fix(auth): prevent JWT token credential leakage via URL query params and server logs#17047

Open
onlybugs05-hackerone wants to merge 5 commits into jitsi:master from onlybugs05-hackerone:master

Conversation

@onlybugs05-hackerone

JWT tokens were exposed in server logs (CWE-532) and URL query strings (CWE-598) in the Prosody auth modules, risking credential leakage via access logs, browser history, and Referer headers.

Changes

  • mod_token_verification.lua — Remove session.auth_token from the error log in verify_user(). The raw JWT was being written to error logs on every failed room join:

    -- Before: raw JWT written to error logs
    module:log('error', 'Token %s not allowed to join: %s err: %s reason: %s',
        tostring(session.auth_token), tostring(stanza.attr.to), err, reason);
    
    -- After: token omitted
    module:log('error', 'Token not allowed to join: %s err: %s reason: %s',
        tostring(stanza.attr.to), err, reason);
  • mod_jitsi_session.lua — Token extraction from URL query parameters is already blocked by default (accept_token_from_query = false). Add a module-load warning when this opt-in is explicitly enabled so administrators are aware of the accepted risk:

    if accept_token_from_query then
        module:log("warn", "Security configuration: accept_token_from_query is enabled. ...")
    end
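
As an added example (not part of this PR or the Jitsi/Prosody code, and written in Python rather than the Lua modules above) here is a defender-side check for the two problems the description names: a scanner that spots JWT-shaped strings in Prosody log lines and redacts them, a helper that decodes a leaked token's claims so an operator can see what it granted, and a config check for the `accept_token_from_query` opt-in. The token, the log lines and the config fragments are constructed for the demo; the log line shapes mirror the "before" and "after" `module:log` calls, and the exact Prosody log prefix is an assumption.

```python
import base64
import json
import re

# A JWT is header.payload.signature, each segment base64url. A JSON header
# always starts with "eyJ" (base64url of '{"'), which gives a tight pattern
# for spotting tokens that should never have reached a log file.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


SAMPLE_TOKEN = make_sample_token({"room": "*", "sub": "meet.example.org", "exp": 1800000000})

# Constructed log lines in the shape of the 'before' and 'after' log calls
# (the "mod_token_verification error" prefix is an assumption about log layout).
BEFORE_LINE = (f"mod_token_verification error Token {SAMPLE_TOKEN} not allowed to join: "
               "room@conference.meet.example.org err: not-allowed reason: Room and token mismatched")
AFTER_LINE = ("mod_token_verification error Token not allowed to join: "
              "room@conference.meet.example.org err: not-allowed reason: Room and token mismatched")


def find_jwts(line: str) -> list:
    """Return every JWT-shaped string in a log line (empty list means nothing leaked)."""
    return JWT_RE.findall(line)


def redact_jwts(line: str) -> str:
    """Replace any JWT in a line with a marker, for scrubbing logs already written."""
    return JWT_RE.sub("<redacted-jwt>", line)


def jwt_claims(token: str) -> dict:
    """Decode the payload of a leaked token to see what it granted.

    No signature check is done: this is forensic inspection of a token that has
    already leaked, not authentication.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Prosody's config is Lua; this matches the opt-in the PR adds a warning for.
CONFIG_RE = re.compile(r"^\s*accept_token_from_query\s*=\s*(true|false)\b", re.MULTILINE)


def query_token_enabled(config_text: str) -> bool:
    """True only when a config explicitly enables reading the token from the URL query."""
    m = CONFIG_RE.search(config_text)
    return bool(m) and m.group(1) == "true"


if __name__ == "__main__":
    for line in (BEFORE_LINE, AFTER_LINE):
        leaked = find_jwts(line)
        print("leaked" if leaked else "clean", "->", redact_jwts(line))
        for tok in leaked:
            print("  claims exposed:", jwt_claims(tok))
    print("query tokens enabled:", query_token_enabled('accept_token_from_query = true'))
```

Running the scanner over an existing Prosody log directory shows whether tokens were already written before the patched module was deployed; any hit should be treated as an exposed credential until its `exp` has passed, and the redaction is only a clean-up, not a substitute for rotating the signing secret where the leak is wide.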

onlybugs05-hackerone and others added 5 commits February 26, 2026 10:34
… authentication via URL query parameters by default, and remove app shortcuts.
…and server logs

Co-authored-by: onlybugs05-hackerone <257578503+onlybugs05-hackerone@users.noreply.github.com>
…k-vulnerability

fix(auth): prevent JWT token credential leakage via URL query params and server logs
@jitsi-jenkins

Hi, thanks for your contribution!
If you haven't already done so, could you please make sure you sign our CLA (https://jitsi.org/icla for individuals and https://jitsi.org/ccla for corporations)? We would unfortunately be unable to merge your patch unless we have that piece :(.

@onlybugs05-hackerone
Author

Yeah, I have already done it!

@damencho
Member

Have you tested this with the client?

Member

@damencho damencho left a comment

This requires client changes.

@onlybugs05-hackerone
Author

@damencho

Yeah, they do require client changes.

But it's better to stop that for security purposes.
