numerique-gouv / meet

Anonymous user should not have rights to create a new room #28

Closed lebaudantoine closed 1 day ago

lebaudantoine commented 1 month ago

Bug Report

Problematic behavior: An anonymous user can create a new room by navigating to a random path. It's a big problem. We desire to control who can create rooms, for performance and scaling issues.

An anonymous user should be able to only see the homepage or join an existing room by its link.

Expected behavior/code: A check in the backend /room/:id is missing. Ask the LiveKit server through the LiveKit SDK whether the requested room has already been created, if the user is not logged in while requesting an access token to the room.

lebaudantoine commented 1 month ago

Message posted on their Slack:

Hello, I am using the LiveKit Python SDK and running the LiveKit server with its default configurations. When creating VideoGrants, I want to set the room_create grant to true only if the user is logged in through my backend. An anonymous user should be able to join an existing room but not create new ones. However, the room_create grant seems to have no effect. Here are relevant parts of my code:

video_grants = VideoGrants(
    room=room,
    room_create=not user.is_anonymous,
    room_join=True,
    can_publish_sources=[
        "camera",
        "microphone",
        "screen_share",
        "screen_share_audio",
    ],
)

I have inspected the generated JWT using jwt.io to ensure the grant is properly set. From my understanding, based on the default configurations of the LiveKit server:

# allow rooms to be automatically created when participants join, defaults to true
# room:
# auto_create: false

It appears that the room_create grant has no effect because the room_join grant takes precedence over it. I might be missing something. I have tried to find more documentation but with no success. If you have any references or insights, please feel free to point me in the right direction. Do I need to disable auto_create and manually create the room before generating the access_token? Thank you!
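
The backend check requested in this issue, sketched as an added example that is not part of the thread or of the meet code base: decide the grants before any token is signed, and refuse anonymous requests for rooms that do not exist yet. `grants_for_request`, `room_exists`, `decide` and the sample room names are hypothetical; the returned keys mirror the `VideoGrants` arguments shown in the post, and the lookup is a stand-in for a query to the LiveKit server.

```python
from typing import Callable

PUBLISH_SOURCES = ["camera", "microphone", "screen_share", "screen_share_audio"]


class RoomAccessDenied(Exception):
    """No token may be issued for this request."""


def grants_for_request(room: str, is_anonymous: bool,
                       room_exists: Callable[[str], bool]) -> dict:
    """Return the video grants to sign, or raise RoomAccessDenied.

    room_exists is a hypothetical callable supplied by the backend; in a
    real deployment it would ask the LiveKit server whether the room exists.
    """
    if is_anonymous:
        try:
            exists = room_exists(room)
        except Exception as exc:
            # Fail closed: if the lookup fails, do not hand out a join token
            # that the server's auto_create default could turn into a new room.
            raise RoomAccessDenied(f"room lookup failed for {room!r}") from exc
        if not exists:
            raise RoomAccessDenied(f"anonymous user cannot create {room!r}")
    return {
        "room": room,
        "room_create": not is_anonymous,
        "room_join": True,
        "can_publish_sources": list(PUBLISH_SOURCES),
    }


# Constructed sample state standing in for the LiveKit server's room list.
EXISTING_ROOMS = {"weekly-sync"}


def lookup(room: str) -> bool:
    return room in EXISTING_ROOMS


def broken_lookup(room: str) -> bool:
    raise ConnectionError("LiveKit server unreachable")


def decide(room: str, is_anonymous: bool, exists=lookup):
    """Demonstration wrapper: the grants dict, or 'denied' when refused."""
    try:
        return grants_for_request(room, is_anonymous, exists)
    except RoomAccessDenied:
        return "denied"
```

Logged-in users never trigger the lookup, so an unreachable LiveKit server only blocks anonymous joins.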