Possible security issue with room passwords and possible fix

Hi,
we have successfully installed Jitsi on 3 servers by now but found a possible security issue and wanted to know your opinion.
In the last install we used Jitsi for 1-on-1 conferences. Both participants authenticate via JWT but just one of them (via this Lua plugin https://github.com/nvonahsen/jitsi-token-moderation-plugin) is the moderator.
The problem resides in this situation: if the moderator wants to set a password for the room he needs to be logged in but, in the meantime, the other participant can log in to the room while no password is set yet. If the moderator is not a Jitsi expert he thinks the password is mandatory but, in fact, the second participant went in with no password at all.
How would you face this situation?

  • On Jitsi core maybe a configuration field called something like PASSWORD_FORCE in interface_config.js could disconnect everybody from a ROOM if a password is set and they have not given it to Jitsi. This solution would be very nice because it could be configured per-room via the Javascript API. What would a Jitsi mobile-app user see? Would it be user-friendly?
  • Maybe we could code that solution with a Lua-prosody plugin but in that case either the password is always necessary or it is only mandatory for users logging into the room after the password was set. Also I don’t think it would be easy to accomplish a per-room solution. Would it be Jitsi mobile-app user-friendly?
  • This can be coded via Javascript if Jitsi is used only via the API but it wouldn’t be a working solution for Jitsi mobile-app users.
  • Can you think of any other approach we can try or code?

Many thanks in advance.

Hi @damencho, I’ve seen you are a high-level Jitsi folk. Could you give me any hint on this?
We’ll offer to the community any advance (even pieces of code) we make about this issue.
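As an added illustration of the second approach in the post (a Prosody plugin), not code from the thread or from the Jitsi or Prosody projects: a module sketch that reacts to a moderator setting the room secret and removes every occupant who is not a moderator, so nobody who slipped in before the password existed stays in the "protected" room. It assumes Prosody's mod_muc event name `muc-config-submitted/muc#roomconfig_roomsecret`, the `room:each_occupant()`, `occupant.role`, `occupant.nick` and `room:set_role()` API of Prosody 0.11+, and that the token moderation plugin leaves the authorised user with the `moderator` role; verify these against the Prosody version you run.

```lua
-- Added example module (hypothetical name: mod_muc_password_enforce).
-- Goal: once a password is set on a room, occupants who joined without
-- one are removed and must rejoin with the password (the race the post
-- describes is closed after the fact, not prevented).
-- Assumptions: Prosody 0.11+ mod_muc event names and room API.

-- Fired by mod_muc when the room config form's password field is
-- processed; event.room is the room object, event.value the new secret.
module:hook("muc-config-submitted/muc#roomconfig_roomsecret", function(event)
    local room, secret = event.room, event.value;
    if not secret or secret == "" then
        return; -- password was cleared, nothing to enforce
    end

    -- Collect first: removing occupants while iterating is unsafe.
    local to_remove = {};
    for _, occupant in room:each_occupant() do
        -- Moderators (the JWT-authorised user) keep their seat;
        -- everyone else joined before the password existed.
        if occupant.role ~= "moderator" then
            to_remove[#to_remove + 1] = occupant;
        end
    end

    for _, occupant in ipairs(to_remove) do
        module:log("info", "%s: password set, removing %s who joined without it",
                   room.jid, occupant.nick);
        -- actor 'true' means the server acts; role "none" removes the
        -- occupant from the room (they see a kick and can rejoin).
        room:set_role(true, occupant.nick, "none",
                      "A room password was set; rejoin with the password");
    end
end, -10); -- negative priority: run after mod_muc's own handler has stored the password
```

Because the removal is a plain MUC kick, web and mobile clients both see the standard "removed from the room" state and can rejoin through the normal password prompt, which addresses the mobile-app question raised for this approach.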