Merge pull request #81 from mozilla/improve-jwts

Add optional room_ids to JWT
mozilla · Apr 19, 2021 · f16c42c · f16c42c
2 parents 3cf9f6a + 1834c21
commit f16c42c
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/src/auth.rs b/src/auth.rs
@@ -1,17 +1,41 @@
 use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use serde::{Deserialize, Serialize};
 use std::error::Error;
+use crate::messages::RoomId;
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct ValidatedToken {
     pub join_hub: bool,
     pub kick_users: bool,
+    pub room_ids: Option<Vec<RoomId>>
+}
+
+impl ValidatedToken {
+    pub fn may_join(&self, room_id: &RoomId) -> bool {
+        if self.join_hub {
+            if let Some(allowed_rooms) = &self.room_ids {
+                if allowed_rooms.contains(room_id) { // this token explicitly lets you in this room
+                    true
+                } else { // this token lets you in some rooms, but not this one
+                    false
+                }
+            } else { // this token lets you in any room
+                true
+            }
+        } else {
+            false // this token disallows joining entirely
+        }
+    }
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 struct UserClaims {
+    #[serde(default)]
     join_hub: bool,
+    #[serde(default)]
     kick_users: bool,
+    #[serde(default)]
+    room_ids: Option<Vec<RoomId>>
 }
 
 impl ValidatedToken {
@@ -22,6 +46,7 @@ impl ValidatedToken {
         Ok(ValidatedToken {
             join_hub: token_data.claims.join_hub,
             kick_users: token_data.claims.kick_users,
+            room_ids: token_data.claims.room_ids,
         })
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -424,16 +424,17 @@ fn process_join(from: &Arc<Session>, room_id: RoomId, user_id: UserId, subscribe
             return Err(From::from("Rejecting anonymous join!"));
         }
         (Some(key), Some(ref token)) => match ValidatedToken::from_str(token, key) {
-            Ok(ref claims) if claims.join_hub => {
-                janus_verb!("Allowing validated join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
-            }
-            Ok(_) => {
-                janus_warn!("Rejecting unauthorized join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
-                return Err(From::from("Rejecting join with no join_hub permission!"));
+            Ok(ref claims) => {
+                if claims.may_join(&room_id) {
+                    janus_verb!("Allowing join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
+                } else {
+                    janus_warn!("Rejecting join from {:p} to room {} as user {}.", from.handle, room_id, user_id);
+                    return Err(From::from("Rejecting join without permission!"));
+                }
             }
             Err(e) => {
                 janus_warn!(
-                    "Rejecting invalid join from {:p} to room {} as user {}. Error: {}",
+                    "Rejecting join from {:p} to room {} as user {}. Error: {}",
                     from.handle,
                     room_id,
                     user_id,