Jot Security

Can someone explain, please, with an example, how to get Jot security to work. When I add any of them, it won't connect.


My Jot server is 1.0.3.

Also, how does the domain setting work in config.json? Again, anything I add here, it fails to connect. I want it to be locked to my domain only. I tried the server IP, but it failed to connect.

Documentation doesn't mention ANY of the above keys or secrets.

Thank you! 🙏

Replies (21)
    • Does "secret" even work in 1.0.3? I added it, restarted the app, and Jot still connects and functions without the secret set in the admin panel?

      Why?

      • Hello @Wise ,

        Yes, the secret exists in the version that was uploaded to the Jot Server files on Git, but it hasn't been released yet. It's the very bottom option from your screen. I will try to release it during this week.

        The two upper options, JWT token API ID and JWT token App secret, are related to the Jitsi integration and can be enabled when JWT is installed for Jitsi.

        • Thank you @Alexey

          So, if I go ahead and install a Jitsi server, I can lock it down using the first two fields? I had asked questions about Jitsi but got no answers. If I enable both, then only my site will be able to communicate with Jitsi? Not allowing creation of rooms without authentication?

          • Hello @Wise ,

            If you enable both Jitsi options and install Jitsi with JWT, then only users from your site will be able to create and join rooms on your Jitsi instance. The Jot Messenger JWT option allows users to connect to Jot Messenger using a JWT token.

            • @Alexey thank you! Now I feel better about installing jitsi and will work on that next.

              Can you please explain the domain field in config.json for Jot server. I want to allow only my domain to reach it. It seems anything I add here is wrong.

              I will also keep checking for jot server release 😁🙏

              • Hello @Wise,

                The domains option allows you to specify which IP addresses are permitted to connect to the server for the Jot Messenger module. Here's how it works:

                If you want to allow specific IP addresses, you can list them one by one:

                "domains": ["127.0.0.1", "127.0.0.2"]
                

                In this example, only the IP addresses 127.0.0.1 and 127.0.0.2 are allowed to use the server. If you want to allow any IP address to connect to the server, you can use an asterisk (*):

                "domains": ["*"]
                

                In this case, any domain or IP address can use your server for the Jot Messenger module. In summary, listing specific IPs restricts access to those IPs only, while using * opens access to all domains.
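The reply above describes the allowlist as a list of IP addresses. The following is an added illustration, not Jot server's own code, of the difference between checking an allowlist against the connecting socket's remote address (what an IP list can do) and against the Origin header a browser sends in the WebSocket handshake (what "lock it to my domain" actually needs). The handshake shape, the function names and the sample addresses are assumptions made for this example; it goes beyond the post by showing the Origin check as well.

```javascript
// Added example, not Jot server code: two ways to apply a "domains"
// allowlist to an incoming WebSocket handshake. Handshake shape and
// function names are assumptions for this illustration.

// Normalise an allowlist entry: accept "blah.com", "https://blah.com" or "1.1.1.1".
function hostOf(entry) {
  try { return new URL(entry).hostname.toLowerCase(); }
  catch { return entry.toLowerCase(); }
}

// Check 1: match the list against the socket's remote address.
// For a browser client this is the *visitor's* IP, never the site's IP,
// so listing the site IP rejects every real user.
function allowedByRemoteIp(handshake, domains) {
  if (domains.includes('*')) return true;          // wildcard: no restriction at all
  return domains.includes(handshake.remoteAddress);
}

// Check 2: match the list against the Origin header. A page served from
// blah.com opens the socket with Origin: https://blah.com whatever the
// visitor's IP is and whether or not a CDN sits in front of the site.
function allowedByOrigin(handshake, domains) {
  if (domains.includes('*')) return true;
  const origin = handshake.headers && handshake.headers.origin;
  if (!origin) return false;                        // no Origin: not a browser page, reject
  let host;
  try { host = new URL(origin).hostname.toLowerCase(); } catch { return false; }
  return domains.map(hostOf).includes(host);
}

// Constructed sample: a visitor of blah.com (site IP 1.1.1.1) connecting
// from their own address 203.0.113.7.
const browserHandshake = {
  remoteAddress: '203.0.113.7',
  headers: { origin: 'https://blah.com' },
};
// Constructed sample: a script with no Origin header, e.g. a flood tool.
const scriptHandshake = { remoteAddress: '198.51.100.9', headers: {} };

// Summary of the four cases discussed in the thread.
function demo() {
  return {
    siteIpInList: allowedByRemoteIp(browserHandshake, ['1.1.1.1']),     // false: visitor IP != site IP
    originOfSite: allowedByOrigin(browserHandshake, ['blah.com']),      // true
    scriptNoOrigin: allowedByOrigin(scriptHandshake, ['blah.com']),     // false
    wildcard: allowedByRemoteIp(scriptHandshake, ['*']),                // true: anyone may connect
  };
}
```

Caveat: a non-browser client can send any Origin it likes, so the Origin check only stops other web pages from embedding your messenger; it does not stop a script flooding the server. That is what the per-connection secret/JWT discussed later in the thread is for, and `"*"` switches the allowlist off entirely.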

                • If I put my server IPs in that list, it does not work.

                  So the word "domains" to me seems incorrect. Are you saying that every user's IP would need to be added to this list? Because you just quoted the documentation, which makes no sense.

                  If my domain is blah.com at 1.1.1.1 - how do I restrict only my domain using the server. Because when I put 1.1.1.1 it fails to connect for everyone.

                  Not sure who understands what happens in real-world pen testing, but if I can connect freely to anything, I can DoS it with my team in half a second with a few million requests.

                  So please explain, like I am an idiot, how to secure Jot server. Because nothing I do works.

                  Thank you.

                  • Also, I tried to use the git version of jot-server to enable the secret token at least, and it appears something is missing from the git? Idk. It doesn't work either.

                    • Any idea when a new release of Jot server will be done? I would like to use JWT to secure my installation. This does not work in the last release, from 2018.

                      @Alexey how to scale jot-server? If a site grows to large numbers, one server can't possibly accommodate that - so how to scale?

                      Also, asking again... Under domains, if I put my site IP for my domain, it doesn't work. The word "domains" is very misleading here. You have put localhost addresses as examples. If my site uses 1.1.1.5 as its IP and I put that in the list, it stops connecting. How exactly does this work?

                      • Hello!

                        Regarding the update: It will be finished next week. Thank you for your patience!

                        Regarding scaling Jot-server: By default, it can handle several thousand connections and work with multiple domains without any issues. We have never had problems with it overloading before.

                        About domains: You should use the IPs of the sites from which users are allowed to connect to the Jot-server. The GitHub version is not finished yet, but domains should work fine for the current version 1.0.3. I will prepare it next week, and it will work as expected for the latest version 1.0.4 as well.

                        • @Alexey what about sites that use Cloudflare DNS? I don't know exactly how you use the Jot server, but I suspect it is from the browser, so how does it know which domain is what IP? Especially since I sit behind Cloudflare?

                          • Also, logging doesn't seem to do a thing either?

                            • Hello!

                              I've updated the version on GitHub. Feel free to test it. You no longer need to use an IP address. You may leave the option domains: "*" but make sure to define the JWT token with the secret word. It should work.

                              Regarding the log function: it doesn't log requests or responses. It is used when the server crashes and cannot start, or when there are exceptions or errors during server operation.

                              • @Alexey I cloned the repo, dependency install, and have it running in pm2. secret is working. When I changed it in studio it displayed "Connection failed" in messenger. 👍

                                Oh, for anyone running Ubuntu 22.04 Jammy LTS, the repo version of Node is 12 LTS. The GitHub Jot server requires at least 14 for a dependency.

                                • Can you tell me where messenger interacts with notifications? For privacy reasons I need to remove message from push notifications. This is bad.

                                  • Yes, the dependencies have been updated to address vulnerabilities, so the versions of some of them have been changed. Anyway, Node.js 14 is also not new now compared to the latest stable version, Node.js 20.

                                    • Push notifications for Messenger are located in the Notifications module. You can disable them in the PUSH area under Studio -> Notifications.

                                        • @Alexey I mean in code, I don't want to disable them, just remove the talk snippet that goes with the push notification. OneSignal stores all messages. It is a huge privacy issue.

                                        • Hello!

                                          I suppose you may use the silent_mode option to prevent sending push notifications.

                                          1) In file modules/boonex/classes/BxMessngerModule.php find the method:

                                          public function sendNotifications($iLotId, $iJotId, $aOnlineUsers = [], $aRecipients = [], $sType = BX_MSG_NTFS_MESSAGE)
                                          

                                          and replace code:

                                          bx_alert($sModule, !$bIsMention ? 'got_jot_ntfs' : 'got_mention_ntfs', $iLotId, $this->_iProfileId, array(
                                              'object_author_id' => $iPart,
                                              'recipient_id' => $iPart,
                                              'subobject_id' => $iJotId
                                          ));
                                          

                                          with this code:

                                          bx_alert($sModule, !$bIsMention ? 'got_jot_ntfs' : 'got_mention_ntfs', $iLotId, $this->_iProfileId, array(
                                              'object_author_id' => $iPart,
                                              'recipient_id' => $iPart,
                                              'subobject_id' => $iJotId,
                                              'silent_mode' => BX_NTFS_SLTMODE_SITE_PUSH // raise the alert but suppress push delivery
                                          ));
                                          
                                          • Will this still send the push notification? I don't want to disable them. Let me explain completely

                                            Push notification:

                                            Wise sent a message
                                            Hey how you doing?
                                            

                                            OneSignal stores the 'Hey how you doing' part for every message sent. I simply want to remove the talk part.

                                            Wise sent a message
                                            New message waiting in talk
                                            

                                            So every message would say that instead of the actual message, otherwise I have a privacy issue with third party.

                                            Thank you for your help @Alexey 🙏

                                            • Good point! I have added it to the features list https://github.com/unacms/jot-client-una/issues/310

                                              You may correct code in the same file modules/boonex/classes/BxMessngerModule.php.

                                              Find the function serviceGetMessageContent($aEvent)

                                              and replace this line:

                                              $sAlterBody = $sTruncatedMessage ? $sTruncatedMessage : _t('_bx_messenger_txt_sample_email_push', html2txt($sMessage));
                                              

                                              with this code:

                                              $sAlterBody = $sTruncatedMessage ? 'New message waiting in talk' : _t('_bx_messenger_txt_sample_email_push', html2txt($sMessage)); // fixed placeholder instead of the message text
                                              