[IMP] peek into the JWT to get the channel uuid

ThanhDodeurOdoo · ThanhDodeurOdoo · commit 40e2cb63772c · 2025-04-23T09:40:17.000+02:00
Before this commit, the payload of the first websocket message (auth)
would expect the channel uuid along the jwt, to know where to look
to get the key used to sign it.

It was slightly redundant as the channel uuid is part of the jwt
payload. With the new JWT implementation, we now have the freedom
to read the JWT before verifying it.

It also reduces the business code complexity as we no longer need to
check the corner case of passing a keyed channel uuid in the jwt
while skipping the channelUUID of the websocket payload (see removed
code in `connect()` of `ws.js`.

This is safe to do as the payload is verified with the key of the
channel, which means that the signature has to match the channel uuid
and tampering with it would invalidate the content.
diff --git a/src/services/auth.js b/src/services/auth.js
@@ -144,31 +144,58 @@ function safeEqual(a, b) {
  * @throws {AuthenticationError}
  */
 export function verify(jsonWebToken, key = jwtKey) {
-    const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, "base64");
-    let parsedJWT;
-    try {
-        parsedJWT = parseJwt(jsonWebToken);
-    } catch {
-        throw new AuthenticationError("Invalid JWT format");
-    }
-    const { header, claims, signature, signedData } = parsedJWT;
-    const expectedSignature = ALGORITHM_FUNCTIONS[header.alg]?.(signedData, keyBuffer);
-    if (!expectedSignature) {
-        throw new AuthenticationError(`Unsupported algorithm: ${header.alg}`);
-    }
-    if (!safeEqual(signature, expectedSignature)) {
-        throw new AuthenticationError("Invalid signature");
-    }
-    // `exp`, `iat` and `nbf` are in seconds (`NumericDate` per RFC7519)
-    const now = Math.floor(Date.now() / 1000);
-    if (claims.exp && claims.exp < now) {
-        throw new AuthenticationError("Token expired");
-    }
-    if (claims.nbf && claims.nbf > now) {
-        throw new AuthenticationError("Token not valid yet");
+    const jwt = new JsonWebToken(jsonWebToken);
+    return jwt.verify(key);
+}
+
+export class JsonWebToken {
+    /**
+     * @type {{
+     *     header: JWTHeader,
+     *     claims: JWTClaims,
+     *     signature: Buffer,
+     *     signedData: string,
+     * }}
+     */
+    unsafe;
+    /**
+     * @param {string} jsonWebToken
+     */
+    constructor(jsonWebToken) {
+        let payload;
+        try {
+            payload = parseJwt(jsonWebToken);
+        } catch {
+            throw new AuthenticationError("Malformed JWT");
+        }
+        this.unsafe = payload;
     }
-    if (claims.iat && claims.iat > now + 60) {
-        throw new AuthenticationError("Token issued in the future");
+
+    /**
+     * @param {WithImplicitCoercion<string>} [key] buffer/b64 str
+     * @return {JWTClaims}
+     */
+    verify(key = jwtKey) {
+        const { header, claims, signature, signedData } = this.unsafe;
+        const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, "base64");
+        const expectedSignature = ALGORITHM_FUNCTIONS[header.alg]?.(signedData, keyBuffer);
+        if (!expectedSignature) {
+            throw new AuthenticationError(`Unsupported algorithm: ${header.alg}`);
+        }
+        if (!safeEqual(signature, expectedSignature)) {
+            throw new AuthenticationError("Invalid signature");
+        }
+        // `exp`, `iat` and `nbf` are in seconds (`NumericDate` per RFC7519)
+        const now = Math.floor(Date.now() / 1000);
+        if (claims.exp && claims.exp < now) {
+            throw new AuthenticationError("Token expired");
+        }
+        if (claims.nbf && claims.nbf > now) {
+            throw new AuthenticationError("Token not valid yet");
+        }
+        if (claims.iat && claims.iat > now + 60) {
+            throw new AuthenticationError("Token issued in the future");
+        }
+        return claims;
     }
-    return claims;
 }
diff --git a/src/services/ws.js b/src/services/ws.js
@@ -7,7 +7,7 @@ import { Logger, extractRequestInfo } from "#src/utils/utils.js";
 import { AuthenticationError, OvercrowdedError } from "#src/utils/errors.js";
 import { SESSION_CLOSE_CODE } from "#src/models/session.js";
 import { Channel } from "#src/models/channel.js";
-import { verify } from "#src/services/auth.js";
+import { JsonWebToken } from "#src/services/auth.js";
 
 /**
  * @typedef Credentials
@@ -102,19 +102,11 @@ export function close() {
  * @param {import("ws").WebSocket} webSocket
  * @param {Credentials}
  */
-function connect(webSocket, { channelUUID, jwt }) {
-    let channel = Channel.records.get(channelUUID);
-    const authResult = verify(jwt, channel?.key);
-    const { sfu_channel_uuid, session_id, ice_servers } = authResult;
-    if (!channelUUID && sfu_channel_uuid) {
-        // Cases where the channelUUID is not provided in the credentials for backwards compatibility with version 1.1 and earlier.
-        channel = Channel.records.get(sfu_channel_uuid);
-        if (channel.key) {
-            throw new AuthenticationError(
-                "A channel with a key can only be accessed by providing a channelUUID in the credentials"
-            );
-        }
-    }
+function connect(webSocket, { jwt }) {
+    const token = new JsonWebToken(jwt);
+    const channel = Channel.records.get(token.unsafe.claims.sfu_channel_uuid);
+    const authResult = token.verify(channel?.key);
+    const { session_id, ice_servers } = authResult;
     if (!channel) {
         throw new AuthenticationError(`Channel does not exist`);
     }
