jiti-meet/react/features/base/jwt/functions.js

/* @flow */

import jwtDecode from 'jwt-decode';

import { parseURLParams } from '../util';

import { MEET_FEATURES } from './constants';

/**
 * Retrieves the JSON Web Token (JWT), if any, defined by a specific
 * {@link URL}.
 *
 * @param {URL} url - The {@code URL} to parse and retrieve the JSON Web Token
 * (JWT), if any, from.
 * @returns {string} The JSON Web Token (JWT), if any, defined by the specified
 * {@code url}; otherwise, {@code undefined}.
 */
export function parseJWTFromURLParams(url: URL = window.location) {
    return parseURLParams(url, true, 'search').jwt;
}

/**
 * Returns the user name after decoding the jwt.
 *
 * @param {Object} state - The app state.
 * @returns {string}
 */
export function getJwtName(state: Object) {
    const { user } = state['features/base/jwt'];

    return user?.name;
}

/**
 * Checks whether a given timestamp is a valid UNIX timestamp in seconds.
 * We convert to miliseconds during the check since `Date` works with miliseconds for UNIX timestamp values.
 *
 * @param {any} timestamp - A UNIX timestamp in seconds as stored in the jwt.
 * @returns {boolean} - Whether the timestamp is indeed a valid UNIX timestamp or not.
 */
function isValidUnixTimestamp(timestamp: any) {
    return typeof timestamp === 'number' && timestamp * 1000 === new Date(timestamp * 1000).getTime();
}

/**
 * Returns a list with all validation errors for the given jwt.
 *
 * @param {string} jwt - The jwt.
 * @returns {Array<string>} - An array containing all jwt validation errors.
 */
export function validateJwt(jwt: string) {
    const errors = [];

    if (!jwt) {
        return errors;
    }

    const currentTimestamp = new Date().getTime();

    try {
        const header = jwtDecode(jwt, { header: true });
        const payload = jwtDecode(jwt);

        if (!header || !payload) {
            errors.push('- Missing header or payload');

            return errors;
        }

        const { kid } = header;

        // if Key ID is missing, we return the error immediately without further validations.
        if (!kid) {
            errors.push('- Key ID(kid) missing');

            return errors;
        }

        // JaaS only
        if (kid.startsWith('vpaas-magic-cookie')) {
            if (kid.substring(0, header.kid.indexOf('/')) !== payload.sub) {
                errors.push('- Key ID(kid) does not match sub');
            }
            if (payload.aud !== 'jitsi') {
                errors.push('- invalid `aud` value. It should be `jitsi`');
            }

            if (payload.iss !== 'chat') {
                errors.push('- invalid `iss` value. It should be `chat`');
            }

            if (!payload.context?.features) {
                errors.push('- `features` object is missing from the payload');
            }
        }

        if (!isValidUnixTimestamp(payload.nbf)) {
            errors.push('- invalid `nbf` value');
        } else if (currentTimestamp < payload.nbf * 1000) {
            errors.push('- `nbf` value is in the future');
        }

        if (!isValidUnixTimestamp(payload.exp)) {
            errors.push('- invalid `exp` value');
        } else if (currentTimestamp > payload.exp * 1000) {
            errors.push('- token is expired');
        }

        if (!payload.context) {
            errors.push('- `context` object is missing from the payload');
        } else if (payload.context.features) {
            const { features } = payload.context;

            Object.keys(features).forEach(feature => {
                if (MEET_FEATURES.includes(feature)) {
                    const featureValue = features[feature];

                    // cannot use truthy or falsy because we need the exact value and type check.
                    if (
                        featureValue !== true
                        && featureValue !== false
                        && featureValue !== 'true'
                        && featureValue !== 'false'
                    ) {
                        errors.push(`- Invalid value for feature: ${feature}`);
                    }
                } else {
                    errors.push(`- Invalid feature: ${feature}`);
                }
            });
        }
    } catch (e) {
        errors.push(e ? e.message : '- unspecified jwt error');
    }

    return errors;
}
Fix the initialization of the (external) API The counterpart of the external API in the Jitsi Meet Web app uses the search URL param jwt to heuristically detect that the Web app is very likely embedded (as an iframe) and, consequently, needs to forcefully enable itself. It was looking at whether there was a JSON Web Token (JWT) but that logic got broken when the JWT support was rewritten because the check started happening before the search URL param jwt was parsed. 2017-05-26 22:11:33 +00:00			`/* @flow */`

feat(jwt) log jwt validation errors 2021-03-17 09:30:42 +00:00			`import jwtDecode from 'jwt-decode';`

feat(reload): Preserve local track mute state. 2020-05-07 22:26:37 +00:00			`import { parseURLParams } from '../util';`
Fix the initialization of the (external) API The counterpart of the external API in the Jitsi Meet Web app uses the search URL param jwt to heuristically detect that the Web app is very likely embedded (as an iframe) and, consequently, needs to forcefully enable itself. It was looking at whether there was a JSON Web Token (JWT) but that logic got broken when the JWT support was rewritten because the check started happening before the search URL param jwt was parsed. 2017-05-26 22:11:33 +00:00
feat(jwt) log jwt validation errors 2021-03-17 09:30:42 +00:00			`import { MEET_FEATURES } from './constants';`

Fix the initialization of the (external) API The counterpart of the external API in the Jitsi Meet Web app uses the search URL param jwt to heuristically detect that the Web app is very likely embedded (as an iframe) and, consequently, needs to forcefully enable itself. It was looking at whether there was a JSON Web Token (JWT) but that logic got broken when the JWT support was rewritten because the check started happening before the search URL param jwt was parsed. 2017-05-26 22:11:33 +00:00			`/**`
			`* Retrieves the JSON Web Token (JWT), if any, defined by a specific`
			`* {@link URL}.`
			`*`
			`* @param {URL} url - The {@code URL} to parse and retrieve the JSON Web Token`
			`* (JWT), if any, from.`
			`* @returns {string} The JSON Web Token (JWT), if any, defined by the specified`
			`* {@code url}; otherwise, {@code undefined}.`
			`*/`
			`export function parseJWTFromURLParams(url: URL = window.location) {`
			`return parseURLParams(url, true, 'search').jwt;`
			`}`
feat(prejoin): Add name from jwt to prejoin screen 2020-10-26 11:53:44 +00:00
			`/**`
			`* Returns the user name after decoding the jwt.`
			`*`
			`* @param {Object} state - The app state.`
			`* @returns {string}`
			`*/`
			`export function getJwtName(state: Object) {`
feat: Profile tab does not depend on isGuest. Introduced a config property to disable profile. 2020-11-05 17:35:03 +00:00			`const { user } = state['features/base/jwt'];`
feat(prejoin): Add name from jwt to prejoin screen 2020-10-26 11:53:44 +00:00
fix(prejoin): Don't overwrite display name with '' 2021-03-10 19:36:32 +00:00			`return user?.name;`
feat(prejoin): Add name from jwt to prejoin screen 2020-10-26 11:53:44 +00:00			`}`
feat(jwt) log jwt validation errors 2021-03-17 09:30:42 +00:00
			`/**`
			`* Checks whether a given timestamp is a valid UNIX timestamp in seconds.`
			* We convert to miliseconds during the check since `Date` works with miliseconds for UNIX timestamp values.
			`*`
			`* @param {any} timestamp - A UNIX timestamp in seconds as stored in the jwt.`
			`* @returns {boolean} - Whether the timestamp is indeed a valid UNIX timestamp or not.`
			`*/`
			`function isValidUnixTimestamp(timestamp: any) {`
			`return typeof timestamp === 'number' && timestamp * 1000 === new Date(timestamp * 1000).getTime();`
			`}`

			`/**`
			`* Returns a list with all validation errors for the given jwt.`
			`*`
			`* @param {string} jwt - The jwt.`
			`* @returns {Array<string>} - An array containing all jwt validation errors.`
			`*/`
			`export function validateJwt(jwt: string) {`
			`const errors = [];`

			`if (!jwt) {`
			`return errors;`
			`}`

			`const currentTimestamp = new Date().getTime();`

			`try {`
			`const header = jwtDecode(jwt, { header: true });`
			`const payload = jwtDecode(jwt);`

			`if (!header \|\| !payload) {`
			`errors.push('- Missing header or payload');`

			`return errors;`
			`}`

			`const { kid } = header;`

			`// if Key ID is missing, we return the error immediately without further validations.`
			`if (!kid) {`
			`errors.push('- Key ID(kid) missing');`

			`return errors;`
			`}`

			`// JaaS only`
			`if (kid.startsWith('vpaas-magic-cookie')) {`
			`if (kid.substring(0, header.kid.indexOf('/')) !== payload.sub) {`
			`errors.push('- Key ID(kid) does not match sub');`
			`}`
			`if (payload.aud !== 'jitsi') {`
			errors.push('- invalid `aud` value. It should be `jitsi`');
			`}`

			`if (payload.iss !== 'chat') {`
			errors.push('- invalid `iss` value. It should be `chat`');
			`}`

			`if (!payload.context?.features) {`
			errors.push('- `features` object is missing from the payload');
			`}`
			`}`

			`if (!isValidUnixTimestamp(payload.nbf)) {`
			errors.push('- invalid `nbf` value');
			`} else if (currentTimestamp < payload.nbf * 1000) {`
			errors.push('- `nbf` value is in the future');
			`}`

			`if (!isValidUnixTimestamp(payload.exp)) {`
			errors.push('- invalid `exp` value');
			`} else if (currentTimestamp > payload.exp * 1000) {`
			`errors.push('- token is expired');`
			`}`

			`if (!payload.context) {`
			errors.push('- `context` object is missing from the payload');
			`} else if (payload.context.features) {`
			`const { features } = payload.context;`

			`Object.keys(features).forEach(feature => {`
			`if (MEET_FEATURES.includes(feature)) {`
			`const featureValue = features[feature];`

			`// cannot use truthy or falsy because we need the exact value and type check.`
			`if (`
			`featureValue !== true`
			`&& featureValue !== false`
			`&& featureValue !== 'true'`
			`&& featureValue !== 'false'`
			`) {`
			errors.push(`- Invalid value for feature: ${feature}`);
			`}`
			`} else {`
			errors.push(`- Invalid feature: ${feature}`);
			`}`
			`});`
			`}`
			`} catch (e) {`
			`errors.push(e ? e.message : '- unspecified jwt error');`
			`}`

			`return errors;`
			`}`