Initial commit

Signed-off-by: Sebastian Wicki <gandro@gmx.net>

.gitignore

@@ -0,0 +1 @@
+/mods.htpasswd

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Luxeria
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,132 @@
+# jitsi-token-service
+
+This project provides an implementation of a token provider for the
+[Jitsi JWT authentication mechanism](https://github.com/jitsi/lib-jitsi-meet/blob/f5f1c314c9de875357b41784254aa73768d2bfdc/doc/tokens.md)
+for _self-hosted_ Jitsi Meet installations.
+In particular, it also is able to generate moderator tokens for the
+[`token_affiliation`](https://github.com/jitsi-contrib/prosody-plugins/blob/127ef7e89d6d36e1a1c95897c857f86a7f485a4a/token_affiliation/README.md)
+plugin.
+
+This effectively allows you to provide an external login system for authenticating
+Jitsi moderators (without the need)
+
+## Configuration
+
+### Environment
+
+This section describes the environment variables which are used to configure
+the token service:
+
+- `COOKIE_NAME` _(required)_: Name of the moderator cookie (example: `jitsi_mod_jwt`)
+- `JWT_VALIDITY` _(default: `1h`)_: Duration for which the generated token
+  should be valid for (example: `1h30m`, `300s`)
+- `JWT_SECRET` _(required)_: Secret JWT signing string, this value needs
+  to match the one configured in Jitsi meet (example: `my_jitsi_app_secret`)
+- `JWT_ISSUER` _(required)_: JWT issuer, this value needs
+  to match the one configured in Jitsi meet (example: `my_jitsi_app_id`)
+- `JWT_AUDIENCE` _(default: `jitsi`)_: JWT audience, this value needs
+  to match the one configured in Jitsi
+- `JWT_LEEWAY` _(default: `1m`)_: Maximum clock drift allowed for JWT validation
+- `JITSI_URL` _(required)_: Jitsi Meet base URL (without the room identifier)
+  (example: `https://meet.jitsi`)
+- `HTML_DOCROOT` _(default: `./html`)_: Directory containing the HTML login
+  form template
+- `HTML_TITLE` _(default: `Jitsi Moderator Login`)_: HTML title displayed to
+  the user on the login form
+- `MODS_FILE` _(default: `./mods.htpasswd`)_: Path to the htaccess file containing
+  the list of all authorized moderators with their password hash
+- `HTTP_ADDR` _(default: `:8080`)_: Address on which the HTTP server will listen on
+
+### Moderators File
+
+The `MODS_FILE` environment variable must point to a text file in the `htaccess`
+format containing all authorized moderators with their accompanying password
+hashes. Use one line per username and pasword pair. Empty lines or comment lines
+(starting with `#`) are allowed.
+
+The password hash needs to be a [bcrypt](https://en.wikipedia.org/wiki/Bcrypt)
+hash (cost 11 or higher is recommended).
+
+```apache
+# example mods.htaccess file:
+bob:$2y$12$EAZVfUzqmzqloNbfRAqY.e295IjhfHI/Ma2Tezqk8DryRZnkOT792
+alice:$2y$12$ianjnXNNHVQwiy3R15NsiO.lC04uEG7SEzP6qv/Rs1NZmNyPB6Muu
+```
+
+> [!NOTE]
+> The moderator file username is only used for authentication and is not
+> forwarded to Jitsi Meet in any form.
+> Moderators may use a different username as their "Display Name" when joining
+> a Jitsi Meet room.
+
+### Jitsi
+
+For details on how to configure your self-hosted instance of Jitsi,
+please refer to the Jitsi documentation.
+The following example illustrates what values may be relevant when using
+[jitsi/docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet):
+
+```shell
+# Enable JWT authentication
+ENABLE_AUTH=1
+AUTH_TYPE=jwt
+
+# JWT identifier and secret (shared between Jitsi and the token service)
+JWT_APP_ID=my_jitsi_app_id
+JWT_APP_SECRET=my_jitsi_app_secret # important: change this!
+
+# URL to this token service
+TOKEN_AUTH_URL=https://auth.jitsi:8080/autologin?room={room}
+
+# Enable the token_affiliation Prosody plugin
+XMPP_MUC_MODULES=token_affiliation
+```
+
+## Login Flow
+
+```mermaid
+sequenceDiagram
+    participant Browser as User Agent
+    participant Auth as Jitsi Token Service<br>(auth.jitsi)
+    participant Jitsi as Jitsi Meet<br>(meet.jitsi)
+
+    opt Moderator Login
+        activate Browser
+
+        Browser->>+Auth: GET https://auth.jitsi/login
+        Auth-->>-Browser: Login Page
+
+        Note over Browser: User provides<br>username and password
+
+        Browser->>+Auth: POST https://auth.jitsi/login
+        Note over Auth: Verifies username and password
+        Note over Auth: Generates and signs JWT<br>(with `moderator:true` claim)
+        Auth-->>-Browser: Store JWT in cookie
+
+        deactivate Browser
+    end
+
+    activate Browser
+    Browser->>+Jitsi: https://meet.jitsi/<room>
+    Note over Jitsi: User is not authenticated.<br>Deny user to join room
+    Jitsi-->>-Browser: Redirect to Jitsi Token Service
+
+    Browser->>+Auth: GET https://auth.jitsi/autologin?room=<room>
+    alt Cookie provided
+        Note over Auth: Verifies cookie and JWT.<br>Reuses JWT if valid
+    else Cookie missing<br>or invalid
+        Note over Auth: Generates and signs new JWT<br>(without moderator claim)
+    end
+    Auth-->>-Browser: Redirect to Jitsi Meet (with JWT)
+
+    Browser->>+Jitsi: https://meet.jitsi/<room>?jwt=<JWT>
+    Note over Jitsi: Verifies JWT signature
+    alt `moderator:true`
+        Note over Jitsi: Allow user to join and<br>grant moderator rights
+    else `moderator:false`
+        Note over Jitsi: Allow user to join
+    end
+    Jitsi-->>-Browser: Join room
+
+    deactivate Browser
+```

go.mod

@@ -0,0 +1,9 @@
+module github.com/luxeria/jitsi-token-service
+
+go 1.22.2
+
+require (
+	github.com/caarlos0/env/v11 v11.0.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	golang.org/x/crypto v0.22.0
+)

go.sum

@@ -0,0 +1,6 @@
+github.com/caarlos0/env/v11 v11.0.0 h1:ZIlkOjuL3xoZS0kmUJlF74j2Qj8GMOq3CDLX/Viak8Q=
+github.com/caarlos0/env/v11 v11.0.0/go.mod h1:2RC3HQu8BQqtEK3V4iHPxj0jOdWdbPpWJ6pOueeU1xM=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=

html/login.tmpl.html

@@ -0,0 +1,66 @@
+<!doctype html>
+<html>
+
+<head>
+    <meta charset=utf-8>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <title>{{ .Title }}</title>
+    <style>
+        body,
+        input {
+            font-family: system-ui;
+            font-size: 18px;
+            max-width: 360px;
+            margin: 48px auto 0;
+        }
+
+        div.error {
+            background-color: #fcd3d2;
+            border: 1px solid #811211;
+            color: #811211;
+            border-radius: 3px;
+            text-align: center;
+            padding: 12px;
+            margin-bottom: 24px;
+        }
+
+        h1.title {
+            text-align: center;
+        }
+
+        input {
+            width: 100%;
+            box-sizing: border-box;
+            margin: 6px 0 12px;
+        }
+
+        input[type=submit] {
+            margin: 12px 0 0;
+        }
+    </style>
+</head>
+
+<body>
+    <h1 class="title">{{ .Title }}</h1>
+    {{ if .Error }}
+    <div class="error">
+        {{ .Error }}
+    </div>
+    {{ end }}
+    <form method="POST">
+        <div>
+            <label for="username">Username:</label>
+            <input type="text" id="username" name="username" autofocus required />
+        </div>
+
+        <div>
+            <label for="password">Password:</label>
+            <input type="password" id="password" name="password" required />
+        </div>
+
+        <input type="submit" value="Login" />
+    </form>
+</body>
+
+</html>