FIX: add flag to control whether to check room claim in JWT validation

jibri queue component stop checking room validation in token Jibri queue component debug output when bad token is found
2020-08-12 14:43:34 -05:00 · 2020-08-12 14:43:34 -05:00 · d05fa32413
parent 3da7798e9f
commit d05fa32413
2 changed files with 22 additions and 10 deletions
--- a/resources/prosody-plugins/mod_jibri_queue_component.lua
+++ b/resources/prosody-plugins/mod_jibri_queue_component.lua
@ -62,8 +62,11 @@ token_util:set_asap_accepted_issuers(ASAPAcceptedIssuers);
 local ASAPAcceptedAudiences
    = module:get_option_array('asap_accepted_audiences',{'*'});

-    module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences);
-    token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences);
+module:log("info", "ASAP Accepted Audiences %s", ASAPAcceptedAudiences);
+token_util:set_asap_accepted_audiences(ASAPAcceptedAudiences);
+
+-- do not require room to be set on tokens for jibri queue
+token_util:set_asap_require_room_claim(false);

 local ASAPTTL
    = module:get_option_number("asap_ttl", 3600);
@ -410,14 +413,15 @@ function verify_token(token, room_jid, session)
    local verified, reason, message = token_util:process_and_verify_token(session);
    if not verified then
        log("warn", "not a valid token %s: %s", tostring(reason), tostring(message));
+        log("debug", "invalid token %s", token);
        return false;
    end

-    if not token_util:verify_room(session, room_jid) then
-        log("warn", "Token %s not allowed to access: %s",
-            tostring(token), tostring(room_jid));
-        return false;
-    end
+    -- if not token_util:verify_room(session, room_jid) then
+    --     log("warn", "Token %s not allowed to access: %s",
+    --         tostring(token), tostring(room_jid));
+    --     return false;
+    -- end

    return true;
 end
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@ -92,6 +92,8 @@ function Util.new(module)
    --array of accepted audiences: by default only includes our appId
    self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

+    self.requireRoomClaim = module:get_option_boolean('asap_require_room_claim', true);
+
    if self.asapKeyServer and not have_async then
        module:log("error", "requires a version of Prosody with util.async");
        return nil;
@ -112,6 +114,10 @@ function Util:set_asap_accepted_audiences(acceptedAudiences)
    self.acceptedAudiences = acceptedAudiences;
 end

+function Util:set_asap_require_room_claim(checkRoom)
+    self.requireRoomClaim = checkRoom;
+end
+
 --- Returns the public key by keyID
 -- @param keyId the key ID to request
 -- @return the public key (the content of requested resource) or nil
@ -222,9 +228,11 @@ function Util:verify_token(token, secret)
        return nil, issCheckErr;
    end

-    local roomClaim = claims["room"];
-    if roomClaim == nil then
-        return nil, "'room' claim is missing";
+    if self.requireRoomClaim then
+        local roomClaim = claims["room"];
+        if roomClaim == nil then
+            return nil, "'room' claim is missing";
+        end
    end

    local audClaim = claims["aud"];