Merge pull request #3840 from jitsi/prosody-token-wildcard-subdomain

supports a '*' in the sub claim to allow access to any room

resources/prosody-plugins/token/util.lib.lua

@@ -357,11 +357,20 @@ function Util:verify_room(session, room_address)
             room_to_check = room_node;
         end
     else
+        -- no wildcard, so check room against authorized room in token
         room_to_check = auth_room;
     end
 
     local auth_domain = session.jitsi_meet_domain;
+    local subdomain_to_check;
     if target_subdomain then
+        if auth_domain == '*' then
+            -- check for wildcard in JWT claim, allow access if found
+            subdomain_to_check = target_subdomain;
+        else
+            -- no wildcard in JWT claim, so check subdomain against sub in token
+            subdomain_to_check = auth_domain;
+        end
         -- from this point we depend on muc_domain_base,
         -- deny access if option is missing
         if not self.muc_domain_base then
@@ -370,12 +379,19 @@ function Util:verify_room(session, room_address)
         end
 
         return room_address_to_verify == jid.join(
-            "["..auth_domain.."]"..string.lower(room_to_check), self.muc_domain);
+            "["..subdomain_to_check.."]"..string.lower(room_to_check), self.muc_domain);
     else
+        if auth_domain == '*' then
+            -- check for wildcard in JWT claim, allow access if found
+            subdomain_to_check = self.muc_domain;
+        else
+            -- no wildcard in JWT claim, so check subdomain against sub in token
+            subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;
+        end
         -- we do not have a domain part (multidomain is not enabled)
         -- verify with info from the token
         return room_address_to_verify == jid.join(
-            string.lower(room_to_check), self.muc_domain_prefix.."."..auth_domain);
+            string.lower(room_to_check), subdomain_to_check);
     end
 end