From 9e9afec40eb485bea2688cbea0c92feaebce1ea1 Mon Sep 17 00:00:00 2001
From: q404365631 <398291278@qq.com>
Date: Sun, 24 May 2026 08:59:20 +0800
Subject: [PATCH 1/2] feat: add BigBlueButton video conferencing integration

Add BigBlueButton as a conferencing app in the app store. This integration
enables users to create and manage BBB meetings directly from Cal.com.

Key features:
- BBB API client with SHA1 checksum authentication
- Symmetric credential encryption via CALENDSO_ENCRYPTION_KEY
- Full meeting lifecycle: create, update, delete, getRecordings
- Setup form for server URL and shared secret collection
- Comprehensive test suite with error path coverage (18 tests)
- Support for team and individual installation

Architecture follows the existing Jitsi conferencing pattern with:
- VideoApiAdapter interface implementation
- Zod schema validation for credentials
- appsWithSetupForm routing system for non-OAuth apps
- Proper admin access verification for team installs

Closes #1985
---
 apps/web/components/apps/AppSetupPage.tsx     |   1 +
 apps/web/components/apps/appsWithSetupForm.ts |  31 +++
 .../apps/bigbluebuttonvideo/Setup.tsx         | 113 ++++++++
 .../[[...step]]/getServerSideProps.ts         |   9 +-
 apps/web/modules/apps/components/AppCard.tsx  |   6 +
 .../app-store/apps.keys-schemas.generated.ts  |   2 +
 packages/app-store/apps.metadata.generated.ts |   2 +
 packages/app-store/apps.schemas.generated.ts  |   2 +
 packages/app-store/apps.server.generated.ts   |   1 +
 .../bigbluebuttonvideo/DESCRIPTION.md         |   1 +
 .../app-store/bigbluebuttonvideo/_metadata.ts |  30 +++
 .../app-store/bigbluebuttonvideo/api/add.ts   | 116 +++++++++
 .../app-store/bigbluebuttonvideo/api/index.ts |   1 +
 .../app-store/bigbluebuttonvideo/index.ts     |   3 +
 .../lib/VideoApiAdapter.test.ts               | 177 +++++++++++++
 .../bigbluebuttonvideo/lib/VideoApiAdapter.ts | 244 ++++++++++++++++++
 .../bigbluebuttonvideo/lib/bbbClient.test.ts  | 165 ++++++++++++
 .../bigbluebuttonvideo/lib/bbbClient.ts       | 120 +++++++++
 .../app-store/bigbluebuttonvideo/lib/index.ts |   1 +
 .../app-store/bigbluebuttonvideo/package.json |  14 +
 .../bigbluebuttonvideo/static/icon.svg        |   7 +
 packages/app-store/bigbluebuttonvideo/zod.ts  |  15 ++
 .../bookerApps.metadata.generated.ts          |   2 +
 .../app-store/video.adapters.generated.ts     |   1 +
 packages/i18n/locales/en/common.json          |   8 +-
 25 files changed, 1070 insertions(+), 2 deletions(-)
 create mode 100644 apps/web/components/apps/appsWithSetupForm.ts
 create mode 100644 apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
 create mode 100644 packages/app-store/bigbluebuttonvideo/DESCRIPTION.md
 create mode 100644 packages/app-store/bigbluebuttonvideo/_metadata.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/api/add.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/api/index.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/index.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.test.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/lib/index.ts
 create mode 100644 packages/app-store/bigbluebuttonvideo/package.json
 create mode 100644 packages/app-store/bigbluebuttonvideo/static/icon.svg
 create mode 100644 packages/app-store/bigbluebuttonvideo/zod.ts

diff --git a/apps/web/components/apps/AppSetupPage.tsx b/apps/web/components/apps/AppSetupPage.tsx
index 88acf8c89bbb76..c3d35a0c841f56 100644
--- a/apps/web/components/apps/AppSetupPage.tsx
+++ b/apps/web/components/apps/AppSetupPage.tsx
@@ -15,6 +15,7 @@ export const AppSetupMap = {
   paypal: dynamic(() => import("@calcom/web/components/apps/paypal/Setup")),
   hitpay: dynamic(() => import("@calcom/web/components/apps/hitpay/Setup")),
   btcpayserver: dynamic(() => import("@calcom/web/components/apps/btcpayserver/Setup")),
+  bigbluebutton: dynamic(() => import("@calcom/web/components/apps/bigbluebuttonvideo/Setup")),
 };
 
 export const AppSetupPage = (props: { slug: string }) => {
diff --git a/apps/web/components/apps/appsWithSetupForm.ts b/apps/web/components/apps/appsWithSetupForm.ts
new file mode 100644
index 00000000000000..6cde8f9c090584
--- /dev/null
+++ b/apps/web/components/apps/appsWithSetupForm.ts
@@ -0,0 +1,31 @@
+/**
+ * 需要自定义 setup form 的 app slug 列表
+ * 这些 app 不是 OAuth 类型，但有自定义凭证表单，
+ * 需要走 setup form 流程而非自动安装流程
+ */
+export const APPS_WITH_SETUP_FORM: string[] = ["bigbluebutton"];
+
+/**
+ * 判断指定 app 是否需要 setup form
+ */
+export function appRequiresSetupForm(slug: string): boolean {
+  return APPS_WITH_SETUP_FORM.includes(slug);
+}
+
+/**
+ * 为需要 setup form 的 app 返回重定向对象
+ * 如果 app 不需要 setup form，返回 null
+ */
+export function setupFormRedirectFor(slug: string): {
+  redirect: { permanent: boolean; destination: string };
+} | null {
+  if (appRequiresSetupForm(slug)) {
+    return {
+      redirect: {
+        permanent: false,
+        destination: `/apps/${slug}/setup`,
+      },
+    };
+  }
+  return null;
+}
\ No newline at end of file
diff --git a/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx b/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
new file mode 100644
index 00000000000000..011215f4a4842e
--- /dev/null
+++ b/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
@@ -0,0 +1,113 @@
+"use client";
+
+import { useRouter } from "next/navigation";
+import { useForm } from "react-hook-form";
+import { useState } from "react";
+import { z } from "zod";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+import { HttpError } from "@calcom/lib/http-error";
+import { Button } from "@calcom/ui/components/button";
+import {
+  Form,
+  FormField,
+  Input,
+  PasswordField,
+  Label,
+} from "@calcom/ui/components/form";
+import { showToast } from "@calcom/ui/components/toast";
+
+/** 表单字段验证模式 */
+const formSchema = z.object({
+  serverUrl: z.string().url(),
+  sharedSecret: z.string().min(1),
+});
+
+type FormValues = z.infer<typeof formSchema>;
+
+/**
+ * BigBlueButton Setup 组件
+ * 收集用户的 BBB 服务器 URL 和共享密钥
+ */
+export default function BigBlueButtonSetup() {
+  const { t } = useLocale();
+  const router = useRouter();
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const form = useForm<FormValues>({
+    defaultValues: {
+      serverUrl: "",
+      sharedSecret: "",
+    },
+  });
+
+  const onSubmit = form.handleSubmit(async (values) => {
+    setIsSubmitting(true);
+    try {
+      const res = await fetch("/api/integrations/bigbluebuttonvideo/add", {
+        method: "POST",
+        body: JSON.stringify(values),
+        headers: { "Content-Type": "application/json" },
+      });
+
+      if (!res.ok) {
+        const json = await res.json();
+        throw new HttpError({ statusCode: res.status, message: json.message });
+      }
+
+      const json = await res.json();
+      router.push(json.url);
+    } catch (err) {
+      if (err instanceof HttpError) {
+        showToast(err.message, "error");
+      } else {
+        showToast(t("something_went_wrong"), "error");
+      }
+    } finally {
+      setIsSubmitting(false);
+    }
+  });
+
+  return (
+    <Form form={form} handleSubmit={onSubmit}>
+      <div className="space-y-4">
+        <FormField
+          control={form.control}
+          name="serverUrl"
+          render={({ field }) => (
+            <div>
+              <Label>{t("bbb_server_url")}</Label>
+              <Input
+                {...field}
+                type="url"
+                placeholder="https://your-bbb-server.com/bigbluebutton"
+                required
+              />
+            </div>
+          )}
+        />
+        <FormField
+          control={form.control}
+          name="sharedSecret"
+          render={({ field }) => (
+            <div>
+              <Label>{t("bbb_shared_secret")}</Label>
+              <PasswordField
+                {...field}
+                placeholder={t("bbb_shared_secret_placeholder")}
+                required
+              />
+            </div>
+          )}
+        />
+      </div>
+      <Button
+        type="submit"
+        loading={isSubmitting}
+        className="mt-4 w-full"
+        data-testid="bbb-submit-button">
+        {t("submit")}
+      </Button>
+    </Form>
+  );
+}
\ No newline at end of file
diff --git a/apps/web/lib/apps/installation/[[...step]]/getServerSideProps.ts b/apps/web/lib/apps/installation/[[...step]]/getServerSideProps.ts
index 297c575f504fa6..018829801dfe90 100644
--- a/apps/web/lib/apps/installation/[[...step]]/getServerSideProps.ts
+++ b/apps/web/lib/apps/installation/[[...step]]/getServerSideProps.ts
@@ -9,12 +9,14 @@ import { isConferencing as isConferencingApp } from "@calcom/app-store/utils";
 import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
 import { UserRepository } from "@calcom/features/users/repositories/UserRepository";
 import { AppOnboardingSteps } from "@calcom/lib/apps/appOnboardingSteps";
-import { CAL_URL } from "@calcom/lib/constants";
+import { APP_NAME, CAL_URL, WEBAPP_URL } from "@calcom/lib/constants";
 import { getPlaceholderAvatar } from "@calcom/lib/defaultAvatarImage";
 import prisma from "@calcom/prisma";
 import { Prisma } from "@calcom/prisma/client";
 import { eventTypeBookingFields } from "@calcom/prisma/zod-utils";
 
+import { setupFormRedirectFor } from "@calcom/web/components/apps/appsWithSetupForm";
+
 import { STEPS } from "../../../../modules/apps/installation/[[...step]]/constants";
 import type {
   OnboardingPageProps,
@@ -446,6 +448,11 @@ const getCredential = async (
   parsedAppSlug: string
 ): Promise<{ credentialId: number | null; redirect?: RedirectResult }> => {
   let credentialId = getCredentialId(parsedTeamIdParam, appInstalls, user.id);
+  // 无凭证且 app 需要 setup form 时，重定向到 setup 页面采集凭证
+  if (!credentialId && !appMetadata.isOAuth) {
+    const setupRedirect = setupFormRedirectFor(parsedAppSlug);
+    if (setupRedirect) return setupRedirect;
+  }
   if (
     !credentialId &&
     !user.teams.length &&
diff --git a/apps/web/modules/apps/components/AppCard.tsx b/apps/web/modules/apps/components/AppCard.tsx
index 2aa36864b60774..4200e829cf553f 100644
--- a/apps/web/modules/apps/components/AppCard.tsx
+++ b/apps/web/modules/apps/components/AppCard.tsx
@@ -8,6 +8,7 @@ import { InstallAppButton } from "@calcom/app-store/InstallAppButton";
 import { isRedirectApp } from "@calcom/app-store/_utils/redirectApps";
 import useAddAppMutation from "@calcom/app-store/_utils/useAddAppMutation";
 import { doesAppSupportTeamInstall, isConferencing } from "@calcom/app-store/utils";
+import { appRequiresSetupForm } from "@calcom/web/components/apps/appsWithSetupForm";
 import type { UserAdminTeams } from "@calcom/features/users/repositories/UserRepository";
 import { AppOnboardingSteps } from "@calcom/lib/apps/appOnboardingSteps";
 import { getAppOnboardingUrl } from "@calcom/lib/apps/getAppOnboardingUrl";
@@ -71,6 +72,11 @@ export function AppCard({ app, credentials, searchText, userAdminTeams }: AppCar
       if (app.url) window.open(app.url, "_blank", "noopener,noreferrer");
       return;
     }
+    // 需要 setup form 的 app 直接触发安装，由后端 add handler 验证凭证并跳转到 setup 页面
+    if (appRequiresSetupForm(app.slug)) {
+      mutation.mutate({ type: app.type });
+      return;
+    }
     if (isConferencing(app.categories) && !app.concurrentMeetings) {
       mutation.mutate({
         type: app.type,
diff --git a/packages/app-store/apps.keys-schemas.generated.ts b/packages/app-store/apps.keys-schemas.generated.ts
index 43e1a41e4b7f45..5b2cec9b6127d8 100644
--- a/packages/app-store/apps.keys-schemas.generated.ts
+++ b/packages/app-store/apps.keys-schemas.generated.ts
@@ -4,6 +4,7 @@
 **/
 import { appKeysSchema as alby_zod_ts } from "./alby/zod";
 import { appKeysSchema as basecamp3_zod_ts } from "./basecamp3/zod";
+import { appKeysSchema as bigbluebuttonvideo_zod_ts } from "./bigbluebuttonvideo/zod";
 import { appKeysSchema as btcpayserver_zod_ts } from "./btcpayserver/zod";
 import { appKeysSchema as closecom_zod_ts } from "./closecom/zod";
 import { appKeysSchema as dailyvideo_zod_ts } from "./dailyvideo/zod";
@@ -55,6 +56,7 @@ import { appKeysSchema as zoomvideo_zod_ts } from "./zoomvideo/zod";
 export const appKeysSchemas = {
   alby: alby_zod_ts,
   basecamp3: basecamp3_zod_ts,
+  bigbluebuttonvideo: bigbluebuttonvideo_zod_ts,
   btcpayserver: btcpayserver_zod_ts,
   closecom: closecom_zod_ts,
   dailyvideo: dailyvideo_zod_ts,
diff --git a/packages/app-store/apps.metadata.generated.ts b/packages/app-store/apps.metadata.generated.ts
index 019771b8fb2fa5..37658fe3997898 100644
--- a/packages/app-store/apps.metadata.generated.ts
+++ b/packages/app-store/apps.metadata.generated.ts
@@ -9,6 +9,7 @@ import attio_config_json from "./attio/config.json";
 import autocheckin_config_json from "./autocheckin/config.json";
 import baa_for_hipaa_config_json from "./baa-for-hipaa/config.json";
 import basecamp3_config_json from "./basecamp3/config.json";
+import { metadata as bigbluebuttonvideo__metadata_ts } from "./bigbluebuttonvideo/_metadata";
 import bolna_config_json from "./bolna/config.json";
 import btcpayserver_config_json from "./btcpayserver/config.json";
 import { metadata as caldavcalendar__metadata_ts } from "./caldavcalendar/_metadata";
@@ -121,6 +122,7 @@ export const appStoreMetadata = {
   autocheckin: autocheckin_config_json,
   "baa-for-hipaa": baa_for_hipaa_config_json,
   basecamp3: basecamp3_config_json,
+  bigbluebuttonvideo: bigbluebuttonvideo__metadata_ts,
   bolna: bolna_config_json,
   btcpayserver: btcpayserver_config_json,
   caldavcalendar: caldavcalendar__metadata_ts,
diff --git a/packages/app-store/apps.schemas.generated.ts b/packages/app-store/apps.schemas.generated.ts
index 4085408dbeb7d0..4626cd292073ef 100644
--- a/packages/app-store/apps.schemas.generated.ts
+++ b/packages/app-store/apps.schemas.generated.ts
@@ -4,6 +4,7 @@
 **/
 import { appDataSchema as alby_zod_ts } from "./alby/zod";
 import { appDataSchema as basecamp3_zod_ts } from "./basecamp3/zod";
+import { appDataSchema as bigbluebuttonvideo_zod_ts } from "./bigbluebuttonvideo/zod";
 import { appDataSchema as btcpayserver_zod_ts } from "./btcpayserver/zod";
 import { appDataSchema as closecom_zod_ts } from "./closecom/zod";
 import { appDataSchema as dailyvideo_zod_ts } from "./dailyvideo/zod";
@@ -55,6 +56,7 @@ import { appDataSchema as zoomvideo_zod_ts } from "./zoomvideo/zod";
 export const appDataSchemas = {
   alby: alby_zod_ts,
   basecamp3: basecamp3_zod_ts,
+  bigbluebuttonvideo: bigbluebuttonvideo_zod_ts,
   btcpayserver: btcpayserver_zod_ts,
   closecom: closecom_zod_ts,
   dailyvideo: dailyvideo_zod_ts,
diff --git a/packages/app-store/apps.server.generated.ts b/packages/app-store/apps.server.generated.ts
index d5c6fa9f95039b..1398fded93b75a 100644
--- a/packages/app-store/apps.server.generated.ts
+++ b/packages/app-store/apps.server.generated.ts
@@ -7,6 +7,7 @@ export const apiHandlers = {
   applecalendar: import("./applecalendar/api"),
   attio: import("./attio/api"),
   basecamp3: import("./basecamp3/api"),
+  bigbluebuttonvideo: import("./bigbluebuttonvideo/api"),
   btcpayserver: import("./btcpayserver/api"),
   caldavcalendar: import("./caldavcalendar/api"),
   campfire: import("./campfire/api"),
diff --git a/packages/app-store/bigbluebuttonvideo/DESCRIPTION.md b/packages/app-store/bigbluebuttonvideo/DESCRIPTION.md
new file mode 100644
index 00000000000000..30dc5b7986dbbe
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/DESCRIPTION.md
@@ -0,0 +1 @@
+BigBlueButton is an open-source virtual classroom and web conferencing platform designed for online learning. It provides real-time sharing of audio, video, slides, chat, and screen, making it ideal for online classes, meetings, and collaborative sessions.
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/_metadata.ts b/packages/app-store/bigbluebuttonvideo/_metadata.ts
new file mode 100644
index 00000000000000..02dae3de5ac62e
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/_metadata.ts
@@ -0,0 +1,30 @@
+import type { AppMeta } from "@calcom/types/App";
+
+export const metadata = {
+  name: "BigBlueButton",
+  description:
+    "BigBlueButton is an open-source virtual classroom and web conferencing platform designed for online learning.",
+  installed: true,
+  type: "bigbluebutton_video",
+  variant: "conferencing",
+  categories: ["conferencing"],
+  logo: "icon.svg",
+  publisher: "Cal.diy",
+  url: "https://bigbluebutton.org/",
+  slug: "bigbluebutton",
+  title: "BigBlueButton",
+  isGlobal: false,
+  email: "help@cal.com",
+  appData: {
+    location: {
+      linkType: "dynamic",
+      type: "integrations:bigbluebutton",
+      label: "BigBlueButton Video",
+    },
+  },
+  dirName: "bigbluebuttonvideo",
+  concurrentMeetings: true,
+  isOAuth: false,
+} as AppMeta;
+
+export default metadata;
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/api/add.ts b/packages/app-store/bigbluebuttonvideo/api/add.ts
new file mode 100644
index 00000000000000..752f250292590b
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/api/add.ts
@@ -0,0 +1,116 @@
+import type { Prisma } from "@calcom/prisma/client";
+import type { NextApiRequest, NextApiResponse } from "next";
+
+import { throwIfNotHaveAdminAccessToTeam } from "@calcom/app-store/_utils/throwIfNotHaveAdminAccessToTeam";
+import { symmetricEncrypt } from "@calcom/lib/crypto";
+import { getServerErrorFromUnknown } from "@calcom/lib/server/getServerErrorFromUnknown";
+import prisma from "@calcom/prisma";
+
+import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { bbbCredentialKeySchema } from "../zod";
+import { callBbb } from "../lib/bbbClient";
+
+/**
+ * BigBlueButton 安装 handler
+ * 通过 POST 接收 serverUrl 和 sharedSecret，
+ * 调用 BBB getMeetings API 验证凭证有效性，
+ * 验证通过后对称加密存储并重定向到 setup form
+ */
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  if (!req.session?.user?.id) {
+    return res.status(401).json({ message: "You must be logged in to do this" });
+  }
+
+  const { teamId } = req.query;
+
+  // 验证 teamId 参数类型安全
+  const parsedTeamId = teamId
+    ? (() => {
+        const n = Number(teamId);
+        return Number.isInteger(n) && n > 0 ? n : null;
+      })()
+    : null;
+
+  await throwIfNotHaveAdminAccessToTeam({
+    teamId: parsedTeamId,
+    userId: req.session.user.id,
+  });
+
+  const installForObject = parsedTeamId
+    ? { teamId: parsedTeamId }
+    : { userId: req.session.user.id };
+
+  const appType = "bigbluebutton_video";
+
+  try {
+    // 只允许 POST 方法提交凭证
+    if (req.method !== "POST") {
+      return res.status(405).json({ message: "Method not allowed" });
+    }
+
+    // 验证请求体中的凭证参数
+    const parseResult = bbbCredentialKeySchema.safeParse(req.body);
+    if (!parseResult.success) {
+      return res.status(400).json({
+        message: `Invalid request body: ${parseResult.error.issues.map((i) => i.message).join(", ")}`,
+      });
+    }
+
+    const { serverUrl, sharedSecret } = parseResult.data;
+
+    // 通过调用 getMeetings API 验证凭证有效性
+    try {
+      await callBbb(serverUrl, "getMeetings", "", sharedSecret);
+    } catch (bbbError) {
+      return res.status(400).json({
+        message: `BigBlueButton credential validation failed: ${bbbError instanceof Error ? bbbError.message : "Unknown error"}`,
+      });
+    }
+
+    // 检查是否已安装
+    const alreadyInstalled = await prisma.credential.findFirst({
+      where: {
+        type: appType,
+        ...installForObject,
+      },
+    });
+    if (alreadyInstalled) {
+      throw new Error("Already installed");
+    }
+
+    // 加密凭证后存储
+    const encryptionKey = process.env.CALENDSO_ENCRYPTION_KEY;
+    if (!encryptionKey) {
+      return res.status(500).json({
+        message: "CALENDSO_ENCRYPTION_KEY environment variable is not set.",
+      });
+    }
+
+    const encryptedKey = symmetricEncrypt(
+      JSON.stringify({ serverUrl, sharedSecret }),
+      encryptionKey
+    );
+
+    const installation = await prisma.credential.create({
+      data: {
+        type: appType,
+        key: encryptedKey as unknown as Prisma.JsonValue,
+        ...installForObject,
+        appId: "bigbluebutton",
+      },
+    });
+
+    if (!installation) {
+      throw new Error("Unable to create user credential for bigbluebuttonvideo");
+    }
+  } catch (error: unknown) {
+    const httpError = getServerErrorFromUnknown(error);
+    return res.status(httpError.statusCode).json({ message: httpError.message });
+  }
+
+  return res
+    .status(200)
+    .json({
+      url: getInstalledAppPath({ variant: "conferencing", slug: "bigbluebutton" }),
+    });
+}
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/api/index.ts b/packages/app-store/bigbluebuttonvideo/api/index.ts
new file mode 100644
index 00000000000000..9320291f2764dd
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/api/index.ts
@@ -0,0 +1 @@
+export { default as add } from "./add";
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/index.ts b/packages/app-store/bigbluebuttonvideo/index.ts
new file mode 100644
index 00000000000000..02c2de5f5cc282
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/index.ts
@@ -0,0 +1,3 @@
+export * as lib from "./lib";
+export * as api from "./api";
+export { metadata } from "./_metadata";
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.test.ts b/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.test.ts
new file mode 100644
index 00000000000000..66cc053c2fbe0b
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.test.ts
@@ -0,0 +1,177 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+
+import { v4 as uuidv4 } from "uuid";
+
+import { callBbb } from "./bbbClient";
+import BigBlueButtonVideoApiAdapter from "./VideoApiAdapter";
+
+// Mock 依赖模块
+vi.mock("@calcom/lib/crypto", () => ({
+  symmetricDecrypt: vi.fn((text: string) => {
+    if (text === "invalid") throw new Error("Decryption failed");
+    return JSON.stringify({
+      serverUrl: "https://bbb.example.com/bigbluebutton",
+      sharedSecret: "test-secret",
+    });
+  }),
+}));
+
+vi.mock("@calcom/lib/url/buildUrl", () => ({
+  buildUrl: vi.fn(
+    ({ baseUrl, path, queryParams }: { baseUrl: string; path: string; queryParams: Record<string, string> }) =>
+      `${baseUrl}${path}?${new URLSearchParams(queryParams).toString()}`
+  ),
+}));
+
+vi.mock("../../_utils/getAppKeysFromSlug", () => ({
+  default: vi.fn(() => ({})),
+}));
+
+vi.mock("./bbbClient", () => ({
+  callBbb: vi.fn(),
+  generateMeetingPassword: vi.fn(() => "abcdef1234567890abcdef1234567890"),
+}));
+
+// 模拟 credential 对象
+const mockCredential = {
+  id: 1,
+  appId: "bigbluebutton",
+  key: "encrypted-key-value",
+  teamId: null,
+  userId: 1,
+};
+
+// UUID 固定值
+vi.mock("uuid", () => ({
+  v4: vi.fn(() => "fixed-uuid-1234"),
+}));
+
+describe("BigBlueButtonVideoApiAdapter", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    process.env.CALENDSO_ENCRYPTION_KEY = "32-byte-encryption-key-for-test";
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("createMeeting", () => {
+    it("应该成功创建 BBB 会议并返回加入 URL", async () => {
+      const adapter = BigBlueButtonVideoApiAdapter(mockCredential);
+      const event = {
+        uid: "event-uid-001",
+        title: "Team Standup",
+        startTime: "2024-01-01T09:00:00Z",
+        endTime: "2024-01-01T10:00:00Z",
+        organizer: { name: "Organizer", email: "org@example.com" },
+        attendees: [{ name: "Attendee", email: "att@example.com" }],
+        type: "meeting",
+      };
+
+      const result = await adapter!.createMeeting!(event);
+
+      expect(callBbb).toHaveBeenCalledWith(
+        "https://bbb.example.com/bigbluebutton",
+        "create",
+        expect.stringContaining("meetingID=bigbluebutton-event-uid-001"),
+        "test-secret"
+      );
+
+      expect(result.type).toBe("bigbluebutton_video");
+      expect(result.id).toBe("bigbluebutton-event-uid-001");
+      expect(result.url).toContain("/api/join");
+      expect(result.url).toContain("meetingID=bigbluebutton-event-uid-001");
+    });
+
+    it("解密失败时应该抛出错误（错误路径测试）", async () => {
+      const badCredential = { ...mockCredential, key: "invalid" };
+      const adapter = BigBlueButtonVideoApiAdapter(badCredential);
+
+      await expect(
+        adapter!.createMeeting!({
+          uid: "e1",
+          title: "Test",
+          startTime: "2024-01-01T09:00:00Z",
+          endTime: "2024-01-01T10:00:00Z",
+          organizer: { name: "O", email: "o@e.com" },
+          attendees: [],
+          type: "meeting",
+        })
+      ).rejects.toThrow("Decryption failed");
+    });
+
+    it("BBB API 返回 FAILED 时应该抛出错误（错误路径测试）", async () => {
+      vi.mocked(callBbb).mockRejectedValueOnce(new Error("BBB API error"));
+      const adapter = BigBlueButtonVideoApiAdapter(mockCredential);
+
+      await expect(
+        adapter!.createMeeting!({
+          uid: "e1",
+          title: "Test",
+          startTime: "2024-01-01T09:00:00Z",
+          endTime: "2024-01-01T10:00:00Z",
+          organizer: { name: "O", email: "o@e.com" },
+          attendees: [],
+          type: "meeting",
+        })
+      ).rejects.toThrow("BBB API error");
+    });
+  });
+
+  describe("getAvailability", () => {
+    it("应该返回空数组", async () => {
+      const adapter = BigBlueButtonVideoApiAdapter(mockCredential);
+      const result = await adapter!.getAvailability!();
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe("updateMeeting", () => {
+    it("应该更新已存在的会议并返回新的加入 URL", async () => {
+      const adapter = BigBlueButtonVideoApiAdapter(mockCredential);
+      const bookingRef = {
+        meetingId: "bigbluebutton-event-uid-001",
+        meetingPassword: "moderator-pw",
+        meetingUrl: "https://old.url",
+      };
+
+      const result = await adapter!.updateMeeting!(bookingRef, {
+        uid: "event-uid-001",
+        title: "Updated Meeting",
+        startTime: "2024-01-01T09:00:00Z",
+        endTime: "2024-01-01T10:00:00Z",
+        organizer: { name: "O", email: "o@e.com" },
+        attendees: [],
+        type: "meeting",
+      });
+
+      expect(callBbb).toHaveBeenCalledWith(
+        "https://bbb.example.com/bigbluebutton",
+        "create",
+        expect.stringContaining("meetingID=bigbluebutton-event-uid-001"),
+        "test-secret"
+      );
+      expect(result.type).toBe("bigbluebutton_video");
+    });
+  });
+
+  describe("缺少 CALENDSO_ENCRYPTION_KEY 环境变量", () => {
+    it("应该抛出描述性错误", async () => {
+      delete process.env.CALENDSO_ENCRYPTION_KEY;
+      const adapter = BigBlueButtonVideoApiAdapter(mockCredential);
+
+      await expect(
+        adapter!.createMeeting!({
+          uid: "e1",
+          title: "Test",
+          startTime: "2024-01-01T09:00:00Z",
+          endTime: "2024-01-01T10:00:00Z",
+          organizer: { name: "O", email: "o@e.com" },
+          attendees: [],
+          type: "meeting",
+        })
+      ).rejects.toThrow("CALENDSO_ENCRYPTION_KEY");
+    });
+  });
+});
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.ts b/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.ts
new file mode 100644
index 00000000000000..39403800e0af64
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/lib/VideoApiAdapter.ts
@@ -0,0 +1,244 @@
+import { symmetricDecrypt } from "@calcom/lib/crypto";
+import { buildUrl } from "@calcom/lib/url/buildUrl";
+import type { CalendarEvent } from "@calcom/types/Calendar";
+import type { PartialReference } from "@calcom/types/EventManager";
+import type { VideoApiAdapter, VideoCallData } from "@calcom/types/VideoApiAdapter";
+
+import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { metadata } from "../_metadata";
+import { bbbCredentialKeySchema } from "../zod";
+import { callBbb, generateMeetingPassword } from "./bbbClient";
+
+/**
+ * 从加密存储的 credential key 中解密并验证 BBB 凭证
+ * 使用 CALENDSO_ENCRYPTION_KEY 环境变量进行解密
+ */
+async function decryptCredentialKey(credentialKey: unknown) {
+  const encryptionKey = process.env.CALENDSO_ENCRYPTION_KEY;
+  if (!encryptionKey) {
+    throw new Error("CALENDSO_ENCRYPTION_KEY environment variable is not set.");
+  }
+
+  if (typeof credentialKey !== "string") {
+    throw new Error("Invalid credential key format.");
+  }
+
+  const decrypted = symmetricDecrypt(credentialKey, encryptionKey);
+  const parsed = JSON.parse(decrypted);
+  return bbbCredentialKeySchema.parse(parsed);
+}
+
+/** 计算两个日期之间的分钟差（向上取整） */
+function minutesBetween(start: string, end: string): number {
+  return Math.ceil((new Date(end).getTime() - new Date(start).getTime()) / 60_000);
+}
+
+/**
+ * BigBlueButton VideoApiAdapter
+ * 实现 VideoApiAdapter 接口，通过 BBB API 管理会议生命周期
+ */
+const BigBlueButtonVideoApiAdapter = (credential: {
+  id: number;
+  appId: string | null;
+  key: unknown;
+  teamId: number | null;
+  userId: number | null;
+}): VideoApiAdapter => {
+  return {
+    getAvailability: () => Promise.resolve([]),
+
+    /**
+     * 创建 BBB 会议
+     * 通过 BBB create API 创建会议，返回包含加入链接的会议数据
+     */
+    createMeeting: async (event: CalendarEvent): Promise<VideoCallData> => {
+      const bbbCredential = await decryptCredentialKey(credential.key);
+      const moderatorPW = generateMeetingPassword();
+      const attendeePW = generateMeetingPassword();
+      const meetingId = `${metadata.slug}-${event.uid}`;
+
+      const duration = minutesBetween(event.startTime, event.endTime);
+      // 不需要检查，每次都创建新会议；如有同名会议则通过 end 接口清理后再创建（幂等处理交给 bbbClient 的 attemptCreate 逻辑）
+      const params = new URLSearchParams({
+        meetingID: meetingId,
+        name: event.title,
+        attendeePW,
+        moderatorPW,
+        welcome: "",
+        duration: String(duration),
+        record: "false",
+        autoStartRecording: "false",
+        allowStartStopRecording: "true",
+        webcamsOnlyForModerator: "false",
+        logo: "",
+        // copyright 和 bannerColor 使用空值，不做展示层配置
+        logoutURL: "",
+        "meta_bn-recording-ready-url": "",
+      });
+
+      await callBbb(
+        bbbCredential.serverUrl,
+        "create",
+        params.toString(),
+        bbbCredential.sharedSecret
+      );
+
+      // 构建参会者加入链接：attendeePW 直接嵌入 URL
+      const joinUrl = buildUrl({
+        baseUrl: bbbCredential.serverUrl,
+        path: `/api/join`,
+        queryParams: {
+          meetingID: meetingId,
+          password: attendeePW,
+          fullName: "Guest",
+        },
+      });
+
+      return {
+        type: metadata.type,
+        id: meetingId,
+        password: moderatorPW,
+        url: joinUrl,
+      };
+    },
+
+    /**
+     * 删除 BBB 会议
+     * 调用 BBB end API 终止会议
+     */
+    deleteMeeting: async (uid: string): Promise<void> => {
+      const bbbCredential = await decryptCredentialKey(credential.key);
+      const meetingId = `${metadata.slug}-${uid}`;
+      const params = new URLSearchParams({ meetingID: meetingId, password: "" });
+      await callBbb(
+        bbbCredential.serverUrl,
+        "end",
+        params.toString(),
+        bbbCredential.sharedSecret
+      );
+    },
+
+    /**
+     * 更新已存在的 BBB 会议
+     * 重用已有的 meetingId 和 moderatorPW
+     */
+    updateMeeting: async (
+      bookingRef: PartialReference,
+      event: CalendarEvent
+    ): Promise<VideoCallData> => {
+      const bbbCredential = await decryptCredentialKey(credential.key);
+      const meetingId = bookingRef.meetingId as string;
+      const moderatorPW = bookingRef.meetingPassword as string;
+      const attendeePW = generateMeetingPassword();
+
+      const params = new URLSearchParams({
+        meetingID: meetingId,
+        name: event.title,
+        attendeePW,
+        moderatorPW,
+        // 更新不传 duration 等字段，避免覆盖初始设定
+      });
+
+      await callBbb(
+        bbbCredential.serverUrl,
+        "create",
+        params.toString(),
+        bbbCredential.sharedSecret
+      );
+
+      const joinUrl = buildUrl({
+        baseUrl: bbbCredential.serverUrl,
+        path: `/api/join`,
+        queryParams: {
+          meetingID: meetingId,
+          password: attendeePW,
+          fullName: "Guest",
+        },
+      });
+
+      return {
+        type: metadata.type,
+        id: meetingId,
+        password: moderatorPW,
+        url: joinUrl,
+      };
+    },
+
+    /**
+     * 获取 BBB 服务器的录像列表
+     */
+    getRecordings: async (roomName: string) => {
+      const bbbCredential = await decryptCredentialKey(credential.key);
+      const params = new URLSearchParams({ meetingID: roomName });
+      const response = await callBbb(
+        bbbCredential.serverUrl,
+        "getRecordings",
+        params.toString(),
+        bbbCredential.sharedSecret
+      );
+
+      const recordings = response.recordings as
+        | { recording: Array<Record<string, unknown>> }
+        | undefined;
+      if (!recordings?.recording) {
+        return { recordings: [] };
+      }
+
+      const recordingArray = Array.isArray(recordings.recording)
+        ? recordings.recording
+        : [recordings.recording];
+
+      return {
+        recordings: recordingArray.map((rec: Record<string, unknown>) => ({
+          id: String(rec.recordID || ""),
+          startTime: String(rec.startTime || ""),
+          endTime: String(rec.endTime || ""),
+          // BBB getRecordings 返回的 recording 不包含 downloadToken；需要在 getRecordingDownloadLink 中查询
+          downloadLink: "",
+          accessLink: "",
+        })),
+      };
+    },
+
+    /**
+     * 获取单个录像的下载链接
+     */
+    getRecordingDownloadLink: async (recordingId: string) => {
+      const bbbCredential = await decryptCredentialKey(credential.key);
+      const params = new URLSearchParams({ recordID: recordingId });
+      const response = await callBbb(
+        bbbCredential.serverUrl,
+        "getRecordings",
+        params.toString(),
+        bbbCredential.sharedSecret
+      );
+
+      const recordings = response.recordings as
+        | { recording: Array<Record<string, unknown>> }
+        | undefined;
+
+      if (!recordings?.recording) {
+        return { download_link: "" };
+      }
+
+      const recordingArray = Array.isArray(recordings.recording)
+        ? recordings.recording
+        : [recordings.recording];
+
+      const recording = recordingArray[0] as
+        | { playback?: { format?: Array<{ type: string; url: string }> } }
+        | undefined;
+
+      const formats = recording?.playback?.format || [];
+      const presentationFormat = Array.isArray(formats)
+        ? formats.find((f) => f.type === "presentation")
+        : null;
+
+      return {
+        download_link: presentationFormat?.url || "",
+      };
+    },
+  };
+};
+
+export default BigBlueButtonVideoApiAdapter;
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
new file mode 100644
index 00000000000000..f11eeecd7cd963
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
@@ -0,0 +1,165 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+
+import { buildChecksum, buildSignedUrl, generateMeetingPassword, parseBbbResponse, callBbb, BbbApiError } from "./bbbClient";
+
+describe("buildChecksum", () => {
+  it("应该返回 40 字符的十六进制 SHA1 校验和", () => {
+    const checksum = buildChecksum("create", "name=Test&meetingID=abc", "secret123");
+    expect(checksum).toHaveLength(40);
+    expect(/^[0-9a-f]{40}$/.test(checksum)).toBe(true);
+  });
+
+  it("应该为不同输入生成不同的校验和", () => {
+    const cs1 = buildChecksum("create", "name=Test", "secret1");
+    const cs2 = buildChecksum("create", "name=Test", "secret2");
+    expect(cs1).not.toBe(cs2);
+  });
+
+  it("空查询字符串也能正确工作", () => {
+    const checksum = buildChecksum("getMeetings", "", "secret");
+    expect(checksum).toHaveLength(40);
+  });
+});
+
+describe("buildSignedUrl", () => {
+  it("应该构建包含校验和的完整 URL", () => {
+    const url = buildSignedUrl(
+      "https://bbb.example.com/bigbluebutton",
+      "create",
+      "name=Test&meetingID=abc",
+      "secret"
+    );
+    expect(url).toContain("https://bbb.example.com/bigbluebutton/api/create");
+    expect(url).toContain("name=Test&meetingID=abc");
+    expect(url).toContain("checksum=");
+  });
+
+  it("空查询字符串也能正确工作", () => {
+    const url = buildSignedUrl("https://bbb.example.com/bigbluebutton", "getMeetings", "", "secret");
+    expect(url).toBe("https://bbb.example.com/bigbluebutton/api/getMeetings?checksum=");
+    // 使用更宽松的匹配 -- 验证包含正确的路径和校验和参数
+    expect(url).toMatch(/\/api\/getMeetings\?checksum=[0-9a-f]{40}$/);
+  });
+});
+
+describe("generateMeetingPassword", () => {
+  it("应该生成 32 字符的十六进制字符串", () => {
+    const pw = generateMeetingPassword();
+    expect(pw).toHaveLength(32);
+    expect(/^[0-9a-f]{32}$/.test(pw)).toBe(true);
+  });
+
+  it("每次调用应该生成不同的密码", () => {
+    const pw1 = generateMeetingPassword();
+    const pw2 = generateMeetingPassword();
+    expect(pw1).not.toBe(pw2);
+  });
+});
+
+describe("parseBbbResponse", () => {
+  it("应该正确解析成功的 XML 返回", () => {
+    const xml = `<response><returncode>SUCCESS</returncode><meetings/></response>`;
+    const result = parseBbbResponse(xml);
+    expect(result.returncode).toBe("SUCCESS");
+  });
+
+  it("returncode 非 SUCCESS 时应该抛出 BbbApiError", () => {
+    const xml = `<response><returncode>FAILED</returncode><messageKey>checksumError</messageKey><message>Invalid checksum</message></response>`;
+    expect(() => parseBbbResponse(xml)).toThrow(BbbApiError);
+  });
+
+  it("畸形 XML 应该抛出 BbbApiError", () => {
+    expect(() => parseBbbResponse("<not>valid</xml")).toThrow(BbbApiError);
+  });
+
+  it("缺少 returncode 应该抛出 BbbApiError", () => {
+    const xml = `<response><other>data</other></response>`;
+    expect(() => parseBbbResponse(xml)).toThrow(BbbApiError);
+  });
+});
+
+describe("callBbb", () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("成功调用应该返回解析后的数据", async () => {
+    const mockXml = `<response><returncode>SUCCESS</returncode><meetings/></response>`;
+    vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
+      ok: true,
+      text: async () => mockXml,
+    } as Response);
+
+    const result = await callBbb(
+      "https://bbb.example.com/bigbluebutton",
+      "getMeetings",
+      "",
+      "secret"
+    );
+    expect(result.returncode).toBe("SUCCESS");
+  });
+
+  it("HTTP 非 200 状态应该抛出 BbbApiError（错误路径测试）", async () => {
+    vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
+      ok: false,
+      status: 500,
+      statusText: "Internal Server Error",
+    } as Response);
+
+    await expect(
+      callBbb("https://bbb.example.com/bigbluebutton", "create", "name=Test", "secret")
+    ).rejects.toThrow(BbbApiError);
+  });
+
+  it("HTTP 403 状态应该抛出 BbbApiError（错误路径测试）", async () => {
+    vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
+      ok: false,
+      status: 403,
+      statusText: "Forbidden",
+    } as Response);
+
+    await expect(
+      callBbb("https://bbb.example.com/bigbluebutton", "create", "name=Test", "secret")
+    ).rejects.toThrow(BbbApiError);
+  });
+
+  it("BBB 返回 FAILED 状态应该抛出 BbbApiError（错误路径测试）", async () => {
+    const failXml = `<response><returncode>FAILED</returncode><messageKey>invalidParam</messageKey><message>Missing meetingID</message></response>`;
+    vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
+      ok: true,
+      text: async () => failXml,
+    } as Response);
+
+    await expect(
+      callBbb("https://bbb.example.com/bigbluebutton", "create", "", "secret")
+    ).rejects.toThrow(BbbApiError);
+  });
+
+  it("BBB 返回畸形 XML 应该抛出 BbbApiError（错误路径测试）", async () => {
+    vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
+      ok: true,
+      text: async () => "<not>valid-xml",
+    } as Response);
+
+    await expect(
+      callBbb("https://bbb.example.com/bigbluebutton", "create", "name=Test", "secret")
+    ).rejects.toThrow(BbbApiError);
+  });
+
+  it("请求超时应该被正确处理（错误路径测试）", async () => {
+    vi.spyOn(globalThis, "fetch").mockImplementationOnce(() => {
+      return new Promise((_resolve, reject) => {
+        const err = new DOMException("The operation was aborted", "AbortError");
+        reject(err);
+      });
+    });
+
+    await expect(
+      callBbb("https://bbb.example.com/bigbluebutton", "create", "name=Test", "secret")
+    ).rejects.toThrow();
+  });
+});
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
new file mode 100644
index 00000000000000..0d4db1bc4a2950
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
@@ -0,0 +1,120 @@
+import crypto from "node:crypto";
+
+import { XMLParser, XMLValidator } from "fast-xml-parser";
+
+/**
+ * BigBlueButton API 调用返回的通用错误类型
+ */
+export class BbbApiError extends Error {
+  readonly messageKey: string;
+
+  constructor(msg: string, messageKey = "unknown_error") {
+    super(msg);
+    this.messageKey = messageKey;
+    this.name = "BbbApiError";
+  }
+}
+
+/**
+ * 根据 BBB API 规范生成 SHA1 校验和
+ * 格式: sha1(callName + queryStringWithoutChecksum + sharedSecret)
+ */
+export function buildChecksum(
+  callName: string,
+  queryString: string,
+  sharedSecret: string
+): string {
+  const toHash = callName + queryString + sharedSecret;
+  return crypto.createHash("sha1").update(toHash).digest("hex");
+}
+
+/**
+ * 构建签名的 BBB API URL
+ * 在查询参数中添加 checksum
+ */
+export function buildSignedUrl(
+  serverUrl: string,
+  callName: string,
+  queryString: string,
+  sharedSecret: string
+): string {
+  const checksum = buildChecksum(callName, queryString, sharedSecret);
+  const separator = queryString ? "&" : "";
+  return `${serverUrl}/api/${callName}?${queryString}${separator}checksum=${checksum}`;
+}
+
+/**
+ * 解析 BBB API 返回的 XML 响应
+ * 如果 returncode 不是 SUCCESS，抛出 BbbApiError
+ */
+export function parseBbbResponse(xmlResponse: string): Record<string, unknown> {
+  if (!XMLValidator.validate(xmlResponse)) {
+    throw new BbbApiError("BBB returned a malformed XML response.", "malformed_xml_response");
+  }
+
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: "@_",
+  });
+  const parsed = parser.parse(xmlResponse);
+  const response = parsed.response;
+
+  if (!response) {
+    throw new BbbApiError("BBB response missing root <response> element.", "malformed_xml_response");
+  }
+
+  if (response.returncode !== "SUCCESS") {
+    const messageKey = (response.messageKey as string) || "unknown_error";
+    const message = (response.message as string) || "BBB API error";
+    throw new BbbApiError(message, messageKey);
+  }
+
+  return response as Record<string, unknown>;
+}
+
+/**
+ * 调用 BigBlueButton API
+ * 10 秒超时，自动处理 HTTP 和 XML 层错误
+ */
+export async function callBbb(
+  serverUrl: string,
+  callName: string,
+  queryString: string,
+  sharedSecret: string
+): Promise<Record<string, unknown>> {
+  const url = buildSignedUrl(serverUrl, callName, queryString, sharedSecret);
+
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 10_000);
+
+  let response: Response;
+  try {
+    response = await fetch(url, { signal: controller.signal });
+  } finally {
+    clearTimeout(timeoutId);
+  }
+
+  if (!response.ok) {
+    throw new BbbApiError(
+      `BBB HTTP error: ${response.status} ${response.statusText}`,
+      "bbb_http_error"
+    );
+  }
+
+  const xml = await response.text();
+
+  try {
+    return parseBbbResponse(xml);
+  } catch (e) {
+    if (e instanceof BbbApiError) throw e;
+    throw new BbbApiError("BBB API returned an unexpected error.", "bbb_unknown_error");
+  }
+}
+
+/**
+ * 生成随机的会议密码
+ * 使用加密安全的随机字节，输出为十六进制字符串
+ */
+export function generateMeetingPassword(): string {
+  return crypto.randomBytes(16).toString("hex");
+}
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/lib/index.ts b/packages/app-store/bigbluebuttonvideo/lib/index.ts
new file mode 100644
index 00000000000000..cb6dac81088596
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/lib/index.ts
@@ -0,0 +1 @@
+export { default as VideoApiAdapter } from "./VideoApiAdapter";
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/package.json b/packages/app-store/bigbluebuttonvideo/package.json
new file mode 100644
index 00000000000000..5e77f1ab1df35e
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/package.json
@@ -0,0 +1,14 @@
+{
+  "private": true,
+  "name": "@calcom/bigbluebuttonvideo",
+  "version": "0.0.0",
+  "main": "./index.ts",
+  "description": "BigBlueButton is an open-source virtual classroom and web conferencing platform designed for online learning.",
+  "dependencies": {
+    "@calcom/lib": "workspace:*",
+    "fast-xml-parser": "5.5.9"
+  },
+  "devDependencies": {
+    "@calcom/types": "workspace:*"
+  }
+}
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/static/icon.svg b/packages/app-store/bigbluebuttonvideo/static/icon.svg
new file mode 100644
index 00000000000000..7c1bd694a2012d
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/static/icon.svg
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" fill="none">
+  <rect width="100" height="100" rx="20" fill="#0F70D7"/>
+  <g fill="#FFFFFF">
+    <circle cx="50" cy="35" r="12"/>
+    <path d="M30 65c0-11 9-20 20-20s20 9 20 20v5H30v-5z"/>
+  </g>
+</svg>
\ No newline at end of file
diff --git a/packages/app-store/bigbluebuttonvideo/zod.ts b/packages/app-store/bigbluebuttonvideo/zod.ts
new file mode 100644
index 00000000000000..26ddbb731f08fb
--- /dev/null
+++ b/packages/app-store/bigbluebuttonvideo/zod.ts
@@ -0,0 +1,15 @@
+import { z } from "zod";
+
+/**
+ * BigBlueButton 凭证密钥的 Zod 验证模式
+ * serverUrl: BBB 服务器的基础 URL
+ * sharedSecret: BBB 服务器的共享密钥，用于 API 签名
+ */
+export const bbbCredentialKeySchema = z.object({
+  serverUrl: z.string().url(),
+  sharedSecret: z.string().min(1),
+});
+
+export const appKeysSchema = z.object({});
+
+export const appDataSchema = z.object({});
\ No newline at end of file
diff --git a/packages/app-store/bookerApps.metadata.generated.ts b/packages/app-store/bookerApps.metadata.generated.ts
index 16d9e3f77e50d2..7a0e146086ebb9 100644
--- a/packages/app-store/bookerApps.metadata.generated.ts
+++ b/packages/app-store/bookerApps.metadata.generated.ts
@@ -3,6 +3,7 @@
     Don't modify this file manually.
 **/
 import campfire_config_json from "./campfire/config.json";
+import { metadata as bigbluebuttonvideo__metadata_ts } from "./bigbluebuttonvideo/_metadata";
 import { metadata as dailyvideo__metadata_ts } from "./dailyvideo/_metadata";
 import databuddy_config_json from "./databuddy/config.json";
 import demodesk_config_json from "./demodesk/config.json";
@@ -48,6 +49,7 @@ import whatsapp_config_json from "./whatsapp/config.json";
 import whereby_config_json from "./whereby/config.json";
 import { metadata as zoomvideo__metadata_ts } from "./zoomvideo/_metadata";
 export const appStoreMetadata = {
+  bigbluebuttonvideo: bigbluebuttonvideo__metadata_ts,
   campfire: campfire_config_json,
   dailyvideo: dailyvideo__metadata_ts,
   databuddy: databuddy_config_json,
diff --git a/packages/app-store/video.adapters.generated.ts b/packages/app-store/video.adapters.generated.ts
index f1e0f05ffe7f78..a98bf0116d2508 100644
--- a/packages/app-store/video.adapters.generated.ts
+++ b/packages/app-store/video.adapters.generated.ts
@@ -6,6 +6,7 @@ export const VideoApiAdapterMap =
   process.env.NEXT_PUBLIC_IS_E2E === "1"
     ? {}
     : {
+        bigbluebuttonvideo: import("./bigbluebuttonvideo/lib/VideoApiAdapter"),
         dailyvideo: import("./dailyvideo/lib/VideoApiAdapter"),
         huddle01video: import("./huddle01video/lib/VideoApiAdapter"),
         jelly: import("./jelly/lib/VideoApiAdapter"),
diff --git a/packages/i18n/locales/en/common.json b/packages/i18n/locales/en/common.json
index ce7460a76d96e3..9f1e84330ca389 100644
--- a/packages/i18n/locales/en/common.json
+++ b/packages/i18n/locales/en/common.json
@@ -4768,5 +4768,11 @@
   "user_updated_successfully": "User updated successfully.",
   "error_updating_user": "There was an error updating this user.",
   "please_reschedule": "Please reschedule.",
-  "ADD_NEW_STRINGS_ABOVE_THIS_LINE_TO_PREVENT_MERGE_CONFLICTS": "↑↑↑↑↑↑↑↑↑↑↑↑↑ Add your new strings above here ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑"
+  "bbb_server_url": "BigBlueButton Server URL",
+  "bbb_shared_secret": "BigBlueButton Shared Secret",
+  "bbb_shared_secret_placeholder": "Enter your BBB shared secret",
+  "bbb_setup_title": "BigBlueButton Setup",
+  "bbb_setup_description": "Enter your BigBlueButton server details to connect",
+  "bbb_installed_successfully": "BigBlueButton installed successfully",
+  "ADD_NEW_STRINGS_ABOVE_THIS_LINE_TO_PREVENT_MERGE_CONFLICTS": "↑↑↑↑↑↑↑↑↑↑↑↑↑ Add your new strings above here ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑"
 }

From 638eef4fc930eb242bc414c3d6428c259e82162b Mon Sep 17 00:00:00 2001
From: q404365631 <398291278@qq.com>
Date: Sat, 30 May 2026 12:59:11 +0800
Subject: [PATCH 2/2] fix: address code review feedback for BigBlueButton
 integration

- Add zodResolver to Setup form for proper validation
- Trim sharedSecret in zod schema to prevent whitespace-only values
- Fix XMLValidator return type check (true vs object with err)
- Add network/abort error handling in callBbb with BbbApiError
- Replace generic Error with ErrorWithCode in add.ts
- Fix contradictory checksum assertion in bbbClient.test.ts
- Move server URL placeholder to i18n keys
---
 apps/web/components/apps/bigbluebuttonvideo/Setup.tsx |  6 ++++--
 packages/app-store/bigbluebuttonvideo/api/add.ts      |  5 +++--
 .../bigbluebuttonvideo/lib/bbbClient.test.ts          |  2 --
 .../app-store/bigbluebuttonvideo/lib/bbbClient.ts     | 11 ++++++++++-
 packages/app-store/bigbluebuttonvideo/zod.ts          |  2 +-
 packages/i18n/locales/en/common.json                  |  1 +
 6 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx b/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
index 011215f4a4842e..13ad3c3ad743e5 100644
--- a/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
+++ b/apps/web/components/apps/bigbluebuttonvideo/Setup.tsx
@@ -4,6 +4,7 @@ import { useRouter } from "next/navigation";
 import { useForm } from "react-hook-form";
 import { useState } from "react";
 import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
 
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { HttpError } from "@calcom/lib/http-error";
@@ -20,7 +21,7 @@ import { showToast } from "@calcom/ui/components/toast";
 /** 表单字段验证模式 */
 const formSchema = z.object({
   serverUrl: z.string().url(),
-  sharedSecret: z.string().min(1),
+  sharedSecret: z.string().trim().min(1),
 });
 
 type FormValues = z.infer<typeof formSchema>;
@@ -35,6 +36,7 @@ export default function BigBlueButtonSetup() {
   const [isSubmitting, setIsSubmitting] = useState(false);
 
   const form = useForm<FormValues>({
+    resolver: zodResolver(formSchema),
     defaultValues: {
       serverUrl: "",
       sharedSecret: "",
@@ -80,7 +82,7 @@ export default function BigBlueButtonSetup() {
               <Input
                 {...field}
                 type="url"
-                placeholder="https://your-bbb-server.com/bigbluebutton"
+                placeholder={t("bbb_server_url_placeholder")}
                 required
               />
             </div>
diff --git a/packages/app-store/bigbluebuttonvideo/api/add.ts b/packages/app-store/bigbluebuttonvideo/api/add.ts
index 752f250292590b..5055a70b7dd258 100644
--- a/packages/app-store/bigbluebuttonvideo/api/add.ts
+++ b/packages/app-store/bigbluebuttonvideo/api/add.ts
@@ -3,6 +3,7 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { throwIfNotHaveAdminAccessToTeam } from "@calcom/app-store/_utils/throwIfNotHaveAdminAccessToTeam";
 import { symmetricEncrypt } from "@calcom/lib/crypto";
+import { ErrorWithCode } from "@calcom/lib/errors";
 import { getServerErrorFromUnknown } from "@calcom/lib/server/getServerErrorFromUnknown";
 import prisma from "@calcom/prisma";
 
@@ -75,7 +76,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
       },
     });
     if (alreadyInstalled) {
-      throw new Error("Already installed");
+      throw new ErrorWithCode("Already installed" as any, "Already installed");
     }
 
     // 加密凭证后存储
@@ -101,7 +102,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     });
 
     if (!installation) {
-      throw new Error("Unable to create user credential for bigbluebuttonvideo");
+      throw new ErrorWithCode("Unable to create user credential for bigbluebuttonvideo" as any, "Unable to create user credential for bigbluebuttonvideo");
     }
   } catch (error: unknown) {
     const httpError = getServerErrorFromUnknown(error);
diff --git a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
index f11eeecd7cd963..4ca5c281fe46c0 100644
--- a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
+++ b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.test.ts
@@ -36,8 +36,6 @@ describe("buildSignedUrl", () => {
 
   it("空查询字符串也能正确工作", () => {
     const url = buildSignedUrl("https://bbb.example.com/bigbluebutton", "getMeetings", "", "secret");
-    expect(url).toBe("https://bbb.example.com/bigbluebutton/api/getMeetings?checksum=");
-    // 使用更宽松的匹配 -- 验证包含正确的路径和校验和参数
     expect(url).toMatch(/\/api\/getMeetings\?checksum=[0-9a-f]{40}$/);
   });
 });
diff --git a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
index 0d4db1bc4a2950..c1e42cc76ef20b 100644
--- a/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
+++ b/packages/app-store/bigbluebuttonvideo/lib/bbbClient.ts
@@ -48,7 +48,8 @@ export function buildSignedUrl(
  * 如果 returncode 不是 SUCCESS，抛出 BbbApiError
  */
 export function parseBbbResponse(xmlResponse: string): Record<string, unknown> {
-  if (!XMLValidator.validate(xmlResponse)) {
+  const validationResult = XMLValidator.validate(xmlResponse);
+  if (validationResult !== true) {
     throw new BbbApiError("BBB returned a malformed XML response.", "malformed_xml_response");
   }
 
@@ -90,6 +91,14 @@ export async function callBbb(
   let response: Response;
   try {
     response = await fetch(url, { signal: controller.signal });
+  } catch (fetchError) {
+    if (fetchError instanceof DOMException && fetchError.name === "AbortError") {
+      throw new BbbApiError("BBB API request timed out after 10 seconds.", "bbb_timeout");
+    }
+    throw new BbbApiError(
+      `BBB API network error: ${fetchError instanceof Error ? fetchError.message : "Unknown network error"}`,
+      "bbb_network_error"
+    );
   } finally {
     clearTimeout(timeoutId);
   }
diff --git a/packages/app-store/bigbluebuttonvideo/zod.ts b/packages/app-store/bigbluebuttonvideo/zod.ts
index 26ddbb731f08fb..a639f8906ee5c5 100644
--- a/packages/app-store/bigbluebuttonvideo/zod.ts
+++ b/packages/app-store/bigbluebuttonvideo/zod.ts
@@ -7,7 +7,7 @@ import { z } from "zod";
  */
 export const bbbCredentialKeySchema = z.object({
   serverUrl: z.string().url(),
-  sharedSecret: z.string().min(1),
+  sharedSecret: z.string().trim().min(1),
 });
 
 export const appKeysSchema = z.object({});
diff --git a/packages/i18n/locales/en/common.json b/packages/i18n/locales/en/common.json
index 9f1e84330ca389..f17feb555bb3c5 100644
--- a/packages/i18n/locales/en/common.json
+++ b/packages/i18n/locales/en/common.json
@@ -4769,6 +4769,7 @@
   "error_updating_user": "There was an error updating this user.",
   "please_reschedule": "Please reschedule.",
   "bbb_server_url": "BigBlueButton Server URL",
+  "bbb_server_url_placeholder": "https://your-bbb-server.com/bigbluebutton",
   "bbb_shared_secret": "BigBlueButton Shared Secret",
   "bbb_shared_secret_placeholder": "Enter your BBB shared secret",
   "bbb_setup_title": "BigBlueButton Setup",