fix(jwt-validation): validate `kid` value only for JaaS

- add some missing meet features
This commit is contained in:
hmuresan 2021-05-05 12:21:22 +03:00 committed by Horatiu Muresan
parent 79939f108c
commit a582f1c191
2 changed files with 32 additions and 20 deletions

View File

@ -11,5 +11,7 @@ export const MEET_FEATURES = [
'outbound-call', 'outbound-call',
'recording', 'recording',
'room', 'room',
'screen-sharing',
'sip-outbound-call',
'transcription' 'transcription'
]; ];

View File

@ -67,6 +67,17 @@ export function validateJwt(jwt: string) {
return errors; return errors;
} }
const {
aud,
context,
exp,
iss,
nbf,
sub
} = payload;
// JaaS only
if (sub && sub.startsWith('vpaas-magic-cookie')) {
const { kid } = header; const { kid } = header;
// if Key ID is missing, we return the error immediately without further validations. // if Key ID is missing, we return the error immediately without further validations.
@ -76,40 +87,39 @@ export function validateJwt(jwt: string) {
return errors; return errors;
} }
// JaaS only if (kid.substring(0, kid.indexOf('/')) !== sub) {
if (kid.startsWith('vpaas-magic-cookie')) {
if (kid.substring(0, header.kid.indexOf('/')) !== payload.sub) {
errors.push('- Key ID(kid) does not match sub'); errors.push('- Key ID(kid) does not match sub');
} }
if (payload.aud !== 'jitsi') {
if (aud !== 'jitsi') {
errors.push('- invalid `aud` value. It should be `jitsi`'); errors.push('- invalid `aud` value. It should be `jitsi`');
} }
if (payload.iss !== 'chat') { if (iss !== 'chat') {
errors.push('- invalid `iss` value. It should be `chat`'); errors.push('- invalid `iss` value. It should be `chat`');
} }
if (!payload.context?.features) { if (!context?.features) {
errors.push('- `features` object is missing from the payload'); errors.push('- `features` object is missing from the payload');
} }
} }
if (!isValidUnixTimestamp(payload.nbf)) { if (!isValidUnixTimestamp(nbf)) {
errors.push('- invalid `nbf` value'); errors.push('- invalid `nbf` value');
} else if (currentTimestamp < payload.nbf * 1000) { } else if (currentTimestamp < nbf * 1000) {
errors.push('- `nbf` value is in the future'); errors.push('- `nbf` value is in the future');
} }
if (!isValidUnixTimestamp(payload.exp)) { if (!isValidUnixTimestamp(exp)) {
errors.push('- invalid `exp` value'); errors.push('- invalid `exp` value');
} else if (currentTimestamp > payload.exp * 1000) { } else if (currentTimestamp > exp * 1000) {
errors.push('- token is expired'); errors.push('- token is expired');
} }
if (!payload.context) { if (!context) {
errors.push('- `context` object is missing from the payload'); errors.push('- `context` object is missing from the payload');
} else if (payload.context.features) { } else if (context.features) {
const { features } = payload.context; const { features } = context;
Object.keys(features).forEach(feature => { Object.keys(features).forEach(feature => {
if (MEET_FEATURES.includes(feature)) { if (MEET_FEATURES.includes(feature)) {