From 1834c2178f516bd25c1c5ede6947bd438ea44d09 Mon Sep 17 00:00:00 2001
From: Marshall Polaris <marshall@pol.rs>
Date: Tue, 16 Feb 2021 01:44:31 -0800
Subject: [PATCH] Add optional room_ids to JWT

---
 src/auth.rs | 25 +++++++++++++++++++++++++
 src/lib.rs  | 15 ++++++++-------
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index 764e74c..55172ce 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -1,17 +1,41 @@
 use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use serde::{Deserialize, Serialize};
 use std::error::Error;
+use crate::messages::RoomId;
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct ValidatedToken {
     pub join_hub: bool,
     pub kick_users: bool,
+    pub room_ids: Option<Vec<RoomId>>
+}
+
+impl ValidatedToken {
+    pub fn may_join(&self, room_id: &RoomId) -> bool {
+        if self.join_hub {
+            if let Some(allowed_rooms) = &self.room_ids {
+                if allowed_rooms.contains(room_id) { // this token explicitly lets you in this room
+                    true
+                } else { // this token lets you in some rooms, but not this one
+                    false
+                }
+            } else { // this token lets you in any room
+                true
+            }
+        } else {
+            false // this token disallows joining entirely
+        }
+    }
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 struct UserClaims {
+    #[serde(default)]
     join_hub: bool,
+    #[serde(default)]
     kick_users: bool,
+    #[serde(default)]
+    room_ids: Option<Vec<RoomId>>
 }
 
 impl ValidatedToken {
@@ -22,6 +46,7 @@ impl ValidatedToken {
         Ok(ValidatedToken {
             join_hub: token_data.claims.join_hub,
             kick_users: token_data.claims.kick_users,
+            room_ids: token_data.claims.room_ids,
         })
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 2af91fb..cc1ea6b 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -424,16 +424,17 @@ fn process_join(from: &Arc<Session>, room_id: RoomId, user_id: UserId, subscribe
             return Err(From::from("Rejecting anonymous join!"));
         }
         (Some(key), Some(ref token)) => match ValidatedToken::from_str(token, key) {
-            Ok(ref claims) if claims.join_hub => {
-                janus_verb!("Allowing validated join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
-            }
-            Ok(_) => {
-                janus_warn!("Rejecting unauthorized join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
-                return Err(From::from("Rejecting join with no join_hub permission!"));
+            Ok(ref claims) => {
+                if claims.may_join(&room_id) {
+                    janus_verb!("Allowing join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
+                } else {
+                    janus_warn!("Rejecting join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
+                    return Err(From::from("Rejecting join without permission!"));
+                }
             }
             Err(e) => {
                 janus_warn!(
-                    "Rejecting invalid join from {:p} to room {} as user {}. Error: {}",
+                    "Rejecting join from {:p} to room {} as user {}. Error: {}",
                     from.handle,
                     room_id,
                     user_id,