Add JWT authorization support to Rocket.Chat.ReactNative clients.

[ankar84]

• Your Rocket.Chat Experimental app version: 4.0.2.2087
• Your Rocket.Chat server version: 2.1.0
• Device (or Simulator) you're running with: Xiaomi Redmi Note 4x
  After implementing [NEW] Jitsi meet room access via a token #12259 we can successfully connect securly from Windows desktop clients to Jitsi calls. User with meet link but without valid JWT-token cannot connect to Jitsi Meet call. That user get logon form, that do not accept any data.
  But with JWT authentication turned on we have a problem with Rocket.Chat mobile applications (Rocket.Chat React Native).
  It seems like mobile app do not send JWT token to Jitsi and while connecting to Jitsi Meet call mobile client user get the same logon\password form, that do not accept any data.
  In Jitsi logs we see in that moment:

Oct 08 13:58:01 general warn Error verifying token err:not-allowed, reason: token required

So, please add JWT authorization support to Rocket.Chat.ReactNative clients.
Thanks!

[ar1em]

Hi, I have the same problem with iOS app.

Your Rocket.Chat Experimental app version: 1.20.1.12049
Your Rocket.Chat server version: 2.2.0
Device (or Simulator) you're running with: IPhone 7+

I am already sent an issue to the old app (RocketChat/Rocket.Chat.iOS#2780).
Will, this improvement be implemented only in the new (React) version or the old app will be updated either?

[reetp]

Will, this improvement be implemented only in the new (React) version or the old app will be updated either?

In a word, yes.

The old apps will never have this and are not being updated - see https://rocket.chat/2019/10/11/moving-mobile-apps-to-react/

It will be done when it is done. Of course your PRs with your code to assist are welcome, or you can contribute via:

https://github.com/RocketChat/Rocket.Chat#donate
https://www.bountysource.com/teams/rocketchat

Otherwise you will have to wait patiently and hope that the devs add this.

[ankar84]

Little update on that issue.
With Jitsi Meet configuration we made it possible to Rocket.Chat.ReactNative Clients to connect to already created call. One restriction in that case is you can't start call from Rocket.Chat.ReactNative Clients, but only join to started call.
Here is an important part of /jitsi/prosody/conf.d/jitsi-meet.cfg.lua config file for that case:

VirtualHost "guest.meet.jitsi"
authentication = "token"
app_id = "some_id"
app_secret = "some_secret"
allow_empty_token = true

c2s_require_encryption = false

I think main thing here is option allow_empty_token = true which gives Rocket.Chat.ReactNative Clients ability to connect with JWT authorization enabled.
app_id and app_secret we set same as in VirtualHost "meet.jitsi" part of config.
And also in that case user with meet link but without valid JWT-token can connect to Jitsi Meet call. As guest I think. And Rocket.Chat.ReactNative Clients do the same.

[JohnLukeP]

Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guest to join and, worse, creating rooms. Basically people from the App (which supposedly have the token) and guests are treated in the same way.
I think this should be fixed on the rocketchat app side which is not correctly sending the token.

[ankar84]

Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guest to join and, worse, creating rooms. Basically people from the App (which supposedly have the token) and guests are treated in the same way.
I think this should be fixed on the rocketchat app side which is not correctly sending the token.

It is not quite true. As I said with virtual host guest.meet.jitsi all fine. All in my post, read carefully.

[JohnLukeP]

Setting allow_empty_token = true on Jitsi will have the drawback of allowing unauthenticated guest to join and, worse, creating rooms. Basically people from the App (which supposedly have the token) and guests are treated in the same way.
I think this should be fixed on the rocketchat app side which is not correctly sending the token.

It is not quite true. As I said with virtual host guest.meet.jitsi all fine. All in my post, read carefully.

Thanks, you're right, my mistake. I have only a question about this: since we're configuring different virtual hosts (eg. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (eg. meet.jitsi/RoomName) do we have to change the link (eg. to guest.meet.jitsi/RoomName) before sharing it with guests?

[ankar84]

I have only a question about this: since we're configuring different virtual hosts (eg. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (eg. meet.jitsi/RoomName) do we have to change the link (eg. to guest.meet.jitsi/RoomName) before sharing it with guests?

We did not changed any Rocket.Chat links. Just enabled allow_empty_token = true in guest.meet.jitsi virtualhost.
Now I see only one restriction - mobile user can't create new videoconference (actualy guest can't do that, which is good for us).
And advantages of that options for us - is that mobile users now can join already started video calls (as guest I think) and any external (not Rocket.Chat) user can join video call by clicking a secret link.
If JWT authorization will be added to ReactNative client, any mobile user will be able to start video call.

[JohnLukeP]

I have only a question about this: since we're configuring different virtual hosts (eg. meet.jitsi and guest.meet.jitsi in this case), rocketchat, when creating the videoconference, gives a link only for the main virtualhost (eg. meet.jitsi/RoomName) do we have to change the link (eg. to guest.meet.jitsi/RoomName) before sharing it with guests?

We did not changed any Rocket.Chat links. Just enabled allow_empty_token = true in guest.meet.jitsi virtualhost.
Now I see only one restriction - mobile user can't create new videoconference (actualy guest can't do that, which is good for us).
And advantages of that options for us - is that mobile users now can join already started video calls (as guest I think) and any external (not Rocket.Chat) user can join video call by clicking a secret link.
If JWT authorization will be added to ReactNative client, any mobile user will be able to start video call.

Thanks for your reply, I also replicated your configurations in my environment.
Added, in
/etc/prosody/conf.avail/video.xxxxx.it.cfg.lua (which contains the main virtualhost etc)

the guest virtualhost:

VirtualHost "guest.video.xxxxx.it"
authentication = "token"
app_id = "some_app_id"
app_secret = "some_app_secret"
allow_empty_token = true
c2s_require_encryption = false

using the same app_id and app_secret as the authenticated host. Also added, inside the config file:
/etc/jitsi/meet/videoxxxxx.it-config.js

the parameter for the guest domain
domain: 'video.xxxxx.it', (already there)
anonymousdomain: 'guest.video.xxxxx.it' (new added)

It works but now every anonymous user can create rooms and get the moderators right.
Do you have configured something more elsewhere?

[djorkaeffalexandre]

Hey @ankar84, can you reach me on https://open.rocket.chat?
My username on there is djorkaeff.alexandre.
I'll implement this soon.

[ankar84]

I tested #1746 in my environment and can tell that it works great.
I tested creation of video call from mobile from:

• DM
• Private Chat
• Discussion

And all tests was successful!
So, @djorkaeffalexandre great job!
@diegolmello I will wait that functionality in new release. And I pretty sure @JohnLukeP will!
Thank you for your great job!

[ankar84]

@djorkaeffalexandre
Almost all fine, but not all.
Today I found, that if you start Video call from user profile - JWT authorization will not happened.

Alexandre, please fix it.

[djorkaeffalexandre]

@ankar84 can you open an issue about that? This is weird because we call the same function of the call on RoomActions View.
Can you describe how you navigate to RoomInfo View?
Clicking on some mention or from RoomActions?

[ankar84]

Can you describe how you navigate to RoomInfo View?

In any chat tap at username - you get User Info of that user
Tap Video call - get error

[ankar84]

@djorkaeffalexandre 4.6.1 still has that bug, checked moment ago.

[djorkaeffalexandre]

@ankar84 I'm doing some refactoring on RoomInfo view to implement livechat Info and Actions, I'll take a moment to check if it was fixed with these refactor!
Thanks and best regards.

[gr0ebi]

this is still a problem, just updatet to 3.2.2 and newest Android App (4.6.4.2118)
if I start a DM video call on my webinterface, others can connect with their Android app
so JWT isn't working for starting video calls in the app

[djorkaeffalexandre]

Hey @gr0ebi, can you please test our latest beta? v4.7. It seems to be fixed.
The instructions to join our beta programs are on our README.
Thanks.

[gr0ebi]

@djorkaeffalexandre thanks a lot for your fast reply, i will check when I'm at home!

[gr0ebi]

@djorkaeffalexandre
4.7 RC App starting jitsi with JWT works great!
I tested from my phone to other clients that still have 4.6.
Since I start the jitsi session and authorize with JWT all others can join at least anonym. (we have anon-users allowed after someone auths)
So am I right that the next official release will be 4.7 or should I upgrade my clients to the beta?

[djorkaeffalexandre]

@gr0ebi I'm happy to hear this. :)
Yes, the next official release will be 4.7! You can wait this if it's not a problem for you.

[ankar84]

4.7 RC App starting jitsi with JWT works great!

I don't know, but for me Jitsi with jwt authorization works since early 4.6 and works great, thanks to @djorkaeffalexandre
And 4.7 has updated Jitsi SDK thanks to @diegolmello

[diegolmello]

@gr0ebi If you can wait, we're going to release 4.7 officially next week.

[gr0ebi]

@ankar84 i have the exact same issue as u showed in your GIF
@diegolmello thanks a lot, I'm gonna wait 👍