JWT authentication with optional moderation

mynameisbrendan · May 4, 2020, 11:56am

Hi,

I am looking for some guidance on how best to achieve my desired use case.

I have a self-hosted jitsi instance that I use via API from my website. The use case is that website members can join large calls for scheduled events, but there is no presenter or moderation required for the event to happen.

Currently with JWT authentication all users are moderators which has some challenges I need to resolve.

I would like the ability for a moderator to join the event via a password or private token if required
All other users to be guests (no access to kick out button etc)
Event to start and complete with no moderation (if no moderation is required)

The reason I use JWT authentication is to restrict access from my website only. Would it be better to not use tokens for guests (enableUserRolesBasedOnToken), but restrict IP access from my webserver, or limit access to API only?

Thanks all in advance! I have already learned a lot from this community.

damencho · May 4, 2020, 4:44pm

You can turn it on and enable allow_empty_token so guest can connect with no token.

mlynchdev · May 4, 2020, 6:04pm

Wait so if we require JWT auth for accessing the server it defaults all entrants to moderator?

mlynchdev · May 4, 2020, 6:08pm

Can this be avoided? Or that’s the current functionality. And allowing users to enter as guests would be only option to restrict moderator access?

damencho · May 4, 2020, 10:47pm

Yep, this is how it is currently working. Search the forum someone proposed a change that you can add a field in the token to set moderator or not.

mynameisbrendan · May 5, 2020, 12:05am

Thanks, I can confirm that this works to allow guests to join but unfortunately, it breaks some other requirements:

The ability for an event to run unmoderated
Block access to all rooms if not coming from my website

I did see the post about moderator tokens, but it does not solve requirement #1 here unless I can also allow guests to start a room?
My understanding is that a default setup without the secure domain will just make the first guest a moderator anyway?

damencho · May 5, 2020, 12:10am

Yes.

mynameisbrendan · May 7, 2020, 7:18am

I have setup the token moderation plugin (link below) and I believe this has resolved all of my challenges.

Any user can start or join a call and only receive guest access
A moderator can also join the call and receive moderator access (kick/mute etc)
The call will start and also continue with no moderators present
JWT authentication is still being used so access is restricted

I will continue to test and post any updates if I learn of any limitations.

voipsecurity · May 8, 2020, 6:39pm

Hey guys. We also setup this moderator plugin and it’s working great.

hannstel · May 14, 2020, 10:01am

What is the version of your Prosody?
have you applied the muc_owner_allow_kick.patch patch to prosody?
Can you share your prosody and jicofo configurations?

mynameisbrendan · May 14, 2020, 11:18am

It is a fresh installation following the instructions below, no additional patches or configurations.

github.com

christiancuri/Docs/blob/master/Jitsi Meet Installation.md




# Install lua and dependencies

Enter in sudo user

```bash
sudo su
```

Run the follow script to install lua and her dependencies, and prosody with fixes.
After finish, VM will be restarted
```bash
cd &&
apt-get update -y &&
apt-get install gcc -y &&
apt-get install unzip -y &&
apt-get install lua5.2 -y &&
apt-get install liblua5.2 -y &&

This file has been truncated. show original

hannstel · May 14, 2020, 12:00pm

thanks for the reply
just to confirm, what is your OS and its version, and your Prosody version?

mynameisbrendan · May 14, 2020, 12:16pm

Ubuntu 18.04.3 and Prosody 11.5

hannstel · May 14, 2020, 12:30pm

and you did not encounter any difficulty in Luarocks installation for Lua5.2 for Ubuntu 18.04?

mynameisbrendan · May 14, 2020, 12:55pm

Nope. Fresh server and i followed those instructions line by line

hannstel · May 14, 2020, 1:10pm

you are a great help, thanks for the confirmation