matrix-org / prosody-mod-auth-matrix-user-verification

Matrix user verification auth for Prosody
Apache License 2.0

User auth service mandating user signs JWT token with the string 'notused' #20

Open RhysRdm opened 1 year ago

RhysRdm commented 1 year ago

The auth service module has recently added code that means a user must have a signed JWT. The problem is that the user auth service always passes in the key 'notused' when trying to verify a signed token. Please see the code below, from line 178 of the module:

    if jwt.decode == nil then
        data, msg = jwt.verify(session.auth_token, "HS256", "notused");
    else

The key should be taken from the prosody cfg file or an environment variable.

The current workaround is to sign the JWT with 'notused'.

Steps to recreate:

  1. Create a Matrix user auth JWT
  2. Sign the JWT with a given string
  3. Set your 'app_secret' config to the given string
  4. Connect to your Jitsi server with room and JWT

warrenbailey commented 1 year ago

Also, the algorithm should be taken from the JWT token itself rather than hard-coded to "HS256", as JWT supports multiple algorithms.
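The two points raised in this thread, the verification secret and the accepted algorithm, are illustrated below with an added example that is not part of the module's code or of either comment. It verifies an HS256 JWT with Python's standard library only: the shared secret is read from the 'app_secret' config entry (with an environment variable fallback whose name, MATRIX_AUTH_APP_SECRET, is an assumption for this example), and the accepted algorithm is fixed on the server side rather than read from the token header, so a token claiming "none" or another algorithm is rejected before the key is used. The sample secret, claims and tokens are constructed for the demo.

```python
"""Verify an HS256 JWT with a configured secret and a pinned algorithm (added example)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips from base64url segments.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def load_app_secret(config: dict) -> str:
    """Take the shared secret from the 'app_secret' config entry, falling back to
    an environment variable (MATRIX_AUTH_APP_SECRET is an assumed name)."""
    secret = config.get("app_secret") or os.environ.get("MATRIX_AUTH_APP_SECRET")
    if not secret:
        raise RuntimeError("app_secret is not configured")
    return secret


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Verify a JWT against a server-side secret with the algorithm pinned to HS256.

    The header's "alg" is checked against the configured value, never used to
    choose the verification method. Returns the claims or raises ValueError.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the MAC the client sent with the one we computed.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Constructed scenario: secret from config, three tokens, three outcomes."""
    config = {"app_secret": "s3cret-from-prosody-cfg"}  # constructed sample value
    secret = load_app_secret(config)
    claims = {"sub": "@alice:example.org", "room": "lobby", "exp": 2_000_000_000}
    good = sign_hs256(claims, secret)
    # Token signed with the literal the issue describes instead of the real secret.
    wrong_key = sign_hs256(claims, "notused")
    # Token whose header claims "none": must be refused before any key is consulted.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    alg_none = f"{none_header}.{good.split('.')[1]}."
    results = {}
    for name, tok in (("good", good), ("wrong_key", wrong_key), ("alg_none", alg_none)):
        try:
            verify_hs256(tok, secret, now=1_700_000_000)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Pinning the algorithm in the verifier and reading the secret from configuration means a token signed with the wrong key, or carrying a header that tries to switch the algorithm, is rejected with a specific error, while a token signed with the configured secret is accepted.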