diff --git a/resources/prosody-plugins/token/util.lib.lua b/resources/prosody-plugins/token/util.lib.lua index f9577687a..72df4ec8a 100644 --- a/resources/prosody-plugins/token/util.lib.lua +++ b/resources/prosody-plugins/token/util.lib.lua @@ -357,11 +357,20 @@ function Util:verify_room(session, room_address) room_to_check = room_node; end else + -- no wildcard, so check room against authorized room in token room_to_check = auth_room; end local auth_domain = session.jitsi_meet_domain; + local subdomain_to_check; if target_subdomain then + if auth_domain == '*' then + -- check for wildcard in JWT claim, allow access if found + subdomain_to_check = target_subdomain; + else + -- no wildcard in JWT claim, so check subdomain against sub in token + subdomain_to_check = auth_domain; + end -- from this point we depend on muc_domain_base, -- deny access if option is missing if not self.muc_domain_base then @@ -370,12 +379,19 @@ function Util:verify_room(session, room_address) end return room_address_to_verify == jid.join( - "["..auth_domain.."]"..string.lower(room_to_check), self.muc_domain); + "["..subdomain_to_check.."]"..string.lower(room_to_check), self.muc_domain); else + if auth_domain == '*' then + -- check for wildcard in JWT claim, allow access if found + subdomain_to_check = self.muc_domain; + else + -- no wildcard in JWT claim, so check subdomain against sub in token + subdomain_to_check = self.muc_domain_prefix.."."..auth_domain; + end -- we do not have a domain part (multidomain is not enabled) -- verify with info from the token return room_address_to_verify == jid.join( - string.lower(room_to_check), self.muc_domain_prefix.."."..auth_domain); + string.lower(room_to_check), subdomain_to_check); end end