From c058ba3bf1d3f62d5007077391c119418dc036b1 Mon Sep 17 00:00:00 2001
From: Michelle <michelle.winkler@miichelle.moe>
Date: Wed, 1 Apr 2026 09:43:32 +0200
Subject: [PATCH] fix: update presentation URL structure for token protection

---
 server/routes/rooms.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/server/routes/rooms.js b/server/routes/rooms.js
index b4023b9..5fdce90 100644
--- a/server/routes/rooms.js
+++ b/server/routes/rooms.js
@@ -498,7 +498,7 @@ router.post('/:uid/start', authenticateToken, async (req, res) => {
     let presentationUrl = null;
     if (room.presentation_file) {
       const { token, expires } = signPresentationUrl(room.presentation_file);
-      presentationUrl = `${baseUrl}/api/rooms/presentations/${room.presentation_file}?token=${token}&expires=${expires}`;
+      presentationUrl = `${baseUrl}/api/rooms/presentations/${token}/${expires}/${room.presentation_file}`;
     }
     const analyticsCallbackURL = room.learning_analytics
       ? `${baseUrl}/api/analytics/callback/${room.uid}?token=${getAnalyticsToken(room.uid)}`
@@ -702,10 +702,11 @@ router.get('/:uid/status', async (req, res) => {
   }
 });
 
-// GET /api/rooms/presentations/:filename - Serve presentation file (token-protected for BBB)
-router.get('/presentations/:filename', (req, res) => {
-  const { token, expires } = req.query;
-  const { filename } = req.params;
+// GET /api/rooms/presentations/:token/:expires/:filename - Serve presentation file (token-protected for BBB)
+// Token and expires are path segments so the URL ends with the filename,
+// allowing BBB to detect the file type from the extension.
+router.get('/presentations/:token/:expires/:filename', (req, res) => {
+  const { token, expires, filename } = req.params;
 
   if (!token || !expires) {
     return res.status(401).json({ error: 'Missing token' });