External api /meeting_ended have no authentication #6095
Description
When can we expect this todo to be fixed, @farhatahmad
I have studied how you have implemented authentication via checksum using secret key +query params + action name in scalelite. Its pretty easy to implement the same here.
I found difficulty in two places
- In bbb where exactly is the code when we are defining the query parameter for this callback (endcallbackurl)
What i found in bbb version 3.0.9
I think here i need to create and add the checksum paramater in query string. Once done in my /meeting_ended, i can then safely check if the checksum matches or not.
Problem lies that i am not sure where else i need to do modification. How i found the above code is by simply searching the 'recordingmarks' query paramater and i found that only here. After reading the code above location makes sense. Still i need your confirmation.
- If i look at /meeting_ended code
def meeting_ended
# TODO: - ahmad: Add some sort of validation
@room = Room.find_by(meeting_id: extract_meeting_id)
return render json: {}, status: :ok unless @room
recordings_processing = params[:recordingmarks] == 'true' ? @room.recordings_processing + 1 : @room.recordings_processing
unless @room.update(recordings_processing:, online: false)
Rails.logger.error "Failed to update room(id): #{@room.id}, model errors: #{@room.errors}"
end
render json: {}, status: :ok
end
I can see only two query parameters are being used recordingmarks and meetingID, the same is also passed as parameters from MeetingService.java. I have tried to print the complete request object in /meeting_ended and i got
#<ActionDispatch::Request GET "http://HOST:PORT/nk/meeting_ended?recordingmarks=false&meetingID=xyvpokrvxcqstk4rnhrlgdricokc7s1htv2emdt2" for HOST>
This makes me sure that when the bbb calls this callback only two parameters its send - so the above two i will use the create the checksum. Correct me if i am wrong.
Thank You
Niraj