From f1bce485aba2230f859e6828f5e45c08429352b4 Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Tue, 31 Mar 2026 18:52:00 -0400
Subject: [PATCH] fix(idaa): revert JWT to moderators-only pending Jitsi server config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Temporary rollback — non-moderators rejoin anonymously until Prosody is configured with allow_empty_token=false to enforce JWT moderator claims. TODO comment left in place to track the follow-up.
Co-Authored-By: Claude Sonnet 4.6
---
 .../(idaa)/video_conferences/+page.svelte | 43 +++++++++++--------
 1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/src/routes/idaa/(idaa)/video_conferences/+page.svelte b/src/routes/idaa/(idaa)/video_conferences/+page.svelte
index ea5a5321..ba85324f 100644
--- a/src/routes/idaa/(idaa)/video_conferences/+page.svelte
+++ b/src/routes/idaa/(idaa)/video_conferences/+page.svelte
@@ -836,26 +836,31 @@ async function init_jitsi() {
 const url_params = data.params;
 // --- Initialize Jitsi ---
- // All verified Novi users get a JWT — not just moderators.
- // Without JWT enforcement, the room URL alone is enough to join, which violates IDAA privacy.
- // is_moderator is encoded in the token payload by get_jitsi_jwt().
- console.log('Jitsi: Attempting to get JWT...');
- const jwt_token = await get_jitsi_jwt(
- display_name,
- email,
- is_moderator,
- room_name,
- user_id
- );
- if (!jwt_token) {
- const container = document.getElementById(jitsi_container_id);
- if (container)
- container.innerHTML =
- '

Authentication Failed. Please try again.

';
- console.error('Jitsi: Authentication failed. JWT not received.');
- return;
+ // TODO: Issue JWT to all verified Novi users once Jitsi server is configured to enforce
+ // JWT auth and respect context.user.moderator (set allow_empty_token = false in Prosody).
+ // For now, only moderators get a JWT — non-moderators join anonymously.
+ let jwt_token = null;
+ if (is_moderator) {
+ console.log('Jitsi: Attempting to get JWT for moderator...');
+ jwt_token = await get_jitsi_jwt(
+ display_name,
+ email,
+ is_moderator,
+ room_name,
+ user_id
+ );
+ if (!jwt_token) {
+ const container = document.getElementById(jitsi_container_id);
+ if (container)
+ container.innerHTML =
+ '

Authentication Failed. Please try again.

';
+ console.error('Jitsi: Authentication failed. JWT not received.');
+ return;
+ }
+ console.log('Jitsi: Successfully received JWT.');
+ } else {
+ console.log('Jitsi: Non-moderator joining without JWT (temporary — pending Jitsi server config fix).');
 }
- console.log('Jitsi: Successfully received JWT.');
 const disabled_sounds = [
 disable_incoming_msg_sound ? 'INCOMING_MSG_SOUND' : null,
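Review bot: The new TODO above `let jwt_token = null;` drops the reason the removed comment gave for issuing a JWT to every user: by the commit's own deleted text, the room URL alone is enough to join while non-moderators connect without a token. Keep that consequence next to the rollback, e.g. `// SECURITY: until Prosody enforces JWT, anyone holding the room URL can join unauthenticated (IDAA privacy).`, so the temporary state is not mistaken for a safe default. The only runtime trace of the anonymous path is a browser `console.log` in the `else` branch, so a config flag tied to a tracked issue (`<ISSUE-ID>`, placeholder) would make the rollback easier to audit and reverse. It is also worth confirming, since it is not visible here, that `get_jitsi_jwt()` verifies moderator status on the server rather than trusting the client-side `is_moderator` that now gates the request. `init_jitsi()` begins and ends outside the hunk.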