miroslavpejic85 / mirotalksfu

🏆 WebRTC - SFU - Simple, Secure, Scalable Real-Time Video Conferences Up to 8k, compatible with all browsers and platforms.
https://sfu.mirotalk.com
GNU Affero General Public License v3.0

Token allowing entry even after expiry #149

Closed. arladmin closed this 8 months ago

arladmin commented 8 months ago

Bug Report

Describe the bug

The token generated by the Token Endpoint is authenticating users even after its expiry!

To reproduce

Steps to reproduce the behavior:

  1. Generate a token using the above endpoint with an 'expire' value of, say '1m'.
  2. Wait for a minute.
  3. Use the returned token to join a room using the Direct Join endpoint [also set the roomPassword body parameter equal to true].
  4. The user should not be able to enter the room but is able to!

Expected behavior

Authentication should fail.

miroslavpejic85 commented 8 months ago

Hello @arladmin;

Not a Bug :)

The token serves to bypass user or presenter login when host protection or user authentication is enabled in the config.js file. If these settings are set to false by default, the token is unnecessary and remains unchecked.

// Configuration settings for host protection and user authentication
host: {
    /*
        Host Protection (default: false)
        Enhance host security by enabling host protection. When enabled, user authentication is required.
        Provide valid usernames and passwords in the users array or retrieve active users from a database
        using the users_api_endpoint for validation.
    */
    protected: true, // If set to true, host protection is on and tokens will be checked for direct joins
    user_auth: true, // If set to true, user authentication is required and tokens will be checked for direct joins

    // Additional configuration options...
}

During our testing phase, we observed that the token is appropriately handled when host protection or user authentication is enabled, as demonstrated.

[screenshot: mirotalksfu-direct-join-token]

Please, join us on our Community forum on Discord here. If something is unclear, feel free to ask questions instead of opening an issue here, as this platform is primarily for confirmed bugs.

Thank you for your collaboration.

arladmin commented 8 months ago

@miroslavpejic85

I do already have this set:

host: {
    protected: true,
    user_auth: true,
}

In which case, this would actually be a bug, right?

miroslavpejic85 commented 8 months ago

Kindly ensure that MiroTalk SFU is updated to the latest version.

Did you utilize the same code base as provided in this repository?

However, I have encountered difficulty reproducing the issue as described.

[screenshot: mirotalk-sfu-token-expired]

miroslavpejic85 commented 8 months ago

I'm planning to close this for now. If anyone else runs into the same issue with our official source code, feel free to let me know, and I'll be more than happy to reopen it! Your feedback is always valued. Thanks a bunch! 😊