Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement JWT auth for signaling connections (hello v2) #7472

Merged
merged 6 commits into from
Aug 12, 2022
Merged

Implement JWT auth for signaling connections (hello v2) #7472

merged 6 commits into from
Aug 12, 2022

Conversation

fancycode
Copy link
Member

@fancycode fancycode commented Jun 10, 2022
edited
Loading

See #7336

For now can be enabled by setting the app config use-hello-v2 to 1.

@fancycode fancycode mentioned this pull request Jun 10, 2022
Closed
@fancycode fancycode added 2. developing feature: signaling 📶 Internal and external signaling backends performance 🚀 labels Jun 10, 2022
@fancycode fancycode force-pushed the jwt-auth branch 2 times, most recently from 2361f30 to 798071c Compare July 6, 2022 14:57
@fancycode fancycode marked this pull request as ready for review July 7, 2022 13:24
@fancycode
Copy link
Member Author

@nickvergessen this is now ready for review

@nickvergessen
Copy link
Member

Before I visited the admin page my log was spamed with this error and I couldn't join any room:

{
  "reqId": "YulBGSaLbRnLRs8M99e14wAAAA0",
  "level": 3,
  "time": "2022-08-02T17:22:01+02:00",
  "remoteAddr": "172.17.0.2",
  "user": "--",
  "app": "no app in context",
  "method": "POST",
  "url": "/ocs/v2.php/apps/spreed/api/v3/signaling/backend",
  "message": "OCA\\Talk\\Config::validateSignalingTicket(): Argument #2 ($ticket) must be of type string, null given, called in /home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Controller/SignalingController.php on line 523 in file /home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Config.php line 499",
  "userAgent": "nextcloud-spreed-signaling/5d818c725765d03b47f0c436ebb2cd482958c947",
  "version": "25.0.0.4",
  "exception": {
    "Exception": "Exception",
    "Message": "OCA\\Talk\\Config::validateSignalingTicket(): Argument #2 ($ticket) must be of type string, null given, called in /home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Controller/SignalingController.php on line 523 in file /home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Config.php line 499",
    "Code": 0,
    "Trace": [
      {
        "file": "/home/nickv/Nextcloud/25/server/lib/private/AppFramework/App.php",
        "line": 172,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/home/nickv/Nextcloud/25/server/lib/private/Route/Router.php",
        "line": 298,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/home/nickv/Nextcloud/25/server/ocs/v1.php",
        "line": 62,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/home/nickv/Nextcloud/25/server/ocs/v2.php",
        "line": 23,
        "args": [
          "/home/nickv/Nextcloud/25/server/ocs/v1.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/home/nickv/Nextcloud/25/server/lib/private/AppFramework/Http/Dispatcher.php",
    "Line": 165,
    "Previous": {
      "Exception": "TypeError",
      "Message": "OCA\\Talk\\Config::validateSignalingTicket(): Argument #2 ($ticket) must be of type string, null given, called in /home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Controller/SignalingController.php on line 523",
      "Code": 0,
      "Trace": [
        {
          "file": "/home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Controller/SignalingController.php",
          "line": 523,
          "function": "validateSignalingTicket",
          "class": "OCA\\Talk\\Config",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Controller/SignalingController.php",
          "line": 502,
          "function": "backendAuth",
          "class": "OCA\\Talk\\Controller\\SignalingController",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/lib/private/AppFramework/Http/Dispatcher.php",
          "line": 225,
          "function": "backend",
          "class": "OCA\\Talk\\Controller\\SignalingController",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/lib/private/AppFramework/Http/Dispatcher.php",
          "line": 133,
          "function": "executeController",
          "class": "OC\\AppFramework\\Http\\Dispatcher",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/lib/private/AppFramework/App.php",
          "line": 172,
          "function": "dispatch",
          "class": "OC\\AppFramework\\Http\\Dispatcher",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/lib/private/Route/Router.php",
          "line": 298,
          "function": "main",
          "class": "OC\\AppFramework\\App",
          "type": "::"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/ocs/v1.php",
          "line": 62,
          "function": "match",
          "class": "OC\\Route\\Router",
          "type": "->"
        },
        {
          "file": "/home/nickv/Nextcloud/25/server/ocs/v2.php",
          "line": 23,
          "args": [
            "/home/nickv/Nextcloud/25/server/ocs/v1.php"
          ],
          "function": "require_once"
        }
      ],
      "File": "/home/nickv/Nextcloud/25/server/appsbabies/spreed/lib/Config.php",
      "Line": 499
    },
    "CustomMessage": "--"
  }
}

But after visiting the admin settings it worked fine (I guess due to welcome page or something). I guess we need to either run a setup step somewhere or make sure the necessary keys are generated on all paths

nickvergessen
nickvergessen requested changes Aug 2, 2022
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good apart from the error in the upgrade scenario

@fancycode
Copy link
Member Author

Could that have been a caching issue of the JavaScript? I noticed the old-style ticket parameter was missing in the signaling settings which could result in old clients sending a null ticket. This is now fixed with e6c05ed

I'll try to reproduce this myself locally.

@nickvergessen
Copy link
Member

Could that have been a caching issue of the JavaScript?

Could be as well.

@fancycode
Copy link
Member Author

Did you also see an error like Undefined index: ticket at /path/to/apps/spreed/lib/Controller/SignalingController.php#517? With the old JS and the PHP from this PR, I get the Undefined index and the error you were getting.

@fancycode
Copy link
Member Author

But with the latest commits here it's also working with the old JS.

@nickvergessen
Copy link
Member

Undefined index: ticket at /path/to/apps/spreed/lib/Controller/SignalingController.php#517

Not found in my log file.

@fancycode
Copy link
Member Author

I'll try to reproduce this myself locally.

I tried with a new setup (new DB):

  • installed Talk before this PR (076db31)
  • Built JS (make buid-js).
  • Switched to 39715df from this PR (before my two last changes).
  • Still using old JS.
  • Got the error Argument 2 passed to OCA\\Talk\\Config::validateSignalingTicket() must be of the type string, null given you saw, but also Undefined index: ticket.
  • Switched to fe58d16
  • Still using old JS.
  • Restart signaling server to make sure new capabilites with the public key for the JWT token are fetched on next client connection (*).
  • No longer got errors, connected without JWT.
  • Built JS (make buid-js) and reload (cache disabled).
  • Connected with JWT.

So, I can't reproduce the problem you had with the latest changes to this PR. If you still do, please provide the necessary steps.

(*) Thinking about it, I should detect this case in the signaling server and expire the capabilites in this case so no restart is required. But this should not block this PR.

@fancycode
Copy link
Member Author

(*) Thinking about it, I should detect this case in the signaling server and expire the capabilites in this case so no restart is required. But this should not block this PR.

Done: strukturag/nextcloud-spreed-signaling@7496b09

@nickvergessen
Copy link
Member

If you still do, please provide the necessary steps.

No, all good with your changes from yesterday evening

@fancycode
Copy link
Member Author

strukturag/nextcloud-spreed-signaling#251 is merged. I'm planing a new release the next days or early next week.

nickvergessen
nickvergessen reviewed Aug 4, 2022
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

To not break our test server (with incompatible Signaling server) we have to wait with the merge until you released

lib/Capabilities.php Show resolved Hide resolved
@nickvergessen nickvergessen added this to the 💚 Next Major (25) milestone Aug 4, 2022
@fancycode
Copy link
Member Author

To not break our test server (with incompatible Signaling server) we have to wait with the merge until you released

This should be fully backwards compatible. The new hello v2 auth is only used if the signaling server supports it.

@nickvergessen
Copy link
Member

To not break our test server (with incompatible Signaling server) we have to wait with the merge until you released

This should be fully backwards compatible. The new hello v2 auth is only used if the signaling server supports it.

But you added it to isCompatibleSignalingServer which enforces it?
But now after checking it will just create a log entry and flag a missing update in the admin section. So should be fine. I thought that would make it not use the signaling server anymore.

@fancycode
Copy link
Member Author

But you added it to isCompatibleSignalingServer which enforces it?

Yeah, I figured you might want to push users to update to reduce load on the Nextcloud server.

@nickvergessen nickvergessen merged commit 91d3bd8 into master Aug 12, 2022
@nickvergessen nickvergessen deleted the jwt-auth branch August 12, 2022 14:07
@danxuliu danxuliu mentioned this pull request Dec 2, 2022
Merged
@fancycode fancycode mentioned this pull request Apr 6, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@danxuliu danxuliu Awaiting requested review from danxuliu

Assignees
No one assigned
Labels
3. to review feature: signaling 📶 Internal and external signaling backends performance 🚀
Projects
None yet
Milestone
v15.0.0-beta.1
Development

Successfully merging this pull request may close these issues.
2 participants
@fancycode @nickvergessen