diff options
author | Chocobozzz <me@florianbigard.com> | 2022-12-20 09:15:49 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-12-20 09:15:49 +0100 |
commit | 868314e8bf6bcc325b0fea35887071ef0614a46d (patch) | |
tree | 2f46353e3a44ed6db3068d1d1e4f3b472fdd3869 | |
parent | 93293ca7887e34fd9b6413fdaeea3d1dddc46ece (diff) | |
download | PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.tar.gz PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.tar.zst PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.zip |
Add ability to get user from file token
-rw-r--r-- | server/controllers/api/videos/token.ts | 2 | ||||
-rw-r--r-- | server/lib/plugins/plugin-helpers-builder.ts | 2 | ||||
-rw-r--r-- | server/lib/video-tokens-manager.ts | 22 | ||||
-rw-r--r-- | server/middlewares/validators/shared/videos.ts | 12 | ||||
-rw-r--r-- | server/tests/fixtures/peertube-plugin-test/main.js | 5 | ||||
-rw-r--r-- | server/tests/plugins/filter-hooks.ts | 47 | ||||
-rw-r--r-- | server/types/express.d.ts | 5 |
7 files changed, 64 insertions, 31 deletions
diff --git a/server/controllers/api/videos/token.ts b/server/controllers/api/videos/token.ts index 009b6dfb6..22387c3e8 100644 --- a/server/controllers/api/videos/token.ts +++ b/server/controllers/api/videos/token.ts | |||
@@ -22,7 +22,7 @@ export { | |||
22 | function generateToken (req: express.Request, res: express.Response) { | 22 | function generateToken (req: express.Request, res: express.Response) { |
23 | const video = res.locals.onlyVideo | 23 | const video = res.locals.onlyVideo |
24 | 24 | ||
25 | const { token, expires } = VideoTokensManager.Instance.create(video.uuid) | 25 | const { token, expires } = VideoTokensManager.Instance.create({ videoUUID: video.uuid, user: res.locals.oauth.token.User }) |
26 | 26 | ||
27 | return res.json({ | 27 | return res.json({ |
28 | files: { | 28 | files: { |
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts index 7b1def6e3..e75c0b994 100644 --- a/server/lib/plugins/plugin-helpers-builder.ts +++ b/server/lib/plugins/plugin-helpers-builder.ts | |||
@@ -245,7 +245,7 @@ function buildUserHelpers () { | |||
245 | }, | 245 | }, |
246 | 246 | ||
247 | getAuthUser: (res: express.Response) => { | 247 | getAuthUser: (res: express.Response) => { |
248 | const user = res.locals.oauth?.token?.User | 248 | const user = res.locals.oauth?.token?.User || res.locals.videoFileToken?.user |
249 | if (!user) return undefined | 249 | if (!user) return undefined |
250 | 250 | ||
251 | return UserModel.loadByIdFull(user.id) | 251 | return UserModel.loadByIdFull(user.id) |
diff --git a/server/lib/video-tokens-manager.ts b/server/lib/video-tokens-manager.ts index c43085d16..17aa29cdd 100644 --- a/server/lib/video-tokens-manager.ts +++ b/server/lib/video-tokens-manager.ts | |||
@@ -1,5 +1,7 @@ | |||
1 | import LRUCache from 'lru-cache' | 1 | import LRUCache from 'lru-cache' |
2 | import { LRU_CACHE } from '@server/initializers/constants' | 2 | import { LRU_CACHE } from '@server/initializers/constants' |
3 | import { MUserAccountUrl } from '@server/types/models' | ||
4 | import { pick } from '@shared/core-utils' | ||
3 | import { buildUUID } from '@shared/extra-utils' | 5 | import { buildUUID } from '@shared/extra-utils' |
4 | 6 | ||
5 | // --------------------------------------------------------------------------- | 7 | // --------------------------------------------------------------------------- |
@@ -10,19 +12,22 @@ class VideoTokensManager { | |||
10 | 12 | ||
11 | private static instance: VideoTokensManager | 13 | private static instance: VideoTokensManager |
12 | 14 | ||
13 | private readonly lruCache = new LRUCache<string, string>({ | 15 | private readonly lruCache = new LRUCache<string, { videoUUID: string, user: MUserAccountUrl }>({ |
14 | max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE, | 16 | max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE, |
15 | ttl: LRU_CACHE.VIDEO_TOKENS.TTL | 17 | ttl: LRU_CACHE.VIDEO_TOKENS.TTL |
16 | }) | 18 | }) |
17 | 19 | ||
18 | private constructor () {} | 20 | private constructor () {} |
19 | 21 | ||
20 | create (videoUUID: string) { | 22 | create (options: { |
23 | user: MUserAccountUrl | ||
24 | videoUUID: string | ||
25 | }) { | ||
21 | const token = buildUUID() | 26 | const token = buildUUID() |
22 | 27 | ||
23 | const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL) | 28 | const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL) |
24 | 29 | ||
25 | this.lruCache.set(token, videoUUID) | 30 | this.lruCache.set(token, pick(options, [ 'user', 'videoUUID' ])) |
26 | 31 | ||
27 | return { token, expires } | 32 | return { token, expires } |
28 | } | 33 | } |
@@ -34,7 +39,16 @@ class VideoTokensManager { | |||
34 | const value = this.lruCache.get(options.token) | 39 | const value = this.lruCache.get(options.token) |
35 | if (!value) return false | 40 | if (!value) return false |
36 | 41 | ||
37 | return value === options.videoUUID | 42 | return value.videoUUID === options.videoUUID |
43 | } | ||
44 | |||
45 | getUserFromToken (options: { | ||
46 | token: string | ||
47 | }) { | ||
48 | const value = this.lruCache.get(options.token) | ||
49 | if (!value) return undefined | ||
50 | |||
51 | return value.user | ||
38 | } | 52 | } |
39 | 53 | ||
40 | static get Instance () { | 54 | static get Instance () { |
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index ebbfc0a0a..0033a32ff 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts | |||
@@ -180,18 +180,16 @@ async function checkCanAccessVideoStaticFiles (options: { | |||
180 | return checkCanSeeVideo(options) | 180 | return checkCanSeeVideo(options) |
181 | } | 181 | } |
182 | 182 | ||
183 | if (!video.hasPrivateStaticPath()) return true | ||
184 | |||
185 | const videoFileToken = req.query.videoFileToken | 183 | const videoFileToken = req.query.videoFileToken |
186 | if (!videoFileToken) { | 184 | if (videoFileToken && VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) { |
187 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) | 185 | const user = VideoTokensManager.Instance.getUserFromToken({ token: videoFileToken }) |
188 | return false | ||
189 | } | ||
190 | 186 | ||
191 | if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) { | 187 | res.locals.videoFileToken = { user } |
192 | return true | 188 | return true |
193 | } | 189 | } |
194 | 190 | ||
191 | if (!video.hasPrivateStaticPath()) return true | ||
192 | |||
195 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) | 193 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
196 | return false | 194 | return false |
197 | } | 195 | } |
diff --git a/server/tests/fixtures/peertube-plugin-test/main.js b/server/tests/fixtures/peertube-plugin-test/main.js index 19dccf26e..19ba9f278 100644 --- a/server/tests/fixtures/peertube-plugin-test/main.js +++ b/server/tests/fixtures/peertube-plugin-test/main.js | |||
@@ -250,7 +250,10 @@ async function register ({ registerHook, registerSetting, settingsManager, stora | |||
250 | 250 | ||
251 | registerHook({ | 251 | registerHook({ |
252 | target: 'filter:api.download.video.allowed.result', | 252 | target: 'filter:api.download.video.allowed.result', |
253 | handler: (result, params) => { | 253 | handler: async (result, params) => { |
254 | const loggedInUser = await peertubeHelpers.user.getAuthUser(params.res) | ||
255 | if (loggedInUser) return { allowed: true } | ||
256 | |||
254 | if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) { | 257 | if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) { |
255 | return { allowed: false, errorMessage: 'Cao Cao' } | 258 | return { allowed: false, errorMessage: 'Cao Cao' } |
256 | } | 259 | } |
diff --git a/server/tests/plugins/filter-hooks.ts b/server/tests/plugins/filter-hooks.ts index 083fd43ca..6724b3bf8 100644 --- a/server/tests/plugins/filter-hooks.ts +++ b/server/tests/plugins/filter-hooks.ts | |||
@@ -430,6 +430,7 @@ describe('Test plugin filter hooks', function () { | |||
430 | 430 | ||
431 | describe('Download hooks', function () { | 431 | describe('Download hooks', function () { |
432 | const downloadVideos: VideoDetails[] = [] | 432 | const downloadVideos: VideoDetails[] = [] |
433 | let downloadVideo2Token: string | ||
433 | 434 | ||
434 | before(async function () { | 435 | before(async function () { |
435 | this.timeout(120000) | 436 | this.timeout(120000) |
@@ -459,6 +460,8 @@ describe('Test plugin filter hooks', function () { | |||
459 | for (const uuid of uuids) { | 460 | for (const uuid of uuids) { |
460 | downloadVideos.push(await servers[0].videos.get({ id: uuid })) | 461 | downloadVideos.push(await servers[0].videos.get({ id: uuid })) |
461 | } | 462 | } |
463 | |||
464 | downloadVideo2Token = await servers[0].videoToken.getVideoFileToken({ videoId: downloadVideos[2].uuid }) | ||
462 | }) | 465 | }) |
463 | 466 | ||
464 | it('Should run filter:api.download.torrent.allowed.result', async function () { | 467 | it('Should run filter:api.download.torrent.allowed.result', async function () { |
@@ -471,32 +474,42 @@ describe('Test plugin filter hooks', function () { | |||
471 | 474 | ||
472 | it('Should run filter:api.download.video.allowed.result', async function () { | 475 | it('Should run filter:api.download.video.allowed.result', async function () { |
473 | { | 476 | { |
474 | const res = await makeRawRequest({ url: downloadVideos[1].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | 477 | const refused = downloadVideos[1].files[0].fileDownloadUrl |
478 | const allowed = [ | ||
479 | downloadVideos[0].files[0].fileDownloadUrl, | ||
480 | downloadVideos[2].files[0].fileDownloadUrl | ||
481 | ] | ||
482 | |||
483 | const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
475 | expect(res.body.error).to.equal('Cao Cao') | 484 | expect(res.body.error).to.equal('Cao Cao') |
476 | 485 | ||
477 | await makeRawRequest({ url: downloadVideos[0].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 486 | for (const url of allowed) { |
478 | await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 487 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) |
488 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) | ||
489 | } | ||
479 | } | 490 | } |
480 | 491 | ||
481 | { | 492 | { |
482 | const res = await makeRawRequest({ | 493 | const refused = downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl |
483 | url: downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl, | ||
484 | expectedStatus: HttpStatusCode.FORBIDDEN_403 | ||
485 | }) | ||
486 | 494 | ||
487 | expect(res.body.error).to.equal('Sun Jian') | 495 | const allowed = [ |
496 | downloadVideos[2].files[0].fileDownloadUrl, | ||
497 | downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl, | ||
498 | downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl | ||
499 | ] | ||
488 | 500 | ||
489 | await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 501 | // Only streaming playlist is refuse |
502 | const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
503 | expect(res.body.error).to.equal('Sun Jian') | ||
490 | 504 | ||
491 | await makeRawRequest({ | 505 | // But not we there is a user in res |
492 | url: downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl, | 506 | await makeRawRequest({ url: refused, token: servers[0].accessToken, expectedStatus: HttpStatusCode.OK_200 }) |
493 | expectedStatus: HttpStatusCode.OK_200 | 507 | await makeRawRequest({ url: refused, query: { videoFileToken: downloadVideo2Token }, expectedStatus: HttpStatusCode.OK_200 }) |
494 | }) | ||
495 | 508 | ||
496 | await makeRawRequest({ | 509 | // Other files work |
497 | url: downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl, | 510 | for (const url of allowed) { |
498 | expectedStatus: HttpStatusCode.OK_200 | 511 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) |
499 | }) | 512 | } |
500 | } | 513 | } |
501 | }) | 514 | }) |
502 | }) | 515 | }) |
diff --git a/server/types/express.d.ts b/server/types/express.d.ts index 3738ffc47..99244d2a0 100644 --- a/server/types/express.d.ts +++ b/server/types/express.d.ts | |||
@@ -10,6 +10,7 @@ import { | |||
10 | MChannelBannerAccountDefault, | 10 | MChannelBannerAccountDefault, |
11 | MChannelSyncChannel, | 11 | MChannelSyncChannel, |
12 | MStreamingPlaylist, | 12 | MStreamingPlaylist, |
13 | MUserAccountUrl, | ||
13 | MVideoChangeOwnershipFull, | 14 | MVideoChangeOwnershipFull, |
14 | MVideoFile, | 15 | MVideoFile, |
15 | MVideoFormattableDetails, | 16 | MVideoFormattableDetails, |
@@ -187,6 +188,10 @@ declare module 'express' { | |||
187 | actor: MActorAccountChannelId | 188 | actor: MActorAccountChannelId |
188 | } | 189 | } |
189 | 190 | ||
191 | videoFileToken?: { | ||
192 | user: MUserAccountUrl | ||
193 | } | ||
194 | |||
190 | authenticated?: boolean | 195 | authenticated?: boolean |
191 | 196 | ||
192 | registeredPlugin?: RegisteredPlugin | 197 | registeredPlugin?: RegisteredPlugin |