Scalelite always uses LOADBALANCER_SECRET to sign recording ready notification, but frontends can be configured with one of LOADBALANCER_SECRETS instead (leading to verification failure) #1029
If you configure one or multiple LOADBALANCER_SECRETS and use one of these as BIGBLUEBUTTON_SECRET in Greenlight (v3), GL3 fails to verify recording ready notifications, because SL will sign these using LOADBALANCER_SECRET.
Relevant code in app/services/recording_ready_notifier_service.rb:
As long as one is allowed to use one of the LOADBALANCER_SECRETS as opposed to the LOADBALANCER_SECRET for a frontend, SL needs to use the correct secret for the recording ready notification or not encode this at all.
ffdixon
commented
8 months ago
Describe the bug
If you configure one or multiple LOADBALANCER_SECRETS and use one of these as BIGBLUEBUTTON_SECRET in Greenlight (v3), GL3 fails to verify recording ready notifications, because SL will sign these using LOADBALANCER_SECRET.
Relevant code in app/services/recording_ready_notifier_service.rb:
In my testing fetch_secrets(tenant_name: tenant_name)[0] returns the value of LOADBALANCER_SECRET.
Related issue in GL: https://github.com/bigbluebutton/greenlight/issues/5392
Deployment: SL + GL3
Expected behavior
As long as one is allowed to use one of the LOADBALANCER_SECRETS as opposed to the LOADBALANCER_SECRET for a frontend, SL needs to use the correct secret for the recording ready notification or not encode this at all.