From d591495e41a9f281d919503a7f0c5217ef190a81 Mon Sep 17 00:00:00 2001
From: Ark74 <ark@switnet.org>
Date: Mon, 1 Sep 2025 04:56:40 -0600
Subject: [PATCH] mode/jwt.sh: update WIP

---
 mode/jwt.sh | 48 ++++++++++++++++++++----------------------------
 1 file changed, 20 insertions(+), 28 deletions(-)

diff --git a/mode/jwt.sh b/mode/jwt.sh
index 58eb82f..c69a4dc 100644
--- a/mode/jwt.sh
+++ b/mode/jwt.sh
@@ -27,31 +27,25 @@ SECRET_APP="$(tr -dc "a-zA-Z0-9" < /dev/urandom | fold -w 64 | head -n1)"
 SRP_STR="$(grep -n "VirtualHost \"$DOMAIN\"" "$PROSODY_FILE" | head -n1 | cut -d ":" -f1)"
 SRP_END="$((SRP_STR + 10))"
 
-## Required  openssl for Focal 20.04
-if [ "$(lsb_release -sc)" = "focal" ]; then
-echo "deb http://ppa.launchpad.net/rael-gc/rvm/ubuntu focal main" | \
-sudo tee /etc/apt/sources.list.d/rvm.list
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F4E3FBBE
-apt-get update
+# Prosody 0.12 only
+if command -v prosodyctl >/dev/null 2>&1; then
+  PROSODY_VER="$(prosodyctl about 2>/dev/null | sed -n 's/^Prosody //p' | awk '{print $1}')"
+  case "$PROSODY_VER" in
+    0.12.*) : ;;
+    *) echo "Prosody $PROSODY_VER NO supported for JWT mode (required 0.12.x)"
+       exit 1 ;;
+  esac
 fi
 
-apt-get -y install \
-                    lua5.2 \
-                    liblua5.2 \
-                    luarocks \
-                    libssl1.0-dev \
-                    python3-jwt
-
-luarocks install basexx
-luarocks install luacrypto
-luarocks install lua-cjson 2.1.0-1
+# Install dependencies
+apt-get -y install python3-jwt
 
 echo "set jitsi-meet-tokens/appid string $APP_ID" | debconf-set-selections
 echo "set jitsi-meet-tokens/appsecret password $SECRET_APP" | debconf-set-selections
 
 apt-get install -y jitsi-meet-tokens
 
-#Setting up
+# Setting up
 sed -i "s|c2s_require_encryption = true|c2s_require_encryption = false|" "$PROSODY_SYS"
 #-
 sed -i "$SRP_STR,$SRP_END{s|authentication = \"jitsi-anonymous\"|authentication = \"token\"|}" "$PROSODY_FILE"
@@ -66,11 +60,12 @@ sed -i "/app_secret/a \\\\" "$PROSODY_FILE"
 sed -i "s|--allow_empty_token =.*|allow_empty_token = false|" "$PROSODY_FILE"
 sed -i 's|--"token_verification"|"token_verification"|' "$PROSODY_FILE"
 
-#Request auth
-sed -i "s|#org.jitsi.jicofo.auth.URL=EXT_JWT:|org.jitsi.jicofo.auth.URL=EXT_JWT:|" "$JICOFO_SIP"
+# Request auth
+## JWT via Prosody: don't touch Jicofo
+#sed -i "s|#org.jitsi.jicofo.auth.URL=EXT_JWT:|org.jitsi.jicofo.auth.URL=EXT_JWT:|" "$JICOFO_SIP"
 sed -i "s|// anonymousdomain: 'guest.example.com'|anonymousdomain: \'guest.$DOMAIN\'|" "$MEET_CONF"
 
-#Enable jibri recording
+# Enable jibri recording
 cat  << REC-JIBRI >> "$PROSODY_FILE"
 
 VirtualHost "recorder.$DOMAIN"
@@ -81,16 +76,12 @@ VirtualHost "recorder.$DOMAIN"
 
 REC-JIBRI
 
-#Setup guests and lobby
+# Setup guests and lobby
 cat << P_SR >> "$PROSODY_FILE"
--- #Change back lobby - https://community.jitsi.org/t/64769/136
 VirtualHost "guest.$DOMAIN"
-    authentication = "token"
-    allow_empty_token = true
+    authentication = "jitsi-anonymous"
     c2s_require_encryption = false
     speakerstats_component = "speakerstats.$DOMAIN"
-    app_id="$APP_ID";
-    app_secret="$SECRET_APP";
 
     modules_enabled = {
       "speakerstats";
@@ -102,14 +93,15 @@ echo -e "\nUse the following for your App (e.g. Rocket.Chat):\n"
 echo -e "\nAPP_ID: $APP_ID" && \
 echo -e "SECRET_APP: $SECRET_APP\n"
 
-echo -e "You can test JWT authentication with the following token:\n"
+echo -e "You can test JWT authentication with the following token for the next hour:\n"
 pyjwt3 --key="$SECRET_APP" \
     encode \
+    --alg HS256 \
     group="Rocket.Chat" \
     aud="$APP_ID" \
     iss="$APP_ID" \
     sub="$DOMAIN" \
     room="*" \
-    algorithm="HS256"
+    exp="$(($(date +%s)+3600))"
 
 read -n 1 -s -r -p $'\n'"Press any key to continue..."$'\n'