We need jwt to make sure no one can hijack peerId

2020-03-28 23:20:37 +01:00 · 2020-03-28 23:20:37 +01:00 · 87d4037562
parent 3043098f0c
commit 87d4037562
4 changed files with 60 additions and 20 deletions
--- a/app/src/RoomClient.js
+++ b/app/src/RoomClient.js
@ -1521,24 +1521,46 @@ export default class RoomClient
 				}));
 			if (this._screenSharingProducer)
 			{
 				this._screenSharingProducer.close();
 				store.dispatch(
 					producerActions.removeProducer(this._screenSharingProducer.id));
 				this._screenSharingProducer = null;
 			}
 			if (this._webcamProducer)
 			{
 				this._webcamProducer.close();
 				store.dispatch(
 					producerActions.removeProducer(this._webcamProducer.id));
 				this._webcamProducer = null;
 			}
 			if (this._micProducer)
 			{
 				this._micProducer.close();
-			// Close mediasoup Transports.
+				store.dispatch(
 					producerActions.removeProducer(this._micProducer.id));
 				this._micProducer = null;
 			}
 			if (this._sendTransport)
 			{
 				this._sendTransport.close();
 				this._sendTransport = null;
 			}
 			if (this._recvTransport)
 			{
 				this._recvTransport.close();
 				this._recvTransport = null;
 			}
--- a/server/lib/Room.js
+++ b/server/lib/Room.js
@ -3,6 +3,7 @@ const axios = require('axios');
 const Logger = require('./Logger');
 const Lobby = require('./Lobby');
 const { v4: uuidv4 } = require('uuid');
 const jwt = require('jsonwebtoken');
 const userRoles = require('../userRoles');
 const config = require('../config/config');
@ -123,12 +124,27 @@ class Room extends EventEmitter
 		this.emit('close');
 	}
-	handlePeer({ peer, token })
+	verifyPeer({ id, token })
 	{
-		logger.info('handlePeer() [peer:"%s", roles:"%s", token:"%s"]', peer.id, peer.roles, token);
+		try
 		{
 			const decoded = jwt.verify(token, this._uuid);
-		// This peer is returning, reconnect
+			logger.info('verifyPeer() [decoded:"%o"]', decoded);
-		const verifiedPeer = token && token === this._uuid;
+
 			return decoded.id === id;
 		}
 		catch (err)
 		{
 			logger.warn('verifyPeer() | invalid token');
 		}
 		return false;
 	}
 	handlePeer({ peer, returning })
 	{
 		logger.info('handlePeer() [peer:"%s", roles:"%s", returning:"%s"]', peer.id, peer.roles, returning);
 		// Should not happen
 		if (this._peers[peer.id])
@ -139,7 +155,7 @@ class Room extends EventEmitter
 		}
 		// Returning user
-		if (verifiedPeer)
+		if (returning)
 			this._peerJoining(peer, true);
 		// Always let ADMIN in, even if locked
 		else if (peer.roles.includes(userRoles.ADMIN))
@ -356,7 +372,9 @@ class Room extends EventEmitter
 		}
 		else
 		{
-			peer.socket.handshake.session.token = this._uuid;
+			const token = jwt.sign({ id: peer.id }, this._uuid, { noTimestamp: true });
 			peer.socket.handshake.session.token = token;
 			peer.socket.handshake.session.save();
--- a/server/package.json
+++ b/server/package.json
@ -25,6 +25,7 @@
 		"express-socket.io-session": "^1.3.5",
 		"helmet": "^3.21.2",
 		"ims-lti": "^3.0.2",
 		"jsonwebtoken": "^8.5.1",
 		"mediasoup": "^3.5.5",
 		"openid-client": "^3.7.3",
 		"passport": "^0.4.0",
--- a/server/server.js
+++ b/server/server.js
@ -469,21 +469,20 @@ async function runWebSocketServer()
 			const room = await getOrCreateRoom({ roomId });
 			let peer = peers.get(peerId);
 			let returning = false;
-			if (peer)
+			if (peer && !token)
-			{
+			{ // Don't allow hijacking sessions
 				if (token)
 				{
 					peer.close();
 					peer = null;
 				}
 				else
 				{
 				socket.disconnect(true);
 				return;
 			}
 			else if (token && room.verifyPeer({ id: peerId, token }))
 			{ // Returning user, remove if old peer exists
 				if (peer)
 					peer.close();
 				returning = true;
 			}
 			peer = new Peer({ id: peerId, roomId, socket });
@ -516,7 +515,7 @@ async function runWebSocketServer()
 				}
 			}
-			room.handlePeer({ peer, token });
+			room.handlePeer({ peer, returning });
 		})
 			.catch((error) =>
 			{