Member "jitsi-meet-7555/resources/prosody-plugins/mod_token_verification.lua" (28 Sep 2023, 4848 Bytes) of package /linux/misc/jitsi-meet-7555.tar.gz:
1 -- Token authentication
2 -- Copyright (C) 2021-present 8x8, Inc.
4 local log = module._log;
5 local host = module.host;
6 local st = require "util.stanza";
7 local um_is_admin = require "core.usermanager".is_admin;
8 local jid_split = require 'util.jid'.split;
9 local jid_bare = require 'util.jid'.bare;
--- Report whether a JID is an administrator of this module's host.
-- Thin wrapper that fixes the host argument of usermanager's is_admin to
-- `host`, so callers in this file only pass the JID.
-- @param jid JID to check
-- @return whatever usermanager's is_admin returns for (jid, host)
local function is_admin(jid)
    return um_is_admin(jid, host);
end
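-- Derive the parent (main) virtual host by dropping the first DNS label of
-- this component's host, e.g. (constructed example)
-- "conference.example.com" -> "example.com".
-- The pattern is anchored and its dot is escaped. The earlier unanchored
-- "%w+.(%w.+)" treated "." as "any character" and "%w" excludes "-", so a
-- first label such as "internal-muc" (constructed example) produced
-- "muc.example.com" as the parent, and the token settings would then have
-- been looked up on the wrong host.
local parentHostName = string.match(tostring(host), "^[^.]+%.(.+)$");
if parentHostName == nil then
    module:log("error", "Failed to start - unable to get parent hostname");
    return;
end

-- Module API object bound to the parent host; the token settings are read
-- through it rather than through this component's own host.
local parentCtx = module:context(parentHostName);
if parentCtx == nil then
    module:log("error",
        "Failed to start - unable to get parent context for host: %s",
        tostring(parentHostName));
    return;
end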
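-- Token helper built from the parent host's context.
local token_util = module:require "token/util".new(parentCtx);

-- no token configuration: leave the module inactive
if token_util == nil then
    return;
end

-- The application secret itself is deliberately not logged. It is the key
-- material tokens are checked against, and log files are typically readable
-- by more people and systems than the Prosody configuration. Only whether a
-- secret is configured is reported.
module:log("debug",
    "%s - starting MUC token verifier app_id: %s app_secret set: %s allow empty: %s",
    tostring(host), tostring(token_util.appId), tostring(token_util.appSecret ~= nil),
    tostring(token_util.allowEmptyToken));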
-- When set, guests that did not present a token may not modify the room
-- (i.e. may not send the MUC owner configuration form).
local require_token_for_moderation;
-- Domains or bare JIDs that skip token verification entirely. Every entry
-- is an exemption from authentication, so keep this set as small as possible.
local allowlist;

--- (Re)read this module's options from the Prosody configuration.
-- Called once at load time and again on every 'config-reloaded' event.
local function load_config()
    allowlist = module:get_option_set("token_verification_allowlist", {});
    require_token_for_moderation =
        module:get_option_boolean("token_verification_require_token_for_moderation");
end
load_config();
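--- Decide whether the sender of a MUC create/join stanza may enter the room.
-- Admins of this host and senders matched by the allowlist (by domain or by
-- bare JID) are accepted without a token check. Everyone else must pass
-- token_util:verify_room for the target room; on failure a "not-allowed"
-- error reply is sent on the session.
-- The value of session.auth_token is never written to the log: it is the
-- credential the room check relies on, and the rejection path logs at
-- "error" level, which is normally enabled in production.
-- @param session originating session (event.origin of the hook)
-- @param stanza stanza being processed; attr.from is the user, attr.to the room
-- @return true when the user is allowed, false when the request was rejected
local function verify_user(session, stanza)
    -- Record only whether a token is present, not the token itself.
    module:log("debug", "Session token present: %s, session room: %s",
        tostring(session.auth_token ~= nil),
        tostring(session.jitsi_meet_room));

    local user_jid = stanza.attr.from;
    local room_jid = stanza.attr.to;

    -- token not required for admin users
    if is_admin(user_jid) then
        module:log("debug", "Token not required from admin user: %s", user_jid);
        return true;
    end

    -- token not required for users matching the allow list, either by
    -- domain or by bare JID
    -- NOTE(review): this trusts stanza.attr.from; confirm it is always the
    -- server-stamped sender on every path that reaches these hooks.
    local user_bare_jid = jid_bare(user_jid);
    local _, user_domain = jid_split(user_jid);
    if allowlist:contains(user_domain) or allowlist:contains(user_bare_jid) then
        module:log("debug", "Token not required from user in allow list: %s", user_jid);
        return true;
    end

    module:log("debug",
        "Will verify token for user: %s, room: %s ", user_jid, room_jid);
    if not token_util:verify_room(session, room_jid) then
        -- Identify the rejected request by sender and room instead of by token.
        module:log("error", "Token from %s not allowed to join: %s",
            tostring(user_jid), tostring(room_jid));
        session.send(
            st.error_reply(
                stanza, "cancel", "not-allowed", "Room and token mismatched"));
        return false; -- callers only test truthiness and halt the event themselves
    end
    module:log("debug", "allowed: %s to enter/create room: %s", user_jid, room_jid);
    return true;
end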
-- Gate room creation on verify_user. Registered with priority 99.
module:hook("muc-room-pre-create", function(event)
    local session = event.origin;
    local request = event.stanza;
    module:log("debug", "pre create: %s %s", tostring(session), tostring(request));
    if verify_user(session, request) then
        return; -- allowed: return nothing so event processing continues
    end
    -- Rejected: any non-nil return value halts processing of the event.
    return true;
end, 99);
-- Gate joining an existing room on verify_user. Registered with priority 99.
module:hook("muc-occupant-pre-join", function(event)
    local session = event.origin;
    local request = event.stanza;
    -- The room is only needed for the debug line below.
    module:log("debug", "pre join: %s %s", tostring(event.room), tostring(request));
    if verify_user(session, request) then
        return; -- allowed: return nothing so event processing continues
    end
    -- Rejected: any non-nil return value halts processing of the event.
    return true;
end, 99);
do
    --- Reject MUC owner queries (room configuration) from guests.
    -- Does nothing unless require_token_for_moderation is set, and never
    -- blocks admins (focus). Otherwise a session lacking a token or a
    -- verified room gets a "not-allowed" error and the event is halted.
    local function reject_guest_owner_query(event)
        local session, stanza = event.origin, event.stanza;

        -- Pass through (default behaviour) when the option is off or the
        -- request comes from an admin (focus).
        local enforce = require_token_for_moderation and not is_admin(stanza.attr.from);
        if not enforce then
            return;
        end

        -- jitsi_meet_room is set after the token had been verified
        if session.auth_token and session.jitsi_meet_room then
            return;
        end

        session.send(
            st.error_reply(
                stanza, "cancel", "not-allowed", "Room modification disabled for guests"));
        return true;
    end

    -- Only the keys (event names) are used; the mapped values are not read.
    for event_name in pairs {
        -- Normal room interactions
        ["iq-set/bare/http://jabber.org/protocol/muc#owner:query"] = "handle_owner_query_set_to_room",
        -- Host room
        ["iq-set/host/http://jabber.org/protocol/muc#owner:query"] = "handle_owner_query_set_to_room",
    } do
        module:hook(event_name, reject_guest_owner_query, -1); -- the default prosody hook is on -2
    end
end
-- Re-read the allowlist and the moderation option whenever the
-- configuration is reloaded, so changes apply without reloading the module.
module:hook_global("config-reloaded", load_config);