humhub-contrib / jitsi-meet


Add JWT token authentication #7

Closed edmw closed 4 years ago

edmw commented 4 years ago

Hi,

this adds JWT token authentication to the module. An administrator can specify an application id and secret shared with the configured Jitsi server, which will be used to generate a JWT token specific to a user joining a room.

edmw commented 4 years ago

Ok, found a big issue: The route to /conference/ is unprotected at the moment. While the generation of the JWT token is done in actionOpen, any unauthenticated call to this route creates a valid token which can be used to join a room.

I see two options to resolve this:

  1. move the generation of the JWT token into actionIndex
  2. protect all routes in RoomController including actionOpen

Note: I'm no expert in Yii2 nor Humhub, so any help would be appreciated.

PS: Is there a reason why only the route to actionIndex is protected with login?

edmw commented 4 years ago

Did two things with the latest commit:

  1. Added access level "login" to all routes of the room controller (as mentioned before, I'm not sure if this is without side-effects -- works for me).
  2. JWT token will be an empty string if generated with guest access.

Additionally fixed a typo which caused the jwt to not contain the email address.

luke- commented 4 years ago

This is really a great contribution.

Previously, it was possible for not registered users to participate by simply following the url. Is that still possible? If not, maybe we want to offer an option for this behaviour?

edmw commented 4 years ago

Oh, you're right. This won't be possible anymore. Even if using an open Jitsi server a visitor of the url will be required to login. We could remove the access level again, but then in the case of JWT token authentication using the url will simply fail because of my second code change.

luke- commented 4 years ago

In case of enabled JWT you can add something like this to the action:

```php
// JWT is enabled when an app id is configured: send guests to the login page.
if (Yii::$app->user->isGuest && !empty($this->module->getSettingsForm()->jitsiAppID)) {
    return Yii::$app->user->loginRequired();
}
```

But without JWT I would keep the way it is, so that guests can simply join.

How does it work with Jitsi with JWT & guests? Is guest access still possible like LDAP or Internal Auth?

A future dream solution regarding the guests topic could be a "random" share link and a simple form to enter a name which then generates a JWT token (even if the user is unauthenticated in HumHub).

But the current solution is great, except that guests without JWT should be able to participate.

edmw commented 4 years ago

Unfortunately, Prosody (conference backend of Jitsi) supports one authentication method at a time only. It's not possible to enable JWT authentication while keeping the possibility to login via LDAP or internal auth (this was my goal for my private Humhub/Jitsi installation).

My latest commit added your suggestion. Now, sharing the url should be possible when using an open Jitsi server without any limitations. When using JWT token auth, any visitor will be required to login.
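
The token behaviour this thread settles on (a per-user token signed with the application id and shared secret, and an empty string for guests), as an added example that is not code from the pull request or the module. The function names, the claim set (`iss`, `aud`, `sub`, `room`, `exp`, `context.user`), the `aud` value and all sample values are assumptions.

```php
<?php
// Added illustration: names are hypothetical, sample values are constructed.
function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Returns a signed HS256 token for a logged-in user, '' for a guest ($user === null).
function mintRoomToken(?array $user, string $appId, string $secret, string $domain, string $room, int $ttl = 300): string
{
    if ($user === null || $appId === '' || $secret === '') {
        return ''; // never sign anything for an unauthenticated caller
    }
    $claims = [
        'iss'  => $appId,         // application id shared with the Jitsi server
        'aud'  => 'jitsi',        // assumed audience value
        'sub'  => $domain,        // assumed: the Jitsi domain
        'room' => $room,          // bind the token to one room
        'exp'  => time() + $ttl,  // short lifetime limits replay of a leaked token
        'context' => ['user' => ['name' => $user['name'], 'email' => $user['email']]],
    ];
    $input = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
        . '.' . base64UrlEncode(json_encode($claims));
    return $input . '.' . base64UrlEncode(hash_hmac('sha256', $input, $secret, true));
}

// Receiving side of the same check: signature first, then expiry and room.
function verifyRoomToken(string $token, string $secret, string $room): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false; // also rejects the empty guest token
    }
    [$head, $body, $sig] = $parts;
    $expected = base64UrlEncode(hash_hmac('sha256', "$head.$body", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    return is_array($claims) && ($claims['exp'] ?? 0) > time() && ($claims['room'] ?? '') === $room;
}

$secret = 'constructed-sample-secret';
$member = ['name' => 'Alice', 'email' => 'alice@example.org'];
$token = mintRoomToken($member, 'example_app_id', $secret, 'meet.example.org', 'standup');
var_dump(verifyRoomToken($token, $secret, 'standup'));        // member token, own room
var_dump(verifyRoomToken($token, $secret, 'other-room'));     // same token, different room
var_dump(verifyRoomToken($token, 'wrong-secret', 'standup')); // signature mismatch
var_dump(mintRoomToken(null, 'example_app_id', $secret, 'meet.example.org', 'standup')); // guest
```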

luke- commented 4 years ago

Ok great, then I will prepare a new release with your changes later.