Skip to content

consistent error class ServerError, test suite#744

Open
davidzhao wants to merge 2 commits into
mainfrom
dz/api-tests
Open

consistent error class ServerError, test suite#744
davidzhao wants to merge 2 commits into
mainfrom
dz/api-tests

Conversation

@davidzhao

Copy link
Copy Markdown
Member

ServerError is now the error base class. we've also kept TwirpError as an alias.

also added full api smoke test suite

ServerError is now the error base class. we've also kept TwirpError as
an alias.

also added full api smoke test suite
@davidzhao davidzhao requested a review from a team July 5, 2026 14:02

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

Open in Devin Review

Comment on lines 133 to 135
client_timeout = aiohttp.ClientTimeout(
total=timeout if timeout else DEFAULT_RINGING_TIMEOUT
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 accept_whatsapp_call timeout lacks the RINGING_TIMEOUT_MARGIN used by SIP service

The accept_whatsapp_call method uses DEFAULT_RINGING_TIMEOUT (30s) as the request timeout when wait_until_answered is set, without adding RINGING_TIMEOUT_MARGIN (2s). In contrast, the SIP service's create_sip_participant uses ring + RINGING_TIMEOUT_MARGIN to ensure the HTTP request outlasts the ringing window. If the server takes exactly 30s to ring, the connector request could time out at the boundary. This is pre-existing behavior (unchanged by this PR) but the inconsistency is worth noting since the PR cleaned up the DialRequest union that previously included AcceptWhatsAppCallRequest.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 new potential issue.

Open in Devin Review

session: aiohttp.ClientSession instance to use for requests, if not provided, a new one will be created
"""
url = url or os.getenv("LIVEKIT_URL")
token = token or os.getenv("LIVEKIT_TOKEN")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Environment token silently overrides explicitly-provided API key and secret credentials

A token read from the LIVEKIT_TOKEN environment variable (os.getenv("LIVEKIT_TOKEN") at livekit-api/livekit/api/livekit_api.py:52) takes precedence over explicitly-passed api_key/api_secret parameters, so callers who intentionally authenticate with key/secret will silently use a stale or wrong-scoped token instead.

Impact: Users with LIVEKIT_TOKEN set in their environment (e.g. from another tool) get silent auth failures or wrong permissions when they explicitly pass key/secret.

Mechanism: env-var token wins over explicit key/secret due to unconditional precedence

At livekit_api.py:52, token = token or os.getenv("LIVEKIT_TOKEN") reads the env var whenever the token parameter is not explicitly passed. Then at line 81, if token: unconditionally injects the token into all services, overriding key/secret-based JWT generation (livekit-api/livekit/api/_service.py:31). There is no check for whether key/secret were explicitly provided.

The fix should either: (a) only read LIVEKIT_TOKEN from the environment when api_key/api_secret are also not provided, or (b) only set svc._token when key/secret are absent (i.e., token mode was intentionally chosen).

Prompt for agents
In livekit_api.py __init__, the line `token = token or os.getenv("LIVEKIT_TOKEN")` unconditionally reads the LIVEKIT_TOKEN env var. Later, `if token:` injects it into all services, overriding key/secret auth. The problem is that when a user explicitly passes api_key and api_secret but does NOT pass token, a LIVEKIT_TOKEN env var will silently override their explicit credentials.

The fix should ensure that the env-var token is only used when key/secret are not available. One approach: only read LIVEKIT_TOKEN from the environment when api_key/api_secret are not provided (either explicitly or via their own env vars). For example, move the token env-var read after the key/secret resolution and gate it:

  if not api_key or not api_secret:
      token = token or os.getenv("LIVEKIT_TOKEN")

Alternatively, only set svc._token when api_key/api_secret are empty strings (meaning token mode was chosen).
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant