feat: add BigBlueButton conferencing app

[holygeek00]

/claim #1985

What changed

Adds a BigBlueButton conferencing app integration that can be configured with a BigBlueButton server URL and shared secret.

The implementation:

• adds BigBlueButton app metadata, install endpoint, key schema, and app-store registration
• creates BigBlueButton meetings through the signed create API call
• returns attendee join URLs through the signed join API call
• ends meetings through the signed end API call
• includes helper coverage for URL normalization and checksum generation

Verification

• node .yarn/releases/yarn-4.12.0.cjs vitest run packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts
• node .yarn/releases/yarn-4.12.0.cjs workspace @calcom/app-store type-check

[github-actions]

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Add BigBlueButton conferencing app". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

[github-actions]

Welcome to Cal.diy, @holygeek00! Thanks for opening this pull request.

A few things to keep in mind:

• This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
• Please review our Contributing Guidelines if you haven't already.
• Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ddbdf3c-b54a-4455-8799-1490ca781ddc

📥 Commits

Reviewing files that changed from the base of the PR and between 010c3df and 7ba9d38.

📒 Files selected for processing (3)

• packages/app-store/bigbluebutton/api/add.ts
• packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts
• packages/app-store/bigbluebutton/lib/VideoApiAdapter.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/app-store/bigbluebutton/api/add.ts
• packages/app-store/bigbluebutton/lib/VideoApiAdapter.ts

---

📝 Walkthrough

Walkthrough

This PR adds a BigBlueButton app: metadata and Zod schemas for required config keys, a VideoApiAdapter implementing meeting create/update/delete with SHA1-signed BigBlueButton API URLs and response checks, unit tests and test helpers, an installation API that enforces auth/team-admin checks and persists credentials to Prisma, barrel exports, and registration of the app across generated app-store registry files.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'feat: add BigBlueButton conferencing app' accurately and concisely summarizes the main change: adding a new BigBlueButton conferencing app integration to the codebase.
Description check	✅ Passed	The PR description is directly related to the changeset, detailing what changed, how the BigBlueButton app was implemented, and providing verification steps.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/app-store/bigbluebutton/api/add.ts`:
- Around line 21-24: The team-admin authorization call
throwIfNotHaveAdminAccessToTeam is executed outside the try/catch and can throw
before your normalized API error handling; move or wrap this invocation (and the
similar occurrences around lines referencing the same check, e.g., the other
call at 56-60) inside the existing try/catch block (or add a surrounding
try/catch) so any thrown errors are caught and returned via your standard error
response path; update references to numericTeamId and req.session.user.id usage
accordingly inside that protected block.
- Around line 33-51: The find/create queries for credentials
(prisma.credential.findFirst and prisma.credential.create in add.ts where
variables alreadyInstalled and installation are used) are returning the full
record including the sensitive key; change both queries to use explicit select {
id: true } so you only fetch the id (avoid returning credential.key) — for
findFirst add select: { id: true } to the query and for create wrap the create
call with select: { id: true } so only the new credential id is returned and no
key data is exposed.
- Around line 8-12: The handler currently permits state-changing requests
without HTTP method checks; add an explicit POST-only gate at the top of the
export default async function handler(req, res) that returns 405 for any
non-POST: if req.method !== 'POST' then set the Allow header to 'POST' and
respond with res.status(405).json({ message: 'Method Not Allowed' }) and return;
apply the same POST-only check to the other mutating endpoint in this file (the
other export default handler that performs install/uninstall logic) so all
state-changing API routes reject non-POST methods.

In `@packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts`:
- Around line 5-12: Add a regression test that covers server URLs ending with
"/api" (no trailing slash) to prevent duplication of the API segment; update the
test in VideoApiAdapter.test.ts to call testHelpers.normalizeServerUrl with a
value like "https://bbb.example.com/api" and assert the result.toString() equals
"https://bbb.example.com/api/" so normalizeServerUrl (the helper under test) is
verified to append a single trailing slash and not duplicate "api".

In `@packages/app-store/bigbluebutton/lib/VideoApiAdapter.ts`:
- Around line 15-17: Replace the fixed ATTENDEE_PASSWORD and MODERATOR_PASSWORD
constants with per-meeting, cryptographically-generated passwords: remove those
static constants and generate strong random strings (e.g., using Node's
crypto.randomBytes or a secure UUID) when a meeting is created, assign them to
the meeting object, and use those generated values wherever
ATTENDEE_PASSWORD/MODERATOR_PASSWORD were referenced (e.g., in the createMeeting
logic and join URL construction inside VideoApiAdapter.ts and the functions that
build join links). Ensure the generated passwords are returned/stored with the
meeting metadata (instead of global constants) so getJoinUrl/joinMeeting (or
similarly named methods) read the per-meeting passwords; validate length/entropy
and avoid logging the raw secrets.
- Around line 55-57: The callBigBlueButtonApi function lacks a network timeout;
update callBigBlueButtonApi to use an AbortController with a configurable
timeout (e.g., constant or env var) so the fetch(url) is aborted after the
timeout; create the controller, pass controller.signal to fetch, schedule a
setTimeout to call controller.abort(), clear the timeout after response/text is
received, and ensure you surface/handle the abort error (e.g., rethrow or wrap
with a descriptive error) so callers know the request timed out.
- Around line 24-26: The pathname normalization in VideoApiAdapter.ts
incorrectly transforms a URL ending with "/api" into ".../api/api/"; update the
logic in the code that manipulates url.pathname (the block that checks
url.pathname.endsWith("/api/")) to explicitly handle both "/api" and "/api/"
cases and ensure the final pathname ends with exactly "/api/" without
duplicating "api" (e.g., detect and replace any trailing "/api" or "/api/" with
"/api/"). Keep this change localized to the pathname-normalization code path
that currently sets url.pathname = `${url.pathname.replace(/\/$/, "")}/api/`; to
avoid double-appending.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a11d0df-ad8f-4ed1-8d1a-def473fcfd36

📥 Commits

Reviewing files that changed from the base of the PR and between 180ede2 and bf5c548.

⛔ Files ignored due to path filters (2)

• packages/app-store/bigbluebutton/static/icon.svg is excluded by !**/*.svg
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (16)

• packages/app-store/apps.keys-schemas.generated.ts
• packages/app-store/apps.metadata.generated.ts
• packages/app-store/apps.schemas.generated.ts
• packages/app-store/apps.server.generated.ts
• packages/app-store/bigbluebutton/DESCRIPTION.md
• packages/app-store/bigbluebutton/_metadata.ts
• packages/app-store/bigbluebutton/api/add.ts
• packages/app-store/bigbluebutton/api/index.ts
• packages/app-store/bigbluebutton/index.ts
• packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts
• packages/app-store/bigbluebutton/lib/VideoApiAdapter.ts
• packages/app-store/bigbluebutton/lib/index.ts
• packages/app-store/bigbluebutton/package.json
• packages/app-store/bigbluebutton/zod.ts
• packages/app-store/bookerApps.metadata.generated.ts
• packages/app-store/video.adapters.generated.ts

[holygeek00]

Could a maintainer please add the run-ci label when you have a chance? The required workflow is currently blocked for external contributor review.\n\nLocal verification run:\n- node .yarn/releases/yarn-4.12.0.cjs vitest run packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts\n- node .yarn/releases/yarn-4.12.0.cjs workspace @calcom/app-store type-check

[CLAassistant]

All committers have signed the CLA.

[holygeek00]

CLA is signed now. Could a maintainer please add the run-ci label when available so the required workflow can run?

Latest local verification:

• node .yarn/releases/yarn-4.12.0.cjs vitest run packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts
• node .yarn/releases/yarn-4.12.0.cjs workspace @calcom/app-store type-check
• node .yarn/releases/yarn-4.12.0.cjs biome check packages/app-store/bigbluebutton

[holygeek00]

The required workflow is still blocked by the external-contributor run-ci gate:

This PR is from an external contributor and requires the run-ci label before CI can run.

Could a maintainer please review and add run-ci when appropriate so the full CI suite can run?

Current status:

• CLA is signed
• CodeRabbit has no actionable comments after the latest fixes
• semgrep passed
• Local verification completed with:
  • node .yarn/releases/yarn-4.12.0.cjs vitest run packages/app-store/bigbluebutton/lib/VideoApiAdapter.test.ts
  • node .yarn/releases/yarn-4.12.0.cjs workspace @calcom/app-store type-check
  • node .yarn/releases/yarn-4.12.0.cjs biome check packages/app-store/bigbluebutton

[bandhan-majumder]

please attach a working demo in the description. making it draft til then.