jiti-meet/resources/prosody-plugins/mod_auth_token.lua

-- Token authentication
-- Copyright (C) 2015 Atlassian

local formdecode = require "util.http".formdecode;
local generate_uuid = require "util.uuid".generate;
local new_sasl = require "util.sasl".new;
local sasl = require "util.sasl";
local token_util = module:require "token/util".new(module);
local sessions = prosody.full_sessions;

-- no token configuration
if token_util == nil then
    return;
end

-- define auth provider
local provider = {};

local host = module.host;

-- Extract 'token' param from URL when session is created
function init_session(event)
	local session, request = event.session, event.request;
	local query = request.url.query;

	if query ~= nil then
        local params = formdecode(query);
        session.auth_token = query and params.token or nil;
        -- previd is used together with https://modules.prosody.im/mod_smacks.html
        -- the param is used to find resumed session and re-use anonymous(random) user id
        -- (see get_username_from_token)
        session.previd = query and params.previd or nil;

        -- The room name and optional prefix from the bosh query
        session.jitsi_bosh_query_room = params.room;
        session.jitsi_bosh_query_prefix = params.prefix or "";
    end
end

module:hook_global("bosh-session", init_session);
module:hook_global("websocket-session", init_session);

function provider.test_password(username, password)
	return nil, "Password based auth not supported";
end

function provider.get_password(username)
	return nil;
end

function provider.set_password(username, password)
	return nil, "Set password not supported";
end

function provider.user_exists(username)
	return nil;
end

function provider.create_user(username, password)
	return nil;
end

function provider.delete_user(username)
	return nil;
end

function provider.get_sasl_handler(session)

	local function get_username_from_token(self, message)
        local res, error, reason = token_util:process_and_verify_token(session);

        if (res == false) then
            log("warn",
                "Error verifying token err:%s, reason:%s", error, reason);
            return res, error, reason;
        end

        local customUsername
            = prosody.events.fire_event("pre-jitsi-authentication", session);

        if (customUsername) then
            self.username = customUsername;
        elseif (session.previd ~= nil) then
            for _, session1 in pairs(sessions) do
                if (session1.resumption_token == session.previd) then
                    self.username = session1.username;
                    break;
                end
        	end
        else
            self.username = message;
        end

        return res;
	end

	return new_sasl(host, { anonymous = get_username_from_token });
end

module:provides("auth", provider);

local function anonymous(self, message)

	local username = generate_uuid();

	-- This calls the handler created in 'provider.get_sasl_handler(session)'
	local result, err, msg = self.profile.anonymous(self, username, self.realm);

	if result == true then
		if (self.username == nil) then
			self.username = username;
		end
		return "success";
	else
		return "failure", err, msg;
	end
end

sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`-- Token authentication`
			`-- Copyright (C) 2015 Atlassian`

Add basic ASAP support to mod_auth_token See: http://s2sauth.bitbucket.org/ 2016-08-23 19:42:49 +00:00			`local formdecode = require "util.http".formdecode;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local generate_uuid = require "util.uuid".generate;`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`local new_sasl = require "util.sasl".new;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local sasl = require "util.sasl";`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00			`local token_util = module:require "token/util".new(module);`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`local sessions = prosody.full_sessions;`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00
			`-- no token configuration`
			`if token_util == nil then`
			`return;`
			`end`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00
			`-- define auth provider`
			`local provider = {};`

New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local host = module.host;`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00
initial session for bosh and websockets (#5006) * hook on websocket events * initial session for bosh and websockets 2020-01-24 14:59:29 +00:00			`-- Extract 'token' param from URL when session is created`
			`function init_session(event)`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`local session, request = event.session, event.request;`
			`local query = request.url.query;`
Moves token related code into util so it can be reused. 2017-05-03 21:48:49 +00:00
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`if query ~= nil then`
Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00			`local params = formdecode(query);`
			`session.auth_token = query and params.token or nil;`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`-- previd is used together with https://modules.prosody.im/mod_smacks.html`
			`-- the param is used to find resumed session and re-use anonymous(random) user id`
			`-- (see get_username_from_token)`
			`session.previd = query and params.previd or nil;`
Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00
updates bosh to support optional prefix use optional prefix in poltergeist room lookup 2019-05-16 19:23:36 +00:00			`-- The room name and optional prefix from the bosh query`
Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00			`session.jitsi_bosh_query_room = params.room;`
updates bosh to support optional prefix use optional prefix in poltergeist room lookup 2019-05-16 19:23:36 +00:00			`session.jitsi_bosh_query_prefix = params.prefix or "";`
Stores the room name from the bosh url into the session. 2017-07-15 03:08:41 +00:00			`end`
initial session for bosh and websockets (#5006) * hook on websocket events * initial session for bosh and websockets 2020-01-24 14:59:29 +00:00			`end`

debian: updates around coturn package and order of install (#5729) * debian: Update coturn udp port to non-privileged one. * debian: Turnserver config requires jitsi-meet-web-config files. * doc: Updates doc, removing `--no-install-recommends`. * debian: Moves checks and configs to default to prosody 0.11. * debian: Disable room locking on internal muc. * add scripts for deploying coturn with certbot * turnserver: Removes unused variable showing error. * debian: updates let's encrypt and coturn scripts. * debian: Detect failure to retrieve external ip address. * debian: Always configure turn when the turnserver package is installed. Co-authored-by: Julien Fastré <julien.fastre@champs-libres.coop> 2020-04-08 18:06:49 +00:00			`module:hook_global("bosh-session", init_session);`
			`module:hook_global("websocket-session", init_session);`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00
			`function provider.test_password(username, password)`
			`return nil, "Password based auth not supported";`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`end`

			`function provider.get_password(username)`
			`return nil;`
			`end`

			`function provider.set_password(username, password)`
			`return nil, "Set password not supported";`
			`end`

			`function provider.user_exists(username)`
			`return nil;`
			`end`

			`function provider.create_user(username, password)`
			`return nil;`
			`end`

			`function provider.delete_user(username)`
			`return nil;`
			`end`

New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`function provider.get_sasl_handler(session)`

			`local function get_username_from_token(self, message)`
Installs required basexx when token package is installed. Fixes #1870. Adds some debug messages when token verification fails for some reason. 2017-08-08 13:48:18 +00:00			`local res, error, reason = token_util:process_and_verify_token(session);`

			`if (res == false) then`
			`log("warn",`
			`"Error verifying token err:%s, reason:%s", error, reason);`
On token verification failure return error, reason and stop processing. This was broken with commit c1fb1a7defd00873e8f9c23ab1d99e054148181c, which splits the result in order to print the error reason and in case of error was not returning the error and the message to prosody internals. 2017-10-26 19:01:21 +00:00			`return res, error, reason;`
Installs required basexx when token package is installed. Fixes #1870. Adds some debug messages when token verification fails for some reason. 2017-08-08 13:48:18 +00:00			`end`
Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00
			`local customUsername`
			`= prosody.events.fire_event("pre-jitsi-authentication", session);`

			`if (customUsername) then`
			`self.username = customUsername;`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`elseif (session.previd ~= nil) then`
			`for _, session1 in pairs(sessions) do`
			`if (session1.resumption_token == session.previd) then`
			`self.username = session1.username;`
			`break;`
			`end`
			`end`
Fires event before setting username, allows listeners to override it. This is a hook to override the username that will be used when authenticating token users (which are using anonymous login with auto-generated username). 2017-07-15 03:12:56 +00:00			`else`
			`self.username = message;`
			`end`

			`return res;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`end`

			`return new_sasl(host, { anonymous = get_username_from_token });`
Adds Prosody plugin for token authentication. 2015-11-02 21:02:50 +00:00			`end`

			`module:provides("auth", provider);`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00
			`local function anonymous(self, message)`

			`local username = generate_uuid();`

			`-- This calls the handler created in 'provider.get_sasl_handler(session)'`
			`local result, err, msg = self.profile.anonymous(self, username, self.realm);`

			`if result == true then`
feat(mod_auth_token): add support for 'previd' query param The 'previd' query parameter will be use to match user id of the session being resumed when the smacks module and token authentication are enabled in Prosody. Otherwise user gets new random id every time and this doesn't work with the smacks module. 2020-03-09 18:50:12 +00:00			`if (self.username == nil) then`
			`self.username = username;`
			`end`
mod_auth_token: Add semicolons Remove unnecessary cjson config 2016-08-29 14:39:47 +00:00			`return "success";`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`else`
mod_auth_token: Add semicolons Remove unnecessary cjson config 2016-08-29 14:39:47 +00:00			`return "failure", err, msg;`
New JWT token impl that does not require token verification in Jicofo and uses anonymous authentication method(token goes as BOSH query param). Adds 'allow_empty_token" config option. 2015-12-22 18:51:43 +00:00			`end`
			`end`

			`sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);`