jiti-meet/resources/prosody-plugins/mod_auth_token.lua

-- Token authentication
-- Copyright (C) 2021-present 8x8, Inc.

local formdecode = require "util.http".formdecode;
local generate_uuid = require "util.uuid".generate;
local new_sasl = require "util.sasl".new;
local sasl = require "util.sasl";
local token_util = module:require "token/util".new(module);
local sessions = prosody.full_sessions;

-- no token configuration
if token_util == nil then
    return;
end

module:depends("jitsi_session");

-- define auth provider
local provider = {};

local host = module.host;

-- Extract 'token' param from URL when session is created
function init_session(event)
	local session, request = event.session, event.request;
	local query = request.url.query;

	if query ~= nil then
        local params = formdecode(query);

        -- The following fields are filled in the session, by extracting them
        -- from the query and no validation is being done.
        -- After validating auth_token will be cleaned in case of error and few
        -- other fields will be extracted from the token and set in the session

        session.auth_token = query and params.token or nil;
    end
end

module:hook_global("bosh-session", init_session);
module:hook_global("websocket-session", init_session);

function provider.test_password(username, password)
	return nil, "Password based auth not supported";
end

function provider.get_password(username)
	return nil;
end

function provider.set_password(username, password)
	return nil, "Set password not supported";
end

function provider.user_exists(username)
	return nil;
end

function provider.create_user(username, password)
	return nil;
end

function provider.delete_user(username)
	return nil;
end

function provider.get_sasl_handler(session)

	local function get_username_from_token(self, message)

        -- retrieve custom public key from server and save it on the session
        local pre_event_result = prosody.events.fire_event("pre-jitsi-authentication-fetch-key", session);
        if pre_event_result ~= nil and pre_event_result.res == false then
            log("warn",
                "Error verifying token on pre authentication stage:%s, reason:%s", pre_event_result.error, pre_event_result.reason);
            session.auth_token = nil;
            return pre_event_result.res, pre_event_result.error, pre_event_result.reason;
        end

        local res, error, reason = token_util:process_and_verify_token(session);
        if res == false then
            log("warn",
                "Error verifying token err:%s, reason:%s", error, reason);
            session.auth_token = nil;
            return res, error, reason;
        end

        local shouldAllow = prosody.events.fire_event("jitsi-access-ban-check", session);
        if shouldAllow == false then
            log("warn", "user is banned")
            return false, "not-allowed", "user is banned";
        end

        local customUsername
            = prosody.events.fire_event("pre-jitsi-authentication", session);

        if (customUsername) then
            self.username = customUsername;
        elseif (session.previd ~= nil) then
            for _, session1 in pairs(sessions) do
                if (session1.resumption_token == session.previd) then
                    self.username = session1.username;
                    break;
                end
            end
        else
            self.username = message;
        end

        local post_event_result = prosody.events.fire_event("post-jitsi-authentication", session);
        if post_event_result ~= nil and post_event_result.res == false then
            log("warn",
                "Error verifying token on post authentication stage :%s, reason:%s", post_event_result.error, post_event_result.reason);
            session.auth_token = nil;
            return post_event_result.res, post_event_result.error, post_event_result.reason;
        end

        return res;
	end

	return new_sasl(host, { anonymous = get_username_from_token });
end

module:provides("auth", provider);

local function anonymous(self, message)

	local username = generate_uuid();

	-- This calls the handler created in 'provider.get_sasl_handler(session)'
	local result, err, msg = self.profile.anonymous(self, username, self.realm);

	if result == true then
		if (self.username == nil) then
			self.username = username;
		end
		return "success";
	else
		return "failure", err, msg;
	end
end

sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`-- Token authentication`
feat: jitsi_session: extracts URL parameters from BOSH or WS into session Co-authored-by: Saúl Ibarra Corretgé <saghul@jitsi.org> 2021-05-13 03:02:51 +00:00			`-- Copyright (C) 2021-present 8x8, Inc.`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00
Add basic ASAP support to mod_auth_token See: http://s2sauth.bitbucket.org/ 2016-08-23 19:42:49 +00:00			`local formdecode = require "util.http".formdecode;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local generate_uuid = require "util.uuid".generate;`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`local new_sasl = require "util.sasl".new;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local sasl = require "util.sasl";`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00			`local token_util = module:require "token/util".new(module);`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`local sessions = prosody.full_sessions;`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00
			`-- no token configuration`
			`if token_util == nil then`
			`return;`
			`end`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00
feat: jitsi_session: extracts URL parameters from BOSH or WS into session Co-authored-by: Saúl Ibarra Corretgé <saghul@jitsi.org> 2021-05-13 03:02:51 +00:00			`module:depends("jitsi_session");`

Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`-- define auth provider`
			`local provider = {};`

New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local host = module.host;`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00
initial session for bosh and websockets (#5006) * hook on websocket events * initial session for bosh and websockets 2020-01-24 14:59:29 +00:00			`-- Extract 'token' param from URL when session is created`
			`function init_session(event)`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local session, request = event.session, event.request;`
			`local query = request.url.query;`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`if query ~= nil then`
Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00			`local params = formdecode(query);`
Lobby required displayname (#7197) * ref: Rename jitsi_bosh_query_room to jitsi_web_query_room. This is no longer bosh only and is available for both bosh and websocket sessions. * feat: Adds feature to disco-info indicating that display name is required. * feat: Adds option to disable checking whether display name is required. * ref: Clears auth_token when verification fails. * squash: Fixing comments. * squash: Updates to latest lib-jitsi-meet. 2020-06-30 13:15:08 +00:00
			`-- The following fields are filled in the session, by extracting them`
fix(misc) fix typos Found via `codespell -q 3 -S ./lang -L miliseconds` 2022-07-14 07:10:08 +00:00			`-- from the query and no validation is being done.`
Lobby required displayname (#7197) * ref: Rename jitsi_bosh_query_room to jitsi_web_query_room. This is no longer bosh only and is available for both bosh and websocket sessions. * feat: Adds feature to disco-info indicating that display name is required. * feat: Adds option to disable checking whether display name is required. * ref: Clears auth_token when verification fails. * squash: Fixing comments. * squash: Updates to latest lib-jitsi-meet. 2020-06-30 13:15:08 +00:00			`-- After validating auth_token will be cleaned in case of error and few`
			`-- other fields will be extracted from the token and set in the session`

Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00			`session.auth_token = query and params.token or nil;`
			`end`
initial session for bosh and websockets (#5006) * hook on websocket events * initial session for bosh and websockets 2020-01-24 14:59:29 +00:00			`end`

debian: updates around coturn package and order of install (#5729) * debian: Update coturn udp port to non-privileged one. * debian: Turnserver config requires jitsi-meet-web-config files. * doc: Updates doc, removing `--no-install-recommends`. * debian: Moves checks and configs to default to prosody 0.11. * debian: Disable room locking on internal muc. * add scripts for deploying coturn with certbot * turnserver: Removes unused variable showing error. * debian: updates let's encrypt and coturn scripts. * debian: Detect failure to retrieve external ip address. * debian: Always configure turn when the turnserver package is installed. Co-authored-by: Julien Fastré <julien.fastre@champs-libres.coop> 2020-04-08 18:06:49 +00:00			`module:hook_global("bosh-session", init_session);`
			`module:hook_global("websocket-session", init_session);`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00
			`function provider.test_password(username, password)`
			`return nil, "Password based auth not supported";`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`end`

			`function provider.get_password(username)`
			`return nil;`
			`end`

			`function provider.set_password(username, password)`
			`return nil, "Set password not supported";`
			`end`

			`function provider.user_exists(username)`
			`return nil;`
			`end`

			`function provider.create_user(username, password)`
			`return nil;`
			`end`

			`function provider.delete_user(username)`
			`return nil;`
			`end`

New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`function provider.get_sasl_handler(session)`

			`local function get_username_from_token(self, message)`
Installs required basexx when token package is installed. Fixes #1870. Adds some debug messages when token verification fails for some reason. 2017-08-08 13:48:18 +00:00
Add pre and post validation for users that want to use their own public keys 2020-08-11 14:29:34 +00:00			`-- retrieve custom public key from server and save it on the session`
Solve review issues and add retries for http call 2020-08-14 12:06:14 +00:00			`local pre_event_result = prosody.events.fire_event("pre-jitsi-authentication-fetch-key", session);`
			`if pre_event_result ~= nil and pre_event_result.res == false then`
			`log("warn",`
			`"Error verifying token on pre authentication stage:%s, reason:%s", pre_event_result.error, pre_event_result.reason);`
			`session.auth_token = nil;`
			`return pre_event_result.res, pre_event_result.error, pre_event_result.reason;`
Installs required basexx when token package is installed. Fixes #1870. Adds some debug messages when token verification fails for some reason. 2017-08-08 13:48:18 +00:00			`end`
Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00
Add pre and post validation for users that want to use their own public keys 2020-08-11 14:29:34 +00:00			`local res, error, reason = token_util:process_and_verify_token(session);`
Solve review issues and add retries for http call 2020-08-14 12:06:14 +00:00			`if res == false then`
			`log("warn",`
			`"Error verifying token err:%s, reason:%s", error, reason);`
			`session.auth_token = nil;`
			`return res, error, reason;`
			`end`
Add pre and post validation for users that want to use their own public keys 2020-08-11 14:29:34 +00:00
call module that checks the jwt against the access service 2021-10-04 10:19:41 +00:00			`local shouldAllow = prosody.events.fire_event("jitsi-access-ban-check", session);`
			`if shouldAllow == false then`
			`log("warn", "user is banned")`
			`return false, "not-allowed", "user is banned";`
			`end`

Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00			`local customUsername`
			`= prosody.events.fire_event("pre-jitsi-authentication", session);`

			`if (customUsername) then`
			`self.username = customUsername;`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`elseif (session.previd ~= nil) then`
			`for _, session1 in pairs(sessions) do`
			`if (session1.resumption_token == session.previd) then`
			`self.username = session1.username;`
			`break;`
			`end`
feat(ci) add luacheck 2023-01-24 13:58:43 +00:00			`end`
Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00			`else`
			`self.username = message;`
			`end`

Solve review issues and add retries for http call 2020-08-14 12:06:14 +00:00			`local post_event_result = prosody.events.fire_event("post-jitsi-authentication", session);`
			`if post_event_result ~= nil and post_event_result.res == false then`
			`log("warn",`
			`"Error verifying token on post authentication stage :%s, reason:%s", post_event_result.error, post_event_result.reason);`
			`session.auth_token = nil;`
			`return post_event_result.res, post_event_result.error, post_event_result.reason;`
Add pre and post validation for users that want to use their own public keys 2020-08-11 14:29:34 +00:00			`end`

Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00			`return res;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`end`

			`return new_sasl(host, { anonymous = get_username_from_token });`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`end`

			`module:provides("auth", provider);`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00
			`local function anonymous(self, message)`

			`local username = generate_uuid();`

			`-- This calls the handler created in 'provider.get_sasl_handler(session)'`
			`local result, err, msg = self.profile.anonymous(self, username, self.realm);`

			`if result == true then`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`if (self.username == nil) then`
			`self.username = username;`
			`end`
mod_auth_token: Add semicolons Remove unnecessary cjson config 2016-08-29 14:39:47 +00:00			`return "success";`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`else`
mod_auth_token: Add semicolons Remove unnecessary cjson config 2016-08-29 14:39:47 +00:00			`return "failure", err, msg;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`end`
			`end`

			`sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);`