Prevent multiple users to enter with the same JWT

Francisk · January 4, 2023, 11:34am

Is there still no way of preventing multiple users from joining the same MUC with the same JWT?
This is just to prevent a user to join a conference with multiple instances using the same JWT.

Would this be achievable editing this function?

github.com

jitsi/jitsi-meet/blob/master/resources/prosody-plugins/mod_token_verification.lua#L48


      
          	tostring(token_util.allowEmptyToken));
          
          
-- option to disable room modification (sending muc config form) for guest that do not provide token
          local require_token_for_moderation;
          local function load_config()
              require_token_for_moderation = module:get_option_boolean("token_verification_require_token_for_moderation");
          end
          load_config();
          
          
-- verify user and whether he is allowed to join a room based on the token information
          local function verify_user(session, stanza)
          	log("debug", "Session token: %s, session room: %s",
          		tostring(session.auth_token),
          		tostring(session.jitsi_meet_room));
          
          
	-- token not required for admin users
          	local user_jid = stanza.attr.from;
          	if is_admin(user_jid) then
          		log("debug", "Token not required from admin user: %s", user_jid);
          		return true;
          	end

Thank you in advance.

damencho · January 4, 2023, 11:42am

Yes you can add a user context with user ID in the jwt and deny access when user is already there. You need to write that custom module. But when doing that mind that users will not be able to reconnect for a minute or two if they loose connection.

Francisk · January 4, 2023, 1:58pm

Can you provide a link to read more about this “user context”?

damencho · January 4, 2023, 2:07pm

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md#token-identifiers-structure-optional

# JSON Web Token (JWT) authentication Prosody plugin

This plugin implements a **Prosody authentication provider** that verifies a client connection based on a JWT
described in [RFC7519]. It allows use of an external form of authentication with _lib-jitsi-meet_.
Once your user authenticates you need to generate the JWT as described in the RFC and pass it to your client app.
Once it connects with a valid token, it is considered authenticated by the jitsi-meet system.

During configuration, you can choose between two JWT validation methods:

* Shared Secret Validation or
* Public Key Validation 

In both cases you will need to provide the _application ID_ that identifies the client.

For the **Shared Secret Validation** an _application secret_ is shared by both the server (Prosody) and the JWT
generation. Take a look at an example structure in [Example Structure > Shared Secret Validation](#shared-secret-validation).
Like described in the RFC, the _shared secret_ is used to compute a HMAC hash value which allows authentication of the 
generated token. There are many existing libraries which can be used to implement token generation. More info can be 
found here: [http://jwt.io/#libraries-io]

This file has been truncated. show original

Francisk · January 4, 2023, 2:58pm

Ahh, I was generating the jwt using this https://jitok.emrah.com/, it already sets the context on the jwt.
My main problem is how to get a list of users that are already in the call in that pre-join event so I could make the verification?

damencho · January 4, 2023, 3:08pm

You can get inspired by this: jitsi-meet/mod_filter_iq_rayo.lua at 0ad52a06ce1cfc2f3f7417551af972f9130edd81 · jitsi/jitsi-meet · GitHub
Searches all other rooms for a particular session, from each session you can get the session.jitsi_meet_context_user["id"] and check based on that.

Francisk · January 4, 2023, 3:16pm

I’ll try! Thanks for always helping with examples and very rapidly!

Francisk · January 4, 2023, 5:22pm

Got it to work using an email field!!

One more thing, in the stanzas from the users in the rooms when I do the loop to check all rooms, there is the email field, it was injected into the stanza somehow, but I cannot find it where, I’d rather be using an ID. Do you happen to have an idea where this injection might happen?

damencho · January 4, 2023, 7:46pm

In the presence as the initiator

github.com

jitsi/jitsi-meet/blob/0ad52a06ce1cfc2f3f7417551af972f9130edd81/resources/prosody-plugins/mod_filter_iq_rayo.lua#L146


      
              rooms = muc.each_room(true);
          end
          
          
-- now lets iterate over rooms and occupants and search for
          -- call initiated by the user
          if rooms then
              for room in rooms do
                  for _, occupant in room:each_occupant() do
                      for _, presence in occupant:each_session() do
          
          
                local initiator = presence:get_child('initiator', 'http://jitsi.org/protocol/jigasi');
          
          
                local found_user = false;
                          local found_group = false;
          
          
                if initiator then
                              initiator:maptags(function (tag)
                                  if tag.name == "header"
                                      and tag.attr.name == OUT_INITIATOR_USER_ATTR_NAME then
                                      found_user = tag.attr.value == context_user;
                                  elseif tag.name == "header"

Francisk · January 5, 2023, 10:35am

That wasn’t quite what I meant, but I found this module, enabled it and got it to inject the presence stanza with the context. But somewhere there is a line of code injecting just the email on my prosody, I have yet to find it ahah

github.com

jitsi/jitsi-meet/blob/master/resources/prosody-plugins/mod_presence_identity.lua

local stanza = require "util.stanza";
local update_presence_identity = module:require "util".update_presence_identity;

-- For all received presence messages, if the jitsi_meet_context_(user|group)
-- values are set in the session, then insert them into the presence messages
-- for that session.
function on_message(event)
    if event and event["stanza"] then
      if event.origin and event.origin.jitsi_meet_context_user then

          update_presence_identity(
              event.stanza,
              event.origin.jitsi_meet_context_user,
              event.origin.jitsi_meet_context_group
          );

      end
    end
end

This file has been truncated. show original

Anyway, thank you for your help!

Francisk · January 11, 2023, 9:35am

I’ve managed to do what I wanted to, but actually what is the default time since a user loses internet connection until he is actually “kicked” out of the room? Do you know where we can configure that value?

damencho · January 11, 2023, 12:32pm

For bosh that is 60 seconds and you can change it on server side, but for client side you need to rebuild one fo the dependencies of lib-jitsi-meet and use that to rebuild it.
You can change the websocket one both client side and serverside.