[Help]: Set up BigBlueButton to accept REST API calls from cross-origin custom client


Hariharan Narayanan

Jul 1, 2024, 2:12:47 AM
to BigBlueButton-dev
Hello

I am facing some CORS issues with my setup of BigBlueButton and would appreciate any help to understand this.

My setup:
I have already verified that the BigBlueButton server and Greenlight are correctly installed as per the documentation and I am able to create and attend meetings as a registered user using this setup.

Requirement:
  • I need to be able to use my Custom web client to
    • Create a meeting in the BigBlueButton server by using the BBB REST API.
    • Join a meeting in the BigBlueButton server using the BBB REST API and share the resulting meeting URL to the client.

The issues:
  • For the custom web client, I am able to create a meeting by calling the POST create API
  • However, while trying to join the meeting (with GET join API) from my custom web client I was facing a CORS issue with error 403 (Unauthorized). The Firefox browser network calls and console screenshots for this are attached (api-calls-1.png and console-1.png).
  • Based on the console errors I tried to configure CORS headers in [/usr/share/bigbluebutton/nginx/bbb-html5.nginx]. The updated file is attached and my changes are in lines 47-78 (bbb-html5.nginx).
  • After this change is done the CORS errors are apparently solved but joining the meeting (with GET join API) returns an HTTP 404 (not found) error. The browser network calls and console screenshots (api-calls-2.png and console-2.png) are attached.

The outputs of [bbb-conf --status] and [bbb-conf --check] are also attached.

Any help or guidance to point me in the right direction (i.e., join a BBB meeting session in a new browser tab from my prototype) would be most appreciated.

-Thank you
Hariharan Narayanan
bbb-html5.nginx
bbb-conf--status.output.txt
console-1.png
bbb-conf--check.output.txt
api-calls-1.png
api-calls-2.png
console-2.png

Marcel Hellkamp

Jul 2, 2024, 8:51:22 AM
to bigblueb...@googlegroups.com
On 01.07.24 at 08:12, Hariharan Narayanan wrote:

Requirement:
  • I need to be able to use my Custom web client to
    • Create a meeting in the BigBlueButton server by using the BBB REST API.
    • Join a meeting in the BigBlueButton server using the BBB REST API and share the resulting meeting URL to the client.

Bad idea. For your API secret to stay a secret, it MUST NOT leave the server. Your web client is public, everything it does is public. Using the API secret directly in a web client makes it public, too. You always need a trusted server-side component to issue /create calls or generate /join links. And since server-side HTTP clients are not bound to CORS restrictions, your CORS problems disappear as soon as you do it the way it was intended.


The issues:
  • For the custom web client, I am able to create a meeting by calling the POST create API
  • However, while trying to join the meeting (with GET join API) from my custom web client I was facing a CORS issue with error 403 (Unauthorized). The Firefox browser network calls and console screenshots for this are attached (api-calls-1.png and console-1.png).
  • After this change is done the CORS errors are apparently solved but joining the meeting (with GET join API) returns an HTTP 404 (not found) error. The browser network calls and console screenshots (api-calls-2.png and console-2.png) are attached.

Why are you fetching the join link via JavaScript? Your web client should ask your trusted server-side component to /create a meeting and return a valid /join link for that meeting (the one with meetingID and checksum in it, NOT the one with a sessionToken) and then open a new window, popup, or frame with that URL in it. That's it.

Regards, Marcel
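The server-side flow described in the reply above, sketched as an added example that is not part of the original thread and is not BigBlueButton's or the posters' code. The host name, secret, and function names are assumptions made for illustration; the checksum rule (hash of call name + query string + shared secret) and the join parameters follow the BigBlueButton API documentation, and the server must accept SHA-256 checksums.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

# Constructed values for illustration; load the real secret from server-side
# configuration and never ship it to the browser.
BBB_API_BASE = "https://bbb.example.com/bigbluebutton/api"
BBB_SECRET = "constructed-example-secret"


def checksum(call: str, query: str, secret: str = BBB_SECRET) -> str:
    """BBB API checksum: hash of call name + query string + shared secret."""
    return hashlib.sha256((call + query + secret).encode("utf-8")).hexdigest()


def signed_url(call: str, params: dict) -> str:
    """Build a signed API URL; only the checksum, not the secret, appears in it."""
    query = urlencode(params)
    return f"{BBB_API_BASE}/{call}?{query}&checksum={checksum(call, query)}"


def join_link(meeting_id: str, display_name: str, is_moderator: bool) -> str:
    """Called by the backend after it has authenticated the user.

    The role is decided here from the backend's own authorization data,
    not taken from anything the browser sent.
    """
    return signed_url("join", {
        "meetingID": meeting_id,
        "fullName": display_name,
        "role": "MODERATOR" if is_moderator else "VIEWER",
    })


def checksum_matches(url: str) -> bool:
    """Recompute the checksum over the URL's query string (tamper check)."""
    parts = urlsplit(url)
    call = parts.path.rsplit("/", 1)[-1]
    query, _, given = parts.query.rpartition("&checksum=")
    return hmac.compare_digest(checksum(call, query), given)


if __name__ == "__main__":
    url = join_link("demo-meeting-1", "Alice Example", is_moderator=False)
    print(url)  # the web client opens this URL in a new tab or frame
    print(checksum_matches(url.replace("role=VIEWER", "role=MODERATOR")))
```

The web client only ever receives the finished URL, so editing a parameter such as the role in the browser produces a checksum mismatch and the request is rejected.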