Add JWT authorization support to Rocket.Chat.ReactNative clients. #1356

Closed
ankar84 opened this issue Nov 1, 2019 · 23 comments · Fixed by #1746

Comments

@ankar84
Contributor

ankar84 commented Nov 1, 2019

  • Your Rocket.Chat Experimental app version: 4.0.2.2087
  • Your Rocket.Chat server version: 2.1.0
  • Device (or Simulator) you're running with: Xiaomi Redmi Note 4x

After implementing [NEW] Jitsi meet room access via a token #12259 we can successfully connect securely from Windows desktop clients to Jitsi calls. A user with the meet link but without a valid JWT token cannot connect to the Jitsi Meet call. That user gets a logon form that does not accept any data.
But with JWT authentication turned on we have a problem with the Rocket.Chat mobile applications (Rocket.Chat React Native).
It seems the mobile app does not send the JWT token to Jitsi, and while connecting to a Jitsi Meet call the mobile client user gets the same logon\password form, which does not accept any data.
In the Jitsi logs we see at that moment:

Oct 08 13:58:01 general warn Error verifying token err:not-allowed, reason: token required

So, please add JWT authorization support to Rocket.Chat.ReactNative clients.
Thanks!

@ar1em

ar1em commented Nov 4, 2019

Hi, I have the same problem with iOS app.

Your Rocket.Chat Experimental app version: 1.20.1.12049
Your Rocket.Chat server version: 2.2.0
Device (or Simulator) you're running with: iPhone 7+

I have already sent an issue to the old app (RocketChat/Rocket.Chat.iOS#2780).
Will this improvement be implemented only in the new (React) version, or will the old app be updated too?

@reetp

reetp commented Nov 11, 2019

> Will this improvement be implemented only in the new (React) version, or will the old app be updated too?

In a word, yes.

The old apps will never have this and are not being updated - see https://rocket.chat/2019/10/11/moving-mobile-apps-to-react/

It will be done when it is done. Of course your PRs with your code to assist are welcome, or you can contribute via:

https://github.com/RocketChat/Rocket.Chat#donate
https://www.bountysource.com/teams/rocketchat

Otherwise you will have to wait patiently and hope that the devs add this.

@ankar84
Contributor Author

ankar84 commented Dec 11, 2019

A little update on that issue.
With Jitsi Meet configuration we made it possible for Rocket.Chat.ReactNative clients to connect to an already created call. One restriction in that case is that you can't start a call from Rocket.Chat.ReactNative clients, but only join a started call.
Here is an important part of the /jitsi/prosody/conf.d/jitsi-meet.cfg.lua config file for that case:

VirtualHost "guest.meet.jitsi"
    authentication = "token"
    app_id = "some_id"
    app_secret = "some_secret"
    allow_empty_token = true

    c2s_require_encryption = false

I think the main thing here is the option allow_empty_token = true, which gives Rocket.Chat.ReactNative clients the ability to connect with JWT authorization enabled.
We set app_id and app_secret the same as in the VirtualHost "meet.jitsi" part of the config.
Also, in that case a user with the meet link but without a valid JWT token can connect to the Jitsi Meet call. As a guest, I think. And Rocket.Chat.ReactNative clients do the same.

@JohnLukeP

Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guests to join and, worse, to create rooms. Basically people from the app (who supposedly have the token) and guests are treated in the same way.
I think this should be fixed on the rocketchat app side, which is not correctly sending the token.
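
A simplified model of the token check discussed in this thread, added here as an example (not code from the issue, Rocket.Chat or Prosody): it shows why a client that sends no token gets the logged `token required` rejection, and what `allow_empty_token = true` changes on a virtual host. `make_token`, `check_token` and every reason string other than `token required` are illustrative assumptions, as is reducing validation to signature, issuer and expiry.

```python
import base64, hashlib, hmac, json, time

APP_ID = "some_id"            # placeholder from the thread's config
APP_SECRET = b"some_secret"   # placeholder from the thread's config

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, secret: bytes = APP_SECRET) -> str:
    """Build an HS256 JWT, as a token-aware client would present it."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64(_sign(signing_input, secret))}"

def check_token(token, allow_empty_token, now=None):
    """Return (accepted, error, reason) for one token-authenticated host."""
    if not token:
        if allow_empty_token:
            # No identity was proven: the caller is indistinguishable from a guest.
            return (True, None, "no token, accepted as anonymous")
        return (False, "not-allowed", "token required")  # the logged rejection
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return (False, "not-allowed", "malformed token")
    if header.get("alg") != "HS256":          # refuse "none" and other algorithms
        return (False, "not-allowed", "unsupported algorithm")
    if not hmac.compare_digest(_sign(f"{head}.{body}", APP_SECRET), given):
        return (False, "not-allowed", "bad signature")
    if claims.get("iss") != APP_ID:
        return (False, "not-allowed", "unknown issuer")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return (False, "not-allowed", "token expired")
    return (True, None, "authenticated")
```

The empty-token branch is the only place the two settings differ: a host with `allow_empty_token = true` accepts a caller without learning who it is, so anything that host permits is permitted to anyone holding the link.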

@ankar84
Contributor Author

ankar84 commented Dec 22, 2019

> Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guests to join and, worse, to create rooms. Basically people from the app (who supposedly have the token) and guests are treated in the same way.
> I think this should be fixed on the rocketchat app side, which is not correctly sending the token.

It is not quite true. As I said, with the virtual host guest.meet.jitsi all is fine. It is all in my post, read carefully.

@JohnLukeP

> > Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guests to join and, worse, to create rooms. Basically people from the app (who supposedly have the token) and guests are treated in the same way.
> > I think this should be fixed on the rocketchat app side, which is not correctly sending the token.
>
> It is not quite true. As I said, with the virtual host guest.meet.jitsi all is fine. It is all in my post, read carefully.

Thanks, you're right, my mistake. I have only one question about this: since we're configuring different virtual hosts (e.g. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (e.g. meet.jitsi/RoomName). Do we have to change the link (e.g. to guest.meet.jitsi/RoomName) before sharing it with guests?

@ankar84
Contributor Author

ankar84 commented Dec 23, 2019

> I have only one question about this: since we're configuring different virtual hosts (e.g. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (e.g. meet.jitsi/RoomName). Do we have to change the link (e.g. to guest.meet.jitsi/RoomName) before sharing it with guests?

We did not change any Rocket.Chat links. Just enabled allow_empty_token = true in the guest.meet.jitsi virtualhost.
Now I see only one restriction - a mobile user can't create a new videoconference (actually a guest can't do that, which is good for us).
And the advantage of that option for us is that mobile users can now join already started video calls (as guests, I think) and any external (not Rocket.Chat) user can join a video call by clicking a secret link.
If JWT authorization is added to the ReactNative client, any mobile user will be able to start a video call.

@JohnLukeP

JohnLukeP commented Jan 7, 2020

> > I have only one question about this: since we're configuring different virtual hosts (e.g. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (e.g. meet.jitsi/RoomName). Do we have to change the link (e.g. to guest.meet.jitsi/RoomName) before sharing it with guests?
>
> We did not change any Rocket.Chat links. Just enabled allow_empty_token = true in the guest.meet.jitsi virtualhost.
> Now I see only one restriction - a mobile user can't create a new videoconference (actually a guest can't do that, which is good for us).
> And the advantage of that option for us is that mobile users can now join already started video calls (as guests, I think) and any external (not Rocket.Chat) user can join a video call by clicking a secret link.
> If JWT authorization is added to the ReactNative client, any mobile user will be able to start a video call.

Thanks for your reply, I also replicated your configuration in my environment.
I added, in
/etc/prosody/conf.avail/video.xxxxx.it.cfg.lua (which contains the main virtualhost etc.)

the guest virtualhost:

VirtualHost "guest.video.xxxxx.it"
    authentication = "token"
    app_id = "some_app_id"
    app_secret = "some_app_secret"
    allow_empty_token = true
    c2s_require_encryption = false

using the same app_id and app_secret as the authenticated host. I also added, inside the config file:
/etc/jitsi/meet/videoxxxxx.it-config.js

the parameter for the guest domain:
domain: 'video.xxxxx.it', (already there)
anonymousdomain: 'guest.video.xxxxx.it' (newly added)

It works, but now every anonymous user can create rooms and get moderator rights.
Have you configured something more elsewhere?

@djorkaeffalexandre
Collaborator

Hey @ankar84, can you reach me on https://open.rocket.chat?
My username on there is djorkaeff.alexandre.
I'll implement this soon.

@ankar84
Contributor Author

ankar84 commented Feb 18, 2020

I tested #1746 in my environment and can tell that it works great.
I tested creation of video call from mobile from:

  • DM
  • Private Chat
  • Discussion

And all tests were successful!
So, @djorkaeffalexandre great job!
@diegolmello I will wait for that functionality in the new release. And I'm pretty sure @JohnLukeP will!
Thank you for your great job!

@ankar84
Contributor Author

ankar84 commented Apr 2, 2020

@djorkaeffalexandre
Almost all fine, but not all.
Today I found that if you start a video call from the user profile, JWT authorization will not happen.
[image]
Alexandre, please fix it.

@djorkaeffalexandre
Collaborator

@ankar84 can you open an issue about that? This is weird because we call the same function of the call on RoomActions View.
Can you describe how you navigate to RoomInfo View?
Clicking on some mention or from RoomActions?

@ankar84
Contributor Author

ankar84 commented Apr 2, 2020

> Can you describe how you navigate to RoomInfo View?

In any chat, tap on a username - you get the User Info of that user
Tap Video call - get an error
[image: videoerror]

@ankar84
Contributor Author

ankar84 commented Apr 7, 2020

@djorkaeffalexandre 4.6.1 still has that bug, checked a moment ago.

@djorkaeffalexandre
Collaborator

@ankar84 I'm doing some refactoring on the RoomInfo view to implement livechat Info and Actions, I'll take a moment to check if it was fixed with this refactor!
Thanks and best regards.

@gr0ebi

gr0ebi commented May 18, 2020

This is still a problem, just updated to 3.2.2 and the newest Android app (4.6.4.2118).
If I start a DM video call on my web interface, others can connect with their Android app,
so JWT isn't working for starting video calls in the app.

@djorkaeffalexandre
Collaborator

Hey @gr0ebi, can you please test our latest beta? v4.7. It seems to be fixed.
The instructions to join our beta programs are on our README.
Thanks.

@gr0ebi

gr0ebi commented May 18, 2020

@djorkaeffalexandre thanks a lot for your fast reply, I will check when I'm at home!

@gr0ebi

gr0ebi commented May 18, 2020

@djorkaeffalexandre
4.7 RC App starting jitsi with JWT works great!
I tested from my phone to other clients that still have 4.6.
Since I start the Jitsi session and authorize with JWT, all others can join, at least anonymously (we have anon users allowed after someone auths).
So am I right that the next official release will be 4.7 or should I upgrade my clients to the beta?

@djorkaeffalexandre
Collaborator

djorkaeffalexandre commented May 18, 2020

@gr0ebi I'm happy to hear this. :)
Yes, the next official release will be 4.7! You can wait for this if it's not a problem for you.

@ankar84
Contributor Author

ankar84 commented May 18, 2020

> 4.7 RC App starting jitsi with JWT works great!

I don't know, but for me Jitsi with JWT authorization has worked since early 4.6 and works great, thanks to @djorkaeffalexandre
And 4.7 has an updated Jitsi SDK thanks to @diegolmello

@diegolmello
Member

@gr0ebi If you can wait, we're going to release 4.7 officially next week.

@gr0ebi

gr0ebi commented May 18, 2020

@ankar84 I have the exact same issue as u showed in your GIF
@diegolmello thanks a lot, I'm gonna wait 👍
