
Hide api.url and api.secret to allow a mutualised BBB server between more than one Nextcloud instance.

Open vincib opened this issue 2 years ago • 2 comments

Current situation

I'm hosting a lot of Nextcloud instances on a single server (~50) and we'd like to provide all our Nextcloud users with the BBB app.

But since this app requires giving the Nextcloud administrator the URL and API secret of the BBB instance, it allows them to list and join any room on the BBB server, even if those rooms are used by other Nextcloud instances.

Proposed feature

I'd like to be able to hide the api.url and api.secret settings (mostly api.secret though...) in config.php instead of the BBB app's settings.

Thanks to that, we could mutualise a BBB server (which requires a dedicated VM) between many Nextclouds, while securing the isolation between those BBB users a bit.

Alternatives

I considered installing a Scalelite instance for each BBB, but we found that a bit overkill...

Additional context

I pushed a commit for that feature into my fork here: https://github.com/vincib/cloud_bbb. If you think that's a good idea, I can do a pull request.

vincib, Jul 05 '22 15:07

For me it feels like a security issue to share the secret between all instances, even if the user does not have direct access via the BBB admin interface. You never know if there is an app which is exposing env settings or whatever.

Anyway I think it's a good idea to never print the secret to the user after saving. This means we return a defined string for the secret in the settings form and only if we get something else while submitting, we will update the value. What do you think? Would this satisfy your needs?

sualko, Jul 24 '22 12:07
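
The two ideas discussed above (pinning the secret in config.php, and never echoing it back to the settings form) as an added PHP sketch; it is not code from cloud_bbb or from vincib's fork. The `bbb.api.secret` config.php key, the class name and the placeholder string are assumptions, and plain arrays stand in for config.php and the app's stored settings.

```php
<?php
declare(strict_types=1);

// Constructed sentinel rendered in the form instead of the stored secret.
const SECRET_PLACEHOLDER = '********';

final class BbbSettings
{
    /**
     * @param array<string,string> $system values the operator set in config.php
     * @param array<string,string> $app    values saved through the admin settings form
     */
    public function __construct(private array $system, private array $app) {}

    /** Secret used for API calls: config.php wins, so an instance admin cannot override it. */
    public function effectiveSecret(): string
    {
        return $this->system['bbb.api.secret'] ?? $this->app['api.secret'] ?? '';
    }

    /** Data rendered into the settings form: the real secret never leaves the server. */
    public function formData(): array
    {
        return [
            'api.secret' => $this->effectiveSecret() === '' ? '' : SECRET_PLACEHOLDER,
            // Lets the UI disable the field when the operator pinned the value.
            'locked' => isset($this->system['bbb.api.secret']),
        ];
    }

    /** Handle a form submit; returns true only when the stored secret changed. */
    public function saveSecret(string $submitted): bool
    {
        if (isset($this->system['bbb.api.secret'])) {
            return false; // pinned in config.php: ignore form input
        }
        if (hash_equals(SECRET_PLACEHOLDER, $submitted)) {
            return false; // the untouched placeholder came back: keep the old value
        }
        $this->app['api.secret'] = $submitted;
        return true;
    }
}

// Constructed sample values, not real credentials.
$tenant = new BbbSettings([], ['api.secret' => 'old-secret']);
var_dump($tenant->formData(), $tenant->saveSecret(SECRET_PLACEHOLDER), $tenant->saveSecret('new-secret'));
$hosted = new BbbSettings(['bbb.api.secret' => 'operator-secret'], []);
var_dump($hosted->formData(), $hosted->saveSecret('tenant-attempt'));
```

A secret that happens to equal the placeholder string cannot be saved with this scheme, so the sentinel should be a value no real secret would take.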

I agree with that, but layered security makes it better anyway ;) (our BBB API is restricted for those users ;) )

Your idea is great! If you don't want to develop it, do you want me to propose a PR?

vincib, Aug 02 '22 12:08

It's been quite some time and I guess you already found a solution to your issue. Anyway, if there is anything which you could contribute, I would appreciate a pull request.

sualko, Oct 26 '22 16:10