Lobby + JWT issue with moderator rejoining the meeting

Vinayvvk_viji · November 11, 2020, 2:37am

When the moderator uses JWT and setups lobby room, I see a bug where Moderator is also taken to prejoin screen to request 'Ask to join".

Here is the sequence of events:

Moderator joins a room with JWT token
Moderator turns on Lobby
Guest joins the room. Requests for “to be joined” into the meeting.
Moderator allows the guest to join the room
Now the moderator hangs up the call.
However, the guest is still in the room
Moderator tries to join the call with the same JWT token used earlier.
He’s taken to a prejoin screen where now he has to request “Ask to join”. This seems to be a bug!!!

step 8 doesn’t happen if the guest had also vacated the meeting room before the moderator tried to rejoin. If there was no one already in the room only then moderator with JWT is logged into the room.

If not, in the console.log I see this error:

2020-11-11T02:33:20.629Z [conference.js] <_onConferenceFailed>: CONFERENCE FAILED: conference.connectionError.membersOnly 493-579-3823@lobby.jitsi.jwt.live Logger.js:154:22

2020-11-11T02:33:20.633Z [features/base/connection] <h/</</<>: conference.connectionError.membersOnly Logger.js:154:22

Please let me know if this is a known bug and a solution exists.

damencho · November 11, 2020, 2:42am

This is how lobby works, with or without jwt. The workaround for this is the moderator to set a password to the room, so he can bypass lobby with it when needed.

Vinayvvk_viji · November 11, 2020, 3:14am

@damencho, understood. Thanks for your help.

However, is there anyway I can override existing behaviour - meaning, if I see a user with jwt token for the room when lobby is enabled, take him directly into the room ?

Basically I want to bypass the prejoin screen as soon as I see jwt token.

damencho · November 11, 2020, 3:50am

You need changes in jitsi-meet, which can just check whether jwt is been decoded correctly and cannot validate the token.
You will skip pre-join using jwt then you need to bypass lobby you can modify it here add one more rule after the whitelisting:

github.com

jitsi/jitsi-meet/blob/12c835dd919ee6da0b0dfc198cce819035a72e82/resources/prosody-plugins/mod_muc_lobby_rooms.lua#L344


    return;
end
local invitee = event.stanza.attr.from;
local invitee_bare_jid = jid_bare(invitee);
local _, invitee_domain = jid_split(invitee);
local whitelistJoin = false;
-- whitelist participants
if whitelist:contains(invitee_domain) or whitelist:contains(invitee_bare_jid) then
    whitelistJoin = true;
end
local password = join:get_child_text('password', MUC_NS);
if password and room:get_password() and password == room:get_password() then
    whitelistJoin = true;
end
if whitelistJoin then
    local affiliation = room:get_affiliation(invitee);
    if not affiliation or affiliation == 0 then

You can do it by checking session.auth_token is it not nil …

Vinayvvk_viji · November 11, 2020, 5:10am

@damencho, something like this?

 diff --git a/resources/prosody-plugins/mod_muc_lobby_rooms.lua b/resources/prosody-plugins/mod_muc_lobby_rooms.lua
index af5332d19..41c41fe65 100644
--- a/resources/prosody-plugins/mod_muc_lobby_rooms.lua
+++ b/resources/prosody-plugins/mod_muc_lobby_rooms.lua
@@ -344,6 +344,12 @@ process_host_module(main_muc_component_config, function(host_module, host)
             whitelistJoin = true;
         end

+        local session = event.origin;
+        if session.auth_token ~= nil then
+            module:log("info","Vinay: session.auth_token = %s",session.auth_token);
+            whitelistJoin = true;
+        end
+
         local password = join:get_child_text('password', MUC_NS);
         if password and room:get_password() and password == room:get_password() then
             whitelistJoin = true;

I restarted prosody and jicofo but I don’t see this change. Sorry, this is my first attempt at changing the prosody plugin file. Please help.

damencho · November 11, 2020, 12:21pm

Any errors in prosody logs?
Make sure those are the files used by your deployment …

Vinayvvk_viji · November 11, 2020, 11:34pm

@damencho, spot on. My deployment was using the plugins from /usr/share/jitsi-meet. So, I pointed the prosody to my local deployment, restarted prosody, jicofo and jvb. Host with JWT was able to rejoin the meeting bypassing the pre-join screen.

You are a life savior. Thanks a ton.

Gkleinereva · January 14, 2022, 11:27pm

Vinay’s solution will let anyone with a valid JWT bypass the lobby, regardless of their moderation status. We’re using the token_affiliation prosody plugin to determine moderation status, so I adapted Vinay’s code to let moderators bypass the lobby, but send non-moderators to the lobby. Here’s the code if it would help anyone else.

        -- whitelist participants
        if whitelist:contains(invitee_domain) or whitelist:contains(invitee_bare_jid) then
            whitelistJoin = true;
        end

        -- begin gkleinereva addition
        local context_user = event.origin.jitsi_meet_context_user;
        if context_user then
            if context_user["affiliation"] == "owner" then
                whitelistJoin = true;
            elseif context_user["affiliation"] == "moderator" then
                whitelistJoin = true;
            elseif context_user["affiliation"] == "teacher" then
                whitelistJoin = true;
            end
        end
        -- end gkleinereva addition

        local password = join:get_child_text('password', MUC_NS);
        if password and room:get_password() and password == room:get_password() then
            whitelistJoin = true;
        end