JWT room validation

Hello I am trying to add JWT room validation. I am able to create tokens without any problem. Inside Jitsi JWT structure there is a property called room as stated here lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub But it seems to do nothing, Ive created a room lets say its called room1 and a room 2. I create a JWT for a user who can access room1, but the same JWT token works for entering room 2. I would like to avoid these behaviour.

Just to rule out the obvious, it is not possible to join room2 without a token, correct?

Can you share how your token payload looks like?

{
            "aud": "*",
            "context": {
                "user": {
                    "id": "-MGd_ofvC9guWvmND_Ce",
                    "name": "user_name",
                    "avatar": "user_avatar",
                    "email": "user_email",
                    "moderator": "true"
                },
                "features": {
                    "livestreaming": "true",
                    "recording": "true",
                    "transcription": "true",
                    "outbound-call": "true"
                }
            },
            "iss": "my-iss",
            "room": "room1",//If this value is room2 I would like to avoid this JWT from working
            "sub": "meets.example.com",
            "exp": 1623226847,
            "nbf": 1623216037
        }

Hello @shawn this is my payload

At first glance, token looks ok. And you’re sure you’ve enabled token auth correctly? As in room2 not accessible if you don’t pass in a jwt?

Yes Im sure everything is setup correctly, this token is for my self hosted project. Just to test and be sure that this it is working as expected I opened an account in 8X8 Jaas to test with Jitsi own cloud services and followed their installation process until generating my JWT in my application. I used their services and it has the same behaviour. The room property in a JWT doesnt seem to restrict access to a room. So I think it needs a modification in prosody or somewhere, but I dont know where to start. Maybe on, mod_auth_token.lua but Im kind of lost on how to get the token params and validate that token.room == myroomname if it isnt just return auth error.

I’m not doubting your overall setup. I’m just trying to tease out whether your issue is that JWT auth is not working at all, or whether it is working (i.e. users cannot access rooms without a valid token) but it is just not respecting the “room” field and allowing any room with a valid token.

You should not need to modify the prosody modules. It already handles room checks.

Can you share your prosody config? In particular, the bits mentioned in the manual-plugin-configuration part of the docs.

Exactly, if user doesnt provide jwt it fails. Everything about the jwt validation is working as expected but it is just this behaviour about not respecting the “room” field and allowing any room with a valid token I want to change. Idk if thi is not implemented on jitsi or there is something Im missing to activate.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meets.XXX.io";

external_service_secret = "ouUpow6tdEhknyzy";
external_services = {
     { type = "stun", host = "meets.XXX.io", port = 3478 },
     { type = "turn", host = "meets.XXX.io", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "meets.XXX.io", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meets.XXX.io"
    -- enabled = false -- Remove this line to enable this host
    storage="none"
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="XXX"
    app_secret="XXX"
    allow_empty_token=false
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meets.XXX.io.key";
        certificate = "/etc/prosody/certs/meets.XXX.io.crt";
    }
    speakerstats_component = "speakerstats.meets.XXX.io"
    conference_duration_component = "conferenceduration.meets.XXX.io"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        --"external_services";
        "conference_duration";
        "muc_lobby_rooms";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meets.XXX.io"
    main_muc = "conference.meets.XXX.io"
    -- muc_lobby_whitelist = { "recorder.meets.XXX.io" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meets.XXX.io" "muc"
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.meets.XXX.io" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meets.XXX.io" "muc"
    storage = "none"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meets.XXX.io", "jvb@auth.meets.XXX.io" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meets.XXX.io"
    ssl = {
        key = "/etc/prosody/certs/auth.meets.XXX.io.key";
        certificate = "/etc/prosody/certs/auth.meets.XXX.io.crt";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.meets.XXX.io" "client_proxy"
    target_address = "focus@auth.meets.XXX.io"

Component "speakerstats.meets.XXX.io" "speakerstats_component"
    muc_component = "conference.meets.XXX.io"

Component "conferenceduration.meets.XXX.io" "conference_duration_component"
    muc_component = "conference.meets.XXX.io"

Component "lobby.meets.XXX.io" "muc"
    storage = "none"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

I do not spot anything obviously wrong with your config, but I am far from an expert so this might not mean anything.

For sure this is already implemented. It is working as expected on my deployment.

If you’re curious, this is the point in the user vertification where the room check is done – jitsi-meet/mod_token_verification.lua at master · jitsi/jitsi-meet · GitHub – and the verify_room function that calls is implemented here – jitsi-meet/util.lib.lua at master · jitsi/jitsi-meet · GitHub.

Oh… hold on. I might have spotted something questionable in the code. Maybe.

Can you config which version of Jitsi you have installed?

So on your deployment it is working as I described? Thats weird. Then I am missing something or a module needs to be activated.


ii  jitsi-meet                             2.0.5870-1                                      all          WebRTC JavaScript video conferences
ii  jitsi-meet-prosody                     1.0.4985-1                                      all          Prosody configuration for Jitsi Meet
ii  jitsi-meet-tokens                      1.0.4985-1                                      all          Prosody token authentication plugin for Jitsi Meet
ii  jitsi-meet-web                         1.0.4985-1                                      all          WebRTC JavaScript video conferences
ii  jitsi-meet-web-config                  1.0.4985-1                                      all          Configuration for web serving of Jitsi Meet
ii  jitsi-videobridge2                     2.1-492-g5edaf7dd-1                             all          WebRTC compatible Selective Forwarding Unit (SFU)

These are my versions, can you show me what versions are you using please? I used the cmd

dpkg -l | grep jitsi

Just to compare if I have all the packages installed and with the same version

it looks ok. The code that I assumed looked a bit odd came after the version you are using. So unless you’ve manually copied the module from master recently you should not be affected. (I misread, not a bug after all)

I’m afraid I’ve run out of ideas. Hopefully someone more experienced will be able to help.

Anything interesting in your prosody logs around that time an auth happens?

Im kind of confused, I thought it wasnt implemented in Jitsi but reading this code shows me clearly the room is getting validated. But in my deployment its like every token I create goes with a wildcard ‘*’, even if I specify the “room” field.

Can you check your token content in jwt.io

Hello @emrah, everything seems good with my token. It is exactly as the one I posted in one of my replies. I did a fresh installation yesterday, reinstalling ubuntu and doing a clean installation of Jitsi. But I have the same problem. One thing I noticed is that in my prosody logs I have this.

Traceback[c2s]: /usr/lib/prosody/util/cache.lua:66: table index is nil
stack traceback:
        /usr/lib/prosody/util/cache.lua:66: in function 'set'
        /usr/lib/prosody/modules/muc/mod_muc.lua:177: in function 'track_room'
        /usr/lib/prosody/modules/muc/mod_muc.lua:205: in function </usr/lib/prosody/modules/muc/mod_muc.lua:192>
        (...tail calls...)
        /usr/lib/prosody/modules/muc/mod_muc.lua:434: in function '?'
        /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
        (...tail calls...)
        /usr/lib/prosody/core/stanza_router.lua:180: in function 'core_post_stanza'
        /usr/lib/prosody/core/stanza_router.lua:127: in function 'core_process_stanza'
        /usr/lib/prosody/modules/mod_c2s.lua:284: in function 'func'
        /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>

It say something about track_room idk if this has something to do with it.

@emrah @shawn Got it working following this tutorial for the fresh installation on Ubuntu 18.04 https://doganbros.com/index.php/jitsi/jitsi-installation-with-jwt-support-on-ubuntu-18-04-lts/ And for the errors about the table index is nil. I had to change my storage from null to memory in the prosody domain configuration file. My rooms are getting autheticated now and if I create a token with another room name it kicks the user from it.

Useful links:

Install the correct prosody version: Prosody package repository – Prosody IM

Add the Jitsi Package Repository: Self-Hosting Guide - Debian/Ubuntu server · Jitsi Meet Handbook

3 Likes

:+1:t4: