Merge pull request #370 from mynaparrot/auth_change

Simplify auth token for plugnmeet

go.mod

@@ -7,22 +7,22 @@ require (
 	github.com/antoniodipinto/ikisocket v0.0.0-20230914204858-ee499ed8c55e
 	github.com/cavaliergopher/grab/v3 v3.0.1
 	github.com/gabriel-vasile/mimetype v1.4.3
+	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/goccy/go-json v0.10.2
 	github.com/gofiber/contrib/websocket v1.2.2
 	github.com/gofiber/fiber/v2 v2.50.0
 	github.com/gofiber/template/html/v2 v2.0.5
 	github.com/google/uuid v1.4.0
 	github.com/jordic/lti v0.0.0-20160211051708-2c756eacbab9
-	github.com/livekit/protocol v1.8.1
+	github.com/livekit/protocol v1.9.0
 	github.com/livekit/server-sdk-go v1.1.1
-	github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231031161056-bfdd564a2187
+	github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231101090512-986c547473f2
 	github.com/redis/go-redis/v9 v9.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli/v2 v2.25.7
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -40,7 +40,6 @@ require (
 	github.com/fasthttp/websocket v1.5.6 // indirect
 	github.com/frostbyte73/core v0.0.9 // indirect
 	github.com/gammazero/deque v0.2.1 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
@@ -70,7 +69,7 @@ require (
 	github.com/pion/datachannel v1.5.5 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/ice/v2 v2.3.11 // indirect
-	github.com/pion/interceptor v0.1.24 // indirect
+	github.com/pion/interceptor v0.1.25 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/mdns v0.0.9 // indirect
 	github.com/pion/randutil v0.1.0 // indirect

go.sum

@@ -124,6 +124,8 @@ github.com/livekit/mediatransportutil v0.0.0-20231017082622-43f077b4e60e h1:yNeI
 github.com/livekit/mediatransportutil v0.0.0-20231017082622-43f077b4e60e/go.mod h1:+WIOYwiBMive5T81V8B2wdAc2zQNRjNQiJIcPxMTILY=
 github.com/livekit/protocol v1.8.1 h1:zyan2n5ZhHS1OGZUr/hfeLXGH7IB+ZivZCaouG4zd20=
 github.com/livekit/protocol v1.8.1/go.mod h1:oTWtPGfpZSJGKRrbSvDQK0jiuUylYzhiw/bnGB4Cqko=
+github.com/livekit/protocol v1.9.0 h1:YCTvVNxlz36Y3Fsjec7if1+6HpwvZAqAzBfKYBsS5EY=
+github.com/livekit/protocol v1.9.0/go.mod h1:l2WjlZWErS6vBlQaQyCGwWLt1aOx10XfQTsmvLjJWFQ=
 github.com/livekit/psrpc v0.5.0 h1:g+yYNSs6Y1/vM7UlFkB2s/ARe2y3RKWZhX8ata5j+eo=
 github.com/livekit/psrpc v0.5.0/go.mod h1:1XYH1LLoD/YbvBvt6xg2KQ/J3InLXSJK6PL/+DKmuAU=
 github.com/livekit/server-sdk-go v1.1.1 h1:TkDD/Ecyh7XNuxgxhpsDQ1uzbTlDWwwJrbkyUjQmcbY=
@@ -141,10 +143,11 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
-github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231031161056-bfdd564a2187 h1:MtXBvi19ByX8ZmcjwWV/O6TfRXAemL65l/KUpvCQ9PQ=
-github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231031161056-bfdd564a2187/go.mod h1:fPL9QlamupRdcdMAdreF11GD1FDyHSWzkEOX2A6aC9Q=
+github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231101090512-986c547473f2 h1:1bGS4BGiiKQ1BvL+wkj4wByp+y9TvvL5dywuPFy8XZ8=
+github.com/mynaparrot/plugnmeet-protocol v0.0.0-20231101090512-986c547473f2/go.mod h1:5f5Dv97VkJDXNtAQW4Z1qjDGAhDUJKkvvWDjinzIkmY=
 github.com/nats-io/nats.go v1.31.0 h1:/WFBHEc/dOKBF6qf1TZhrdEfTmOZ5JzdJ+Y3m6Y/p7E=
 github.com/nats-io/nats.go v1.31.0/go.mod h1:di3Bm5MLsoB4Bx61CBTsxuarI36WbhAwOm8QrW39+i8=
 github.com/nats-io/nkeys v0.4.6 h1:IzVe95ru2CT6ta874rt9saQRkWfe2nFj1NtvYSLqMzY=
@@ -170,6 +173,8 @@ github.com/pion/ice/v2 v2.3.11/go.mod h1:hPcLC3kxMa+JGRzMHqQzjoSj3xtE9F+eoncmXLl
 github.com/pion/interceptor v0.1.18/go.mod h1:tpvvF4cPM6NGxFA1DUMbhabzQBxdWMATDGEUYOR9x6I=
 github.com/pion/interceptor v0.1.24 h1:lN4ua3yUAJCgNKQKcZIM52wFjBgjN0r7shLj91PkJ0c=
 github.com/pion/interceptor v0.1.24/go.mod h1:wkbPYAak5zKsfpVDYMtEfWEy8D4zL+rpxCxPImLOg3Y=
+github.com/pion/interceptor v0.1.25 h1:pwY9r7P6ToQ3+IF0bajN0xmk/fNw/suTgaTdlwTDmhc=
+github.com/pion/interceptor v0.1.25/go.mod h1:wkbPYAak5zKsfpVDYMtEfWEy8D4zL+rpxCxPImLOg3Y=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
 github.com/pion/mdns v0.0.8/go.mod h1:hYE72WX8WDveIhg7fmXgMKivD3Puklk0Ymzog0lSyaI=
@@ -410,8 +415,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

pkg/controllers/auth_token.go

@@ -6,7 +6,6 @@ import (
 	"crypto/subtle"
 	"encoding/hex"
 	"github.com/gofiber/fiber/v2"
-	"github.com/livekit/protocol/auth"
 	"github.com/mynaparrot/plugnmeet-protocol/plugnmeet"
 	"github.com/mynaparrot/plugnmeet-protocol/utils"
 	"github.com/mynaparrot/plugnmeet-server/pkg/config"
@@ -87,7 +86,7 @@ func HandleGenerateJoinToken(c *fiber.Ctx) error {
 	}
 
 	m := models.NewAuthTokenModel()
-	token, err := m.DoGenerateToken(req)
+	token, err := m.GeneratePlugNmeetAccessToken(req)
 	if err != nil {
 		return utils.SendCommonProtoJsonResponse(c, false, err.Error())
 	}
@@ -121,7 +120,7 @@ func HandleVerifyToken(c *fiber.Ctx) error {
 	if cm == nil {
 		return utils.SendCommonProtobufResponse(c, false, "invalid request")
 	}
-	claims := cm.(*auth.ClaimGrants)
+	claims := cm.(*plugnmeet.PlugNmeetTokenClaims)
 	// after usage, we can make it null as we don't need this value again.
 	c.Locals("claims", nil)
 
@@ -182,11 +181,7 @@ func HandleVerifyHeaderToken(c *fiber.Ctx) error {
 		return utils.SendCommonProtoJsonResponse(c, false, "Authorization header is missing")
 	}
 
-	info := &models.ValidateTokenReq{
-		Token: authToken,
-	}
-
-	claims, err := m.DoValidateToken(info, false)
+	claims, err := m.VerifyPlugNmeetAccessToken(authToken)
 	if err != nil {
 		_ = c.SendStatus(errStatus)
 		return utils.SendCommonProtoJsonResponse(c, false, err.Error())
@@ -198,28 +193,28 @@ func HandleVerifyHeaderToken(c *fiber.Ctx) error {
 		c.Locals("claims", claims)
 	}
 
-	c.Locals("isAdmin", claims.Video.RoomAdmin)
-	c.Locals("roomId", claims.Video.Room)
-	c.Locals("requestedUserId", claims.Identity)
+	c.Locals("isAdmin", claims.IsAdmin)
+	c.Locals("roomId", claims.RoomId)
+	c.Locals("requestedUserId", claims.UserId)
 
 	return c.Next()
 }
 
 // HandleRenewToken renew token only possible if it remains valid. This mean you'll require to renew it before expire.
 func HandleRenewToken(c *fiber.Ctx) error {
-	info := new(models.ValidateTokenReq)
+	info := new(models.RenewTokenReq)
 	m := models.NewAuthTokenModel()
 
 	err := c.BodyParser(info)
 	if err != nil {
 		return utils.SendCommonProtoJsonResponse(c, false, err.Error())
 	}
 
-	if info.Token == "" || info.Sid == "" || info.RoomId == "" {
+	if info.Token == "" {
 		return utils.SendCommonProtoJsonResponse(c, false, "missing required fields")
 	}
 
-	token, err := m.DoRenewToken(info)
+	token, err := m.DoRenewPlugNmeetToken(info.Token)
 	if err != nil {
 		return utils.SendCommonProtoJsonResponse(c, false, err.Error())
 	}

pkg/controllers/webhook.go

@@ -2,6 +2,7 @@ package controllers
 
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"github.com/gofiber/fiber/v2"
 	"github.com/livekit/protocol/livekit"
@@ -22,22 +23,18 @@ func HandleWebhook(c *fiber.Ctx) error {
 		return c.SendStatus(fiber.StatusForbidden)
 	}
 
-	req := &models.ValidateTokenReq{
-		Token: string(authToken),
-	}
 	m := models.NewAuthTokenModel()
-
 	// here request is coming from livekit
 	// so, we'll use livekit secret to validate
-	claims, err := m.DoValidateToken(req, true)
+	ourHash, err := m.ValidateLivekitWebhookToken(string(authToken))
 	if err != nil {
 		return c.SendStatus(fiber.StatusForbidden)
 	}
 
 	sha := sha256.Sum256(body)
 	hash := base64.StdEncoding.EncodeToString(sha[:])
 
-	if claims.Sha256 != hash {
+	if subtle.ConstantTimeCompare([]byte(ourHash), []byte(hash)) != 1 {
 		return c.SendStatus(fiber.StatusForbidden)
 	}
 

pkg/controllers/websocket_service.go

@@ -11,9 +11,10 @@ import (
 )
 
 type websocketController struct {
-	kws         *ikisocket.Websocket
-	token       string
-	participant config.ChatParticipant
+	kws            *ikisocket.Websocket
+	token          string
+	participant    config.ChatParticipant
+	authTokenModel *models.AuthTokenModel
 }
 
 func newWebsocketController(kws *ikisocket.Websocket) *websocketController {
@@ -32,9 +33,10 @@ func newWebsocketController(kws *ikisocket.Websocket) *websocketController {
 	}
 
 	return &websocketController{
-		kws:         kws,
-		participant: p,
-		token:       authToken,
+		kws:            kws,
+		participant:    p,
+		token:          authToken,
+		authTokenModel: models.NewAuthTokenModel(),
 	}
 }
 
@@ -44,37 +46,22 @@ func (c *websocketController) validation() bool {
 		return false
 	}
 
-	m := models.NewAuthTokenModel()
-	info := &models.ValidateTokenReq{
-		Token: c.token,
-	}
-
-	claims, err := m.DoValidateToken(info, false)
+	claims, err := c.authTokenModel.VerifyPlugNmeetAccessToken(c.token)
 	if err != nil {
 		_ = c.kws.EmitTo(c.kws.UUID, []byte("invalid auth token"), ikisocket.TextMessage)
 		return false
 	}
 
-	if claims.Identity != c.participant.UserId || claims.Video.Room != c.participant.RoomId {
+	if claims.UserId != c.participant.UserId || claims.RoomId != c.participant.RoomId {
 		_ = c.kws.EmitTo(c.kws.UUID, []byte("unauthorized access!"), ikisocket.TextMessage)
 		return false
 	}
 
 	c.participant.Name = claims.Name
 	// default set false
-	c.kws.SetAttribute("isAdmin", false)
+	c.kws.SetAttribute("isAdmin", claims.IsAdmin)
+	c.participant.IsAdmin = true
 
-	rs := models.NewRoomService()
-	metadata, err := rs.UnmarshalParticipantMetadata(claims.Metadata)
-	if err != nil {
-		_ = c.kws.EmitTo(c.kws.UUID, []byte("can't Unmarshal metadata!"), ikisocket.TextMessage)
-		return false
-	}
-
-	if metadata.IsAdmin {
-		c.kws.SetAttribute("isAdmin", true)
-		c.participant.IsAdmin = true
-	}
 	return true
 }
 

pkg/models/analytics_auth.go

@@ -5,11 +5,11 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/gofiber/fiber/v2"
 	"github.com/mynaparrot/plugnmeet-protocol/plugnmeet"
 	"github.com/mynaparrot/plugnmeet-server/pkg/config"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 	"os"
 	"strings"
 	"time"