I’m developing a web app and a completely custom UI using the Jitsi Meet API (lib-jitsi-meet.js) with my Docker Jitsi Meet installation, and I want to make sure I’m thinking through things properly.
I am disabling access to the web UI that ships with Jitsi, and I have included an Access-Control-Allow-Origin header in my nginx configuration to allow requests only from my web app’s domain. So my question is…
Having done those things, if I control access to Jitsi features (e.g. moderator status, etc.) completely from my custom web app - i.e. without using any of Jitsi’s built-in authentication (internal, JWT, etc.), am I jeopardizing security? In other words, I’d like to authenticate and manage access to Jitsi entirely from my web app.
It seems such a setup would permit access to Jitsi only through my web app (which is what I want), but I want to make sure I’m thinking through all the security implications. Does anyone see any glaring security oversights with a setup like this?
Any input or insights would be appreciated!
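
As an added illustration, not part of the original post and not Jitsi's code: an Access-Control-Allow-Origin header is acted on by browsers when they read a response, not by the server, so a non-browser client is answered whatever Origin it sends, and only a server-side credential check gates access. The localhost server, origin, secret and token scheme below are constructed stand-ins, not Jitsi's JWT implementation.

```python
# Added example: a constructed local server, not Jitsi or the poster's setup.
import hashlib
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"  # assumed origin of the custom web app
SECRET = b"constructed-shared-secret"   # assumed: shared by app backend and server

def sign(room: str) -> str:
    """Token the web app's backend would hand out after its own login check."""
    return hmac.new(SECRET, room.encode(), hashlib.sha256).hexdigest()

def make_handler(require_token: bool):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            room = self.path.strip("/")
            token = self.headers.get("Authorization", "")
            ok = not require_token or hmac.compare_digest(token, sign(room))
            self.send_response(200 if ok else 401)
            # Tells browsers which origin may read the response; the server
            # itself has already decided to answer by this point.
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
            self.end_headers()
            self.wfile.write(b"joined" if ok else b"denied")

        def log_message(self, *args): pass  # keep the demo quiet
    return Handler

def request(require_token: bool, origin: str, token: str = "") -> int:
    """Send one non-browser request to a throwaway localhost server."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers = {"Origin": origin}
        if token:
            headers["Authorization"] = token
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/room1", headers=headers)
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(request(False, "https://other.example"), request(True, "https://other.example"))
```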