No checksum in the webhook callback request

[swayhead]

My application is receiving callback POST requests from the webhook with data payload as expected.
However, there is no checksum in the URL included.

I registered the callback URL as https://xxx.yy/kivi/registerEvent/

I expect to receive the request as https://xxx.yy/kivi/registerEvent/?checksum=12345 like mentioned in the documentation https://docs.bigbluebutton.org/dev/webhooks.html#callback-format

Instead I am getting the original URL without parameters:

Is there any adjustment on the server I am missing?

Thanks

[Erika31]

Try to set
auth2_0: false
in /usr/local/bigbluebutton/bbb-webhooks/config/default.yml

Then
bbb-conf --restart
should do the trick...

But I don't know if this configuration resists over the time...!

[swayhead]

Ok. As far as I could see from the code, this flag sets the authorization bearer in the header.
I'm now looking for the checksum-param in the URL and, if empty, I check for the bearer string against the BBB-secret. It works.
Thank you.

[Erika31]

Well, IMHO, I think that the BBB-Secret should not be transmitted over the network. On a non-secured connection, it means the BBB-Secret is revealed, which is too dangerous...
More, it thus looses its integrity-check feature...

[swayhead]

And right you are.
Though the connection is secure, this surely is not a best practice.

[kiano0sh]

@swayhead Right now I'm facing the same problem (even over a secure network), I looked over headers and found an authorization header which is the shared secret of my bbb server and I think with that secret and domain value in body it is also possible to authorize the request. let me know if you figure it out.

[ulfgebhardt]

Here is an implementation https://github.com/dreammall-earth/dreammall.earth/blob/master/backend/src/api/BBB.ts#L93