Update: Recording download url 403 error

Hello Everyone,

We apologize for any inconvenience that may have happen with the ability to use the cloud recording download url. Last weekend our backend team deployed a new security feature to fix a potential vulnerability with our recordings.

However, since this security fix interrupted our valued customers downloading recordings with the download_url, we are in the process of removing the change so that you can continue using the download_url with the access token.

Our Engineering team is currently investigating to make sure we do not cause any other service interruptions and as soon we are able to make the change. Please follow this thread and we will notify you asap.

Update: You are still able to download all of your recordings through the browser.

Thanks
Michael

1 Like

Michael,

We just saw the following behavior with our “VoiceVibes” integration – the download_url which was returned by the Cloud Recordings API for one specific customer results in the following message when it is loaded in a browser or via a download script: “Download has been disabled by the administrator (200)”

Can you confirm that this is caused by the issue you mentioned?

We are seeing all downloads broken for one customer while another customer is fine. Do you anticipate that once this is resolved all customers will work and that error will no longer be shown for download_url’s returned by your API under any circumstances?

Another post made reference to a user setting called “Require password to access shared cloud recordings” and I just wanted to make sure that that setting isn’t what is breaking this and that once you fix things on your end, any customer who installs our integration will be able to provide non-blocked download_url’s.

Thanks!

Hey @debra,

Your issues is different then the Recording download url 403 error.

To fix your issue, the Admin of the account needs to go to the account settings https://zoom.us/account/setting?tab=recording

And turn off the “Only the host can download cloud recordings” setting.

Then you will no longer get this error:

Thanks,
Tommy

Tommy,

Thanks for the reply.

I’m a little disappointed to hear this. This results in a bad customer experience – customers using our integration must now be shown an error first and we then have to make an educated guess as to what caused the error and recommend they change this setting in their Zoom account.

It would be much better if we are able to know ahead of time that the download links are invalid. Is there a way to tell based on user info returned from one of the other API endpoints or some other method that the download links returned for the Cloud recordings won’t actually work when our system attempts to download them? Can you update your API to not return them in the first place (which makes sense since they won’t ever work)?

Since the entire point of our integration hinges on being able to receive working download links, it makes the most sense to handle this during the “setup”/“authorization” phase of installing our integration. We could then show a warning to users who have their download links set to private that they need to change this setting before they can proceed with using the integration.

As it stands now, it looks like we have to assume everything is okay, wait until a customer wants to us to download one of their recordings then try the download link to see if it works. If it doesn’t, we need to show an error and request that they change the setting, which may or may not be the cause of the error (since our backend isn’t currently configured to parse out and look for the “disabled by administrator” text we can’t be sure if the problem is in their settings or a Zoom problem such as the original thread above).

Again… is there any way to tell ahead of time that the account’s download links are set to private and won’t actually work?

Either way, thanks for the response so far.

1 Like

This brings up a good question about the API, does the endpoint /users/{userId}/recordings bring back a list of meetings that you have access to the recordings of or recordings of meetings you participated in that have a recording which you may or may not have access to? I assume If this endpoint returns a download_url for a recording, the user has access to download it with their access token.

Agreed. Also, it seems rather unfortunate to me that the Oauth permission doesn’t override the checkbox in the user settings.

In my code now, I don’t use any access token, simply access the download_url, and it used to work perfectly until two days ago. Can you confirm that your rollback will not break my code? or should I integrate some kind of access_token I currently know nothing about?

Also, do we have an ETA on this issue?

1 Like

Please let us know when this issue will be fixed. This issue forced us to shutdown our services till fixed. We are in the process of finding the alternative options to pull the old files from the affected date till fix date (from Zoom cloud to customers). Is it possible for Zoom to trigger the recording (completed) notification for the old files? Thanks.

I also have the same question as we are not using access token as of now , simply using download_url. Do we have to change the code accordingly.

Hi @Everyone,

Good news! Our Engineers have worked tirelessly overnight to resolve the download url issue which you are experiencing. Now that the fix is in place, please try to use your access token with the download url to confirm that it is working.

Let us know if you are still experiencing this or any other issues.

Thanks

Thanks, all is working as usual again.

2 Likes

Is it possible to trigger the recording completed notification by Zoom for the recording done during the issue period? Otherwise there is no way we can upload the recording to our customers. Thanks.

Hey @selva.iyyamperumal,

You can get all recordings by date using the List all Recordings endpoint and then upload them respectively.

Thanks,
Tommy

1 Like

See the bug/missing feature discussed here: BUG downloading cloud recordings with access token set results in an invalid response

Thanks for your help Ryan.

Hi Tommy,
Yes, we have been thinking about this option. We have to develop code to do. All our connectors looking for the recording completed notification and upload the files once received. Is it possible to trigger the recording completed notification by Zoom for the recording done during the issue period?

Thanks.

@Michael_Purnell
Thanks. We could download the recordings properly now.

1 Like

Hey @selva.iyyamperumal,

Unfortunately this is not possible as our webhook notifications are triggered by callbacks after the event occurs.

To accomplish what you want, you can get all the recordings and then reuse your existing logic/code to upload them to your cloud storage service / customers.

-Tommy