
refactor(api): Deprecate password on the endpoints. #14668

Merged
merged 2 commits into from
Mar 30, 2022

Conversation

@GuiLeme (Collaborator) commented Mar 24, 2022

What does this PR do?

This PR is a refactor so that we no longer need the password in the endpoints. As discussed in the issue #14335, we came to the conclusion that the password is useless in terms of security, since it is easy to get them in getMeetings once you have the salt.

Closes Issue(s)

Closes #14335

More

It is worth reinforcing that the password is now deprecated, which means it still can be used, but we don't need it anymore, and that's why old integrations are preserved.

@GuiLeme (Collaborator, Author) commented Mar 24, 2022

I would like to make some comments here mainly to help the reviewer go through all the endpoints with all the possibilities.

First of all: the new refactoring makes it possible to send a request to the create endpoint without any passwords, but, so that old integrations with BBB don't crash, the back-end internally generates the moderator and viewer passwords. Those are just used so that BBB finds out what role the user will have, in case the role parameter is not sent in the join endpoint.

The user is able to send an end request with or without the password, too; the only thing to keep in mind is that you might have to use the randomly generated password (which you can easily access via a getMeetingInfo or getMeetings endpoint request).

So, down below we have all the endpoints' routes refactored with their checksum already matching the following salt:
sTOj3DtONs3Y5c0jva96zWTygdawideEQKJmCsQ

To test it thoroughly it is necessary to picture all the combinations here:
Meeting (With or without password) + Join (With or without password and role) + End (With or without Password)

(the ones marked with ***** need the randomly generated password, which can be obtained via a getMeetingInfo request)


CREATE (Without password)

/bigbluebutton/api/create?allowStartStopRecording=true&autoStartRecording=false&meetingID=Test&name=Test&record=false&voiceBridge=76756&welcome=%3Cbr%3EWelcome+to+%3Cb%3E%25%25CONFNAME%25%25%3C%2Fb%3E%21&checksum=96ef76b51a86805e2c790066636867e56091793e


JOIN (With password and without role) *****

/bigbluebutton/api/join?fullName=David&meetingID=Test&password=mp&redirect=true&checksum=534a38844363218cc4e7fd8c6e6a253c2d8d6de5

JOIN (Without password and without role)

/bigbluebutton/api/join?fullName=David&meetingID=Test&redirect=true&checksum=c0a748eaf7f147daaec696c1bf6be089f255d7d5

JOIN (With role and without password)

/bigbluebutton/api/join?fullName=David&meetingID=Test&redirect=true&role=moderator&checksum=9bea8e63abe41306a48aa523460ecd055d2565ae

JOIN (with role and with password)

/bigbluebutton/api/join?fullName=David&meetingID=Test&redirect=true&role=moderator&password=mp&checksum=6582cc8d1c52801a020868ee101028cf29439bbe


END (Without password)

/bigbluebutton/api/end?meetingID=Test&checksum=05c4091b22e2b5cd4918d570e84f26fe4e691acb

… if a null one is sent while creating the meeting to avoid crashes in old integrations.
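The routes above are only usable because each carries a checksum computed with the shared secret (the "salt"); that is the point of the discussion in #14335: once you hold the secret you can sign a join with role=moderator yourself, so the moderator password adds nothing. As an added example (not BigBlueButton project code), here is the documented BBB checksum scheme, SHA-1 over call name + query string (without the checksum parameter) + shared secret, together with the server-side verification a defender cares about. The secret, parameter values and helper names (`sign_request`, `verify_request`, `demo`) are constructed for this example; the page's own salt and checksum values are not re-derived here.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

# Constructed shared secret for this example only; it is not the salt from the PR.
SHARED_SECRET = "example-shared-secret-not-real"


def bbb_checksum(call_name: str, query_string: str, secret: str) -> str:
    """SHA-1 hex digest of callName + queryString + secret, where queryString
    is the request's query string with the checksum parameter removed.
    This is the BigBlueButton API's request authentication scheme."""
    return hashlib.sha1((call_name + query_string + secret).encode("utf-8")).hexdigest()


def sign_request(call_name: str, params: dict, secret: str) -> str:
    """Build a signed API route the way an integration (the secret holder) would."""
    query = urlencode(params)
    return f"/bigbluebutton/api/{call_name}?{query}&checksum={bbb_checksum(call_name, query, secret)}"


def verify_request(url: str, secret: str) -> bool:
    """Server-side check: recompute the checksum over the query string exactly as
    received (minus the checksum parameter) and compare in constant time.
    Returns False when the checksum is missing, duplicated, or does not match."""
    parts = urlsplit(url)
    call_name = parts.path.rsplit("/", 1)[-1]
    pieces = parts.query.split("&") if parts.query else []
    given = [p for p in pieces if p.startswith("checksum=")]
    if len(given) != 1:
        return False
    # Filter at the string level so percent-encoding of the other
    # parameters is left byte-for-byte as the client sent it.
    rest = "&".join(p for p in pieces if not p.startswith("checksum="))
    expected = bbb_checksum(call_name, rest, secret)
    return hmac.compare_digest(expected, given[0][len("checksum="):])


def demo() -> dict:
    """Sign a create and a moderator join with the secret, then show that a
    request altered after signing, or signed with another secret, is rejected."""
    create = sign_request("create", {"meetingID": "Test", "name": "Test", "record": "false"}, SHARED_SECRET)
    join_mod = sign_request(
        "join", {"fullName": "David", "meetingID": "Test", "role": "moderator", "redirect": "true"}, SHARED_SECRET
    )
    # Same checksum, different role: the server must refuse this.
    altered = join_mod.replace("role=moderator", "role=viewer")
    return {
        "create_ok": verify_request(create, SHARED_SECRET),
        "join_ok": verify_request(join_mod, SHARED_SECRET),
        "altered_ok": verify_request(altered, SHARED_SECRET),
        "wrong_secret_ok": verify_request(join_mod, "some-other-secret"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the secret gates who may mint a moderator join, which is why the PR treats the per-meeting passwords as redundant; the verification above is what actually decides whether a role parameter is honoured.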
@sonarcloud (bot) commented Mar 30, 2022

Kudos, SonarCloud Quality Gate passed!

- Bug: A, 0 Bugs
- Vulnerability: A, 0 Vulnerabilities
- Security Hotspot: A, 0 Security Hotspots
- Code Smell: A, 2 Code Smells
- Coverage: no coverage information
- Duplication: 0.0%

@antobinary antobinary added this to the Release 2.4 milestone Mar 30, 2022
@antobinary (Member) commented:

@jfederico tested on a temp server. Time to merge. Great work @GuiLeme !!

@antobinary antobinary merged commit 4ad4e8e into bigbluebutton:v2.4.x-release Mar 30, 2022
@antobinary antobinary changed the title [issue-14335]- Deprecate password on the endpoints. refactor(api): Deprecate password on the endpoints. Apr 1, 2022
@antobinary antobinary mentioned this pull request Jun 21, 2022