From 91c723596a01f183b871c1794c438c0904de3830 Mon Sep 17 00:00:00 2001
From: Brent Baccala <cosine@freesoft.org>
Date: Thu, 18 Jun 2026 22:54:10 -0400
Subject: [PATCH] fix(auth): fall back to sessionStorage for session token

BBB 3.0.30 (bigbluebutton/bigbluebutton#25219, 'Hide sessionToken from URL
bar') removes sessionToken from window.location at client startup and stores
it in sessionStorage['BBB_sessionToken']. getSessionToken() read only the URL,
so it returned undefined on 3.0.30+, breaking any plugin that uses it to
authenticate (e.g. ?sessionToken=undefined rejected by the backend).

Read the URL first (older cores and the brief pre-strip window), then fall
back to sessionStorage. Version-agnostic; no behavior change on <3.0.30.

Fixes #268

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/core/auxiliary/session-token/getter.ts | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/core/auxiliary/session-token/getter.ts b/src/core/auxiliary/session-token/getter.ts
index 151589ff..7b59ed0c 100644
--- a/src/core/auxiliary/session-token/getter.ts
+++ b/src/core/auxiliary/session-token/getter.ts
@@ -1,4 +1,17 @@
 export function getSessionToken(): string | undefined {
-  const params = new URLSearchParams(window.location.search);
-  return params.get('sessionToken') || undefined;
+  // BigBlueButton 3.0.30 (bigbluebutton/bigbluebutton#25219, "Hide sessionToken
+  // from URL bar") removes `sessionToken` from window.location during client
+  // startup and stores it in sessionStorage under the key `BBB_sessionToken`
+  // (ObservableStorage 'BBB_' prefix + 'sessionToken'). Plugins mount after that
+  // bootstrap, so reading only the URL returns undefined on 3.0.30+.
+  //
+  // Read the URL first (older cores, and the brief window before the strip),
+  // then fall back to sessionStorage so the token resolves on 3.0.30+ too.
+  const fromUrl = new URLSearchParams(window.location.search).get('sessionToken');
+  if (fromUrl) return fromUrl;
+  try {
+    return window.sessionStorage.getItem('BBB_sessionToken') || undefined;
+  } catch {
+    return undefined;
+  }
 }