fix(idaa): require JWT for all Novi users, remove embed meeting button

- Issue JWT to all verified Novi users, not just moderators; unauthenticated URL access no longer sufficient to join an IDAA video conference - Remove 'embedmeeting' from Jitsi toolbar via explicit toolbarButtons whitelist; the embed dialog exposed the Jitsi host/room URL violating IDAA privacy rules Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 17:53:09 -04:00
parent ae4b94f1b2
commit 9b0c05b80c
1 changed files with 32 additions and 22 deletions
--- a/src/routes/idaa/(idaa)/video_conferences/+page.svelte
+++ b/src/routes/idaa/(idaa)/video_conferences/+page.svelte
@@ -836,28 +836,26 @@ async function init_jitsi() {
    const url_params = data.params;

    // --- Initialize Jitsi ---
-    let jwt_token = null;
-    if (is_moderator) {
-        console.log('Jitsi: Attempting to get JWT for moderator...');
-        jwt_token = await get_jitsi_jwt(
-            display_name,
-            email,
-            is_moderator,
-            room_name,
-            user_id
-        );
-        if (!jwt_token) {
-            const container = document.getElementById(jitsi_container_id);
-            if (container)
-                container.innerHTML =
-                    '<h1>Authentication Failed. Please try again.</h1>';
-            console.error('Jitsi: Authentication failed. JWT not received.');
-            return;
-        }
-        console.log('Jitsi: Successfully received JWT.');
-    } else {
-        console.log('Jitsi: Not a moderator, proceeding without JWT.');
+    // All verified Novi users get a JWT — not just moderators.
+    // Without JWT enforcement, the room URL alone is enough to join, which violates IDAA privacy.
+    // is_moderator is encoded in the token payload by get_jitsi_jwt().
+    console.log('Jitsi: Attempting to get JWT...');
+    const jwt_token = await get_jitsi_jwt(
+        display_name,
+        email,
+        is_moderator,
+        room_name,
+        user_id
+    );
+    if (!jwt_token) {
+        const container = document.getElementById(jitsi_container_id);
+        if (container)
+            container.innerHTML =
+                '<h1>Authentication Failed. Please try again.</h1>';
+        console.error('Jitsi: Authentication failed. JWT not received.');
+        return;
    }
+    console.log('Jitsi: Successfully received JWT.');

    const disabled_sounds = [
        disable_incoming_msg_sound ? 'INCOMING_MSG_SOUND' : null,
@@ -879,7 +877,19 @@ async function init_jitsi() {
            startWithVideoMuted: true,
            enableLobby: is_moderator,
            disableReactionsModeration: false,
-            disabledSounds: disabled_sounds
+            disabledSounds: disabled_sounds,
+            // Explicit toolbar whitelist — omitting 'embedmeeting' entirely.
+            // "Embed Meeting" exposes the Jitsi host/room URL and must never appear
+            // for IDAA users (authenticated or not) — privacy requirement.
+            toolbarButtons: [
+                'camera', 'chat', 'closedcaptions', 'desktop', 'download',
+                'etherpad', 'feedback', 'filmstrip', 'fullscreen', 'hangup',
+                'help', 'invite', 'livestreaming', 'microphone',
+                'mute-everyone', 'mute-video-everyone', 'participants-pane',
+                'profile', 'raisehand', 'recording', 'security',
+                'select-background', 'settings', 'shareaudio', 'sharedvideo',
+                'shortcuts', 'stats', 'tileview', 'toggle-camera', 'videoquality'
+            ]
        },
        interfaceConfigOverwrite: {
            DISABLE_JOIN_LEAVE_NOTIFICATIONS: true,