User authenticated with token can create rooms even with a name other than the one passed in the token

I have set up Jitsi and Prosody in a way that lets users who authenticated via JWT create rooms, while guests can join if they have the link, without providing the JWT. It works perfectly, but if the authenticated user tries to create any other room, he will be able to do it, even while being restricted by the token_verification module at the conference.domain.com component. Am I missing something? My configuration is set up like this:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

asap_accepted_issuers = { "jitsi", "domain" }

VirtualHost "jitsi.domain.com"
    authentication = "token";
    app_id="###";
    app_secret="###";

    allow_empty_token = false;
    ssl = {
        key = "/etc/prosody/certs/jitsi.domain.com.key";
        certificate = "/etc/prosody/certs/jitsi.domain.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false

Component "conference.jitsi.domain.com" "muc"
    storage = "null"
    modules_enabled = { "token_verification" }
    restrict_room_creation = true
    admins = { "focus@auth.jitsi.domain.com" }

Component "jitsi-videobridge.jitsi.domain.com"
    component_secret = "###"

VirtualHost "auth.jitsi.domain.com"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.domain.com.key";
        certificate = "/etc/prosody/certs/auth.jitsi.domain.com.crt";
    }
    authentication = "internal_plain"
    c2s_require_encryption = false

VirtualHost "guest.jitsi.domain.com"
    authentication = "token"
    app_id="###";
    app_secret="###";
    c2s_require_encryption = false
    allow_empty_token = true;

Component "focus.jitsi.domain.com"
    component_secret = "###"

I added the domain to the jicofo init arguments; analysing it, it seems that it uses the already-authenticated session id of the user and then uses the auth domain to create a room and the guest domain to join. It's related to this post: https://community.jitsi.org/t/jwt-tokens-and-guest-access/18119

You are mixing both auth mechanisms; you need to remove the guest VirtualHost and its configs and set allow_empty_token = true. This is the guest mode of JWT.

Setting it up like this lets users without a token create rooms too; just typing jitsi.domain.com/roomname will create a room without any restriction.

Yep, this is allow_empty_token. JWT does not have such a restriction … in the case of secure-domain it's jicofo restricting this, but jicofo has no idea about JWT …
You can implement this easily with a simple Prosody module.
If there is no token and no such room has been created: reject the request. There are plenty of examples in the Prosody modules shipped with jitsi-meet, like:


Here you can get the room name from the URL and check whether it exists. Obtain the room like this: https://github.com/jitsi/jitsi-meet/blob/d12afc5c071184a61c8e42578be21e84ef9b6324/resources/prosody-plugins/mod_muc_size.lua#L141
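One way to implement the check the reply above describes ("no token and no such room yet: reject"), as an added example that is not part of this thread and not jitsi-meet's own code. It is a small Prosody module that hooks the same bosh-session/websocket-session events jitsi-meet's mod_auth_token uses, reads the room and token parameters from the connection URL, and looks the room up with get_room_from_jid from jitsi-meet's prosody-plugins util.lib.lua (available through the plugin_paths line in the config above). The module name guest_room_exists, the option name guest_room_exists_muc, the lowercasing of the room name and the chosen stream-error condition are all assumptions of this example; the exact way mod_bosh reacts to a close issued right after session creation should be verified against your Prosody version.

```lua
-- mod_guest_room_exists.lua (hypothetical module name; added example, not
-- code from the thread or from jitsi-meet).
--
-- Enable it on the VirtualHost the clients connect to, e.g.
--     modules_enabled = { "bosh"; "pubsub"; "ping"; "guest_room_exists"; }
--     guest_room_exists_muc = "conference.jitsi.domain.com"
--
-- Rule: a connection without a token may only target a room that already
-- exists. Creating a room therefore requires a JWT; mod_token_verification
-- still checks that the JWT is valid for that room.

local formdecode = require "util.http".formdecode;
local jid_join = require "util.jid".join;
-- get_room_from_jid lives in jitsi-meet's prosody-plugins/util.lib.lua.
local get_room_from_jid = module:require "util".get_room_from_jid;

local muc_domain = module:get_option_string("guest_room_exists_muc");
if not muc_domain then
    module:log("error", "guest_room_exists_muc is not set; module is inactive");
    return;
end

-- Decide from the raw URL query (e.g. "room=foo&token=...") whether the
-- connection may proceed. Returns true, or false plus the room JID that
-- would have had to exist.
local function check_query(query)
    if query == nil or query == "" then
        return true; -- no room requested on the URL; nothing to decide here
    end
    local params = formdecode(query);
    if params.token ~= nil and params.token ~= "" then
        return true; -- tokened session: mod_token_verification takes over
    end
    local room_name = params.room;
    if room_name == nil or room_name == "" then
        return true;
    end
    -- Assumption: MUC room JIDs are lowercase, so compare case-insensitively.
    local room_jid = jid_join(string.lower(room_name), muc_domain);
    if get_room_from_jid(room_jid) ~= nil then
        return true; -- room exists already: a guest may join it
    end
    return false, room_jid;
end

local function on_session(event)
    local session, request = event.session, event.request;
    local ok, room_jid = check_query(request.url.query);
    if ok then
        return;
    end
    module:log("info", "rejecting tokenless session for missing room %s", room_jid);
    -- Close the stream with a condition/text the client can tell apart from a
    -- SASL failure (a SASL failure is what makes jitsi-meet show the login
    -- prompt). The pair used here is an arbitrary choice for this example.
    -- The close is deferred one event-loop turn so that the BOSH request that
    -- opened the session is already registered and receives the terminate body.
    module:add_timer(0, function()
        session:close({ condition = "policy-violation", text = "room-not-created" });
    end);
end

module:hook_global("bosh-session", on_session);
module:hook_global("websocket-session", on_session);
```

With this in place a tokenless request for a not-yet-existing room never reaches jicofo, so no room is created; a tokenless request for an existing room is untouched and still goes through the normal guest flow. What the client does with the terminate body is a separate matter (the rest of the thread covers that): unless lib-jitsi-meet is taught to recognise the condition and retry, it will treat the rejection as a failed connection.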

Okay, so that worked pretty well for restricting the creation of more rooms, but there's a little problem: if a user without a token tries to enter a nonexistent room, it will directly prompt for the username and password, instead of showing the message that the host hasn't joined yet, and so it won't keep trying to reconnect. Is it because there is no guest domain, or maybe it could not reach the phase of pre-joining the room and creating a session id?

So the short answer is this is not implemented.

So the flow is the following: when a client is opened it connects to the XMPP server using BOSH (A) and sends an IQ message to jicofo to request joining a room. Jicofo is the one creating the room, and when it returns a positive answer to the client, the client joins the room.

The host flow works like this: jicofo answers with 'not-authorized', so the client waits and sends the same IQ every 5 seconds until the host arrives and a positive answer is received: https://github.com/jitsi/lib-jitsi-meet/blob/5a9fc76739bcf0bed50676c7be160f688f3a19b5/modules/xmpp/moderator.js#L435

There is no such logic for JWT, and if you added the rejection logic in bosh-session, you are basically rejecting the initial XMPP connection (A). The quickest way is to send a specific error reason, or something by which you can differentiate this situation, and add custom code in lib-jitsi-meet to retry this every 5 seconds … and probably you can reuse the same events and logic as the already existing logic for secure domain and make it work …