I can access a room my token should not give me access to if I ignore the errors

I am setting up a jitsi server with my own client-side page using lib-jitsi-meet.
I used a Ubuntu 20.04 LTS with https://github.com/christiancuri/Docs/blob/master/Jitsi%20Meet%20Installation.md as instructions.
(I had to bend some things to install libssl1.0-dev)
I have successfully installed jitsi-meet-tokens.

With a valid token I am able to access the server and with an invalid token I am not able to access.
When I specify a room in the token I can access that room.
So far so good.

The problem is: When I specify a room in the token I can still access other rooms.

Details: If the token says rooma and I access roomb then I can’t access it via the default jitsi implementation.
But the lib-jitsi-meet gives me the following errors/events:
conference.auth_status_changed false
conference.failed

conference.roleChanged “5edb3190”, “none”
conference.joined

conference.roleChanged “5edb3190”, “moderator”

Afterwards I get conference.userJoined and conference.trackAdded events and I can add tracks.
So it seems I got some error messages and joined the room.

As expected on the server side I get the error in /var/log/prosody/prosody.log:
Jun 22 17:31:09 conference.srv-dc-jitsi:token_verification error Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJhdWQiOiJqaXRzaSIsImlzcyI6ImNhaXdvcmxkIiwic3ViIjoiY29uZmVyZW5jZSIsImV4cCI6MTU5MjkzMzQ2NSwicm9vbSI6ImRpZmZlcmVudFJvb20xOTg3ODMifQ.Qpn5bfajpA4Bi8q18pB-xwIC9yOkvxqDQbh9fyH6fdQTwP5-gzrX78dp68URJl24-BKqUzTA75xjQcAHkFChqQ not allowed to join: mkjbwytqdlplnubgrlefrhmivorwunexdggezjfkuiwxxeodfvpihsh29501@conference.srv-dc-jitsi/5edb3190

My /etc/prosody/conf.avail/srv-dc-jitsi.cfg.lua file is:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "srv-dc-jitsi";

turncredentials_secret = "JU3SmcgYZLRDxJH5";

turncredentials = {
  { type = "stun", host = "srv-dc-jitsi", port = "4446" },
  { type = "turn", host = "srv-dc-jitsi", port = "4446", transport = "udp" },
  { type = "turns", host = "srv-dc-jitsi", port = "443", transport = "tcp" }
};

cross_domain_bosh = true;
consider_bosh_secure = true;

VirtualHost "srv-dc-jitsi"
        -- enabled = false -- Remove this line to enable this host
        --authentication = "anonymous"
        authentication = "token"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        app_id="someapp"
        app_secret="SB2EgchHbUrfYv6VUJOTINdd8kwpIs2m3QzKDxIZZJSfOMkT2sbq1VxczXypf9z1yBCa4EAJk13beiyzcpvF0YbNDra3gsqgOpfw"
        allow_empty_token = false
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/srv-dc-jitsi.key";
                certificate = "/etc/prosody/certs/srv-dc-jitsi.crt";
        }
        speakerstats_component = "speakerstats.srv-dc-jitsi"
        conference_duration_component = "conferenceduration.srv-dc-jitsi"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }
        c2s_require_encryption = false

Component "conference.srv-dc-jitsi" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.srv-dc-jitsi" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.srv-dc-jitsi" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.srv-dc-jitsi", "jvb@auth.srv-dc-jitsi" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.srv-dc-jitsi"
    ssl = {
        key = "/etc/prosody/certs/auth.srv-dc-jitsi.key";
        certificate = "/etc/prosody/certs/auth.srv-dc-jitsi.crt";
    }
    authentication = "internal_plain"

Component "focus.srv-dc-jitsi"
    component_secret = "Qd@nxkS5"

And an example token is:

{
  "typ": "JWT",
  "alg": "HS512"
}
{
  "aud": "jitsi",
  "iss": "someapp",
  "sub": "conference",
  "exp": 1592920923,
  "room": "fudqvdolxovegnqxpehkqozdbpuortxpkgckvlfnyqsseerfkhtszaq29501717061"
}

In summary:
I can access a room my token should not give me access to if I ignore the errors.
Is that a bug or did I configure something wrong?

Same here. JWT token authentication itself works as expected, but the limitation on the conference rooms doesn’t prevent joining not authorized rooms. It detects that it is the wrong room
(“Token … not allowed to join”) but doesn’t stop access to the room.

Is there a special configuration parameter needed to do so, or a fix/workaround possible? The token authentication should really be able to avoid unauthorized access to other rooms…