User authenticated with token can create rooms even with a name other than the one passed in the token

I have set up jitsi and prosody in a way that lets users who authenticated via JWT create rooms, and guests can join if they have the link, without providing the JWT. It works perfectly, but if the authenticated user tries to create any other room, he will be able to do it, even though he is restricted with the token_verification module at the conference.domain.com component. Am I missing something? My configuration is set up like this:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

asap_accepted_issuers = { "jitsi", "domain" }

VirtualHost "jitsi.domain.com"
    authentication = "token";
    app_id="###";
    app_secret="###";

    allow_empty_token = false;
    ssl = {
        key = "/etc/prosody/certs/jitsi.domain.com.key";
        certificate = "/etc/prosody/certs/jitsi.domain.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false

Component "conference.jitsi.domain.com" "muc"
    storage = "null"
    modules_enabled = { "token_verification" }
    restrict_room_creation = true
    admins = { "focus@auth.jitsi.domain.com" }

Component "jitsi-videobridge.jitsi.domain.com"
    component_secret = "###"

VirtualHost "auth.jitsi.domain.com"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.domain.com.key";
        certificate = "/etc/prosody/certs/auth.jitsi.domain.com.crt";
    }
    authentication = "internal_plain"
    c2s_require_encryption = false

VirtualHost "guest.jitsi.domain.com"
    authentication = "token"
    app_id="###";
    app_secret="###";
    c2s_require_encryption = false
    allow_empty_token = true;

Component "focus.jitsi.domain.com"
    component_secret = "###"

I added the domain to the jicofo init arguments; analysing it, it seems that it uses the already authenticated session id of the user and then uses the auth domain to create a room and the guest domain to join. It's related to this post: https://community.jitsi.org/t/jwt-tokens-and-guest-access/18119

You are mixing both auth mechanisms; you need to remove the guest virtualhost and its configs and set allow_empty_token = true; this is the guest mode of JWT.


Setting it like this makes users without a token create rooms too; just typing jitsi.domain.com/roomname will create a room without any restriction.

Yep, this is allow empty token. JWT does not have such a restriction … in the case of secure-domain it's jicofo restricting this, but jicofo has no idea about JWT …
You can implement this easily with a simple prosody module.
If there is no token and there is no such room created: reject the request. There are plenty of examples in prosody modules shipped with jitsi-meet, like:


Here you can get the room name from the URL and check whether it exists. The room is obtained like this: https://github.com/jitsi/jitsi-meet/blob/d12afc5c071184a61c8e42578be21e84ef9b6324/resources/prosody-plugins/mod_muc_size.lua#L141
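One way to express the "no token and no such room yet: reject" rule from the reply above, as an added example that is not code from the thread or from jitsi-meet. Instead of reading the room from the BOSH URL, it hooks the MUC join on the conference component and treats a room whose only occupants are admins (jicofo, which joins first on every conference request) as not yet opened by a host; it assumes jitsi-meet's mod_auth_token storing the verified JWT as session.auth_token, Prosody 0.11's room:each_occupant() API, and the admins list from the config earlier in the thread.

```lua
-- mod_guest_join_existing.lua: constructed example for this thread, not code
-- from jitsi-meet or from any poster. Load it on the MUC component beside
-- token_verification:
--   Component "conference.jitsi.domain.com" "muc"
--       modules_enabled = { "token_verification"; "guest_join_existing" }
local st = require "util.stanza";
local jid_bare = require "util.jid".bare;
local is_admin = require "core.usermanager".is_admin;

-- A room counts as "created by a host" only once someone other than an admin
-- (jicofo is listed in admins) is in it; jicofo itself always joins first.
local function has_non_admin_occupant(room)
    for _, occupant in room:each_occupant() do
        if not is_admin(occupant.bare_jid, module.host) then
            return true;
        end
    end
    return false;
end

module:hook("muc-occupant-pre-join", function (event)
    local origin, room, stanza = event.origin, event.room, event.stanza;
    local from = jid_bare(stanza.attr.from);

    -- jicofo and other admins are never restricted
    if is_admin(from, module.host) then return nil; end

    -- token present: mod_token_verification already checks the room claim,
    -- so authenticated users keep their existing rights here
    if origin.auth_token ~= nil then return nil; end

    -- guest (allow_empty_token): only admitted to a room a host already opened
    if not has_non_admin_occupant(room) then
        module:log("info", "Guest %s refused: room %s has no host yet", from, room.jid);
        origin.send(st.error_reply(stanza, "auth", "not-authorized",
            "Wait for the host to start this room"));
        return true;  -- returning true aborts the join in mod_muc
    end
end, 10);
```

As the later replies in this thread note, the client receives this as a plain join error unless lib-jitsi-meet is taught to retry on it.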

Okay, so that worked pretty well for restricting the creation of more rooms, but there's a little problem: if a user without a token tries to enter a nonexistent room, it will directly prompt for the username and password, instead of showing the message that the host hasn't joined yet, and so it won't keep trying to reconnect. Is it because there is no guest domain, or maybe it could not reach the phase of pre-joining the room and creating a session id?

So the short answer is this is not implemented.

So the flow is the following: when a client is opened it connects to the xmpp server using bosh (A) and sends an IQ message to jicofo requesting to join a room. Jicofo is the one creating the room, and when it returns a positive answer to the client, the client joins the room.

The host flow works like this: jicofo answers with 'not-authorized', so the client waits and uses the same IQ every 5 seconds till the host arrives and a positive answer is received: https://github.com/jitsi/lib-jitsi-meet/blob/5a9fc76739bcf0bed50676c7be160f688f3a19b5/modules/xmpp/moderator.js#L435

There is no such logic for JWT, and if you had added the rejection logic in bosh-session, you are basically rejecting the initial xmpp connection (A). The quickest way is to send a specific error reason or something so you can differentiate this situation, and add custom code in lib-jitsi-meet to retry this every 5 seconds … and probably you can reuse the same events and logic as the already existing logic for secure domain and make it work …

Hi,
would you share your solution? I have a similar problem: allow users with tokens to create rooms and let guests (without token) join an already created room but not create new ones.
Since lua is new to me, I don't really know where to start.


Hello @rverst and everyone else looking for a solution for this,

since I stumbled upon this post today, trying to achieve the same as you:
please see this issue on github about this: https://github.com/jitsi/docker-jitsi-meet/issues/143
Specifically the change in this pull request: https://github.com/jitsi/jitsi-meet/pull/5025

The added line in mod_auth_token.lua will provide exactly what you need.


I actually don't have access to the workaround that I made; the only thing I remember is that it was a configuration in the jicofo properties file :confused:

Hello @Jaffex, I can’t get it working. Is it possible to achieve this with docker-jitsi-meet?

Hey @Rustam_Akhmedov, yes, it should work with the latest docker image.


Can anyone solve this error?

Check your prosody for errors.

I have it working by configuring it this way.

@Jaffex
Users, once authenticated with one token for a specific room, are still able to open any other room without a JWT, just using domain.jitsi.co/roomname.
This is happening because of the sessionId variable in the localStorage. I am using the IFrame API so I can’t seem to delete the sessionId from localStorage other than using some hacky ways.

I am also using this with docker-jitsi-meet. How did you get around the session id issue? Any help would be appreciated.