Security issue: RtcTokenBuilder token's role can be overridden by the client

Open dlinah opened this issue 4 years ago • 6 comments

I have a project in Agora with the app certificate enabled. The problem is, if I set the role in the RtcTokenBuilder to RtcRole.SUBSCRIBER and then set it to "host" in AgoraRTC.createClient on the client, then the client will be able to publish video and audio like a host. And vice versa: if the token has the role of PUBLISHER and the client has the role of "audience", it will throw an error when I try to publish video or audio.

 Uncaught (in promise) i {name: "AgoraRTCException", code: "INVALID_OPERATION", message: "AgoraRTCError INVALID_OPERATION: audience can not publish stream", data: undefined

It should be the other way around.

Token server: "agora-access-token": "^2.0.4"; client: "agora-rtc-sdk-ng": "^0.1.9"

dlinah avatar Jun 09 '20 16:06 dlinah

You may need to call setClient to make yourself a host before publishing a stream. It has nothing to do with token privilege as far as I can see.

plutoless avatar Jun 14 '20 09:06 plutoless

That is the problem: the client can publish a stream without permission from the server. It's expected that the generated token will control client privilege (whether a client can publish a stream or not), isn't it? I set the role in the RtcTokenBuilder.buildTokenWithUid function as documented in the docs.

dlinah avatar Jun 16 '20 10:06 dlinah

I am having the same concern here regarding users being able to publish a stream from the client even though the token was created with the SUBSCRIBER role. Is anyone having a look at this issue?

elhmn avatar Sep 14 '20 10:09 elhmn

@dlinah @elhmn The privilege for publishing & subscription is by default not active. Please contact sales if you do need this feature; we will need to configure it for you in our backend.

plutoless avatar Sep 22 '20 06:09 plutoless

@plutoless Is this still the case, that this needs to be activated by sales?

lodmfjord avatar Jun 10 '21 11:06 lodmfjord

Looking at the source docs for buildTokenWithAccount in the agora-access-token NodeJS library, it mentions this explicitly:

role – See #userRole.

  • Role.PUBLISHER: RECOMMENDED. Use this role for a voice/video call or a live broadcast.
  • Role.SUBSCRIBER: ONLY use this role if your live-broadcast scenario requires authentication for Hosting-in . In order for this role to take effect, please contact our support team to enable authentication for Hosting-in for you. Otherwise, Role_Subscriber still has the same privileges as Role_Publisher.

Unfortunately this links through to a broken page:

  • https://docs.agora.io/en/Agora%20Platform/terms?platform=All%20Platforms#hosting-in

But, if we look at the 'API Reference' on the 'Authenticate Your Users with Tokens' page, we can see more about this:

  • https://docs.agora.io/en/Video/token_server#api-reference

role: The privilege of the user, either as a publisher or a subscriber. This parameter determines whether a user can publish streams in the channel.

  • Role_Publisher(1): (Default) The user has the privilege of a publisher, that is, the user can publish streams in the channel.
  • Role_Subscriber(2): The user has the privilege of a subscriber, that is, the user can only subscribe to streams, not publish them, in the channel.

This value takes effect only if you have enabled co-host authentication. For details, see FAQ How do I use co-host authentication.

Looking at the 'How do I use co-host token authentication?' page:

  • https://docs.agora.io/en/Interactive%20Broadcast/faq/token_cohost
    • Co-host authentication is the means by which the SDK authenticates whether a user has the privilege to publish streams in a live streaming channel.

    • This function guarantees that only authorized users can publish streams in a channel and prevents illegal users from deliberately disrupting a streaming session.

Before proceeding, ensure that your app meets the following requirements:

  • Uses the Agora RTC SDK v2.1.0 or later.
  • Uses only token-based authentication on all app clients to authenticate users.

This seems to require some code changes to set up properly, but to enable it for your project, you can seemingly do it via the Agora Console, without needing to talk to sales:

  • https://docs.agora.io/en/Interactive%20Broadcast/faq/token_cohost#3-enable-co-host-authentication

Even so, I think this is a pretty insecure and obscure default leading to a security risk. Instead of defaulting to the same privileges as Role_Publisher, I would expect an error to be thrown if I try and use Role_Subscriber when my account doesn't have whatever feature it relies on enabled by sales.

0xdevalias avatar Jun 27 '21 11:06 0xdevalias
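The practical takeaway from the thread is that the token's role only restricts publishing once co-host authentication is enabled, and that the role must be decided on the server. The following is an added example (not code from the issue or from the agora-access-token project) of a token endpoint that derives the role from server-side membership and ignores any role the client asks for; `hostsByChannel`, `channelMembers`, `session.userId` and the placeholder app ID/certificate are constructed assumptions, and the builder is injected so the decision logic runs without the library installed.

```javascript
// Role constants match the values quoted from the Agora docs above:
// Role_Publisher(1), Role_Subscriber(2). Same numbers as RtcRole.PUBLISHER / SUBSCRIBER.
const ROLE_PUBLISHER = 1;
const ROLE_SUBSCRIBER = 2;

// Constructed sample state: who may host, and who may even join, each channel.
// In a real service this comes from your own database, never from the request.
const hostsByChannel = { "demo-channel": new Set(["alice"]) };
const channelMembers = { "demo-channel": new Set(["alice", "bob"]) };

// Decide the RTC role purely from server-side state. The client may send a
// "host"/"audience" hint in its request body, but it is never consulted here.
function chooseRole(channel, userId) {
  const members = channelMembers[channel];
  if (!members || !members.has(userId)) {
    throw new Error(`user ${userId} is not a member of ${channel}`);
  }
  const hosts = hostsByChannel[channel];
  return hosts && hosts.has(userId) ? ROLE_PUBLISHER : ROLE_SUBSCRIBER;
}

// Issue a token for an already-authenticated session. `builder` is expected to
// expose buildTokenWithUid(appId, appCertificate, channel, uid, role, expireTs),
// i.e. require("agora-access-token").RtcTokenBuilder in production.
function issueToken(session, request, builder, now = Math.floor(Date.now() / 1000)) {
  const { channel, uid } = request;            // request.role is deliberately ignored
  const role = chooseRole(channel, session.userId);
  const privilegeExpiredTs = now + 3600;       // short-lived: one hour, absolute Unix time
  const token = builder.buildTokenWithUid(
    process.env.AGORA_APP_ID || "APP_ID_PLACEHOLDER",      // placeholder, set in env
    process.env.AGORA_APP_CERT || "APP_CERT_PLACEHOLDER",  // placeholder, set in env
    channel, uid, role, privilegeExpiredTs);
  return { token, role, privilegeExpiredTs };
}
```

Remember that, as the docs quoted above state, the SUBSCRIBER role in the resulting token only blocks publishing after co-host authentication has been enabled for the project in the Agora Console.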

@0xdevalias We have already fixed the broken page.

sunshinexcode avatar Jul 18 '24 06:07 sunshinexcode

> We have already fixed broken page

@sunshinexcode My comment was from 2021 and I have since well and truly moved on; but glad that you did.

0xdevalias avatar Jul 19 '24 02:07 0xdevalias

@0xdevalias thanks

sunshinexcode avatar Jul 22 '24 02:07 sunshinexcode