X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fmiddlewares%2Fvalidators%2Foembed.ts;h=ef9a227a0446a1513727858624dcea3e404765a8;hb=a2be43f5700460d3afdc194abc788690b79e66cd;hp=0bb908d0b6719363a5f0c4e57279f8f940181b2c;hpb=97567dd81f508dd6295ac4d73d849aa2ce0a6549;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/middlewares/validators/oembed.ts b/server/middlewares/validators/oembed.ts index 0bb908d0b..ef9a227a0 100644 --- a/server/middlewares/validators/oembed.ts +++ b/server/middlewares/validators/oembed.ts @@ -1,61 +1,154 @@ -import * as express from 'express' -import { query } from 'express-validator/check' +import express from 'express' +import { query } from 'express-validator' import { join } from 'path' -import { isTestInstance } from '../../helpers/core-utils' -import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc' -import { doesVideoExist } from '../../helpers/custom-validators/videos' -import { logger } from '../../helpers/logger' -import { areValidationErrors } from './utils' +import { loadVideo } from '@server/lib/model-loaders' +import { VideoPlaylistModel } from '@server/models/video/video-playlist' +import { VideoPlaylistPrivacy, VideoPrivacy } from '@shared/models' +import { HttpStatusCode } from '../../../shared/models/http/http-error-codes' +import { isTestOrDevInstance } from '../../helpers/core-utils' +import { isIdOrUUIDValid, isUUIDValid, toCompleteUUID } from '../../helpers/custom-validators/misc' import { WEBSERVER } from '../../initializers/constants' +import { areValidationErrors } from './shared' + +const playlistPaths = [ + join('videos', 'watch', 'playlist'), + join('w', 'p') +] + +const videoPaths = [ + join('videos', 'watch'), + 'w' +] + +function buildUrls (paths: string[]) { + return paths.map(p => WEBSERVER.SCHEME + '://' + join(WEBSERVER.HOST, p) + '/') +} + +const startPlaylistURLs = buildUrls(playlistPaths) +const startVideoURLs = buildUrls(videoPaths) -const urlShouldStartWith = WEBSERVER.SCHEME + '://' + join(WEBSERVER.HOST, 'videos', 'watch') + '/' -const videoWatchRegex = new RegExp('([^/]+)$') const isURLOptions = { require_host: true, require_tld: true } // We validate 'localhost', so we don't have the top level domain -if (isTestInstance()) { +if (isTestOrDevInstance()) { isURLOptions.require_tld = false } const oembedValidator = [ - query('url').isURL(isURLOptions).withMessage('Should have a valid url'), - query('maxwidth').optional().isInt().withMessage('Should have a valid max width'), - query('maxheight').optional().isInt().withMessage('Should have a valid max height'), - query('format').optional().isIn([ 'xml', 'json' ]).withMessage('Should have a valid format'), + query('url') + .isURL(isURLOptions), + query('maxwidth') + .optional() + .isInt(), + query('maxheight') + .optional() + .isInt(), + query('format') + .optional() + .isIn([ 'xml', 'json' ]), async (req: express.Request, res: express.Response, next: express.NextFunction) => { - logger.debug('Checking oembed parameters', { parameters: req.query }) - if (areValidationErrors(req, res)) return if (req.query.format !== undefined && req.query.format !== 'json') { - return res.status(501) - .json({ error: 'Requested format is not implemented on server.' }) - .end() + return res.fail({ + status: HttpStatusCode.NOT_IMPLEMENTED_501, + message: 'Requested format is not implemented on server.', + data: { + format: req.query.format + } + }) } - const startIsOk = req.query.url.startsWith(urlShouldStartWith) - const matches = videoWatchRegex.exec(req.query.url) - if (startIsOk === false || matches === null) { - return res.status(400) - .json({ error: 'Invalid url.' }) - .end() + const url = req.query.url as string + + let urlPath: string + + try { + urlPath = new URL(url).pathname + } catch (err) { + return res.fail({ + status: HttpStatusCode.BAD_REQUEST_400, + message: err.message, + data: { + url + } + }) } - const videoId = matches[1] - if (isIdOrUUIDValid(videoId) === false) { - return res.status(400) - .json({ error: 'Invalid video id.' }) - .end() + const isPlaylist = startPlaylistURLs.some(u => url.startsWith(u)) + const isVideo = isPlaylist ? false : startVideoURLs.some(u => url.startsWith(u)) + + const startIsOk = isVideo || isPlaylist + + const parts = urlPath.split('/') + + if (startIsOk === false || parts.length === 0) { + return res.fail({ + status: HttpStatusCode.BAD_REQUEST_400, + message: 'Invalid url.', + data: { + url + } + }) } - if (!await doesVideoExist(videoId, res)) return + const elementId = toCompleteUUID(parts.pop()) + if (isIdOrUUIDValid(elementId) === false) { + return res.fail({ message: 'Invalid video or playlist id.' }) + } + + if (isVideo) { + const video = await loadVideo(elementId, 'all') + + if (!video) { + return res.fail({ + status: HttpStatusCode.NOT_FOUND_404, + message: 'Video not found' + }) + } + + if ( + video.privacy === VideoPrivacy.PUBLIC || + (video.privacy === VideoPrivacy.UNLISTED && isUUIDValid(elementId) === true) + ) { + res.locals.videoAll = video + return next() + } + + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Video is not publicly available' + }) + } - return next() + // Is playlist + + const videoPlaylist = await VideoPlaylistModel.loadWithAccountAndChannelSummary(elementId, undefined) + if (!videoPlaylist) { + return res.fail({ + status: HttpStatusCode.NOT_FOUND_404, + message: 'Video playlist not found' + }) + } + + if ( + videoPlaylist.privacy === VideoPlaylistPrivacy.PUBLIC || + (videoPlaylist.privacy === VideoPlaylistPrivacy.UNLISTED && isUUIDValid(elementId)) + ) { + res.locals.videoPlaylistSummary = videoPlaylist + return next() + } + + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Playlist is not public' + }) } + ] // ---------------------------------------------------------------------------