@scheibling
Last active March 8, 2022 12:36
Jitsi Meet - Solution for moderator re-entry problem with token_moderation and/or token_affiliation
--- Author: Lars Scheibling
--- Link: https://github.com/scheibling
--- Credit to @veratiz for the code we used as the base for this (https://github.com/jitsi/jitsi-meet/issues/7561#issuecomment-972688412)
--- This segment fixes an issue with token_moderation and token_affiliation
--- where the following scenario occurs:
--- 1. Moderator starts room and activates lobby (with or without password)
--- 2. One or several users enter the room
--- 3. The moderator is briefly disconnected and reconnects
--- 4. The room is now void of moderators, and nobody can let them back in.
--- Re-entry with the password is possible, but not if this is set automatically and
--- never displayed to the moderator
--- 5. The room has to be exited by all participants and re-started for the moderator to regain control or be able to enter
---
--- The plugin token_owner_party fixes it by kicking all users if no more moderators are in the room,
--- which is not really feasible in some instances where meetings are held with clients, with no easy
--- method of communication to be able to ask them to exit and re-enter the meeting.
---
--- This addition checks the "moderator" JWT attribute set by token_moderation and the "affiliation" attribute
--- set by token_affiliation to see whether someone is valid for re-entry. With moderator = true or
--- affiliation = owner/moderator/teacher, the lobby will be bypassed and the participant will be automatically
--- re-admitted into the room.
--- The part below is placed into mod_muc_lobby_rooms.lua, usually in /usr/share/jitsi-meet/prosody-plugins/
--- SECTION: host_module:hook('muc-occupant-pre-join', function (event)
--- IMPORTANT:
--- This piece of code will NOT identify if the joining moderator is the SAME moderator that was disconnected.
--- This is up to the piece of software that issues the JWT to determine.
--- Any user with the moderator flag that has permission to the room according to the JWT will skip the lobby.
--- Line ~383
local password = join:get_child_text('password', MUC_NS);
if password and room:get_password() and password == room:get_password() then
    whitelistJoin = true;
end
---
--- INSERT THIS PART ---
local basexx = require "basexx";
-- `json` is assumed to be in scope in mod_muc_lobby_rooms.lua already
-- Check if a JWT token is provided
if event.origin.auth_token then
    -- Decode the JWT token: the payload is the segment between the first and second dot.
    -- Note: the payload is only decoded in this block, its signature is not checked here.
    local dotFirst = event.origin.auth_token:find("%.");
    if dotFirst then
        local dotSecond = event.origin.auth_token:sub(dotFirst + 1):find("%.");
        if dotSecond then
            local bodyB64 = event.origin.auth_token:sub(dotFirst + 1, dotFirst + dotSecond - 1);
            -- Fall back to an empty table if the payload cannot be decoded
            local bodyJson = basexx.from_url64(bodyB64);
            local body = bodyJson and json.decode(bodyJson) or {};
            if type(body) ~= 'table' then
                body = {};
            end
            module:log('debug', 'Valid JWT token found, checking indicators');
            -- Get the token attributes for affiliation/moderator status.
            -- context and context.user may be missing, so do not index them blindly.
            local modModeration = body['moderator'];
            local context = body['context'];
            local user = type(context) == 'table' and context['user'] or nil;
            local modAffiliation = type(user) == 'table' and user['affiliation'] or nil;
            -- Whitelist the auto-reentry for moderators/owners/teachers
            if modModeration == true then
                module:log('debug', 'User is moderator according to token_moderation, permitting entry');
                whitelistJoin = true;
            elseif modAffiliation == 'owner' or modAffiliation == 'moderator' or modAffiliation == 'teacher' then
                module:log('debug', 'User is moderator according to token_affiliation, permitting entry');
                whitelistJoin = true;
            else
                module:log('debug', 'No valid affiliations for direct entry found in JWT');
            end
        end
    end
end
--- /INSERT THIS PART
---
if whitelistJoin then
    local affiliation = room:get_affiliation(invitee);
    if not affiliation or affiliation == 0 then
.....
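
An issuer-side check for the rule in the IMPORTANT note above, as an added example that is not part of the gist or of Jitsi's code: it verifies the token signature before reading any claim and then applies the same moderator/affiliation test, so the software that issues the JWT can unit-test which tokens would skip the lobby. HS256 with a shared secret, the secret value, the function names and the sample claims are assumptions.

```python
import base64, hashlib, hmac, json

BYPASS_AFFILIATIONS = {"owner", "moderator", "teacher"}  # values named in the gist

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret):
    """Build an HS256 token; used only for the constructed samples below."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verified_claims(token, secret):
    """Return the payload dict only if the HS256 signature matches, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # reject any algorithm other than the expected one
        signed = f"{parts[0]}.{parts[1]}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    return claims if isinstance(claims, dict) else None

def lobby_bypass_reason(claims):
    """Mirror the gist's rule; tolerate tokens without context or user."""
    claims = claims or {}
    if claims.get("moderator") is True:
        return "token_moderation"
    context = claims.get("context")
    user = context.get("user") if isinstance(context, dict) else None
    affiliation = user.get("affiliation") if isinstance(user, dict) else None
    ok = isinstance(affiliation, str) and affiliation in BYPASS_AFFILIATIONS
    return "token_affiliation" if ok else None

SECRET = b"constructed-demo-secret"  # constructed value, not from the gist
MOD_TOKEN = make_token({"room": "demo", "moderator": True}, SECRET)
GUEST_TOKEN = make_token({"room": "demo", "context": {"user": {"affiliation": "member"}}}, SECRET)
```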