Summary
getSessionToken() returns undefined on BigBlueButton 3.0.30+, breaking any plugin that uses it to authenticate a connection.
getSessionToken() reads the token only from the URL query string:

```ts
// core/auxiliary/session-token/getter.ts
export function getSessionToken(): string | undefined {
  const params = new URLSearchParams(window.location.search);
  return params.get('sessionToken') || undefined;
}
```
BBB 3.0.30 (bigbluebutton/bigbluebutton#25219, "Hide sessionToken from URL bar") now removes sessionToken from window.location during client startup (via history.replaceState) and stores it in window.sessionStorage under the key BBB_sessionToken. The HTML5 Auth singleton is constructed during bootstrap — before any plugin mounts — so by the time a plugin calls pluginApi.getSessionToken(), the URL no longer contains the token and the getter returns undefined.
PR #25219's description states it has no plugin/SDK impact; the SDK's dependency on the URL was not considered.
Impact
- Affects every plugin that calls getSessionToken(), on any server ≥ 3.0.30.
- The getter is byte-identical from at least v0.0.92 through the current v0.1.20, so bumping the SDK does not help — the latest SDK is equally affected.
Reproduction
A plugin that builds an authenticated URL, e.g.:

```ts
const url = `wss://${host}/vnc?sessionToken=${pluginApi.getSessionToken()}`;
```
produces ...?sessionToken=undefined on 3.0.30, and the backend rejects it. Observed in production on a 3.0.30 server: an auth_request-gated websocket endpoint returned 401 for GET /vnc?sessionToken=undefined, where the same plugin worked on 3.0.27/3.0.29.
Where the token lives now
imports/ui/services/storage/session.ts constructs the session storage as new ObservableStorage(window.sessionStorage, 'BBB_'), and Auth stores the token via Storage.setItem('sessionToken', ...) — i.e. window.sessionStorage.getItem('BBB_sessionToken'). Verified empirically on both 3.0.29 and 3.0.30: the token is present in sessionStorage['BBB_sessionToken'].
Suggested fix
Make getSessionToken() read the URL first (older servers, and the brief pre-strip window on 3.0.30), then fall back to sessionStorage['BBB_sessionToken']. This is version-agnostic and fixes the whole plugin ecosystem in one place. PR to follow.
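The fallback order described above, written out as an added example (this is not the SDK's or the upcoming PR's code). The resolver takes the query string and a storage object as parameters so it runs outside a browser; a plugin would pass window.location.search and window.sessionStorage. The 'BBB_sessionToken' key is taken from the issue; the TokenStorage interface and buildAuthenticatedUrl helper are assumptions for illustration.

```typescript
// Minimal storage shape (assumed) so the logic can run without a DOM.
interface TokenStorage {
  getItem(key: string): string | null;
}

// Key from the issue: ObservableStorage prefixes 'BBB_' onto 'sessionToken'.
const SESSION_TOKEN_STORAGE_KEY = 'BBB_sessionToken';

// Version-agnostic lookup: URL first, then sessionStorage.
function resolveSessionToken(
  search: string,
  storage: TokenStorage | null,
): string | undefined {
  // 1. Servers before 3.0.30 (and the brief window before 3.0.30 strips
  //    the URL) still carry the token in the query string.
  const fromUrl = new URLSearchParams(search).get('sessionToken');
  if (fromUrl) return fromUrl;

  // 2. On 3.0.30+ Auth has already persisted the token before any plugin
  //    mounts, so read it back from the prefixed sessionStorage key.
  try {
    const fromStorage = storage ? storage.getItem(SESSION_TOKEN_STORAGE_KEY) : null;
    if (fromStorage) return fromStorage;
  } catch {
    // sessionStorage access can throw (e.g. storage disabled); treat as absent.
  }
  return undefined;
}

// Assumed plugin-side helper: refuse to emit "?sessionToken=undefined" (the
// failure seen in the reproduction) and return null so the caller can surface
// a clear error instead of a 401 from the backend.
function buildAuthenticatedUrl(base: string, token: string | undefined): string | null {
  if (!token) return null;
  const url = new URL(base);
  url.searchParams.set('sessionToken', token);
  return url.toString();
}
```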
This issue was researched and written by an AI assistant (Claude) on behalf of Brent Baccala (cosine@freesoft.org), based on diagnosing a real-world remote-desktop plugin failure on a production BBB 3.0.30 server and reading the bigbluebutton and bigbluebutton-html-plugin-sdk sources.