1 import express from 'express'
2 import { query } from 'express-validator'
3 import LRUCache from 'lru-cache'
4 import { basename, dirname } from 'path'
5 import { exists, isUUIDValid } from '@server/helpers/custom-validators/misc'
6 import { logger } from '@server/helpers/logger'
7 import { LRU_CACHE } from '@server/initializers/constants'
8 import { VideoModel } from '@server/models/video/video'
9 import { VideoFileModel } from '@server/models/video/video-file'
10 import { HttpStatusCode } from '@shared/models'
11 import { areValidationErrors, checkCanAccessVideoStaticFiles } from './shared'
13 const staticFileTokenBypass = new LRUCache<string, boolean>({
14 max: LRU_CACHE.STATIC_VIDEO_FILES_RIGHTS_CHECK.MAX_SIZE,
15 ttl: LRU_CACHE.STATIC_VIDEO_FILES_RIGHTS_CHECK.TTL
18 const ensureCanAccessVideoPrivateWebTorrentFiles = [
19 query('videoFileToken').optional().custom(exists),
21 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
22 if (areValidationErrors(req, res)) return
24 const token = extractTokenOrDie(req, res)
27 const cacheKey = token + '-' + req.originalUrl
29 if (staticFileTokenBypass.has(cacheKey)) {
30 const allowedFromCache = staticFileTokenBypass.get(cacheKey)
32 if (allowedFromCache === true) return next()
34 return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
37 const allowed = await isWebTorrentAllowed(req, res)
39 staticFileTokenBypass.set(cacheKey, allowed)
41 if (allowed !== true) return
47 const ensureCanAccessPrivateVideoHLSFiles = [
48 query('videoFileToken').optional().custom(exists),
50 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
51 if (areValidationErrors(req, res)) return
53 const videoUUID = basename(dirname(req.originalUrl))
55 if (!isUUIDValid(videoUUID)) {
56 logger.debug('Path does not contain valid video UUID to serve static file %s', req.originalUrl)
58 return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
61 const token = extractTokenOrDie(req, res)
64 const cacheKey = token + '-' + videoUUID
66 if (staticFileTokenBypass.has(cacheKey)) {
67 const allowedFromCache = staticFileTokenBypass.get(cacheKey)
69 if (allowedFromCache === true) return next()
71 return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
74 const allowed = await isHLSAllowed(req, res, videoUUID)
76 staticFileTokenBypass.set(cacheKey, allowed)
78 if (allowed !== true) return
85 ensureCanAccessVideoPrivateWebTorrentFiles,
86 ensureCanAccessPrivateVideoHLSFiles
89 // ---------------------------------------------------------------------------
91 async function isWebTorrentAllowed (req: express.Request, res: express.Response) {
92 const filename = basename(req.path)
94 const file = await VideoFileModel.loadWithVideoByFilename(filename)
96 logger.debug('Unknown static file %s to serve', req.originalUrl, { filename })
98 res.sendStatus(HttpStatusCode.FORBIDDEN_403)
102 const video = file.getVideo()
104 return checkCanAccessVideoStaticFiles({ req, res, video, paramId: video.uuid })
107 async function isHLSAllowed (req: express.Request, res: express.Response, videoUUID: string) {
108 const video = await VideoModel.load(videoUUID)
111 logger.debug('Unknown static file %s to serve', req.originalUrl, { videoUUID })
113 res.sendStatus(HttpStatusCode.FORBIDDEN_403)
117 return checkCanAccessVideoStaticFiles({ req, res, video, paramId: video.uuid })
120 function extractTokenOrDie (req: express.Request, res: express.Response) {
121 const token = res.locals.oauth?.token.accessToken || req.query.videoFileToken
125 message: 'Bearer token is missing in headers or video file token is missing in URL query parameters',
126 status: HttpStatusCode.FORBIDDEN_403