We need jwt to make sure no one can hijack peerId

2020-03-28 23:20:37 +01:00 · 2020-03-28 23:20:37 +01:00 · 87d4037562
parent 3043098f0c
commit 87d4037562
4 changed files with 60 additions and 20 deletions
--- a/app/src/RoomClient.js
+++ b/app/src/RoomClient.js
@ -1521,24 +1521,46 @@ export default class RoomClient
 				}));

 			if (this._screenSharingProducer)
+			{
 				this._screenSharingProducer.close();

+				store.dispatch(
+					producerActions.removeProducer(this._screenSharingProducer.id));
+
+				this._screenSharingProducer = null;
+			}
+
 			if (this._webcamProducer)
+			{
 				this._webcamProducer.close();

+				store.dispatch(
+					producerActions.removeProducer(this._webcamProducer.id));
+
+				this._webcamProducer = null;
+			}
+
 			if (this._micProducer)
+			{
 				this._micProducer.close();

-			// Close mediasoup Transports.
+				store.dispatch(
+					producerActions.removeProducer(this._micProducer.id));
+
+				this._micProducer = null;
+			}
+
 			if (this._sendTransport)
 			{
 				this._sendTransport.close();
+
 				this._sendTransport = null;
 			}

 			if (this._recvTransport)
 			{
 				this._recvTransport.close();
+
 				this._recvTransport = null;
 			}

--- a/server/lib/Room.js
+++ b/server/lib/Room.js
@ -3,6 +3,7 @@ const axios = require('axios');
 const Logger = require('./Logger');
 const Lobby = require('./Lobby');
 const { v4: uuidv4 } = require('uuid');
+const jwt = require('jsonwebtoken');
 const userRoles = require('../userRoles');
 const config = require('../config/config');

@ -123,12 +124,27 @@ class Room extends EventEmitter
 		this.emit('close');
 	}

-	handlePeer({ peer, token })
+	verifyPeer({ id, token })
 	{
-		logger.info('handlePeer() [peer:"%s", roles:"%s", token:"%s"]', peer.id, peer.roles, token);
+		try
+		{
+			const decoded = jwt.verify(token, this._uuid);

-		// This peer is returning, reconnect
-		const verifiedPeer = token && token === this._uuid;
+			logger.info('verifyPeer() [decoded:"%o"]', decoded);
+
+			return decoded.id === id;
+		}
+		catch (err)
+		{
+			logger.warn('verifyPeer() | invalid token');
+		}
+
+		return false;
+	}
+
+	handlePeer({ peer, returning })
+	{
+		logger.info('handlePeer() [peer:"%s", roles:"%s", returning:"%s"]', peer.id, peer.roles, returning);

 		// Should not happen
 		if (this._peers[peer.id])
@ -139,7 +155,7 @@ class Room extends EventEmitter
 		}

 		// Returning user
-		if (verifiedPeer)
+		if (returning)
 			this._peerJoining(peer, true);
 		// Always let ADMIN in, even if locked
 		else if (peer.roles.includes(userRoles.ADMIN))
@ -356,7 +372,9 @@ class Room extends EventEmitter
 		}
 		else
 		{
-			peer.socket.handshake.session.token = this._uuid;
+			const token = jwt.sign({ id: peer.id }, this._uuid, { noTimestamp: true });
+
+			peer.socket.handshake.session.token = token;

 			peer.socket.handshake.session.save();

--- a/server/package.json
+++ b/server/package.json
@ -25,6 +25,7 @@
 		"express-socket.io-session": "^1.3.5",
 		"helmet": "^3.21.2",
 		"ims-lti": "^3.0.2",
+		"jsonwebtoken": "^8.5.1",
 		"mediasoup": "^3.5.5",
 		"openid-client": "^3.7.3",
 		"passport": "^0.4.0",
--- a/server/server.js
+++ b/server/server.js
@ -469,21 +469,20 @@ async function runWebSocketServer()
 			const room = await getOrCreateRoom({ roomId });

 			let peer = peers.get(peerId);
+			let returning = false;

-			if (peer)
-			{
-				if (token)
-				{
-					peer.close();
-
-					peer = null;
-				}
-				else
-				{
+			if (peer && !token)
+			{ // Don't allow hijacking sessions
 				socket.disconnect(true);

 				return;
 			}
+			else if (token && room.verifyPeer({ id: peerId, token }))
+			{ // Returning user, remove if old peer exists
+				if (peer)
+					peer.close();
+
+				returning = true;
 			}

 			peer = new Peer({ id: peerId, roomId, socket });
@ -516,7 +515,7 @@ async function runWebSocketServer()
 				}
 			}

-			room.handlePeer({ peer, token });
+			room.handlePeer({ peer, returning });
 		})
 			.catch((error) =>
 			{