Passcode to join zipcall #44
Comments
|
We could add this as an optional setting. I'm thinking of a 'lockdown' button that prompts the host for a password when they activate it and then every new user to join has to enter the password? |
|
@Chaphasilor, I'd be a FTC for this repo, but if you think it's a good first issue to start with, I'd love to give it a shot! |
|
@bdlb77 that would be awesome! take your time getting to know the repo and code, and if you feel confident you can implement this in a secure way somehow, just give it a shot and open a PR :D |
|
@Chaphasilor, I'm thinking of an approach similar to how Zoom does it: A user enables the the "lockdown" toggle / button and it will generate a URL with a hashed token/password attacked to it at the end: |
|
+1 for this one, would be nice to have. Maybe it could be helpful to have a look at how Jitsi (https://github.com/jitsi/jitsi-meet) implemented their "password protect meeting from within" feature. |
|
@bdlb77 sorry for the late reply, I already replied in my head 🙄 The token-based idea is okay, I'd say, but this way users will have to copy and paste the token, instead of just telling the other participant the password. I know this is only an issue once lockdown is activated while the call is already going and a new user want's to join, but it's still an issue. Imagine the following scenario: I think given that Zipcall isn't intended for business use, we could use a mix of token and password, i.e. a short token that is easy to remember (only numbers, or only hex, max. 8 characters). That should be secure enough but also easy to share. Also, keep in mind that you'll need to update the call link and show it with a snackbar once lockdown mode is enabled :) All in all your idea is good, just try to keep the token as simple as possible! |
|
@Chaphasilor
The first option is just creating a more unique URL and doesn't really do much of a justified "locked down call" For the 2nd option, If WebRTC creates a peer-2-peer stream... The password can be stored in the metadata for a user and streamed to an incoming user who wants to join.. and if those passwords match then they could be authenticated and fully join the call.. Or something along these lines... Maybe I'm missing something that would make this a little easier? haha |
|
@bdlb77 yeah, I think the second option would be the way to go here. Maybe we could use the Zipcall server to check the pass token though, for example by requesting all currently connected users to send the current password and check if it matches the one provided by the new client? For a fully serverless solution you'd need every call participant to check if the new client's pass token matches their own one and only open a WebRTC connection if it does. I imagine this to be a bit more complex. But I guess you should just try out both approaches, maybe we've missed something :D |
|
Using the server for authentication would be the better approach here.
|
|
@ianramzy you're referring to a different approach than the 2nd option correct? The concern I have with using the server for authentication is that state would need to be introduced to persist a password that belongs to a video call. I think Node.js has this functionality to support in-memory storage (basic example: https://stackoverflow.com/questions/2219333/nodejs-in-memory-storage). There'd need to be some in-memory cache on server-side to persist Room Names and Passwords. Doesn't seem too bad to implement :) |
|
@Chaphasilor so: a User joins and provides a password, in the server it pulls down the password of the Host by webRTC data (I don't know how else you'd query the Host's client without some other reference to the Host), and you check it in the server. I'm not sure I understand fully that Heroku will wipe all data regularly. Will that happen while a connection is active to the call? I'd imagine this approach would use a Redis store I'll work two of these examples and maybe it'll help give further light over which approach is more worthwhile.
I should be able to show something in the next couple of days :) |
|
@bdlb77 yep, something like that :D Heroku will regularly 'move' the server, i.e. clone the repo to a new virtual server, start it and then erase the old server files. This means you can't save anything to the fs and server state will reset regularly. I'm not sure how connections influence this and I also don't know if the Zipcall server constantly keeps the connection alive, you'd have to check with the Heroku docs :) I'm looking forward to what you come up with! <3 |
|
Is it simpler to just have the user who created the chat approve new users who are trying to join, no password needed? |
since there is no user authentication, I don't think this would be a good idea, there are ways to bypass , something like the same name, etc. |
|
do you know how the Whereby solution works? with locked room, and the owner of the room accept (or not) people to come in.. |
|
yes |
Since the URLs are just a gate pass for the video call, there might be a chance of getting intruders into the call with a simple brute force.
Users feel more secure if we have some passcode or approval from the creator to join into call.
The text was updated successfully, but these errors were encountered: