From 8ba69b35dfa479a69e910e48ca3bfd731362bbac Mon Sep 17 00:00:00 2001
From: Abhishek Kumar
Date: Tue, 3 Feb 2026 11:34:44 +0530
Subject: [PATCH] add turn credentials and config
---
 api/routes/turn_credentials.py | 28 ++++++++++++++++++++++++----
 config/coturn/turnserver.conf | 4 ++--
 docker-compose-local.yaml | 8 +++++++-
 3 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/api/routes/turn_credentials.py b/api/routes/turn_credentials.py
index b377d24..599d55d 100644
--- a/api/routes/turn_credentials.py
+++ b/api/routes/turn_credentials.py
@@ -24,6 +24,7 @@ from loguru import logger
 from pydantic import BaseModel
 from api.constants import (
+ ENVIRONMENT,
 TURN_CREDENTIAL_TTL,
 TURN_HOST,
 TURN_PORT,
@@ -31,6 +32,7 @@ from api.constants import (
 TURN_TLS_PORT,
 )
 from api.db.models import UserModel
+from api.enums import Environment
 from api.services.auth.depends import get_user
 router = APIRouter(prefix="/turn", tags=["turn"])
@@ -88,10 +90,28 @@ def generate_turn_credentials(user_id: str, ttl: int = TURN_CREDENTIAL_TTL) -> d
 ).decode("utf-8")
 # Build TURN URIs
- uris = [
- f"turn:{TURN_HOST}:{TURN_PORT}", # TURN over UDP
- f"turn:{TURN_HOST}:{TURN_PORT}?transport=tcp", # TURN over TCP
- ]
+ # Note: aiortc only uses the FIRST valid TURN URI, so ordering matters.
+ # Priority:
+ # 1. TURNS (TLS) if configured - most secure
+ # 2. TURN TCP for LOCAL env (macOS Docker compatibility)
+ # 3. TURN UDP for production (more efficient)
+ uris = []
+
+ # Add non-TLS TURN as fallback, ordered by environment
+ if ENVIRONMENT == Environment.LOCAL.value:
+ uris.extend(
+ [
+ f"turn:{TURN_HOST}:{TURN_PORT}?transport=tcp", # TCP for macOS Docker
+ f"turn:{TURN_HOST}:{TURN_PORT}", # UDP fallback
+ ]
+ )
+ else:
+ uris.extend(
+ [
+ f"turn:{TURN_HOST}:{TURN_PORT}", # UDP preferred for other environments
+ f"turn:{TURN_HOST}:{TURN_PORT}?transport=tcp", # TCP fallback
+ ]
+ )
 # Add TLS URIs if TLS port is configured
 if TURN_TLS_PORT:
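Review bot: In the last hunk of generate_turn_credentials, the new comment ranks TURNS (TLS) first and states that aiortc only uses the first valid URI, yet `uris` is filled with the plain `turn:` entries before the `if TURN_TLS_PORT:` branch runs. The body of that branch lies outside the hunk; if it appends to `uris`, the TLS entry ends up last and, by the comment's own reasoning, would never be selected, so the client would use unencrypted TURN even where TLS is configured. Consider building the TLS entries first and concatenating, e.g. `uris = tls_uris + plain_uris`, or correct the priority comment if plain-first is what is intended.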
diff --git a/config/coturn/turnserver.conf b/config/coturn/turnserver.conf
index 8af1051..666bf69 100644
--- a/config/coturn/turnserver.conf
+++ b/config/coturn/turnserver.conf
@@ -82,8 +82,8 @@ new-log-timestamp
 # For cloud deployments (AWS, GCP), set external IP explicitly:
 # external-ip=/
-# Uncomment to restrict to specific listening IPs:
-# listening-ip=0.0.0.0
+# Explicitly bind to all interfaces (required for Docker port mapping)
+listening-ip=0.0.0.0
 # =============================================================================
 # STUN Configuration
diff --git a/docker-compose-local.yaml b/docker-compose-local.yaml
index 9047a50..28ba69b 100644
--- a/docker-compose-local.yaml
+++ b/docker-compose-local.yaml
@@ -62,12 +62,18 @@ services:
 image: coturn/coturn:4.8.0
 container_name: coturn
 restart: unless-stopped
- network_mode: host
+ ports:
+ - "3478:3478/udp" # TURN/STUN UDP
+ - "3478:3478/tcp" # TURN/STUN TCP
+ - "5349:5349/tcp" # TURNS (TLS)
+ - "49152-49200:49152-49200/udp" # Relay ports
 volumes:
 - ./config/coturn/turnserver.conf:/etc/coturn/turnserver.conf:ro
 command:
 - "-c"
 - "/etc/coturn/turnserver.conf"
+ networks:
+ - app-network
 volumes:
 postgres_data:
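Review bot: `listening-ip=0.0.0.0` is now active for every deployment that loads this file, while the new comment justifies it only for Docker port mapping. The context lines just above mention cloud deployments, so if the same file is also used with host networking it binds coturn on every interface of that host. Scope the comment accordingly, e.g. `# Bridged Docker only: binds inside the container; with host networking set a specific address instead`. With the container off the host network, `external-ip` (still commented out in the context) probably needs a value as well, otherwise coturn may advertise the container's bridge address as the relay address; this should be confirmed.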
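Review bot: Attaching coturn to `app-network` places the relay on the same bridge as the other services in this compose file, so the peers it is allowed to relay to should be restricted. The peer rules in turnserver.conf are not visible in this patch; confirm that `denied-peer-ip` covers the Docker subnet and loopback ranges, or give coturn a network of its own. The published relay range `49152-49200` also has to match `min-port`/`max-port` in turnserver.conf, which this patch does not show. For a local-only stack the published ports could be bound to loopback, e.g. `"127.0.0.1:3478:3478/udp"`, if no other device needs to reach the relay.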