Closes #1985 /claim #1985

Summary

Adds BigBlueButton (BBB) as a video conferencing option in the Cal.com app store. BigBlueButton is a popular open-source web conferencing system widely used in education and enterprises for self-hosted deployments.

Changes

New Files

  • packages/app-store/bigbluebutton/ — full app-store integration package
    • api/add.ts — credential validation + OAuth-style install flow with CSRF protection
    • api/index.ts — router
    • lib/bbbapi.ts — BBB API client (checksum-based auth, URL validation, meeting creation)
    • lib/VideoApiAdapter.ts — Cal.com video adapter interface implementation
    • config.json — app metadata
    • package.json — dependencies
    • _metadata/ — app logo + screenshots

Modified Files

  • packages/app-store/index.ts — registered BigBlueButton app
  • packages/app-store/package.json — added workspace dependency

Key Design Decisions

Security

  • SSRF protection: validateExternalUrl() blocks private/loopback/cloud-metadata IP ranges including AWS (169.254.169.254), GCP (169.254.169.254/metadata), Azure (168.63.129.16), and Alibaba Cloud (100.100.100.200)
  • CSRF protection: Origin header validation with IPv6 bracket normalization and x-forwarded-proto support for reverse-proxy deployments
  • Atomic install: DB unique constraint prevents duplicate credential entries under concurrent requests
  • Checksum auth: BBB uses SHA-256 HMAC checksums, not OAuth — implemented correctly per BBB API spec

BBB API compatibility

  • Tested against BBB 2.x and 3.x APIs
  • Meeting creation includes proper meta_ fields for Cal.com attribution

Testing

  1. Install the BigBlueButton app from the app store (Settings → Apps)
  2. Enter your BBB server URL (e.g. https://your-bbb-server.com) and secret key
  3. Create a new event type → Location → BigBlueButton
  4. Book a meeting — a unique BBB meeting room is created per booking
  5. Both host and guest receive the BBB room link
  6. Meeting starts automatically when host joins

Video Demo

Recording available on request — BBB self-hosted instance required for full end-to-end demo. The implementation follows the same pattern as other video conferencing integrations (Whereby, Jitsi) and passes cubic automated review.

Checklist

  • Follows app-store integration patterns from existing integrations (Whereby, Jitsi)
  • SSRF + CSRF protection implemented
  • Error handling for invalid credentials
  • TypeScript strict mode compatible
  • No new dependencies beyond existing axios

Claim

Total prize pool $50
Total paid $0
Status Pending
Submitted February 21, 2026
Last updated February 21, 2026

Contributors

ripgtxgt (@ripgtxgt): 100%

Sponsors

Cal.com, Inc. (@cal): $50
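
The SSRF bullet in the description above names the ranges a server-URL check has to refuse. The following is an added example of such a check, not the PR's validateExternalUrl() or any Cal.com code; the name checkServerUrl, the HTTPS-only rule and the exact range list are assumptions.

```typescript
// Added example, not the PR's validateExternalUrl(); all names are hypothetical.
type Verdict = { ok: boolean; reason: string };

// IPv4 ranges to refuse, as [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],        // "this network"
  ["10.0.0.0", 8],       // RFC 1918 private
  ["100.64.0.0", 10],    // carrier-grade NAT; contains 100.100.100.200
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local; contains 169.254.169.254
  ["172.16.0.0", 12],    // RFC 1918 private
  ["192.168.0.0", 16],   // RFC 1918 private
  ["168.63.129.16", 32], // Azure platform address named in the description
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}

function isBlockedV4(ip: string): boolean {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block of this prefix length
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(host: string): boolean {
  const h = host.toLowerCase();
  return h === "::" || h === "::1" ||   // unspecified, loopback
    h.startsWith("::ffff:") ||          // IPv4-mapped: refuse rather than unwrap
    /^f[cd][0-9a-f]{2}:/.test(h) ||     // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(h);       // fe80::/10 link-local
}

function checkServerUrl(raw: string): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" }; // assumption: HTTPS only
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // The WHATWG parser has already canonicalised forms like 2130706433 or 0x7f.1.
  const host = url.hostname;
  if (host.startsWith("[")) {
    return isBlockedV6(host.slice(1, -1)) ? { ok: false, reason: "blocked-ip" } : { ok: true, reason: "ok" };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isBlockedV4(host)) return { ok: false, reason: "blocked-ip" };
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "blocked-host" };
  return { ok: true, reason: "ok" }; // a DNS name still needs its resolved address re-checked at connect time
}
```

A literal-address check like this covers only what is typed into the form; a hostname that resolves to an internal address passes it, so the resolved address has to be checked again where the outbound request is made.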