Don't track JWT token at param and browser history

Hello. Is there any way (maybe someone has a Prosody module) to do JWT auth without a query param? It’s not secure to have it tracked in the browser history. As a solution we can make the token lifetime as small as possible. But maybe there are some other ways to make it more secure.


I found that the Jitsi client has this APP.store.getState()['features/base/jwt'] in the redux store. Maybe that will help me or someone else.

The token value is passed as the ‘token’ query parameter of the BOSH URL

Yes, it works with

APP.store.dispatch(setJWT(token));

“setJWT is not defined”
What am I doing wrong?
Even setting the token directly in my local storage under “features/base/jwt” doesn’t work.

Hello. Everything is fine with JWT in Jitsi. You can check my implementation at https://github.com/aeternity/jitsi-meet/blob/acaf4260819720b72eeb80d97d728ea0f8482627/react/features/conference/components/web/Conference.js#L319
Not sure, but maybe if setJWT is not defined in your case, it means that you didn’t import this redux action https://github.com/aeternity/jitsi-meet/blob/acaf4260819720b72eeb80d97d728ea0f8482627/react/features/conference/components/web/Conference.js#L15

Looks like you are not importing the setJWT action into the file where you execute it.