Fix: use grails configuration for CORS settings

[schrd]

What does this PR do?

It removes quirks from bbb-web nginx config and uses grails config options to properly support CORS requests. CORS requests are only required if you run a cluster proxy setup as described in https://docs.bigbluebutton.org/admin/clusterproxy.html

Closes Issue(s)

Closes #15436

Motivation

Grails can handle CORS on its own. It just has to be configured in
/etc/bigbluebutton/bbb-web.properties:

grails.cors.enabled=true
grails.cors.allowedOrigins=https://bbb-proxy.example.com
grails.cors.allowCredentials=true

This is a breaking change of the nginx config if (and only if) you run a
cluster setup as described in
https://docs.bigbluebutton.org/admin/clusterproxy.html

If you run such a setup, you need to change
/etc/bigbluebutton/bbb-web.properties. Otherwise users won't be able
to join meetings, upload slides etc.

The change in PresentationController.groovy fixes the handling of
OPTIONS requests in the /bigbluebutton/presentation/checkPresentation
handler.

More

⚠️ If you merge this into 2.5 operators must be warned that if they run a cluster proxy setup they must tweak their configuration

• documentation in https://docs.bigbluebutton.org/admin/clusterproxy.html has to be adjusted.
• if requiring config changes from operators is not acceptable in 2.5, the changes in PresentationController.groovy still fix a bug.

[sonarcloud]

SonarCloud Quality Gate failed.   

3 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells

No Coverage information
0.0% Duplication

[antobinary]

Thanks for this contribution @schrd !

We chatted about this internally and it looks like a very welcome change! We'd be looking into including this on BBB 2.6
I am setting the milestone and am tweaking the target branch. Likely we'll need to do a [force]push or rebase but this is something that can wait until testing+final review stage (unless you do it yourself meanwhile).

I just wanted to keep you posted on the positive feedback. Thanks again!

[danimo]

What's the status here?

[GuiLeme]

Hello, guys, sorry for the delayed response.

So, I tested this PR with a reverse proxy and only one instance of BBB, and there is something I want you to add in the configuration part, adjusting @schrd's comment: in /etc/bigbluebutton/bbb-web.properties, we must insert the BBB instance URL in the grails.cors.allowedOrigins property too, so it would be something like this:

grails.cors.enabled=true
grails.cors.allowedOrigins=https://bbb-proxy.example.com,https://bbb.example.com
grails.cors.allowCredentials=true

This fixes a connection problem with etherpad. What was happening is that bbb-web was allowed to receive requests from the proxy, but not the instance itself as it was calling the checkAuthorization endpoint in the API, so it ended up with a 403 error, see prints ahead:

And shared notes keeps loading:

With the solution mentioned, all goes as expected!

[schrd]

I think this is something else. Pad requests never should go through the proxy. Maybe someone is generating a URL /pad/... somewhere which would lead the browser to the proxy. I think instead direct connection to the BBB node should be made. I'll have a look into this.

[GuiLeme]

Yeah, it seems that for the client to connect to the pad, it has to get the session for the etherpad component, so, I guess this request to /pad/socket.io... would make sense, and also, there is a request made to bbb-web to /checkAuthorization endpoint which gave us this CORS problem.

[GuiLeme]

As I already commented on #15753 there are some fixes to the etherpad's files for nginx to avoid other CORS problem and resolve item B on #15436, so in #15753 we have a simple solution that could address it.

The problem happens when the user clicks the move notes to whiteboard button, although it answers with a 200 status, we also face a CORS problem, which would mean that in the response that etherpad gave us, nginx didn't properly set the headers, and thus the browser doesn't match with the expected, logging an error and crashing the fetch call in

bigbluebutton/bigbluebutton-html5/imports/ui/components/notes/converter-button/service.js

Line 18 in 045e2ec

const sharedNotesAsFile = await fetch(exportUrl, { credentials: 'include' });

Bearing this in mind, as @schrd pointed out in #15753 (comment) there may be a better solution for that, so we will hold this PR a bit.

[GuiLeme]

I think this is something else. Pad requests never should go through the proxy. Maybe someone is generating a URL /pad/... somewhere which would lead the browser to the proxy. I think instead direct connection to the BBB node should be made. I'll have a look into this.

@schrd, when you find it, please, respond back in this PR, so that we can properly merge it, because outside of the thing I mentioned before, it is working just fine!!

[schrd]

@GuiLeme sorry for being so late. With alangecker/bbb-etherpad-plugin#7 CORS problems in shared notes should be gone.

[GuiLeme]

@GuiLeme sorry for being so late. With alangecker/bbb-etherpad-plugin#7 CORS problems in shared notes should be gone.

Hey @schrd, so, can we close this PR? Or is it still to be merged?

[schrd]

Hey @schrd, so, can we close this PR? Or is it still to be merged?

I think it would be still useful to have this merged. BBB works without this merge but needs ugly quirks in the nginx config which do not always work as expected (see #15436). So the purpose of this MR is pure cleanup.

[GuiLeme]

---

[GuiLeme]

Ok, so after a thorough review, it looks very good, and I don't seem to find any trouble regarding this PR.
But, I've been having some trouble while creating the cluster configured server, and so I will open an issue giving some details and if anyone wants to comment out, please do so!! Thank you!

[GuiLeme]

LGTM!