From bae77f21f870bdcf7c389f2b7e1d57d730af3c83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=8F=D0=BD=20=D0=9C=D0=B8=D0=BD=D0=BA?= =?UTF-8?q?=D0=BE=D0=B2?=
Date: Fri, 20 Oct 2023 08:50:38 -0500
Subject: [PATCH] feat: Adds event for parsed jwt and check for required token.context (#13973)
* squash: Remove tabs.
* feat: Adds a check for context required in jwt.
* feat: Adds an event to notify for parsed jwt.
---
 resources/prosody-plugins/mod_auth_token.lua | 48 ++++++++++----------
 resources/prosody-plugins/token/util.lib.lua | 11 +++++
 2 files changed, 35 insertions(+), 24 deletions(-)
diff --git a/resources/prosody-plugins/mod_auth_token.lua b/resources/prosody-plugins/mod_auth_token.lua
index e5353c696344..b272ed4f6cd9 100644
--- a/resources/prosody-plugins/mod_auth_token.lua
+++ b/resources/prosody-plugins/mod_auth_token.lua
@@ -22,10 +22,10 @@ local host = module.host;
 -- Extract 'token' param from URL when session is created
 function init_session(event)
- local session, request = event.session, event.request;
- local query = request.url.query;
+ local session, request = event.session, event.request;
+ local query = request.url.query;
- if query ~= nil then
+ if query ~= nil then
 local params = formdecode(query);
 -- The following fields are filled in the session, by extracting them
@@ -41,32 +41,32 @@ module:hook_global("bosh-session", init_session);
 module:hook_global("websocket-session", init_session);
 function provider.test_password(username, password)
- return nil, "Password based auth not supported";
+ return nil, "Password based auth not supported";
 end
 function provider.get_password(username)
- return nil;
+ return nil;
 end
 function provider.set_password(username, password)
- return nil, "Set password not supported";
+ return nil, "Set password not supported";
 end
 function provider.user_exists(username)
- return nil;
+ return nil;
 end
 function provider.create_user(username, password)
- return nil;
+ return nil;
 end
 function provider.delete_user(username)
- return nil;
+ return nil;
 end
 function provider.get_sasl_handler(session)
- local function get_username_from_token(self, message)
+ local function get_username_from_token(self, message)
 -- retrieve custom public key from server and save it on the session
 local pre_event_result = prosody.events.fire_event("pre-jitsi-authentication-fetch-key", session);
@@ -116,28 +116,28 @@ function provider.get_sasl_handler(session)
 end
 return res;
- end
+ end
- return new_sasl(host, { anonymous = get_username_from_token });
+ return new_sasl(host, { anonymous = get_username_from_token });
 end
 module:provides("auth", provider);
 local function anonymous(self, message)
- local username = generate_uuid();
+ local username = generate_uuid();
- -- This calls the handler created in 'provider.get_sasl_handler(session)'
- local result, err, msg = self.profile.anonymous(self, username, self.realm);
+ -- This calls the handler created in 'provider.get_sasl_handler(session)'
+ local result, err, msg = self.profile.anonymous(self, username, self.realm);
- if result == true then
- if (self.username == nil) then
- self.username = username;
- end
- return "success";
- else
- return "failure", err, msg;
- end
-end
+ if result == true then
+ if (self.username == nil) then
+ self.username = username;
+ end
+ return "success";
+ else
+ return "failure", err, msg;
+ end
+ end
 sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);
diff --git a/resources/prosody-plugins/token/util.lib.lua b/resources/prosody-plugins/token/util.lib.lua
index 5d988b9cdc4f..ab413c85cf8e 100644
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@@ -301,6 +301,17 @@ function Util:process_and_verify_token(session, acceptedIssuers)
 session.jitsi_meet_context_user = {};
 session.jitsi_meet_context_user.id = claims["user_id"];
 end
+
+ -- fire event that token has been verified and pass the session and the decoded token
+ prosody.events.fire_event('jitsi-authentication-token-verified', {
+ session = session;
+ claims = claims;
+ });
+
+ if session.contextRequired and claims["context"] == nil then
+ return false, "not-allowed", 'jwt missing required context claim';
+ end
+
 return true;
 else
 return false, "not-allowed", msg;
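Review bot: The `session.contextRequired` check in the util.lib.lua hunk runs only after `jitsi-authentication-token-verified` has already fired and after the context-derived session fields just above it were populated, so a token that is then rejected still leaves every listener told the token was verified and the session carrying values taken from it; move the `if session.contextRequired and claims["context"] == nil then … end` block ahead of the `prosody.events.fire_event(...)` call (ideally ahead of the session population, which begins earlier in `Util:process_and_verify_token`, outside this hunk). The check also tests presence only, so if consumers treat `context` as a table, `type(claims["context"]) ~= "table"` is the stricter condition. Where `session.contextRequired` is set is not visible here; since `init_session` in mod_auth_token.lua copies URL query parameters into the session, it should originate from module configuration rather than anything client-supplied, otherwise the requirement is switchable by the client. A one-line comment above the event, such as `-- handlers receive the live claims table; mutations are visible to later code`, would make the contract clear to listener authors.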