feat(analytics): enhance analytics functionality with token validation and data extraction

server/routes/analytics.js

@@ -1,13 +1,24 @@
 import { Router } from 'express';
+import crypto from 'crypto';
 import { getDb } from '../config/database.js';
 import { authenticateToken } from '../middleware/auth.js';
 import { log } from '../config/logger.js';
+import { getAnalyticsToken } from '../config/bbb.js';
 
 const router = Router();
 
-// POST /api/analytics/callback/:uid - BBB Learning Analytics callback (no auth, called by BBB)
+// POST /api/analytics/callback/:uid?token=... - BBB Learning Analytics callback (token-secured)
 router.post('/callback/:uid', async (req, res) => {
   try {
+    const { token } = req.query;
+    const expectedToken = getAnalyticsToken(req.params.uid);
+
+    // Constant-time comparison to prevent timing attacks
+    if (!token || token.length !== expectedToken.length ||
+        !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(expectedToken))) {
+      return res.status(403).json({ error: 'Invalid token' });
+    }
+
     const db = getDb();
     const room = await db.get('SELECT id, uid, learning_analytics FROM rooms WHERE uid = ?', [req.params.uid]);
 
@@ -24,9 +35,10 @@ router.post('/callback/:uid', async (req, res) => {
       return res.status(400).json({ error: 'Invalid analytics data' });
     }
 
-    // Extract meeting info from BBB analytics payload
-    const meetingId = data.intId || data.extId || room.uid;
-    const meetingName = data.name || room.uid;
+    // Extract meeting info from BBB learning analytics payload
+    // Format: { meeting_id, internal_meeting_id, data: { metadata: { meeting_name }, duration, attendees, ... } }
+    const meetingId = data.internal_meeting_id || data.meeting_id || room.uid;
+    const meetingName = data.data?.metadata?.meeting_name || data.meeting_id || room.uid;
 
     // Upsert: update if same meeting already exists (BBB sends updates during the meeting)
     const existing = await db.get(