External API /meeting_ended has no authentication
When can we expect this TODO to be fixed, @farhatahmad?
https://github.com/bigbluebutton/greenlight/blob/251c307b8bb71c1a9bc86144500e8eade2c66238/app/controllers/external_controller.rb#L127
I have studied how you have implemented authentication via checksum using secret key + query params + action name in scalelite. It's pretty easy to implement the same here.
I found difficulty in two places:
- In BBB, where exactly is the code where we are defining the query parameters for this callback (endcallbackurl)? What I found in BBB version 3.0.9:
https://github.com/bigbluebutton/bigbluebutton/blob/85510d4509f500f1cda1851153a22c15b0940e65/bbb-common-web/src/main/java/org/bigbluebutton/api/MeetingService.java#L1067
I think here I need to create and add the checksum parameter in the query string. Once done, in my /meeting_ended I can then safely check if the checksum matches or not.
The problem is that I am not sure where else I need to make modifications. I found the above code by simply searching for the 'recordingmarks' query parameter, and I found it only here. After reading the code, the above location makes sense. Still, I need your confirmation.
- If I look at the /meeting_ended code:

```ruby
def meeting_ended
  # TODO: - ahmad: Add some sort of validation
  @room = Room.find_by(meeting_id: extract_meeting_id)
  return render json: {}, status: :ok unless @room

  recordings_processing = params[:recordingmarks] == 'true' ? @room.recordings_processing + 1 : @room.recordings_processing
  unless @room.update(recordings_processing:, online: false)
    Rails.logger.error "Failed to update room(id): #{@room.id}, model errors: #{@room.errors}"
  end
  render json: {}, status: :ok
end
```
I can see only two query parameters are being used, recordingmarks and meetingID; the same are also passed as parameters from MeetingService.java. I tried printing the complete request object in /meeting_ended and I got:

```
#<ActionDispatch::Request GET "http://HOST:PORT/nk/meeting_ended?recordingmarks=false&meetingID=xyvpokrvxcqstk4rnhrlgdricokc7s1htv2emdt2" for HOST>
```

This makes me sure that when BBB calls this callback, it sends only two parameters, so I will use the above two to create the checksum. Correct me if I am wrong.
Thank you,
Niraj
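
An added example, not part of the original post and not Greenlight's or BigBlueButton's code: one way the checksum check discussed above could look, assuming the callback is signed as SHA-256 over the action name, the query string and the shared secret (the order BigBlueButton's API checksum uses). The module and method names and the secret are hypothetical.

```ruby
require 'openssl'

# Hypothetical helper (not Greenlight or BigBlueButton code).
# Assumption: checksum = SHA256(action name + query string + shared secret).
module CallbackChecksum
  ACTION = 'meeting_ended'

  def self.digest(query, secret)
    OpenSSL::Digest::SHA256.hexdigest("#{ACTION}#{query}#{secret}")
  end

  # Sender side: sign the exact query string that will be sent.
  def self.sign(query, secret)
    "#{query}&checksum=#{digest(query, secret)}"
  end

  # Receiver side: verify against the raw query string as received, so
  # parameter order and encoding match what the sender hashed.
  def self.valid?(raw_query, secret)
    sums, rest = raw_query.to_s.split('&').partition { |p| p.start_with?('checksum=') }
    return false unless sums.size == 1 # missing or duplicated checksum

    supplied = sums.first.delete_prefix('checksum=')
    secure_eq?(supplied, digest(rest.join('&'), secret))
  end

  # Constant-time comparison; in Rails, ActiveSupport::SecurityUtils.secure_compare
  # does the same job.
  def self.secure_eq?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample: the query string from the request printed above and a made-up secret.
SAMPLE_SECRET = 'constructed-shared-secret'
SAMPLE_QUERY  = 'recordingmarks=false&meetingID=xyvpokrvxcqstk4rnhrlgdricokc7s1htv2emdt2'

signed = CallbackChecksum.sign(SAMPLE_QUERY, SAMPLE_SECRET)
puts CallbackChecksum.valid?(signed, SAMPLE_SECRET)                         # signed request
puts CallbackChecksum.valid?(SAMPLE_QUERY, SAMPLE_SECRET)                   # no checksum
puts CallbackChecksum.valid?(signed.sub('=false', '=true'), SAMPLE_SECRET)  # altered parameter
```

In the controller, a check like this would run before the room lookup and return early when it fails.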