Rotating y-webrtc password to revoke access

I want users to be added and removed from yjs documents. Once removed, the user shouldn’t have access to the document after a reasonable time (e.g. no access after max 1h after removal).
To add users, the “password” field of y-webrtc looks like a good solution: a new user would receive the password and could then join the room. Yet, once the user receives the password, access is basically granted forever.
Regularly rotating the password (e.g. every hour) could kick out users who should no longer have access to the document… but I’m struggling with how to make this happen in y-webrtc: it would likely require sending the password ID (e.g. the number of the password that was used for encrypting) together with the encrypted messages. If y-webrtc sees a new password ID, it would have to park the message, try to get the new password, and then decrypt the message with it.
Did anyone implement password rotation in y-webrtc? Are there better approaches to revoke/limit access to y-webrtc documents?

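The key-ID envelope and message parking described in the post, sketched as an added example that is not part of the original post and is not y-webrtc code. The names `seal`, `open` and `RotatingReceiver`, the envelope layout, and the random 32-byte keys standing in for keys derived from each rotated password are all assumptions; how a peer obtains the next key is left outside the example.

```javascript
// Added example with hypothetical names; not y-webrtc's API.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');
// Envelope layout (constructed): [4-byte key ID][12-byte IV][16-byte GCM tag][ciphertext]
function seal(keyId, key, plaintext) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(keyId);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(header); // authenticate the key ID so it cannot be rewritten in transit
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([header, iv, cipher.getAuthTag(), body]);
}
function open(key, envelope) { // returns null if authentication fails
  const decipher = createDecipheriv('aes-256-gcm', key, envelope.subarray(4, 16));
  decipher.setAAD(envelope.subarray(0, 4));
  decipher.setAuthTag(envelope.subarray(16, 32));
  try {
    return Buffer.concat([decipher.update(envelope.subarray(32)), decipher.final()]);
  } catch {
    return null; // wrong key, forged key ID, or corrupted message
  }
}

class RotatingReceiver {
  constructor(maxParked = 64) {
    this.keys = new Map();   // key ID -> 32-byte key
    this.parked = new Map(); // key ID -> envelopes waiting for that key
    this.parkedCount = 0;
    this.maxParked = maxParked; // cap so unknown key IDs cannot exhaust memory
  }
  // Returns the plaintext, or null if the message was parked, dropped or rejected.
  receive(envelope) {
    if (envelope.length < 32) return null;
    const keyId = envelope.readUInt32BE(0);
    const key = this.keys.get(keyId);
    if (key) return open(key, envelope);
    if (this.parkedCount >= this.maxParked) return null;
    this.parked.set(keyId, [...(this.parked.get(keyId) || []), envelope]);
    this.parkedCount++;
    return null;
  }
  // Call once this peer has been given the key for keyId; returns the parked plaintexts.
  addKey(keyId, key) {
    this.keys.set(keyId, key);
    const waiting = this.parked.get(keyId) || [];
    this.parked.delete(keyId);
    this.parkedCount -= waiting.length;
    return waiting.map((e) => open(key, e)).filter((p) => p !== null);
  }
}
```

A removed peer that is never handed the next key keeps its parked messages undecrypted, but it still holds every earlier key and everything it already received, so rotation only limits access to updates sent after the change.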