From 1e63a116c8c73af1d040b03518f7d7813d2be86e Mon Sep 17 00:00:00 2001 From: pabloFuente Date: Wed, 4 Apr 2018 12:29:36 +0200 Subject: [PATCH] Random token created in openvidu-server instead of openvidu-browser for insecure participants --- .../ts/OpenViduInternal/SessionInternal.ts | 10 +--------- .../io/openvidu/server/core/SessionManager.java | 15 ++++++++------- .../java/io/openvidu/server/rpc/RpcHandler.java | 2 ++ 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/openvidu-browser/ts/OpenViduInternal/SessionInternal.ts b/openvidu-browser/ts/OpenViduInternal/SessionInternal.ts index 577052d1..ffb79772 100644 --- a/openvidu-browser/ts/OpenViduInternal/SessionInternal.ts +++ b/openvidu-browser/ts/OpenViduInternal/SessionInternal.ts @@ -116,12 +116,8 @@ export class SessionInternal { } else { - if (!token) { - token = this.randomToken(); - } - let joinParams = { - token: token, + token: (!!token) ? token : '', session: this.sessionId, metadata: this.options.metadata, secret: this.openVidu.getSecret(), @@ -646,8 +642,4 @@ export class SessionInternal { } } - private randomToken(): string { - return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2); - } - } diff --git a/openvidu-server/src/main/java/io/openvidu/server/core/SessionManager.java b/openvidu-server/src/main/java/io/openvidu/server/core/SessionManager.java index 824d846f..3a9806e5 100644 --- a/openvidu-server/src/main/java/io/openvidu/server/core/SessionManager.java +++ b/openvidu-server/src/main/java/io/openvidu/server/core/SessionManager.java 
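Review bot: `(!!token) ? token : ''` in the `joinParams` literal is a long way to write `token || ''`, and the empty string it sends is now a protocol-level sentinel with no comment saying so. Suggest `token: token || '',` preceded by `// empty token: the server assigns one for insecure participants`. The enclosing method starts and ends outside the hunk.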
@@ -149,7 +149,7 @@ public abstract class SessionManager { public String newSessionId(SessionProperties sessionProperties) { String sessionId = OpenViduServer.publicUrl; - sessionId += "/" + RandomStringUtils.randomAlphanumeric(16).toLowerCase(); + sessionId += "/" + this.generateRandomChain(); this.sessionidTokenTokenobj.put(sessionId, new ConcurrentHashMap<>()); this.sessionidParticipantpublicidParticipant.put(sessionId, new ConcurrentHashMap<>()); @@ -163,7 +163,7 @@ public abstract class SessionManager { if (this.sessionidParticipantpublicidParticipant.get(sessionId) != null && this.sessionidTokenTokenobj.get(sessionId) != null) { if (isMetadataFormatCorrect(serverMetadata)) { - String token = RandomStringUtils.randomAlphanumeric(16).toLowerCase(); + String token = this.generateRandomChain(); this.sessionidTokenTokenobj.get(sessionId).put(token, new Token(token, role, serverMetadata)); showTokens(); return token; @@ -234,12 +234,12 @@ public abstract class SessionManager { public Participant newParticipant(String sessionId, String participantPrivatetId, Token token, String clientMetadata) { if (this.sessionidParticipantpublicidParticipant.get(sessionId) != null) { - String participantPublicId = RandomStringUtils.randomAlphanumeric(16).toLowerCase(); + String participantPublicId = this.generateRandomChain(); ConcurrentHashMap participantpublicidParticipant = this.sessionidParticipantpublicidParticipant .get(sessionId); while (participantpublicidParticipant.containsKey(participantPublicId)) { // Avoid random 'participantpublicid' collisions - participantPublicId = RandomStringUtils.randomAlphanumeric(16).toLowerCase(); + participantPublicId = this.generateRandomChain(); } Participant p = new Participant(participantPrivatetId, participantPublicId, token, clientMetadata); this.sessionidParticipantpublicidParticipant.get(sessionId).put(participantPublicId, p); 
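Review bot: The session id built here, the token in the `@@ -163` hunk and the insecure-participant token in RpcHandler all come from `generateRandomChain()` (added in the `@@ -288` hunk), which wraps `RandomStringUtils.randomAlphanumeric(16)`; assuming this is Apache Commons Lang, that call draws from a general-purpose PRNG that the library documents as not cryptographically secure. These values act as bearer credentials, so they should come from `SecureRandom`: add `private static final SecureRandom SECURE_RANDOM = new SecureRandom();` and return `RandomStringUtils.random(16, 0, 0, true, true, null, SECURE_RANDOM).toLowerCase()`. Lower-casing also folds 62 symbols into 36 with letters twice as likely as digits, so each character carries about 5 bits; consider a longer string if that margin matters.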
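Review bot: `showTokens()` runs immediately after the new token is stored in the `@@ -163` hunk; its body is outside the patch, but if it logs the token map the way `showAllParticipants()` logs the participant map with `log.info`, every valid token lands in the server log in clear text. Tokens are bearer credentials, so the call should be dropped or reduced to a count, e.g. `log.debug("{} tokens in session {}", this.sessionidTokenTokenobj.get(sessionId).size(), sessionId);`. The enclosing method starts and ends outside the hunk.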
@@ -267,9 +267,6 @@ public abstract class SessionManager { if (t != null) { return t; } else { - if (isInsecureParticipant(participantPrivateId)) { - return null; - } throw new OpenViduException(Code.TOKEN_CANNOT_BE_CREATED_ERROR_CODE, sessionId); } } else { @@ -288,6 +285,10 @@ public abstract class SessionManager { public void showAllParticipants() { log.info(": {}", this.sessionidParticipantpublicidParticipant.toString()); } + + public String generateRandomChain() { + return RandomStringUtils.randomAlphanumeric(16).toLowerCase(); + } /** * Closes all resources. This method has been annotated with the @PreDestroy diff --git a/openvidu-server/src/main/java/io/openvidu/server/rpc/RpcHandler.java b/openvidu-server/src/main/java/io/openvidu/server/rpc/RpcHandler.java index d3c8d239..e00a61c4 100644 --- a/openvidu-server/src/main/java/io/openvidu/server/rpc/RpcHandler.java +++ b/openvidu-server/src/main/java/io/openvidu/server/rpc/RpcHandler.java @@ -21,6 +21,7 @@ import io.openvidu.client.internal.ProtocolElements; import io.openvidu.server.config.OpenviduConfig; import io.openvidu.server.core.MediaOptions; import io.openvidu.server.core.Participant; +import io.openvidu.server.core.ParticipantRole; import io.openvidu.server.core.SessionManager; import io.openvidu.server.core.Token; @@ -129,6 +130,7 @@ public class RpcHandler extends DefaultJsonRpcHandler { if (openviduConfig.isOpenViduSecret(secret)) { sessionManager.newInsecureParticipant(participantPrivatetId); + token = sessionManager.generateRandomChain(); if (recorder) { generateRecorderParticipant = true; }
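Review bot: With the `isInsecureParticipant` branch removed in the `@@ -267` hunk, a token that is not found now always throws `TOKEN_CANNOT_BE_CREATED_ERROR_CODE`, so insecure participants depend on their server-generated token already being stored in `sessionidTokenTokenobj` when this lookup runs. That registration is not visible anywhere in this patch; confirm it happens between `token = sessionManager.generateRandomChain()` in RpcHandler and this call, otherwise every insecure join would fail here. A comment on the `throw` such as `// insecure participants are expected to have a server-generated token registered by now` would record the new invariant. The enclosing method starts outside the hunk.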
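Review bot: `toLowerCase()` in the new `generateRandomChain()` uses the JVM's default locale, so on a host whose default locale is Turkish an upper-case `I` becomes the dotless `ı` and the id is no longer plain ASCII, although `newSessionId` appends it to `OpenViduServer.publicUrl`. Use `.toLowerCase(Locale.ROOT)` (needs `java.util.Locale`). The method is also public without Javadoc; a short comment saying it produces session ids, tokens and participant public ids would tell callers the value is security-relevant.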
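Review bot: When `isOpenViduSecret(secret)` is false, `token` keeps whatever the client sent, and after this commit the browser sends `''` when it has no token (`token: (!!token) ? token : ''` in SessionInternal.ts). The validation that follows is outside this hunk, so confirm that a null or empty token is rejected before any lookup in the token map rather than being used as a key. On the new line itself, a comment such as `// insecure participant: discard any client-supplied token and mint one server-side` would make the unconditional overwrite explicit.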