From 50cab2837fb8a624b50040802c2f89f8e4f4b11d Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Tue, 3 Jun 2014 09:09:52 +0200
Subject: [PATCH] Handle join auth through the invitation token
---
 public/vroom.pl | 20 +++++++++++++++++++-
 templates/default/invite.email_html.ep | 4 ++--
 templates/default/invite.email_text.ep | 2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/public/vroom.pl b/public/vroom.pl
index dccb8d5..7bcb372 100755
--- a/public/vroom.pl
+++ b/public/vroom.pl
@@ -533,6 +533,21 @@ helper delete_invitations => sub {
 return 1;
 };
 
+# Check an invitation token is valid
+helper check_invite_token => sub {
+ my $self = shift;
+ my ($room,$token) = @_;
+ my $ret = 0;
+ my $data = $self->get_room($room);
+ if (!$data || !$token){
+ return undef;
+ }
+ my $sth = eval { $self->db->prepare("SELECT * FROM `invitations` WHERE id=? AND token=? AND (`response` IS NULL OR `response`='later');") } || return undef;
+ $sth->execute($data->{id},$token) || return undef;
+ $ret = 1 if ($sth->rows == 1);
+ return $ret;
+};
+
 # Route / to the index page
 any '/' => 'index';
 
@@ -734,6 +749,7 @@ get '/(*room)' => sub {
 my $self = shift;
 my $room = $self->stash('room');
 my $video = $self->param('video') || '1';
+ my $token = $self->param('token') || undef;
 # Redirect to lower case
 if ($room ne lc $room){
 $self->redirect_to($self->get_url('/') . lc $room);
@@ -766,7 +782,9 @@ get '/(*room)' => sub {
 );
 }
 # Now, if the room is password protected and we're not a participant, nor the owner, lets prompt for the password
- if ($data->{join_password} && (!$self->session($room) || $self->session($room)->{role} !~ m/^participant|owner$/)){
+ if ($data->{join_password} &&
+ (!$self->session($room) || $self->session($room)->{role} !~ m/^participant|owner$/) &&
+ !$self->check_invite_token($room,$token)){
 return $self->redirect_to($self->get_url('/password') . $room);
 }
 # Set this peer as a simple participant if he has no role yet (shouldn't happen)
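Review bot: `check_invite_token` decides validity from `$sth->rows` right after `execute` on a SELECT, and DBI only guarantees that count once the rows have been fetched, so the result depends on driver buffering; selecting `COUNT(*)` and reading it with `my ($n) = $sth->fetchrow_array;` followed by `return $n == 1 ? 1 : 0;` avoids that. The query binds the room's `$data->{id}` to the `id` column of `invitations`; the schema is not visible here, so it is worth confirming that this column holds the room id and not the invitation's own key, otherwise the token is not actually scoped to the room. The helper returns `undef` on error and `0` on no match, which works for the truthiness test in the caller but deserves a line in the header comment, for example `# Returns 1 if the token matches a pending invitation for the room, a false value otherwise`.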
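Review bot: The role test carried into the new condition, `m/^participant|owner$/`, anchors each alternative separately, so it accepts any role that merely starts with `participant` or ends with `owner`; `m/^(?:participant|owner)$/` is what the comment above it describes. The added `!$self->check_invite_token($room,$token)` makes the query-string token a full alternative to the join password for as long as the invitation is unanswered or answered `later`, and nothing in the visible lines expires or consumes it. Because both invite templates in this patch append `?token=` to the room URL, the value can end up in access logs, browser history and Referer headers, so consider redirecting to the token-less room URL once the session role is set, and say in a comment that the token is a bearer credential. The route handler begins and ends outside the hunk, so what happens to the session after this check is not visible here.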
diff --git a/templates/default/invite.email_html.ep b/templates/default/invite.email_html.ep index fb794b1..20af1cf 100644 --- a/templates/default/invite.email_html.ep +++ b/templates/default/invite.email_html.ep @@ -20,8 +20,8 @@ <%=l 'WHEN_YOU_ARE_READY' %>

- - <%= $url . $room %> + + <%= $url . $room %>?token=<%= $inviteId %>

diff --git a/templates/default/invite.email_text.ep b/templates/default/invite.email_text.ep index 1bf4154..1f9a4bc 100644 --- a/templates/default/invite.email_text.ep +++ b/templates/default/invite.email_text.ep @@ -10,7 +10,7 @@ <%==l 'WHEN_YOU_ARE_READY' %> -<%== $url . $room %> +<%= $url . $room %>?token=<%= $inviteId %> <% if ($message && $message ne ''){ %> <%==l 'MESSAGE_FROM_ORGANIZER' %>: