jitsi-openid icon indicating copy to clipboard operation
jitsi-openid copied to clipboard
verified publisher icon MarcelCoding

`room` claim is always set to `*`

Open micolous opened this issue 1 year ago • 0 comments

jitsi-openid always creates a JWT with a room claim set to *:

https://github.com/MarcelCoding/jitsi-openid/blob/eb7b9d74ca93da85660ea387aadb4da6d3b2e0d7/src/routes.rs#L156

The room is saved to the session, and is used in that same handler to construct a final URL to send to Jitsi Meet:

https://github.com/MarcelCoding/jitsi-openid/blob/eb7b9d74ca93da85660ea387aadb4da6d3b2e0d7/src/routes.rs#L165

Also, the room session attribute itself is set from an external input:

https://github.com/MarcelCoding/jitsi-openid/blob/eb7b9d74ca93da85660ea387aadb4da6d3b2e0d7/src/routes.rs#L36-L40

This should reject setting it to *.

Properly scoping the JWT means you could also run the token_no_wildcard contrib plugin, so that Jitsi Meet any rejects token containing wildcards in the sub or room parameters, which could limit the scope of another security issue.

micolous avatar Oct 11 '24 00:10 micolous