Restrict your configuration with a JWT Token
The objective is to limit the creation of a conference room to any user authenticate with a JWT token. Guests will have to wait for one of these users to come and unlock the room.
You can find the spec here: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md
Packages
You need those package to user the tokens authentication:
yay -S --needed lua52-base64 lua52-basexx lua52-cjson lua52-jwtjitsi lua52-luaossl
Jicofo
/etc/jicofo/jicofo.conf
jicofo {
authentication {
enabled = true
type = JWT
login-url = YOUR_DOMAIN
enable-auto-login = true
}
}
The restart.
systemctl restart jicofo
Jitsi meet
/etc/webapps/jitsi-meet/config.js
var config = {
host: {
// anonymous users need to use a dedicated muc without authentication
anonymousdomain: 'guest.YOUR_DOMAIN',
},
}
Prosody
/etc/prosody/conf.d/jitsi.cfg.lua
-- change authentification of your domain
VirtualHost "YOUR_DOMAIN"
authentification = "token"
app_id = "APP_ID"
app_secret = "APP_SECRET"
allow_empty_token = false
modules_enabled = {
-- keep existing modules and add
"presence_identity";
}
c2s_require_encryption = false
-- add guest virtual host to allow anonymous user to join your room
VirtualHost "guest.YOUR_DOMAIN"
authentication = "jitsi-anonymous"
c2s_require_encryption = false
modules_enabled = {
-- copy the content of the modules_enabled
-- of the VirtualHost "YOUR_DOMAIN"
-- remove only the module "muc_lobby_rooms" of the list
-- add presence_identity
-- example:
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"conference_duration";
"websocket";
"presence_identity";
}
Component "conference.YOUR_DOMAIN" "muc"
modules_enabled = {
-- add this to the modules_enabled
"token_verification";
}
Then restart
systemctl restart prosody
Generate a JWT token
Here a quick example in nodejs that will generate a valid link with a JWT token:
const jwt = require('jsonwebtoken')
const crypto = require('crypto');
const words = require('random-words')
const yourDomain = "YOUR_DOMAIN"
const appId = "APP_ID"
const appSecret = "APP_SECRET"
const userName = "YOUR_USERNAME"
const userEmail = "YOUR_EMAIL"
function getBody(domain, appId, name, email, room) {
const md5Email = crypto.createHash('md5').update(email).digest("hex");
const id = crypto.createHash('sha1').update(`${name}:${email}`).digest("hex")
return {
context: {
user: {
avatar: `https:/gravatar.com/avatar/${md5Email}`,
name,
email,
id,
},
group: 'users'
},
"aud": "jitsi",
"iss": appId,
"sub": domain,
room,
}
}
const room = process.argv[2] || words({exactly: 3, join: '-'})
const data = getBody(
yourDomain,
appId,
userName,
userEmail,
room,
)
const options = {
algorithm: 'HS256',
expiresIn: '2h',
}
const jwtToken = jwt.sign(data, appSecret, options)
console.log(`https://${yourDomain}/${room}?jwt=${jwtToken}`)
No Comments