feat: Enable end-to-end encryption for WebRTC streams.

Signed-off-by: Joachim Bauch <bauch@struktur.de>

.eslintignore

@@ -2,5 +2,7 @@
 # SPDX-License-Identifier: CC0-1.0
 /js/*
 /src/types/openapi/*
+/src/utils/e2ee/crypto-utils.js
+/src/utils/e2ee/Jitsi*.js
 /src/utils/media/effects/virtual-background/vendor/*
 /tests/*

lib/Controller/PageController.php

@@ -270,6 +270,7 @@ protected function pageHandler(
 		$csp->addAllowedChildSrcDomain("'self'");
 		$csp->addAllowedScriptDomain('blob:');
 		$csp->addAllowedScriptDomain("'self'");
+		$csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 		$csp->addAllowedConnectDomain('blob:');
 		$csp->addAllowedConnectDomain("'self'");
 		$csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
@@ -332,6 +333,7 @@ public function recording(string $token): Response {
 		$csp->addAllowedChildSrcDomain("'self'");
 		$csp->addAllowedScriptDomain('blob:');
 		$csp->addAllowedScriptDomain("'self'");
+		$csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 		$csp->addAllowedConnectDomain('blob:');
 		$csp->addAllowedConnectDomain("'self'");
 		$csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
@@ -418,6 +420,7 @@ protected function guestEnterRoom(
 		$csp->addAllowedChildSrcDomain("'self'");
 		$csp->addAllowedScriptDomain('blob:');
 		$csp->addAllowedScriptDomain("'self'");
+		$csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 		$csp->addAllowedConnectDomain('blob:');
 		$csp->addAllowedConnectDomain("'self'");
 		$csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
@@ -475,6 +478,7 @@ protected function invitedEmail(
 		$csp->addAllowedChildSrcDomain("'self'");
 		$csp->addAllowedScriptDomain('blob:');
 		$csp->addAllowedScriptDomain("'self'");
+		$csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 		$csp->addAllowedConnectDomain('blob:');
 		$csp->addAllowedConnectDomain("'self'");
 		$csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');

lib/Signaling/Manager.php

@@ -39,7 +39,8 @@ public function isCompatibleSignalingServer(IResponse $response): bool {
 			&& in_array('federation', $features, true)
 			&& in_array('incall-all', $features, true)
 			&& in_array('hello-v2', $features, true)
-			&& in_array('switchto', $features, true);
+			&& in_array('switchto', $features, true)
+			&& in_array('join-features', $features, true);
 	}
 
 	public function getSignalingServerMissingFeatures(IResponse $response): array {

package.json

@@ -25,6 +25,7 @@
   },
   "dependencies": {
     "@linusborg/vue-simple-portal": "^0.1.5",
+    "@matrix-org/olm": "^3.2.15",
     "@nextcloud/auth": "^2.4.0",
     "@nextcloud/axios": "^2.5.1",
     "@nextcloud/browser-storage": "^0.4.0",
@@ -42,6 +43,7 @@
     "@nextcloud/vue": "^8.21.0",
     "@vueuse/components": "^11.3.0",
     "@vueuse/core": "^11.2.0",
+    "base64-js": "^1.5.1",
     "blurhash": "^2.0.5",
     "crypto-js": "^4.2.0",
     "debounce": "^2.2.0",
@@ -59,6 +61,7 @@
     "pinia": "^2.3.0",
     "ua-parser-js": "^2.0.0",
     "util": "^0.12.5",
+    "uuid": "^11.0.3",
     "vue": "^2.7.16",
     "vue-cropperjs": "^4.2.0",
     "vue-draggable-resizable": "^2.3.0",

src/utils/e2ee/JitsiDeferred.js

@@ -0,0 +1,49 @@
+/**
+ * SPDX-FileCopyrightText: 2020 Jitsi team at 8x8 and the community.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Based on code from https://github.com/jitsi/jitsi-meet
+ */
+
+/**
+ * Promise-like object which can be passed around for resolving it later. It
+ * implements the "thenable" interface, so it can be used wherever a Promise
+ * could be used.
+ *
+ * In addition a "reject on timeout" functionality is provided.
+ */
+export default class Deferred {
+    /**
+     * Instantiates a Deferred object.
+     */
+    constructor() {
+        this.promise = new Promise((resolve, reject) => {
+            this.resolve = (...args) => {
+                this.clearRejectTimeout();
+                resolve(...args);
+            };
+            this.reject = (...args) => {
+                this.clearRejectTimeout();
+                reject(...args);
+            };
+        });
+        this.then = this.promise.then.bind(this.promise);
+        this.catch = this.promise.catch.bind(this.promise);
+    }
+
+    /**
+     * Clears the reject timeout.
+     */
+    clearRejectTimeout() {
+        clearTimeout(this._timeout);
+    }
+
+    /**
+     * Rejects the promise after the given timeout.
+     */
+    setRejectTimeout(ms) {
+        this._timeout = setTimeout(() => {
+            this.reject(new Error('timeout'));
+        }, ms);
+    }
+}