How do I prevent two users with the same JWT from logging in?

Visualbench · February 19, 2022, 2:12pm

Hello, I create JWT tokens with a unique ID for each token and pass them to jitsi meet.
I want to prevent two users with the same JWT id to login.
Is this possible?

Sample JWT token:

{
  "iss": "2abd469fed1bac30cd28c9bf",
  "sub": "***********",
  "iat": 1645279678,
  "nbf": 1645279678,
  "exp": 1645283278,
  "aud": "abcd",
  "moderator": true,
  "room": "*********",
  "context": {
    "user": {
      "name": "Test",
      "email": "abcd@xyz.com",
      "id": "ZDbgT8TTqrHENG3FF",
      "rid": "TestRoom"
    }
  }
}

damencho · February 19, 2022, 2:26pm

There is no such feature, but it is possible with custom prosody modules.
For example this checks for outgoing calls initiated by the same user in other rooms, you can use it as an example to look for the same user connected to another room,

github.com

jitsi/jitsi-meet/blob/59e51f107e442a3f29176cc9c286ff68f9b21e86/resources/prosody-plugins/mod_filter_iq_rayo.lua#L141

      
        
            elseif muc and rawget(muc,"live_rooms") then
                -- We're running >=0.11 (new MUC API)
                rooms = muc.live_rooms();
            elseif muc and rawget(muc,"each_room") then
                -- We're running trunk<0.11 (each_room is later [DEPRECATED])
                rooms = muc.each_room(true);
            end
            
            
-- now lets iterate over rooms and occupants and search for
            -- call initiated by the user
            if rooms then
                for room in rooms do
                    for _, occupant in room:each_occupant() do
                        for _, presence in occupant:each_session() do
            
            
                local initiator = presence:get_child('initiator', 'http://jitsi.org/protocol/jigasi');
            
            
                local found_user = false;
                            local found_group = false;
            
            
                if initiator then

Visualbench · February 19, 2022, 3:01pm

Thank you for the reply, I forgot to mention that I want to prevent two users with the same JWT id from logging into the same room. (The participants might get the same ID because one participant can share his link to the other)

damencho · February 19, 2022, 3:16pm

People should not be sharing their jwt.

Visualbench · February 19, 2022, 3:24pm

Yeah, I wanted to prevent the sharing of links between participants in the first place. I tried it but had no luck and so I want to prevent it in Jitsi meet by identifying the JWT ID and prohibiting them to join the meeting.

Could you please help me in doing this?

Visualbench · February 19, 2022, 4:34pm

@damencho Can you please guide me on what function to modify in prosody to validate the duplicate JWTs and get the list of the participants present in the room that the user is trying to join?

damencho · February 19, 2022, 5:39pm

You need to create your own custom module and implement your logic there.
You can start from here Developing Prosody modules – Prosody IM
and then use the example I provided to implement your logic.

Visualbench · February 20, 2022, 6:09am

Thank You @damencho. I am able to find that the verification of JWT happens in “token/util.lib.lua” in the “verify_room” function. Can you help me to get the list of participants in the room?

P.S:- I have no Idea about prosody… Please help

github.com

jitsi/jitsi-meet/blob/59e51f107e442a3f29176cc9c286ff68f9b21e86/resources/prosody-plugins/token/util.lib.lua#L334

      
        
            --- Verifies room name and domain if necesarry.
            -- Checks configs and if necessary checks the room name extracted from
            -- room_address against the one saved in the session when token was verified.
            -- Also verifies domain name from token against the domain in the room_address,
            -- if enableDomainVerification is enabled.
            -- @param session the current session
            -- @param room_address the whole room address as received
            -- @return returns true in case room was verified or there is no need to verify
            --         it and returns false in case verification was processed
            --         and was not successful
            function Util:verify_room(session, room_address)
                if self.allowEmptyToken and session.auth_token == nil then
                    module:log(
                        "debug",
                        "Skipped room token verification - empty tokens are allowed");
                    return true;
                end
            
            
    -- extract room name using all chars, except the not allowed ones
                local room,_,_ = jid.split(room_address);
                if room == nil then

damencho · February 20, 2022, 2:17pm

Have you checked the link I sent earlier?

Visualbench · February 20, 2022, 3:34pm

Yes, I have checked it @damencho. Can you help me with where to insert that code?
I don’t have knowledge about prosody so I am sorry if I am troubling you.

emrah · February 20, 2022, 3:43pm

This doesn’t seem like a simple help request. You ask someone to code your specific requirement for free.

Visualbench · February 21, 2022, 1:58pm

@emrah If you don’t mind, could you please code it for me?

damencho · February 21, 2022, 2:00pm

This is a request you can put in the paid section in the forum.