[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / oembed.ts

import express from 'express'
import { query } from 'express-validator'
import { join } from 'path'
import { loadVideo } from '@server/lib/model-loaders'
import { VideoPlaylistModel } from '@server/models/video/video-playlist'
import { VideoPlaylistPrivacy, VideoPrivacy } from '@shared/models'
import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
import { isTestOrDevInstance } from '../../helpers/core-utils'
import { isIdOrUUIDValid, isUUIDValid, toCompleteUUID } from '../../helpers/custom-validators/misc'
import { WEBSERVER } from '../../initializers/constants'
import { areValidationErrors } from './shared'

const playlistPaths = [
  join('videos', 'watch', 'playlist'),
  join('w', 'p')
]

const videoPaths = [
  join('videos', 'watch'),
  'w'
]

function buildUrls (paths: string[]) {
  return paths.map(p => WEBSERVER.SCHEME + '://' + join(WEBSERVER.HOST, p) + '/')
}

const startPlaylistURLs = buildUrls(playlistPaths)
const startVideoURLs = buildUrls(videoPaths)

const isURLOptions = {
  require_host: true,
  require_tld: true
}

// We validate 'localhost', so we don't have the top level domain
if (isTestOrDevInstance()) {
  isURLOptions.require_tld = false
}

const oembedValidator = [
  query('url')
    .isURL(isURLOptions),
  query('maxwidth')
    .optional()
    .isInt(),
  query('maxheight')
    .optional()
    .isInt(),
  query('format')
    .optional()
    .isIn([ 'xml', 'json' ]),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    if (req.query.format !== undefined && req.query.format !== 'json') {
      return res.fail({
        status: HttpStatusCode.NOT_IMPLEMENTED_501,
        message: 'Requested format is not implemented on server.',
        data: {
          format: req.query.format
        }
      })
    }

    const url = req.query.url as string

    let urlPath: string

    try {
      urlPath = new URL(url).pathname
    } catch (err) {
      return res.fail({
        status: HttpStatusCode.BAD_REQUEST_400,
        message: err.message,
        data: {
          url
        }
      })
    }

    const isPlaylist = startPlaylistURLs.some(u => url.startsWith(u))
    const isVideo = isPlaylist ? false : startVideoURLs.some(u => url.startsWith(u))

    const startIsOk = isVideo || isPlaylist

    const parts = urlPath.split('/')

    if (startIsOk === false || parts.length === 0) {
      return res.fail({
        status: HttpStatusCode.BAD_REQUEST_400,
        message: 'Invalid url.',
        data: {
          url
        }
      })
    }

    const elementId = toCompleteUUID(parts.pop())
    if (isIdOrUUIDValid(elementId) === false) {
      return res.fail({ message: 'Invalid video or playlist id.' })
    }

    if (isVideo) {
      const video = await loadVideo(elementId, 'all')

      if (!video) {
        return res.fail({
          status: HttpStatusCode.NOT_FOUND_404,
          message: 'Video not found'
        })
      }

      if (
        video.privacy === VideoPrivacy.PUBLIC ||
        (video.privacy === VideoPrivacy.UNLISTED && isUUIDValid(elementId) === true)
      ) {
        res.locals.videoAll = video
        return next()
      }

      return res.fail({
        status: HttpStatusCode.FORBIDDEN_403,
        message: 'Video is not publicly available'
      })
    }

    // Is playlist

    const videoPlaylist = await VideoPlaylistModel.loadWithAccountAndChannelSummary(elementId, undefined)
    if (!videoPlaylist) {
      return res.fail({
        status: HttpStatusCode.NOT_FOUND_404,
        message: 'Video playlist not found'
      })
    }

    if (
      videoPlaylist.privacy === VideoPlaylistPrivacy.PUBLIC ||
      (videoPlaylist.privacy === VideoPlaylistPrivacy.UNLISTED && isUUIDValid(elementId))
    ) {
      res.locals.videoPlaylistSummary = videoPlaylist
      return next()
    }

    return res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: 'Playlist is not public'
    })
  }

]

// ---------------------------------------------------------------------------

export {
  oembedValidator
}
Commit	Line	Data
41fb13c3	1	import express from 'express'
c8861d5d	2	import { query } from 'express-validator'
d8755eed	3	import { join } from 'path'
868fce62	4	import { loadVideo } from '@server/lib/model-loaders'
6fad8e51 C	5	import { VideoPlaylistModel } from '@server/models/video/video-playlist'
6fad8e51 C	6	import { VideoPlaylistPrivacy, VideoPrivacy } from '@shared/models'
c0e8b12e	7	import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
9452d4fd	8	import { isTestOrDevInstance } from '../../helpers/core-utils'
b3d9dedc	9	import { isIdOrUUIDValid, isUUIDValid, toCompleteUUID } from '../../helpers/custom-validators/misc'
6dd9de95	10	import { WEBSERVER } from '../../initializers/constants'
10363c74	11	import { areValidationErrors } from './shared'
d8755eed	12
a1eda903 C	13	const playlistPaths = [
	14	join('videos', 'watch', 'playlist'),
	15	join('w', 'p')
	16	]
	17
	18	const videoPaths = [
	19	join('videos', 'watch'),
	20	'w'
	21	]
	22
	23	function buildUrls (paths: string[]) {
	24	return paths.map(p => WEBSERVER.SCHEME + '://' + join(WEBSERVER.HOST, p) + '/')
	25	}
	26
	27	const startPlaylistURLs = buildUrls(playlistPaths)
	28	const startVideoURLs = buildUrls(videoPaths)
6fad8e51	29
d8755eed C	30	const isURLOptions = {
	31	require_host: true,
	32	require_tld: true
	33	}
	34
	35	// We validate 'localhost', so we don't have the top level domain
9452d4fd	36	if (isTestOrDevInstance()) {
d8755eed C	37	isURLOptions.require_tld = false
	38	}
	39
	40	const oembedValidator = [
396f6f01 C	41	query('url')
	42	.isURL(isURLOptions),
	43	query('maxwidth')
	44	.optional()
	45	.isInt(),
	46	query('maxheight')
	47	.optional()
	48	.isInt(),
	49	query('format')
	50	.optional()
	51	.isIn([ 'xml', 'json' ]),
d8755eed	52
a2431b7d	53	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
a2431b7d C	54	if (areValidationErrors(req, res)) return
	55
	56	if (req.query.format !== undefined && req.query.format !== 'json') {
76148b27 RK	57	return res.fail({
	58	status: HttpStatusCode.NOT_IMPLEMENTED_501,
	59	message: 'Requested format is not implemented on server.',
	60	data: {
	61	format: req.query.format
	62	}
	63	})
a2431b7d C	64	}
a2431b7d C	65
67c604ae C	66	const url = req.query.url as string
67c604ae C	67
e93ee838 C	68	let urlPath: string
	69
	70	try {
	71	urlPath = new URL(url).pathname
	72	} catch (err) {
	73	return res.fail({
	74	status: HttpStatusCode.BAD_REQUEST_400,
	75	message: err.message,
	76	data: {
	77	url
	78	}
	79	})
	80	}
	81
a1eda903 C	82	const isPlaylist = startPlaylistURLs.some(u => url.startsWith(u))
a1eda903 C	83	const isVideo = isPlaylist ? false : startVideoURLs.some(u => url.startsWith(u))
6fad8e51 C	84
	85	const startIsOk = isVideo \|\| isPlaylist
	86
e5d9877f	87	const parts = urlPath.split('/')
67c604ae	88
e5d9877f	89	if (startIsOk === false \|\| parts.length === 0) {
76148b27 RK	90	return res.fail({
	91	status: HttpStatusCode.BAD_REQUEST_400,
	92	message: 'Invalid url.',
	93	data: {
	94	url
	95	}
	96	})
a2431b7d	97	}
d8755eed	98
e5d9877f	99	const elementId = toCompleteUUID(parts.pop())
6fad8e51	100	if (isIdOrUUIDValid(elementId) === false) {
76148b27	101	return res.fail({ message: 'Invalid video or playlist id.' })
a2431b7d	102	}
d8755eed	103
6fad8e51	104	if (isVideo) {
868fce62	105	const video = await loadVideo(elementId, 'all')
6fad8e51 C	106
6fad8e51 C	107	if (!video) {
76148b27 RK	108	return res.fail({
	109	status: HttpStatusCode.NOT_FOUND_404,
	110	message: 'Video not found'
	111	})
6fad8e51	112	}
d8755eed	113
b3d9dedc C	114	if (
	115	video.privacy === VideoPrivacy.PUBLIC \|\|
	116	(video.privacy === VideoPrivacy.UNLISTED && isUUIDValid(elementId) === true)
	117	) {
	118	res.locals.videoAll = video
	119	return next()
6fad8e51 C	120	}
6fad8e51 C	121
b3d9dedc C	122	return res.fail({
	123	status: HttpStatusCode.FORBIDDEN_403,
	124	message: 'Video is not publicly available'
	125	})
6fad8e51 C	126	}
	127
	128	// Is playlist
	129
	130	const videoPlaylist = await VideoPlaylistModel.loadWithAccountAndChannelSummary(elementId, undefined)
	131	if (!videoPlaylist) {
76148b27 RK	132	return res.fail({
	133	status: HttpStatusCode.NOT_FOUND_404,
	134	message: 'Video playlist not found'
	135	})
6fad8e51 C	136	}
6fad8e51 C	137
b3d9dedc C	138	if (
	139	videoPlaylist.privacy === VideoPlaylistPrivacy.PUBLIC \|\|
	140	(videoPlaylist.privacy === VideoPlaylistPrivacy.UNLISTED && isUUIDValid(elementId))
	141	) {
	142	res.locals.videoPlaylistSummary = videoPlaylist
	143	return next()
6fad8e51 C	144	}
6fad8e51 C	145
b3d9dedc C	146	return res.fail({
	147	status: HttpStatusCode.FORBIDDEN_403,
	148	message: 'Playlist is not public'
	149	})
d8755eed	150	}
6fad8e51	151
d8755eed C	152	]
	153
	154	// ---------------------------------------------------------------------------
	155
	156	export {
	157	oembedValidator
	158	}