[jitsi-users] Set user XMPP credentials in the URL search parameters


#1

Hi,

currently jitsi-meet supports a guest mode, where only authenticated users are allowed to create new conferences.
When jitsi-meet is unable to login anonymously it asks the user for credentials using a pop up window.

My proposal: use two extra search parameters *username=alice@example.com* and *password=S3cr3t*.

So for example a jitsi-meet URL will look like this:

  https://meet.jit.si/conference1?username=alice@example.com&password=S3cr3t

Or better:

  https://meet.jit.si/?room=conference&username=alice@example.com&password=S3cr3t

I have already used an implementation which patches jitsi-meet to extract the user credentials and set them in the right place to log in the user, when the anonymous mode fails.

Since last time I checked this implementation kind of collides when using the external Jitsi-meet API, which is incompatible whit search params, if you do not handle this with your own JS code...

There is currently a "token" implementation, but not much documentation about it...

Security considerations:
* Password in plain text, malicious (JS) code could read it.
* Jitsi-meet server without SSL will expose the credentials
* Malicious server admin could read credentials
* Password can be stolen easily
* If prosody uses a different authentication system (e.g. unique username based MAC codes), this could circumvent some security issues.
* Create a new conference and send the password and username in a POST request?

Opinions?

Kind regards,

Rainer