingly.
The format of tokens resembles JWT but is not compliant for the sake of shortness. Tokens are of the format:
xoKM4W7NDqHjK_V0g9s3y.ZFZDYw.iIuDsgiT4s2ehQ-3ATImimyPUoooTPC1ytqqQuPQSJU
AAAAAAAAAAAAAAAAAAAAA.BBBBBB.CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
user_id expiry signature
Where
expiry = BASE64URL(unix_timestamp.big_endian_bytes)
payload = user_id + "." + expiry
signature = BASE64URL(HMACSHA256_SIGN(payload, TOKEN_SIGNING_KEY))
token = payload + "." + signature
Note: user_id is not Base64 encoded as it is already url-safe.
Note: expiry is a Unix timestamp in seconds, encoded as a Base64Url string. Bytes are encoded in Big Endian (network order).
In the example:
user_id=xoKM4W7NDqHjK_V0g9s3yexpiry=BASE64URL_DECODE("ZFZDYw") = 0x64564363 = 1683374947 (big-endian) = Sat May 06 2023 12:09:07 GMT+0000
The server is configured through the following environment variables. See the options.rs file for details.
| Variable | Type | Default | Description |
|---|---|---|---|
NUM_WEB_WORKERS |
number |
4 |
Web worker threads that should be spawned. Set to number of availabe threads available for best performance. eg. NUM_WEB_WORKERS=$(nproc) |
BIND_ADDR |
ipv4:port |
127.0.0.1:8080 |
HTTP bind address. Set to 0.0.0.0:1234 to listen to any address on port 1234. |
SSL_ENABLE |
bool |
false |
Should an HTTPS server be started? Required: SSL_CERT_PATH, SSL_KEY_PATH |
SSL_ONLY |
bool |
false |
Should the HTTP server be disabled in favour of just the HTTPS server alone? Required: SSL_ENABLE |
SSL_BIND_ADDR |
ipv4:port |
127.0.0.1:8443 |
HTTPS bind address. Set to 0.0.0.0:8443 to listen to any address on port 8443. |
SSL_CERT_PATH |
path |
cert.pem |
Your TLS certificate file, required for HTTPS support. You can get one from Let's Encrypt using certbot for free. |
SSL_KEY_PATH |
path |
key.pem |
Your TLS private key file, required for HTTPS support. You can get one from Let's Encrypt using certbot for free. |
HANDLE_CORS |
bool |
true |
Attach necessary Cross Origin Access Control (CORS) headers to allow any website domain to make requests to this instance. Useful for when you want to use https://zlingapp.com as the app and add your instance to it. You can also do this with a reverse proxy like NGINX. |
| Variable | Type | Default | Description |
|---|---|---|---|
DB_HOST |
string |
localhost |
PostgreSQL hostname |
DB_PORT |
number |
5432 |
PostgreSQL port |
DB_USER |
string |
zling-backend |
PostgreSQL user |
DB_PASSWORD |
string |
dev |
Password for user |
DB_NAME |
string |
zling-backend |
Database name |
DB_POOL_MAX_CONNS |
number |
5 |
Max open query connections |
DB_RUN_MIGRATIONS |
bool |
true |
Should the necessary SQL migrations be run on server start? This is highly recommended as Zling is actively being updated and database schema may change. Only disable if you have your own system for making sure the database schema is up to date. |
| Variable | Type | Default | Description |
|---|---|---|---|
WRTC_PORTS |
range |
10000 |
Port range to start WebRTC servers on. Don't specify too many as each port starts its own WebRTC server! A recommended amount is 2-4. (eg. WRTC_PORTS=10000-10003) |
WRTC_ANNOUNCE_IP |
ipv4 |
127.0.0.1 |
Public IP with which WebRTC clients should seek a connection. It's important that this IP is your server's public IP and WRTC_PORTS are accessible on it, otherwise voice chat won't work. |
WRTC_ENABLE_UDP |
bool |
true |
Clients can use UDP to send voice packets? (recommended) |
WRTC_ENABLE_TCP |
bool |
true |
Clients can use UDP to send voice packets? (recommended for fallback as some networks disallow UDP altogether) |
WRTC_PREFER_UDP |
bool |
true |
Should UDP be preferred over TCP? (recommended) |
WRTC_PREFER_TCP |
bool |
false |
Should TCP be preferred over UDP? |
WRTC_INITIAL_AVAILABLE_OUTGOING_BITRATE |
number |
600000 |
Initial value for the outbound bitrate limit when negotiating WebRTC link speed. 600kbps as the default should suit most cases. |
| Variable | Type | Default | Description |
|---|---|---|---|
TOKEN_SIGNING_KEY |
hex string |
Randomly generated | Key used to sign access tokens, see above for format. |
| Variable | Type | Default | Description |
|---|---|---|---|
MEDIA_PATH |
path |
/var/tmp/zling-media |
Directory where user files like avatars and attachments should be stored. Ideally it should have a lot of capacity. |
Database migrations are handled simply with sqlx-cli and the /migrations directory. On the first sqlx migrate run, each .up file is run in succession according to their timestamp. On any subsequent run, only new migrations are run, allowing an existing database to be modified non-destructively. Additionally, any change can be reverted using sqlx revert, running the .down sql file. Any sortableInt_name.up.sql file can be used, but ideally create migrations using sqlx migrate add.