feat(jwt) log jwt validation errors
This commit is contained in:
parent
f50872285d
commit
3a8bd852b2
|
@ -11,6 +11,7 @@ import { reloadNow } from '../../app/actions';
|
||||||
import { openDisplayNamePrompt } from '../../display-name';
|
import { openDisplayNamePrompt } from '../../display-name';
|
||||||
import { showErrorNotification } from '../../notifications';
|
import { showErrorNotification } from '../../notifications';
|
||||||
import { CONNECTION_ESTABLISHED, CONNECTION_FAILED, connectionDisconnected } from '../connection';
|
import { CONNECTION_ESTABLISHED, CONNECTION_FAILED, connectionDisconnected } from '../connection';
|
||||||
|
import { validateJwt } from '../jwt';
|
||||||
import { JitsiConferenceErrors } from '../lib-jitsi-meet';
|
import { JitsiConferenceErrors } from '../lib-jitsi-meet';
|
||||||
import { MEDIA_TYPE } from '../media';
|
import { MEDIA_TYPE } from '../media';
|
||||||
import {
|
import {
|
||||||
|
@ -247,6 +248,26 @@ function _connectionEstablished({ dispatch }, next, action) {
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Logs jwt validation errors from xmpp and from the client-side validator.
|
||||||
|
*
|
||||||
|
* @param {string} message -The error message from xmpp.
|
||||||
|
* @param {Object} state - The redux state.
|
||||||
|
* @returns {void}
|
||||||
|
*/
|
||||||
|
function _logJwtErrors(message, state) {
|
||||||
|
const { jwt } = state['features/base/jwt'];
|
||||||
|
|
||||||
|
if (!jwt) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const errorKeys = validateJwt(jwt);
|
||||||
|
|
||||||
|
message && logger.error(`JWT error: ${message}`);
|
||||||
|
errorKeys.length && logger.error('JWT parsing error:', errorKeys);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Notifies the feature base/conference that the action
|
* Notifies the feature base/conference that the action
|
||||||
* {@code CONNECTION_FAILED} is being dispatched within a specific redux
|
* {@code CONNECTION_FAILED} is being dispatched within a specific redux
|
||||||
|
@ -262,6 +283,8 @@ function _connectionEstablished({ dispatch }, next, action) {
|
||||||
* @returns {Object} The value returned by {@code next(action)}.
|
* @returns {Object} The value returned by {@code next(action)}.
|
||||||
*/
|
*/
|
||||||
function _connectionFailed({ dispatch, getState }, next, action) {
|
function _connectionFailed({ dispatch, getState }, next, action) {
|
||||||
|
_logJwtErrors(action.error.message, getState());
|
||||||
|
|
||||||
const result = next(action);
|
const result = next(action);
|
||||||
|
|
||||||
if (typeof beforeUnloadHandler !== 'undefined') {
|
if (typeof beforeUnloadHandler !== 'undefined') {
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
/**
|
||||||
|
* The list of supported meeting features to enable/disable through jwt.
|
||||||
|
*/
|
||||||
|
export const MEET_FEATURES = [
|
||||||
|
'branding',
|
||||||
|
'calendar',
|
||||||
|
'callstats',
|
||||||
|
'livestreaming',
|
||||||
|
'lobby',
|
||||||
|
'moderation',
|
||||||
|
'outbound-call',
|
||||||
|
'recording',
|
||||||
|
'room',
|
||||||
|
'transcription'
|
||||||
|
];
|
|
@ -1,7 +1,11 @@
|
||||||
/* @flow */
|
/* @flow */
|
||||||
|
|
||||||
|
import jwtDecode from 'jwt-decode';
|
||||||
|
|
||||||
import { parseURLParams } from '../util';
|
import { parseURLParams } from '../util';
|
||||||
|
|
||||||
|
import { MEET_FEATURES } from './constants';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieves the JSON Web Token (JWT), if any, defined by a specific
|
* Retrieves the JSON Web Token (JWT), if any, defined by a specific
|
||||||
* {@link URL}.
|
* {@link URL}.
|
||||||
|
@ -26,3 +30,108 @@ export function getJwtName(state: Object) {
|
||||||
|
|
||||||
return user?.name;
|
return user?.name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks whether a given timestamp is a valid UNIX timestamp in seconds.
|
||||||
|
* We convert to miliseconds during the check since `Date` works with miliseconds for UNIX timestamp values.
|
||||||
|
*
|
||||||
|
* @param {any} timestamp - A UNIX timestamp in seconds as stored in the jwt.
|
||||||
|
* @returns {boolean} - Whether the timestamp is indeed a valid UNIX timestamp or not.
|
||||||
|
*/
|
||||||
|
function isValidUnixTimestamp(timestamp: any) {
|
||||||
|
return typeof timestamp === 'number' && timestamp * 1000 === new Date(timestamp * 1000).getTime();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns a list with all validation errors for the given jwt.
|
||||||
|
*
|
||||||
|
* @param {string} jwt - The jwt.
|
||||||
|
* @returns {Array<string>} - An array containing all jwt validation errors.
|
||||||
|
*/
|
||||||
|
export function validateJwt(jwt: string) {
|
||||||
|
const errors = [];
|
||||||
|
|
||||||
|
if (!jwt) {
|
||||||
|
return errors;
|
||||||
|
}
|
||||||
|
|
||||||
|
const currentTimestamp = new Date().getTime();
|
||||||
|
|
||||||
|
try {
|
||||||
|
const header = jwtDecode(jwt, { header: true });
|
||||||
|
const payload = jwtDecode(jwt);
|
||||||
|
|
||||||
|
if (!header || !payload) {
|
||||||
|
errors.push('- Missing header or payload');
|
||||||
|
|
||||||
|
return errors;
|
||||||
|
}
|
||||||
|
|
||||||
|
const { kid } = header;
|
||||||
|
|
||||||
|
// if Key ID is missing, we return the error immediately without further validations.
|
||||||
|
if (!kid) {
|
||||||
|
errors.push('- Key ID(kid) missing');
|
||||||
|
|
||||||
|
return errors;
|
||||||
|
}
|
||||||
|
|
||||||
|
// JaaS only
|
||||||
|
if (kid.startsWith('vpaas-magic-cookie')) {
|
||||||
|
if (kid.substring(0, header.kid.indexOf('/')) !== payload.sub) {
|
||||||
|
errors.push('- Key ID(kid) does not match sub');
|
||||||
|
}
|
||||||
|
if (payload.aud !== 'jitsi') {
|
||||||
|
errors.push('- invalid `aud` value. It should be `jitsi`');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (payload.iss !== 'chat') {
|
||||||
|
errors.push('- invalid `iss` value. It should be `chat`');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!payload.context?.features) {
|
||||||
|
errors.push('- `features` object is missing from the payload');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isValidUnixTimestamp(payload.nbf)) {
|
||||||
|
errors.push('- invalid `nbf` value');
|
||||||
|
} else if (currentTimestamp < payload.nbf * 1000) {
|
||||||
|
errors.push('- `nbf` value is in the future');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isValidUnixTimestamp(payload.exp)) {
|
||||||
|
errors.push('- invalid `exp` value');
|
||||||
|
} else if (currentTimestamp > payload.exp * 1000) {
|
||||||
|
errors.push('- token is expired');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!payload.context) {
|
||||||
|
errors.push('- `context` object is missing from the payload');
|
||||||
|
} else if (payload.context.features) {
|
||||||
|
const { features } = payload.context;
|
||||||
|
|
||||||
|
Object.keys(features).forEach(feature => {
|
||||||
|
if (MEET_FEATURES.includes(feature)) {
|
||||||
|
const featureValue = features[feature];
|
||||||
|
|
||||||
|
// cannot use truthy or falsy because we need the exact value and type check.
|
||||||
|
if (
|
||||||
|
featureValue !== true
|
||||||
|
&& featureValue !== false
|
||||||
|
&& featureValue !== 'true'
|
||||||
|
&& featureValue !== 'false'
|
||||||
|
) {
|
||||||
|
errors.push(`- Invalid value for feature: ${feature}`);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
errors.push(`- Invalid feature: ${feature}`);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
} catch (e) {
|
||||||
|
errors.push(e ? e.message : '- unspecified jwt error');
|
||||||
|
}
|
||||||
|
|
||||||
|
return errors;
|
||||||
|
}
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
export * from './actions';
|
export * from './actions';
|
||||||
export * from './actionTypes';
|
export * from './actionTypes';
|
||||||
export * from './functions';
|
export * from './functions';
|
||||||
|
export * from './constants';
|
||||||
|
|
Loading…
Reference in New Issue