feat: Adds event for parsed jwt and check for required token.context (#…

…13973)

* squash: Remove tabs.

* feat: Adds a check for context required in jwt.

* feat: Adds an event to notify for parsed jwt.

resources/prosody-plugins/mod_auth_token.lua

@@ -22,10 +22,10 @@ local host = module.host;
 
 -- Extract 'token' param from URL when session is created
 function init_session(event)
-	local session, request = event.session, event.request;
-	local query = request.url.query;
+    local session, request = event.session, event.request;
+    local query = request.url.query;
 
-	if query ~= nil then
+    if query ~= nil then
         local params = formdecode(query);
 
         -- The following fields are filled in the session, by extracting them
@@ -41,32 +41,32 @@ module:hook_global("bosh-session", init_session);
 module:hook_global("websocket-session", init_session);
 
 function provider.test_password(username, password)
-	return nil, "Password based auth not supported";
+    return nil, "Password based auth not supported";
 end
 
 function provider.get_password(username)
-	return nil;
+    return nil;
 end
 
 function provider.set_password(username, password)
-	return nil, "Set password not supported";
+    return nil, "Set password not supported";
 end
 
 function provider.user_exists(username)
-	return nil;
+    return nil;
 end
 
 function provider.create_user(username, password)
-	return nil;
+    return nil;
 end
 
 function provider.delete_user(username)
-	return nil;
+    return nil;
 end
 
 function provider.get_sasl_handler(session)
 
-	local function get_username_from_token(self, message)
+    local function get_username_from_token(self, message)
 
         -- retrieve custom public key from server and save it on the session
         local pre_event_result = prosody.events.fire_event("pre-jitsi-authentication-fetch-key", session);
@@ -116,28 +116,28 @@ function provider.get_sasl_handler(session)
         end
 
         return res;
-	end
+    end
 
-	return new_sasl(host, { anonymous = get_username_from_token });
+    return new_sasl(host, { anonymous = get_username_from_token });
 end
 
 module:provides("auth", provider);
 
 local function anonymous(self, message)
 
-	local username = generate_uuid();
+    local username = generate_uuid();
 
-	-- This calls the handler created in 'provider.get_sasl_handler(session)'
-	local result, err, msg = self.profile.anonymous(self, username, self.realm);
+    -- This calls the handler created in 'provider.get_sasl_handler(session)'
+    local result, err, msg = self.profile.anonymous(self, username, self.realm);
 
-	if result == true then
-		if (self.username == nil) then
-			self.username = username;
-		end
-		return "success";
-	else
-		return "failure", err, msg;
-	end
-end
+    if result == true then
+        if (self.username == nil) then
+            self.username = username;
+        end
+        return "success";
+    else
+        return "failure", err, msg;
+    end
+    end
 
 sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);

resources/prosody-plugins/token/util.lib.lua

@@ -301,6 +301,17 @@ function Util:process_and_verify_token(session, acceptedIssuers)
           session.jitsi_meet_context_user = {};
           session.jitsi_meet_context_user.id = claims["user_id"];
         end
+
+        -- fire event that token has been verified and pass the session and the decoded token
+        prosody.events.fire_event('jitsi-authentication-token-verified', {
+            session = session;
+            claims = claims;
+        });
+
+        if session.contextRequired and claims["context"] == nil then
+            return false, "not-allowed", 'jwt missing required context claim';
+        end
+
         return true;
     else
         return false, "not-allowed", msg;