Handles '*' as room name in jwt.
Allows '*' as the room name in the jwt, which permits connecting to any room.
parent
8a01067b62
commit
00afc32b6b
|
@ -49,7 +49,7 @@ local function verify_user(session, stanza)
|
||||||
"Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
|
"Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
|
||||||
if not token_util:verify_room(session, stanza.attr.to) then
|
if not token_util:verify_room(session, stanza.attr.to) then
|
||||||
log("error", "Token %s not allowed to join: %s",
|
log("error", "Token %s not allowed to join: %s",
|
||||||
tostring(session.auth_token), tostring(session.jitsi_meet_room));
|
tostring(session.auth_token), tostring(stanza.attr.to));
|
||||||
session.send(
|
session.send(
|
||||||
st.error_reply(
|
st.error_reply(
|
||||||
stanza, "cancel", "not-allowed", "Room and token mismatched"));
|
stanza, "cancel", "not-allowed", "Room and token mismatched"));
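Review bot: The error log in verify_user still writes `tostring(session.auth_token)`, so every rejected join copies the full bearer token into the server log. The token has only failed the room check and is presumably still valid for the room it was issued for, so the log becomes a store of reusable credentials. Log a non-secret identifier instead, for example `log("error", "Token for %s not allowed to join: %s", user_jid, tostring(stanza.attr.to));`, assuming the `user_jid` used in the "Will verify token" message above is still in scope. verify_user starts and ends outside this hunk.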
|
||||||
|
|
|
@ -263,7 +263,7 @@ function Util:verify_room(session, room_address)
|
||||||
if not self.enableDomainVerification then
|
if not self.enableDomainVerification then
|
||||||
-- if auth_room is missing, this means user is anonymous (no token for
|
-- if auth_room is missing, this means user is anonymous (no token for
|
||||||
-- its domain) we let it through, jicofo is verifying creation domain
|
-- its domain) we let it through, jicofo is verifying creation domain
|
||||||
if auth_room and room ~= string.lower(auth_room) then
|
if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then
|
||||||
return false;
|
return false;
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -271,10 +271,29 @@ function Util:verify_room(session, room_address)
|
||||||
end
|
end
|
||||||
|
|
||||||
local room_address_to_verify = jid.bare(room_address);
|
local room_address_to_verify = jid.bare(room_address);
|
||||||
|
local room_node = jid.node(room_address);
|
||||||
-- parses bare room address, for multidomain expected format is:
|
-- parses bare room address, for multidomain expected format is:
|
||||||
-- [subdomain]roomName@conference.domain
|
-- [subdomain]roomName@conference.domain
|
||||||
local target_subdomain, target_room
|
local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");
|
||||||
= room_address_to_verify:match("^%[([^%]]+)%](.+)$");
|
|
||||||
|
-- if we have '*' as room name in token, this means all rooms are allowed
|
||||||
|
-- so we will use the actual name of the room when constructing strings
|
||||||
|
-- to verify subdomains and domains to simplify checks
|
||||||
|
local room_to_check;
|
||||||
|
if auth_room == '*' then
|
||||||
|
-- authorized for accessing any room assign to room_to_check the actual
|
||||||
|
-- room name
|
||||||
|
if target_room ~= nil then
|
||||||
|
-- we are in multidomain mode and we were able to extract room name
|
||||||
|
room_to_check = target_room;
|
||||||
|
else
|
||||||
|
-- no target_room, room_address_to_verify does not contain subdomain
|
||||||
|
-- so we get just the node which is the room name
|
||||||
|
room_to_check = room_node;
|
||||||
|
end
|
||||||
|
else
|
||||||
|
room_to_check = auth_room;
|
||||||
|
end
|
||||||
|
|
||||||
local auth_domain = session.jitsi_meet_domain;
|
local auth_domain = session.jitsi_meet_domain;
|
||||||
if target_subdomain then
|
if target_subdomain then
|
||||||
|
@ -286,12 +305,12 @@ function Util:verify_room(session, room_address)
|
||||||
end
|
end
|
||||||
|
|
||||||
return room_address_to_verify == jid.join(
|
return room_address_to_verify == jid.join(
|
||||||
"["..auth_domain.."]"..string.lower(auth_room), self.muc_domain);
|
"["..auth_domain.."]"..string.lower(room_to_check), self.muc_domain);
|
||||||
else
|
else
|
||||||
-- we do not have a domain part (multidomain is not enabled)
|
-- we do not have a domain part (multidomain is not enabled)
|
||||||
-- verify with info from the token
|
-- verify with info from the token
|
||||||
return room_address_to_verify == jid.join(
|
return room_address_to_verify == jid.join(
|
||||||
string.lower(auth_room), self.muc_domain_prefix.."."..auth_domain);
|
string.lower(room_to_check), self.muc_domain_prefix.."."..auth_domain);
|
||||||
end
|
end
|
||||||
end
|
end
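Review bot: In the third hunk of Util:verify_room, `room_node:match(...)` is called on the result of `jid.node(room_address)` without a nil check. An address with no node part (for example a stanza addressed to the bare MUC domain) would now raise an error inside the token check, whereas the old code matched on the bare JID string. If verify_room can be reached with such an address, reject it explicitly right after the assignment: `if room_node == nil then return false; end`. The comment above `if auth_room == '*' then` should also say that only the room name is wildcarded and that the `auth_domain` comparison in the final `jid.join` checks still applies, since that is what keeps a '*' token confined to its own domain. The function starts and ends outside the hunks shown, so the subdomain check between them could not be reviewed.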
|
||||||
|
|
||||||
|
|