fix: update presentation URL structure for token protection

server/routes/rooms.js

@@ -498,7 +498,7 @@ router.post('/:uid/start', authenticateToken, async (req, res) => {
     let presentationUrl = null;
     if (room.presentation_file) {
       const { token, expires } = signPresentationUrl(room.presentation_file);
-      presentationUrl = `${baseUrl}/api/rooms/presentations/${room.presentation_file}?token=${token}&expires=${expires}`;
+      presentationUrl = `${baseUrl}/api/rooms/presentations/${token}/${expires}/${room.presentation_file}`;
     }
     const analyticsCallbackURL = room.learning_analytics
       ? `${baseUrl}/api/analytics/callback/${room.uid}?token=${getAnalyticsToken(room.uid)}`
@@ -702,10 +702,11 @@ router.get('/:uid/status', async (req, res) => {
   }
 });
 
-// GET /api/rooms/presentations/:filename - Serve presentation file (token-protected for BBB)
+// GET /api/rooms/presentations/:token/:expires/:filename - Serve presentation file (token-protected for BBB)
-router.get('/presentations/:filename', (req, res) => {
+// Token and expires are path segments so the URL ends with the filename,
-  const { token, expires } = req.query;
+// allowing BBB to detect the file type from the extension.
-  const { filename } = req.params;
+router.get('/presentations/:token/:expires/:filename', (req, res) => {
+  const { token, expires, filename } = req.params;
 
   if (!token || !expires) {
     return res.status(401).json({ error: 'Missing token' });