Hi,
I just wanted to share a mechanism that I have crudely implemented for authenticating recording links.
As we know that BigBlueButton recordings are kind of "unlisted" in the fact that once the link is available, anyone can watch it. Hence using Nginx auth_request submodule, I have implemented a mechanism to authenticate the requests with some tweaks in the BBB plugin.
- Along with BBB server link for API, I have added a new column called BBB recordings link.
So I have bbb.xyz.com handling my API requests and rec.xyz.com serving my recordings although they are on the same server (this is not really necessary, and the same bbb.xyz.com itself can be used - This mechanism only works if moodle is also hosted on abc.xyz.com and cookie is shared at *.xyz.com that is cookie is available to both xyz and rec subdomains
- A new file called bbb_auth.php is created to which meetingID and bbb activity id are sent as GET parameters. if the meetingID is a part of BBB activity, a 200 OK is returned else 404 is returned. This bbb_auth.php link is used in the nginx rec.xyz.com auth_request field configuration.
- So when a logged in user from moodle visits the recording link, the recording link in the backend passes the cookie and requests bbb_auth.php for a reply, ONLY if the reply is 200 OK, the recording link (and all the audio, video and image assets involved) will be served.
This allows for an authentication between Moodle and the BigBlueButton server through Nginx with minimal modifications.
Please suggest if there are better mechanisms to do with without the cookie sharing constraint.