Welcome Page exposes JWT tokens

Hi everyone,

I just set up a self-hosted Jitsi server with JWT token support, so to join any room the user needs a valid JWT token specifically for that room. This all seems to work very well for me.

But I just noticed: there is this list of recent rooms on the welcome page, and when I click on one, the link contains the JWT token that was used to create/join the room! This means that even though I set up authentication via JWT tokens, anyone can join any room.
I know I can disable the welcome page, but I still find it concerning that the JWT tokens are saved and even exposed.

  • The content of the welcome page depends on the user. Nobody can get your token because their welcome page is different.

  • You can put an expiry time into the token
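As an added illustration of the second point (not code from the thread or from the Jitsi project), the following Python example mints an HS256 JWT bound to one room with an `exp` claim and then verifies it, rejecting tokens that are expired, issued for a different room, or tampered with. The secret, the `example-app` issuer/audience value and the minimal claim set are constructed assumptions for this example; a real Jitsi deployment uses the app secret and claim set its token authentication plugin is configured for.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholders for this example; a real deployment uses the
# shared secret and app id configured on the server.
APP_SECRET = b"constructed-example-secret-not-for-production"
APP_ID = "example-app"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_room_token(room: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Create an HS256 JWT that is valid only for `room` and only until now + ttl."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": APP_ID, "aud": APP_ID, "room": room, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_room_token(token: str, room: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(APP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison, then decode only what was signed.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSON errors
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # A leaked token becomes useless once its expiry has passed.
    if "exp" not in payload or now >= payload["exp"]:
        return False, "expired"
    # A token for one room must not open another.
    if payload.get("room") != room:
        return False, "wrong room"
    return True, "ok"


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_room_token("weekly-sync", ttl_seconds=300, now=issued_at)
    print("fresh:", verify_room_token(token, "weekly-sync", now=issued_at + 60))
    print("after expiry:", verify_room_token(token, "weekly-sync", now=issued_at + 600))
    print("other room:", verify_room_token(token, "other-room", now=issued_at + 60))
```

The order of checks matters: the signature is verified before the claims are parsed, so nothing in an unsigned or forged payload (including a rewritten `room` or `exp`) is ever acted on. A short `ttl_seconds` limits how long a token that ends up in a browser's recent-room list can still be replayed.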

To add more details: the saved entries on the welcome page are stored in the browser's local storage, so this information is available to users connected on the same computer.

This could be a real problem only on publicly accessible computers, such as in a library.

If such a problem could be of concern, it's advised to either disable the saving of this information at the server level (config.js, doNotStoreRoom: false) OR to advise users to clear browser data after logging out.

Okay, that makes sense, I should have spent some more time investigating :wink:
Thank you!