fix(jwt-validation): validate `kid` value only for JaaS
- add some missing meet features
parent
79939f108c
commit
a582f1c191
@ -11,5 +11,7 @@ export const MEET_FEATURES = [
|
||||||
'outbound-call',
|
'outbound-call',
|
||||||
'recording',
|
'recording',
|
||||||
'room',
|
'room',
|
||||||
|
'screen-sharing',
|
||||||
|
'sip-outbound-call',
|
||||||
'transcription'
|
'transcription'
|
||||||
];
|
];
|
||||||
|
|
|
@ -67,6 +67,17 @@ export function validateJwt(jwt: string) {
|
||||||
return errors;
|
return errors;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const {
|
||||||
|
aud,
|
||||||
|
context,
|
||||||
|
exp,
|
||||||
|
iss,
|
||||||
|
nbf,
|
||||||
|
sub
|
||||||
|
} = payload;
|
||||||
|
|
||||||
|
// JaaS only
|
||||||
|
if (sub && sub.startsWith('vpaas-magic-cookie')) {
|
||||||
const { kid } = header;
|
const { kid } = header;
|
||||||
|
|
||||||
// if Key ID is missing, we return the error immediately without further validations.
|
// if Key ID is missing, we return the error immediately without further validations.
|
||||||
|
@ -76,40 +87,39 @@ export function validateJwt(jwt: string) {
|
||||||
return errors;
|
return errors;
|
||||||
}
|
}
|
||||||
|
|
||||||
// JaaS only
|
if (kid.substring(0, kid.indexOf('/')) !== sub) {
|
||||||
if (kid.startsWith('vpaas-magic-cookie')) {
|
|
||||||
if (kid.substring(0, header.kid.indexOf('/')) !== payload.sub) {
|
|
||||||
errors.push('- Key ID(kid) does not match sub');
|
errors.push('- Key ID(kid) does not match sub');
|
||||||
}
|
}
|
||||||
if (payload.aud !== 'jitsi') {
|
|
||||||
|
if (aud !== 'jitsi') {
|
||||||
errors.push('- invalid `aud` value. It should be `jitsi`');
|
errors.push('- invalid `aud` value. It should be `jitsi`');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (payload.iss !== 'chat') {
|
if (iss !== 'chat') {
|
||||||
errors.push('- invalid `iss` value. It should be `chat`');
|
errors.push('- invalid `iss` value. It should be `chat`');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!payload.context?.features) {
|
if (!context?.features) {
|
||||||
errors.push('- `features` object is missing from the payload');
|
errors.push('- `features` object is missing from the payload');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isValidUnixTimestamp(payload.nbf)) {
|
if (!isValidUnixTimestamp(nbf)) {
|
||||||
errors.push('- invalid `nbf` value');
|
errors.push('- invalid `nbf` value');
|
||||||
} else if (currentTimestamp < payload.nbf * 1000) {
|
} else if (currentTimestamp < nbf * 1000) {
|
||||||
errors.push('- `nbf` value is in the future');
|
errors.push('- `nbf` value is in the future');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isValidUnixTimestamp(payload.exp)) {
|
if (!isValidUnixTimestamp(exp)) {
|
||||||
errors.push('- invalid `exp` value');
|
errors.push('- invalid `exp` value');
|
||||||
} else if (currentTimestamp > payload.exp * 1000) {
|
} else if (currentTimestamp > exp * 1000) {
|
||||||
errors.push('- token is expired');
|
errors.push('- token is expired');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!payload.context) {
|
if (!context) {
|
||||||
errors.push('- `context` object is missing from the payload');
|
errors.push('- `context` object is missing from the payload');
|
||||||
} else if (payload.context.features) {
|
} else if (context.features) {
|
||||||
const { features } = payload.context;
|
const { features } = context;
|
||||||
|
|
||||||
Object.keys(features).forEach(feature => {
|
Object.keys(features).forEach(feature => {
|
||||||
if (MEET_FEATURES.includes(feature)) {
|
if (MEET_FEATURES.includes(feature)) {
|
||||||
|
|