Verified meetings (experimental): passkey-based host identity #1
Open
predatorray wants to merge 4 commits into
Conversation
Let a host prove their identity to guests with a passkey, defeating the peer-id squatting that's otherwise possible since the host's PeerJS id is derived from the meeting code.
- Trust chain: invite URL pins SHA-256 of the host identity key; the passkey signs an ephemeral session key once per meeting (one biometric prompt); the session key signs each guest's fresh nonce.
- Off by default behind a "Verified meeting" experimental toggle; the non-verified path is unchanged.
- Guests get a waiting room + auto-join when the host isn't present yet.
- Host and guests can open a Host identity dialog to compare the SSH-style fingerprint out-of-band (catches a tampered invite link).
- One reusable passkey identity, synced across the host's devices.
Limitation (documented in docs/verified-meetings.md): provides host authentication, not yet a fully app-layer-authenticated channel, so an active relay MITM is out of scope for this experimental cut.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The shared invite link is the guest link (no host=1), so a verified host who created a link ahead of time — or left and came back — was stranded in the waiting room as a guest with no way to host.
- Waiting room now offers "Host this meeting"; claiming runs the passkey ceremony against the identity pinned in the URL and switches into hosting.
- Verified guests fall back to the waiting room (and retry) on a connect timeout, instead of hanging on "Joining…" when the broker holds a stale registration for a host that just left.
- Re-hosting retries the peer-id claim for a short grace window while the broker releases the previous registration.
- e2e: drive a real passkey via the CDP virtual authenticator and cover the create-link-ahead / host-it-later flow.
- README + docs updated.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Ordinary (non-verified) meetings dead-ended at "Meeting not found" when the host had left, so a host couldn't re-host using the invite link — unlike verified meetings. The unhosted error screen now offers a "Host this meeting" button that remounts as host and claims the code (no passkey needed).
- e2e: a guest can host an ordinary meeting that has no host.
- README: note re-hosting from the invite link.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Ordinary (non-verified) meetings now match verified ones: a guest who opens a meeting before the host is present sees "Waiting for the host" and auto-joins once a host goes live, instead of dead-ending on "Couldn't join the meeting".
- MeetingClient: all guests (not just verified) route to the waiting room + retry on peer-unavailable / connect timeout; emit a `joined` event on connect.
- useMeeting: guests go live on joined/verified rather than when the broker connects, avoiding a flash of empty room before the waiting room.
- MeetingPage: the waiting room's "Host this meeting" now works for ordinary meetings too; dropped the dead error-screen button and unused i18n key.
- Tests: peer-unavailable now asserts waiting+retry, added an auto-join test, switched MeetingClient tests to fake timers; non-verified e2e expects the waiting room.
README updated.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

Adds an experimental, off-by-default "Verified meeting" feature: a host proves their identity to guests with a passkey (WebAuthn), so guests can refuse to join an impostor. This closes the squatting hole inherent to the deterministic host peer-id (rendezvous-<code>) on the public broker.

Trust chain a guest checks before sending any data:

Both sides can open a Host identity dialog to compare the SSH-style fingerprint out-of-band (catches a tampered link). See docs/verified-meetings.md for the full protocol, threat model, and limitations.

What's included

src/crypto), passkey identity + handshake (src/peer/hostIdentity.ts, src/peer/verification.ts), wire messages, and the experimental toggle.

Limitations (documented)

Testing

CI=true build green.

🤖 Generated with Claude Code
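The trust chain described in the first commit message and in the Summary (invite link pins the SHA-256 fingerprint of the host identity key, the identity key signs a per-meeting session key, the session key signs each guest's fresh nonce), written out as the guest-side check in an added example; this is illustrative code, not the PR's own src/peer/verification.ts. It assumes a locally generated P-256 key as a stand-in for the WebAuthn passkey, a hypothetical session-certificate payload that binds the meeting code, and the SSH-style `SHA256:<base64>` fingerprint format; all function and field names are made up.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from 'node:crypto';

const ALG = 'sha256'; // ECDSA P-256 over SHA-256, the common WebAuthn algorithm (assumption)
const EC = { namedCurve: 'P-256' } as const;
const der = (k: KeyObject): Buffer => k.export({ type: 'spki', format: 'der' }) as Buffer;

// SSH-style fingerprint: SHA256:<unpadded base64 of the public key DER> (assumed format).
export function fingerprint(pubDer: Buffer): string {
  return 'SHA256:' + createHash('sha256').update(pubDer).digest('base64').replace(/=+$/, '');
}

export interface SessionCert { meeting: string; sessionPub: Buffer; sig: Buffer }
const certPayload = (c: { meeting: string; sessionPub: Buffer }) =>
  Buffer.concat([Buffer.from(`session-key:${c.meeting}:`), c.sessionPub]); // hypothetical payload

// Host: the identity key (passkey stand-in) signs the ephemeral session key once per meeting.
export function issueSessionCert(identityPriv: KeyObject, meeting: string, sessionPub: KeyObject): SessionCert {
  const c = { meeting, sessionPub: der(sessionPub) };
  return { ...c, sig: sign(ALG, certPayload(c), identityPriv) };
}

// Guest: every link in the chain must hold before any data is sent.
export function guestVerifies(pinnedFp: string, meeting: string, identityPubDer: Buffer,
                              cert: SessionCert, myNonce: Buffer, nonceSig: Buffer): boolean {
  if (fingerprint(identityPubDer) !== pinnedFp) return false;      // squatter: wrong identity key
  if (cert.meeting !== meeting) return false;                      // session cert from another meeting
  const identityPub = createPublicKey({ key: identityPubDer, type: 'spki', format: 'der' });
  if (!verify(ALG, certPayload(cert), identityPub, cert.sig)) return false;
  const sessionPub = createPublicKey({ key: cert.sessionPub, type: 'spki', format: 'der' });
  return verify(ALG, myNonce, sessionPub, nonceSig);               // must answer MY fresh nonce
}

// Constructed walk-through: honest host, peer-id squatter, and a replayed nonce signature.
export function demo(): { pinned: string; honest: boolean; squatter: boolean; replay: boolean } {
  const meeting = 'demo-meeting-code'; // constructed value
  const host = generateKeyPairSync('ec', EC), session = generateKeyPairSync('ec', EC);
  const pinned = fingerprint(der(host.publicKey));  // what the invite URL carries
  const cert = issueSessionCert(host.privateKey, meeting, session.publicKey);
  const nonce = randomBytes(32);
  const nonceSig = sign(ALG, nonce, session.privateKey);
  const honest = guestVerifies(pinned, meeting, der(host.publicKey), cert, nonce, nonceSig);
  const sq = generateKeyPairSync('ec', EC); // holds rendezvous-<code> but not the host's passkey
  const sqCert = issueSessionCert(sq.privateKey, meeting, session.publicKey);
  const squatter = guestVerifies(pinned, meeting, der(sq.publicKey), sqCert, nonce, nonceSig);
  const replay = guestVerifies(pinned, meeting, der(host.publicKey), cert, randomBytes(32), nonceSig);
  return { pinned, honest, squatter, replay };
}
```

The fingerprint check is what the Host identity dialog lets both sides compare out-of-band; if the invite link itself was tampered with, only that comparison catches it.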