JWT tokens not respecting the exp field

I have been running Jitsi with JWT tokens for almost 2 years now without any problems, and all the fields in the token were working as intended.

While testing one of the old tokens to log into a session, I noticed that the old sessions with an ‘exp’ field that has already expired are still working.

For example, a token with the exp field set to ‘1584590400’, which expired more than 6 months ago, still works!

This is the list of current Jitsi versions installed:

jitsi-archive-keyring/stable 1.0.1 all
jitsi-meet/stable 2.0.5076-1 all [upgradable from: 2.0.4468-1]
jitsi-meet-prosody/stable 1.0.4428-1 all [upgradable from: 1.0.4025-1]
jitsi-meet-tokens/stable 1.0.4428-1 all [upgradable from: 1.0.3216-1]
jitsi-meet-turnserver/stable 1.0.4428-1 all
jitsi-meet-web/stable 1.0.4428-1 all [upgradable from: 1.0.4025-1]
jitsi-meet-web-config/stable 1.0.4428-1 all [upgradable from: 1.0.4025-1]
jitsi-upload-integrations/stable 0.15.15-1 all
jitsi-videobridge/stable 1126-1 amd64 [residual-config]
jitsi-videobridge2/stable 2.1-351-g0bfaac1c-1 all [upgradable from: 2.1-183-gdbddd169-1]

Any ideas where I can debug and look for why this is happening?

This is done here: https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/token/util.lib.lua#L188
And the validation is done here: https://github.com/jitsi/lua-jwt/blob/master/src/jwt/jws.lua#L39
Which goes into openssl somewhere … So this is all the info I can dig up quickly.

Thanks @damencho, it looks like the ‘exp’ field is not being verified anymore?

That is why the tokens are not expiring anymore, but this does not make sense: if someone has the token, then it will never expire!

Am I missing something?

I think that is working; I recently had a problem with that … Not sure why it does not work for you.

The code page which you sent me does not validate the ‘exp’ field in the token, maybe that was removed in a recent update?

No, this has not been updated for several years now; the validation happens inside the openssl library there https://github.com/jitsi/lua-jwt/blob/master/src/jwt/jws.lua#L6

I tried creating new tokens with an expired ‘exp’ field, but all of them work. Example:
{
  "context": {
    "user": {
      "name": "XXXX XXXXXX",
      "email": "XXXXX@mydomain.com"
    }
  },
  "sub": "vc.mydomain.com",
  "iss": "XXXXX",
  "room": "BRXXXXLINF9KR",
  "aud": "XXXXX",
  "exp": 1584590400
}

Any ideas where I can go from here?

I just tested it with your value and I get:

This is my prosody configuration:

VirtualHost "vc.mydomain.com"
    authentication = "token";
    app_id = "XXXXX";
    app_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    allow_empty_token = true;
    disable_room_name_constraints = true;
    ssl = {
        key = "/etc/prosody/certs/vc.mydomain.com.key";
        certificate = "/etc/prosody/certs/vc.mydomain.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "muc_size";
        "muc_allowners";
    }

    c2s_require_encryption = false;
    consider_bosh_secure = true;

Could it be that ‘allow_empty_token = true;’ is causing this behavior?

No, I’m testing with the same. Can you show your token, masking whatever you want?

Is the server clock OK?

Thanks @damencho, but what is ‘token masking’?

Time is perfectly synchronized with an NTP server.

I missed a comma. I mean, show us your token and mask any private information in it.

Sorry @damencho, the token is shown below:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IlhYWCIsImVtYWlsIjoiWFhAWFhYLmNvbSJ9fSwic3ViIjoidmMuWFhYWC5jYSIsImlzcyI6ImhhbW1vZCIsInJvb20iOiJCUkhBTUVMSU5GOUtSIiwiYXVkIjoiT3NhbWEiLCJleHAiOjE1ODQ1OTA0MDB9.u46w_7O7UV_2TPUYTyeXRrxTcuBb8aPzT5evoiy9SB0

By the way, I noticed that any token works, even if it is invalid!!

How do you pass it?

https://vc.mydomain.com/room?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IlhYWCIsImVtYWlsIjoiWFhAWFhYLmNvbSJ9fSwic3ViIjoidmMuWFhYWC5jYSIsImlzcyI6ImhhbW1vZCIsInJvb20iOiJCUkhBTUVMSU5GOUtSIiwiYXVkIjoiT3NhbWEiLCJleHAiOjE1ODQ1OTA0MDB9.u46w_7O7UV_2TPUYTyeXRrxTcuBb8aPzT5evoiy9SB0

I tried many possibilities, but I couldn’t reproduce the same error with the stable packages. Authentication always fails when the exp is outdated.

I suspect that ‘allow_empty_token=True’ is forcing token verification to be disabled!

I will try it after hours and see how that goes.
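To make the two stages discussed above explicit (the signature check that lua-jwt performs, and the claim checks that sit on top of it, which is where an ‘exp’ comparison against the server clock has to happen), here is a small stand-alone HS256 verifier. It is an added example, not Jitsi's or lua-jwt's code, and it models only a subset of the plugin's checks: the HS256 signature, ‘iss’ against app_id, and ‘exp’ against a supplied clock. Its handling of allow_empty_token is an assumption about the intended semantics: a request with no token at all is let through as a guest, while a token that is present but fails any check is still rejected. The secret and the "now" timestamp are constructed; the masked token is the one posted in this thread, and since its real app_secret is not known it can only be decoded without verification here, then re-signed with the constructed secret to show that a good signature does not save an expired ‘exp’.

```python
"""Added example: stand-alone HS256 JWT check modelled on the Jitsi token flow.

Not Jitsi's or lua-jwt's code. Shows that signature verification and the
'exp' claim check are separate steps: a token whose signature is good can
still be expired, and only the second step catches that.
"""
import base64
import hashlib
import hmac
import json
import time

# Token as posted in the thread above (names already masked by the poster).
POSTED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IlhYWCIsImVtYWlsIjoiWFhAWFhYLmNvbSJ9fSwic3ViIjoidmMuWFhYWC5jYSIsImlzcyI6ImhhbW1vZCIsInJvb20iOiJCUkhBTUVMSU5GOUtSIiwiYXVkIjoiT3NhbWEiLCJleHAiOjE1ODQ1OTA0MDB9."
    "u46w_7O7UV_2TPUYTyeXRrxTcuBb8aPzT5evoiy9SB0"
)


def _b64url_decode(segment: str) -> bytes:
    """JWT uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT checking the signature; for inspection only."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_hs256_token(claims: dict, secret: str) -> str:
    """Mint a token the way a Jitsi-style issuer would (constructed secret)."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    mac = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_token(token, secret, app_id, now=None, allow_empty_token=False):
    """Return (accepted, reason).

    Order matters: the signature is checked before any claim is trusted, and
    'exp' is compared against the clock only after that. allow_empty_token
    (assumed semantics) covers only the case where no token is presented.
    """
    now = int(time.time()) if now is None else now
    if not token:
        return (True, "guest (no token)") if allow_empty_token else (False, "missing token")
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("iss") != app_id:
        return False, "wrong iss"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp"
    if now >= exp:          # RFC 7519: current time must be strictly before exp
        return False, "expired"
    return True, "ok"


def demo(now=1600000000):
    """Re-sign the posted claims with a constructed secret and run each case.

    now=1600000000 (Sept 2020) is a constructed clock value, chosen to be well
    after the posted exp of 1584590400.
    """
    secret = "constructed-example-secret"  # not the real app_secret
    claims = decode_claims(POSTED_TOKEN)
    app_id = claims["iss"]
    return {
        "posted_exp": claims["exp"],
        # The real secret is unknown, so the posted token must fail on signature first.
        "posted_with_wrong_secret": verify_token(POSTED_TOKEN, secret, app_id, now),
        # Same claims, valid signature under our secret: still rejected, on exp.
        "resigned_expired": verify_token(make_hs256_token(claims, secret), secret, app_id, now),
        # Same claims with a future exp: accepted.
        "resigned_fresh": verify_token(
            make_hs256_token({**claims, "exp": now + 3600}, secret), secret, app_id, now
        ),
        # allow_empty_token lets an absent token through, not a bad one.
        "empty_with_allow_empty": verify_token("", secret, app_id, now, allow_empty_token=True),
        "garbage_with_allow_empty": verify_token("a.b.c", secret, app_id, now, allow_empty_token=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints one line per case; the "resigned_expired" line is the one that matters for this thread: the signature verifies, and the token is still refused because ‘exp’ is in the past. If a deployment accepts such a token, the expiry comparison is being skipped or is comparing against the wrong clock, and that is the stage to trace, separately from whether the signature check ran.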

I tried this too but it works as expected. Do you allow guest login?