Limit access to a room with a password

[menardorama]

Hi,

First let me tell you that your app is really great and useful.

I have a feature request that could help us a lot.

We are using screego for internal use only (aka not publicly available) and we choose to not limit the users because of the actual security model (lack of external auth for now).

But it would be great if screego could have an option to define a room password like what we can have on videoconference app such as jitsi for instance.

A user create a room and next define a room password for watcher users.

Thanks a lot again :-)

[BroderPeters]

For the password thingy you can just use an id that is longer.

I remember the maintainer of the project arguing with this: #85 (comment)

Shouldn't that solve your case as well?

[menardorama]

From a security perspective having a stronger room name is not a good solution.

I understand completely that this product should stay as simple as it is.

It's just a user feedback, after you do what you want; we are already happy with that but that doesn't check all the boxes from our security officer....

Thanks a lot

[jmattheis]

The room name should be transmitted via TLS, thus, it shouldn't be readable by a third-party. IMO this should be enough for most of the use-cases.

Still, I'll keep this feature in mind if there are any similar feature request in the future. If enough people want it, then maybe I'll change my mind :P.

[Kumm-Kai]

I would also be interested in a feature like this.

Currently there is SCREEGO_AUTH_MODE and the users file. Would it be possible to extend this to also require login for joining and sharing in already created rooms? Or what is the current use case for this?

[jmattheis]

@Kumm-Kai This certainly sounds like a useful feature. I've created #107 for this.

[menardorama]

Having security by hiding the room name is not and will never be a security measure....

As a workaround I will put an Oauth2 proxy in front of screego......

You tool is still great by the way, not really secured but great :-)

[Aeyk]

I would also like to limit access to a room or all rooms to only authenticated users, and I believe the config documentation is misleading because it says

# Defines when a user login is required
# Possible values:
#   all: User login is always required
#   turn: User login is required for TURN connections
#   none: User login is never required
SCREEGO_AUTH_MODE=turn

Am I reading it wrong? I interpreted this section, specifically the line describing SCREEGO_AUTH_MODE=all that user login is required to join or create a room but it seems it is not always required because if you know the room id and it's already been created, then you don't need a user login.

[jmattheis]

Screego auth mode currently only affects room creation.

[Aeyk]

Yes, I realized that from reading through the issues and comments, should the wording be changed in the documentation or did I misunderstand that section?

[jmattheis]

The docs could be improved to be more clear about this.