From e533b33f246f75f1431acaf6e6c8b3fc1105928a Mon Sep 17 00:00:00 2001
From: Luke Curley
Date: Mon, 30 Jun 2025 11:24:15 -0700
Subject: [PATCH 1/2] Maybe update to the new auth scheme.
---
.env.development | 1 -
.env.production | 3 ---
env.d.ts | 1 -
infra/input.tf | 4 ++--
infra/pub.yml.tpl | 2 +-
infra/relay.yml.tpl | 11 ++++++++---
src/components/watch.tsx | 2 +-
src/pages/watch/[name].astro | 2 +-
src/pages/watch/index.astro | 2 +-
9 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.env.development b/.env.development
index e15501e..d0c22d8 100644
--- a/.env.development
+++ b/.env.development
@@ -1,3 +1,2 @@
PUBLIC_RELAY_SCHEME="http"
PUBLIC_RELAY_HOST="localhost:4443"
-PUBLIC_DEMO_TOKEN=""
diff --git a/.env.production b/.env.production
index e52e0d1..a04c130 100644
--- a/.env.production
+++ b/.env.production
@@ -1,5 +1,2 @@
PUBLIC_RELAY_SCHEME="https"
PUBLIC_RELAY_HOST="relay.quic.video"
-
-# cargo run --bin moq-token -- --key root.jwk sign --path "demo" --subscribe "" > demo.jwt
-PUBLIC_DEMO_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwYXRoIjoiZGVtbyIsInB1YiI6bnVsbCwicHViISI6bnVsbCwic3ViIjoiIiwiZXhwIjpudWxsLCJpYXQiOm51bGx9.xeSMuPLRqmjkRLtcraXnvwqmYDK_BuU2ooZOWisL_aE"
diff --git a/env.d.ts b/env.d.ts
index bbea681..b573170 100644
--- a/env.d.ts
+++ b/env.d.ts
@@ -3,7 +3,6 @@
interface ImportMetaEnv {
readonly PUBLIC_RELAY_SCHEME: "http" | "https";
readonly PUBLIC_RELAY_HOST: string;
- readonly PUBLIC_DEMO_TOKEN: string;
}
interface ImportMeta {
diff --git a/infra/input.tf b/infra/input.tf
index 03ca954..c9628c4 100644
--- a/infra/input.tf
+++ b/infra/input.tf
@@ -20,12 +20,12 @@ variable "domain" {
variable "docker_relay" {
description = "Docker image for moq-relay"
- default = "docker.io/kixelated/moq-relay:0.7.5"
+ default = "docker.io/kixelated/moq-relay:0.7.6"
}
variable "docker_hang" {
description = "Docker image for hang"
- default = "docker.io/kixelated/hang:0.1.7"
+ default = "docker.io/kixelated/hang:0.1.8"
}
# cargo run --bin moq-token -- --key root.jwk generate
diff --git a/infra/pub.yml.tpl b/infra/pub.yml.tpl
index 13c6aab..b39cf26 100644
--- a/infra/pub.yml.tpl
+++ b/infra/pub.yml.tpl
@@ -20,7 +20,7 @@ write_files:
-e REGION=${region} \
--entrypoint hang-bbb \
${docker_image} \
- publish "https://relay.quic.video/${demo_token}.jwt"
+ publish "https://relay.quic.video/demo/bbb.hang?jwt=${demo_token}"
ExecStop=docker stop hang-bbb
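Review bot: On the `publish` line the signed publish token is interpolated into the container's command-line argument, so it is readable from the process list, from `docker inspect` and from the rendered unit file on the host. Moving it from the path to `?jwt=` does not change that exposure. If hang-bbb can take the token from an environment variable or a root-only file, prefer that; otherwise add a comment above the `docker run` command such as `# demo_token is visible in argv; host access implies publish access to demo/bbb.hang`. Note also that `sensitive = true` on `demo_token` only hides the value in Terraform output, and it presumably still ends up in cloud-init user data through this template. The unit definition starts and ends outside the hunk.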
diff --git a/infra/relay.yml.tpl b/infra/relay.yml.tpl
index 376df5e..641d21a 100644
--- a/infra/relay.yml.tpl
+++ b/infra/relay.yml.tpl
@@ -75,9 +75,14 @@ write_files:
[auth]
key = "/etc/moq/root.jwk"
- [auth.path]
- anon = ""
- hang = ""
+ [auth.path.demo]
+ public = { read = true }
+
+ [auth.path.anon]
+ key = ""
+
+ [auth.path.hang]
+ key = ""
permissions: "0644"
owner: root
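Review bot: `key = ""` under `[auth.path.anon]` and `[auth.path.hang]` has no explanation, and an empty key in an auth section reads like a mistake. Judging by the watch.tsx comment that anon/ is "super easy to spoof", it appears to mean that no token is required for those prefixes. A comment would make the intent reviewable, e.g. `# key = "" disables token verification: anyone can publish and subscribe under this prefix`, after confirming it against the moq-relay 0.7.6 config format. Also confirm that `[auth.path.demo]` with only `public = { read = true }` still requires a token signed by `/etc/moq/root.jwk` to publish, since that is what keeps demo/bbb.hang from being taken over. The config block begins outside the hunk.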
diff --git a/src/components/watch.tsx b/src/components/watch.tsx
index fa457c1..50b4b19 100644
--- a/src/components/watch.tsx
+++ b/src/components/watch.tsx
@@ -6,7 +6,7 @@ export default function (props: { name: string; token?: string }) {
// The signed token is only needed for the demo/ prefix just to prevent abuse.
// All other broadcasts go to anon/ which is super easy to spoof.
const url = new URL(
- `${import.meta.env.PUBLIC_RELAY_SCHEME}://${import.meta.env.PUBLIC_RELAY_HOST}/${props.token ? `${props.token}.jwt` : `${props.name}.hang`}`,
+ `${import.meta.env.PUBLIC_RELAY_SCHEME}://${import.meta.env.PUBLIC_RELAY_HOST}/${props.name}${props.token ? `?jwt=${props.token}` : ""}`,
);
return (
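Review bot: `props.name` and `props.token` are spliced into the URL string unescaped on the changed line, so a name containing `?` or `#` is parsed as query or fragment rather than path, and the `jwt` parameter is assembled by hand. `name` presumably comes from the `/watch/[name]` route, so it should be treated as untrusted: encode each path segment with `encodeURIComponent` and attach the token with `if (props.token) url.searchParams.set("jwt", props.token);` after constructing the URL. The comment above the call still says the signed token is needed for the demo/ prefix, which no longer matches this patch (the relay config makes `demo` public for reads and `PUBLIC_DEMO_TOKEN` is removed), so it should be updated. The component body continues outside the hunk.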
diff --git a/src/pages/watch/[name].astro b/src/pages/watch/[name].astro
index 96592a6..34ffcb7 100644
--- a/src/pages/watch/[name].astro
+++ b/src/pages/watch/[name].astro
@@ -16,5 +16,5 @@ import Layout from "@/layouts/global.astro";
Watching a PUBLIC broadcast. Pls report any abuse on Discord.
-
+
diff --git a/src/pages/watch/index.astro b/src/pages/watch/index.astro
index fb32ed8..69ec86b 100644
--- a/src/pages/watch/index.astro
+++ b/src/pages/watch/index.astro
@@ -9,5 +9,5 @@ import Layout from "@/layouts/global.astro";
-
+
From cbdc98b8606766fb47a03a81482765899079a508 Mon Sep 17 00:00:00 2001
From: Luke Curley
Date: Mon, 30 Jun 2025 11:46:22 -0700
Subject: [PATCH 2/2] New auth scheme?
---
infra/input.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/input.tf b/infra/input.tf
index c9628c4..dc9d5ee 100644
--- a/infra/input.tf
+++ b/infra/input.tf
@@ -36,7 +36,7 @@ variable "root_key" {
# A token used to publish demo/bbb.hang
# This is very manual/crude, but I don't want someone to hijack the broadcast.
-# cargo run --bin moq-token -- --key root.jwk sign --path "demo" --publish "" > demo.jwt
+# cargo run --bin moq-token -- --key root.jwk sign --path "demo/bbb.hang" --publish "" > demo.jwt
variable "demo_token" {
description = "demo token"
sensitive = true
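Review bot: The updated signing command still sets no expiry, and the subscribe token deleted from .env.production in patch 1 decodes to `"exp":null`. A publish token minted this way therefore presumably never expires and can only be revoked by rotating root.jwk. Say so next to the command, e.g. `# No expiry is set: rotate root.jwk to revoke. Regenerate demo.jwt whenever the path changes.` The scope change from `demo` to `demo/bbb.hang` also means the stored `demo_token` value has to be re-signed before the 0.7.6 relay and publisher roll out; whether an old `demo`-scoped token is still accepted is not visible here. The `variable "demo_token"` block is closed outside the hunk.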