Audio / Video and chat setup

Code With Me uses Jitsi as a main framework for audio/video group calls. Jitsi is an open source solution, and seems to be an industry standard for those who seek such a framework. It is actively developed and improved by the community and used by various large corporations.

The Jitsi client has a web-based user interface, so its UI is integrated with JCEF technology. It is not anticipated that Code With Me users will require video so often - it’s more likely one would need to just have a voice communication during a session, so call management is wrapped with simple toolbar actions.

Server side is more interesting. Jitsi needs to create a virtual call room - this part of logic perfectly aligns with the Code With Me lobby server which generates a link. However, lobby-server has nothing to do with Jitsi services, instead it gets the username, generates the room’s name, determines the geo-region for a video bridge service, signs it with a private key and sends this back to the host. Received data can now be used from the host’s machine to enter the Jitsi’s virtual room.

Prosody, Jicofo and Web Frontend form the “Core” package, while Videobridge is a standalone scalable unit.

Free public Jitsi

You can use https://meet.jit.si. It's free, but it has some limitations. There are no guarantees that all Code With Me features will work with this type of distribution as well as there will be no guarantees that your meetings are safe because they are not protected by security JWT token.

Enable free public Jitsi

Set JITSI_URL environment variable of lobby server to https://meet.jit.si.
After that, you should have audio/video calls during the Code With Me sessions. If you are looking for more secure meetings, use On-premise Audio/Video calls.

On-premise Audio/Video calls

Jitsi backend is represented with four main components:

Core

Prosody: xmpp server for communication between components and clients
Jicofo: component for conference management
Web frontend: which serves Jitsi client web application and allows clients to communicate to prosody and other components

Videobridge

Videobridge: component which represents scalable and performant SFU implementation

Self-hosted Jitsi instance

Jitsi can be hosted in one of the following ways:

Everything hosted on a single machine: you can use Jitsi Quick Setup
Some AWS hints and stats can be found here.
Single "Core" package + multiple Videobridges
Multiple "Core" packages + Videobridges
This setup does not cover this case. Also, you can have problems with integrating this distribution to lobby due to only one link limitation in JITSI_URL parameter. This can be supported in the future.

Lobby configuration

Once you have your Jitsi instance - put its URL into JITSI_URL environment variable.

From now on you should have audio/video calls during the Code With Me sessions, but it is highly recommended to add some security to your meetings. Read about Secure setup.

Secure setup

To guarantee a secure video chat experience each client provides a JWT token signed by the lobby server that allows them to join a particular room in the system. JWT credentials are also time limited to prevent repetition attacks.

To make a signed JWT token Lobby server requires a private key.

To check validity of JWT token Jitsi requires associated public key.

Generate RSA256 for JWT tokens

To generate private and public key you can use these commands:
ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key # Don't add passphrase openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

Configure lobby Jitsi certificate

Set the lobby server JITSI_RSA_JWT_KEY_FILE ENV variable file path of the jwtRS256.key.
From now on lobby will generate links with jwt tokens.
Next, we must configure jitsi to accept tokens forged by Lobby server.

Configure prosody

The configuration is based on this guide.
To make prosody capable of working with jwt tokens install jitsi-meet-tokens package:
apt-get install jitsi-meet-tokens
Now we have to tweak some parameters manually. Prosody config is located at /etc/prosody/prosody.cfg.lua.
Make sure that /etc/prosody/prosody.cfg.lua contains the line below:
Include "conf.d/*.cfg.lua"
Also, make sure that client to server encryption is not enforced.
Otherwise, token authentication won't work:
c2s_require_encryption=false
For cases where JWT tokens signed by certificate, prosody provides asap_key_server config entry. asap_key_server is a server which serves public part of JWT token certificate.
asap_key_server should serve our certificate for path containing sha256 of kid claim of incoming JWT token.
kid claim of our JWT token equals CWMKey:
sha256("CWMKey") is 8791edb7d806447dd0aaa98a2b568ad792696ed4d885f23b89f6beb7f7c4f44e
The app_id setting of your VirtualHost in prosody config should equal to CodeWithMe.
Check the following code example:
... c2s_require_encryption = false ... VirtualHost "jitmeet.example.com" authentication = "token"; app_id = "CodeWithMe"; asap_key_server = "https://keyserver.example.com/asap"; allow_empty_token = false; ...

asap_key_server nginx configuration (could also be the one, which serves Jitsi frontend):

...
location ~ ^/asap/8791edb7d806447dd0aaa98a2b568ad792696ed4d885f23b89f6beb7f7c4f44e(.pem)?$
{
alias /path/to/jwtRS256.key.pub;
}
...

Last modified: 25 November 2021