miroslavpejic85 / mirotalk

🚀 WebRTC - P2P - Simple, Secure, Fast Real-Time Video Conferences Up to 4k and 60fps, compatible with all browsers and platforms.
https://p2p.mirotalk.com
GNU Affero General Public License v3.0
2.59k stars 502 forks

Add one-time token authentication for guests #209

Closed tphlru closed 3 months ago

tphlru commented 3 months ago

Feature request

I'd like to be able to set one-time authorization "tokens" instead of (or together with) login and password. This could be useful for people who organize conferences with different, new people (guests) every time and do not want to give them a username and password for security reasons (such as everyone using my server for free, without authorization, for their own purposes).

These tokens can be made mandatory for the whole system and for all rooms (if it is activated in the settings).

For each new room - a different token, however, fixed for the room. (So that you can leave the room and come back with the same token.) I propose forming the room token as a hash (SHA-256 or SipHash-2-4, for example) of the room name and the current date. For example, for room "mickeymouse" and date 04.02.2024 (mickeymouse04022024), the hash would be:

7b5695aad4f62cc60e0fbc69f8f9e79b0902716911ce81da0ef8739bacd63def
or SipHash-2-4:
2ecedd1ae7198f49.

This authorization method will be valid for 1 day. It may make sense to include other temporary information in the hash to avoid deactivation at midnight.

Also, I think you should provide this as an additional GET parameter for the link for convenience.

In summary, the algorithm is as follows:

  1. The owner creates a room and logs into it with a known personal login and password.
  2. Copies a link to the conference with the token embedded in it.
  3. Sends the link with the token to the "guest".
  4. The owner can leave the room and re-enter as many times as he/she wants.
  5. A conference is going on, everyone enters the room through the token link.
     5.1 The system generates a hash of the room as soon as someone tries to enter it (by name and date).
     5.2 The system compares the provided and generated hash.
  6. After the conference, "guests" cannot log in with the same link and use it for "malicious" purposes.

I've explained the general principle, but other improvements are possible, such as including a more specific time in the token so that you can only log in to the conference at the stated time.

Pros

This could be useful for people who organize conferences with different, new people (guests) every time and do not want to give them a username and password for security reasons (such as everyone using my server for free, without authorization, for their own purposes).

Also, it's better than a system with passwords since the access token is only valid for one room and groups of people won't interfere with each other accidentally.

Using tokens with the specified time can improve the methods of organizing conferences without the need to use admin panels and control systems.

Additional context

I sincerely admire your work! As a programmer, I understand very well how difficult it is to realize such a project. You have perfectly done the basic functions of large applications like Zoom or Zoho Meetings. Thank you for that!

I hope you understand my idea, and you will be able to implement it.

If you have any questions about my proposal, I will be happy to answer them. Unfortunately, I don't have time right now to dive into the program code and prepare a pull request, but I will be glad to help with the code if it is required. Please forgive me for possible mistakes and inaccuracies in the text, I am still learning English.

miroslavpejic85 commented 3 months ago

Hey @tphlru!

I completely understand your perspective. I had already been considering ways to enhance host protection and user authentication, particularly through jsonwebtoken, used in MiroTalk WEB as well!

> I sincerely admire your work! As a programmer, I understand very well how difficult it is to realize such a project. You have perfectly done the basic functions of large applications like Zoom or Zoho Meetings. Thank you for that!

Thanks a bunch! ❤️ For a Zoom alternative, consider MiroTalk SFU for more suitable options, ideal for large group video conferences.

Please join us in the conversation on the MiroTalk Discord forum. It's a great platform where we can collectively explore ideas and suggestions. We have a dedicated channel, allowing us to engage without cluttering the open issue space here.

Looking forward to seeing you on our Discord forum!

Thank you!

miroslavpejic85 commented 3 months ago

To achieve this task:

Step 1: Update .env File

Update the .env file with the following parameters for JWT token configuration:

```bash
# JWT token config
JWT_KEY=mirotalk_jwt_secret
JWT_EXP=1h
```

Step 2: Configure Host User Authentication

Set up host user authentication by modifying the .env file as follows:

```bash
HOST_USER_AUTH=true # Set to true to enable user authentication
HOST_USERS='[{"username": "globalUsername", "password": "globalPassword"}]' # Add global valid credentials
```

Step 3: Create Meeting Endpoint

Call the API to create an endpoint for the meeting. You can specify the expiration time for the token (default is 1 hour) using the following commands:

For presenter/s:

```bash
curl -X POST "https://p2p.mirotalk.com/api/v1/join" \
-H "authorization: mirotalk_default_secret" \
-H "Content-Type: application/json" \
--data '{"room":"test","name":"presenter","audio":"true","video":"true","screen":"false","hide":"false","notify":"true","token":{"username":"globalUsername","password":"globalPassword","presenter":"true", "expire":"1d"}}'
```

The response will provide a valid entrypoint URL for the meeting, which you can customize and share with the room presenters.

For guest/s:

```bash
curl -X POST "https://p2p.mirotalk.com/api/v1/join" \
-H "authorization: mirotalk_default_secret" \
-H "Content-Type: application/json" \
--data '{"room":"test","name":"guest","audio":"true","video":"true","screen":"false","hide":"false","notify":"true","token":{"username":"globalUsername","password":"globalPassword","presenter":"false", "expire":"1d"}}'
```

Step 4: Retrieve Meeting Endpoint

The response will provide a valid entrypoint URL for the meeting, which you can customize and share with your participants.

> [!NOTE]
> Upon token expiration, users can seamlessly join the meeting without the need for re-authentication. Alternatively, if a token expires, you have the option to generate a new one directly using the API, ensuring uninterrupted access for participants. This allows for a smooth user experience, eliminating the hassle of repeated login procedures and facilitating uninterrupted meeting participation.

With the open-source flexibility, you can customize JSON Web Tokens (JWTs) to fit your needs. This includes storing data and managing logic on the server side. This approach allows for tailored authentication and authorization, boosting security and functionality to match your requirements precisely.

Documentation
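
The first comment derives the room token from an unkeyed hash of room name and date, which anyone who knows the room name can recompute; the JWT setup in the last comment instead signs the claims with a server-side key. The code below is an added example, not MiroTalk's code and not from either commenter: it builds an HS256 token with Node's `crypto` module to show room binding, expiry and tamper rejection. The function names `unkeyedRoomHash`, `issueToken`, `verifyToken` and the claim layout (`room`, `presenter`, `exp`) are assumptions made for illustration.

```javascript
// Added example, not MiroTalk code. All names here are hypothetical.
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// The proposal's scheme: unkeyed hash of room name + date (e.g. "mickeymouse04022024").
// No secret goes in, so anyone who knows the room name can compute it.
function unkeyedRoomHash(room, ddmmyyyy) {
  return crypto.createHash('sha256').update(room + ddmmyyyy).digest('hex');
}

// Keyed alternative: claims signed with a server-side secret, in JWT (HS256) format.
function issueToken(key, { room, presenter }, ttlSeconds, now = Date.now()) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64u(JSON.stringify({ room, presenter, exp }));
  return `${header}.${payload}.${b64u(hmac(key, `${header}.${payload}`))}`;
}

// Returns the claims, or null when the token must be rejected.
function verifyToken(key, token, room, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = hmac(key, `${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch {
    return null;
  }
  if (head?.alg !== 'HS256') return null; // pin the algorithm
  if (typeof claims?.exp !== 'number' || now / 1000 >= claims.exp) return null; // expired
  if (claims.room !== room) return null; // valid for the named room only
  return claims;
}

// Constructed sample values: a random key and a fixed clock so the run is repeatable.
const KEY = crypto.randomBytes(32).toString('hex');
const T0 = Date.UTC(2024, 1, 4, 12, 0, 0);
const guest = issueToken(KEY, { room: 'mickeymouse', presenter: false }, 3600, T0);
console.log(verifyToken(KEY, guest, 'mickeymouse', T0 + 60_000));
console.log(verifyToken(KEY, guest, 'mickeymouse', T0 + 3_600_000)); // null (expired)
```

Because the expiry travels inside the signed claims, the token lapses a fixed time after issue rather than at midnight, and a guest cannot change `presenter` or `room` without invalidating the signature.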