diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-12-20 09:15:49 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-12-20 09:15:49 +0100 |
| commit | 868314e8bf6bcc325b0fea35887071ef0614a46d (patch) | |
| tree | 2f46353e3a44ed6db3068d1d1e4f3b472fdd3869 | |
| parent | 93293ca7887e34fd9b6413fdaeea3d1dddc46ece (diff) | |
| download | PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.tar.gz PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.tar.zst PeerTube-868314e8bf6bcc325b0fea35887071ef0614a46d.zip | |
Add ability to get user from file token
| -rw-r--r-- | server/controllers/api/videos/token.ts | 2 | ||||
| -rw-r--r-- | server/lib/plugins/plugin-helpers-builder.ts | 2 | ||||
| -rw-r--r-- | server/lib/video-tokens-manager.ts | 22 | ||||
| -rw-r--r-- | server/middlewares/validators/shared/videos.ts | 12 | ||||
| -rw-r--r-- | server/tests/fixtures/peertube-plugin-test/main.js | 5 | ||||
| -rw-r--r-- | server/tests/plugins/filter-hooks.ts | 47 | ||||
| -rw-r--r-- | server/types/express.d.ts | 5 |
7 files changed, 64 insertions, 31 deletions
diff --git a/server/controllers/api/videos/token.ts b/server/controllers/api/videos/token.ts index 009b6dfb6..22387c3e8 100644 --- a/server/controllers/api/videos/token.ts +++ b/server/controllers/api/videos/token.ts | |||
| @@ -22,7 +22,7 @@ export { | |||
| 22 | function generateToken (req: express.Request, res: express.Response) { | 22 | function generateToken (req: express.Request, res: express.Response) { |
| 23 | const video = res.locals.onlyVideo | 23 | const video = res.locals.onlyVideo |
| 24 | 24 | ||
| 25 | const { token, expires } = VideoTokensManager.Instance.create(video.uuid) | 25 | const { token, expires } = VideoTokensManager.Instance.create({ videoUUID: video.uuid, user: res.locals.oauth.token.User }) |
| 26 | 26 | ||
| 27 | return res.json({ | 27 | return res.json({ |
| 28 | files: { | 28 | files: { |
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts index 7b1def6e3..e75c0b994 100644 --- a/server/lib/plugins/plugin-helpers-builder.ts +++ b/server/lib/plugins/plugin-helpers-builder.ts | |||
| @@ -245,7 +245,7 @@ function buildUserHelpers () { | |||
| 245 | }, | 245 | }, |
| 246 | 246 | ||
| 247 | getAuthUser: (res: express.Response) => { | 247 | getAuthUser: (res: express.Response) => { |
| 248 | const user = res.locals.oauth?.token?.User | 248 | const user = res.locals.oauth?.token?.User || res.locals.videoFileToken?.user |
| 249 | if (!user) return undefined | 249 | if (!user) return undefined |
| 250 | 250 | ||
| 251 | return UserModel.loadByIdFull(user.id) | 251 | return UserModel.loadByIdFull(user.id) |
diff --git a/server/lib/video-tokens-manager.ts b/server/lib/video-tokens-manager.ts index c43085d16..17aa29cdd 100644 --- a/server/lib/video-tokens-manager.ts +++ b/server/lib/video-tokens-manager.ts | |||
| @@ -1,5 +1,7 @@ | |||
| 1 | import LRUCache from 'lru-cache' | 1 | import LRUCache from 'lru-cache' |
| 2 | import { LRU_CACHE } from '@server/initializers/constants' | 2 | import { LRU_CACHE } from '@server/initializers/constants' |
| 3 | import { MUserAccountUrl } from '@server/types/models' | ||
| 4 | import { pick } from '@shared/core-utils' | ||
| 3 | import { buildUUID } from '@shared/extra-utils' | 5 | import { buildUUID } from '@shared/extra-utils' |
| 4 | 6 | ||
| 5 | // --------------------------------------------------------------------------- | 7 | // --------------------------------------------------------------------------- |
| @@ -10,19 +12,22 @@ class VideoTokensManager { | |||
| 10 | 12 | ||
| 11 | private static instance: VideoTokensManager | 13 | private static instance: VideoTokensManager |
| 12 | 14 | ||
| 13 | private readonly lruCache = new LRUCache<string, string>({ | 15 | private readonly lruCache = new LRUCache<string, { videoUUID: string, user: MUserAccountUrl }>({ |
| 14 | max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE, | 16 | max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE, |
| 15 | ttl: LRU_CACHE.VIDEO_TOKENS.TTL | 17 | ttl: LRU_CACHE.VIDEO_TOKENS.TTL |
| 16 | }) | 18 | }) |
| 17 | 19 | ||
| 18 | private constructor () {} | 20 | private constructor () {} |
| 19 | 21 | ||
| 20 | create (videoUUID: string) { | 22 | create (options: { |
| 23 | user: MUserAccountUrl | ||
| 24 | videoUUID: string | ||
| 25 | }) { | ||
| 21 | const token = buildUUID() | 26 | const token = buildUUID() |
| 22 | 27 | ||
| 23 | const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL) | 28 | const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL) |
| 24 | 29 | ||
| 25 | this.lruCache.set(token, videoUUID) | 30 | this.lruCache.set(token, pick(options, [ 'user', 'videoUUID' ])) |
| 26 | 31 | ||
| 27 | return { token, expires } | 32 | return { token, expires } |
| 28 | } | 33 | } |
| @@ -34,7 +39,16 @@ class VideoTokensManager { | |||
| 34 | const value = this.lruCache.get(options.token) | 39 | const value = this.lruCache.get(options.token) |
| 35 | if (!value) return false | 40 | if (!value) return false |
| 36 | 41 | ||
| 37 | return value === options.videoUUID | 42 | return value.videoUUID === options.videoUUID |
| 43 | } | ||
| 44 | |||
| 45 | getUserFromToken (options: { | ||
| 46 | token: string | ||
| 47 | }) { | ||
| 48 | const value = this.lruCache.get(options.token) | ||
| 49 | if (!value) return undefined | ||
| 50 | |||
| 51 | return value.user | ||
| 38 | } | 52 | } |
| 39 | 53 | ||
| 40 | static get Instance () { | 54 | static get Instance () { |
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts index ebbfc0a0a..0033a32ff 100644 --- a/server/middlewares/validators/shared/videos.ts +++ b/server/middlewares/validators/shared/videos.ts | |||
| @@ -180,18 +180,16 @@ async function checkCanAccessVideoStaticFiles (options: { | |||
| 180 | return checkCanSeeVideo(options) | 180 | return checkCanSeeVideo(options) |
| 181 | } | 181 | } |
| 182 | 182 | ||
| 183 | if (!video.hasPrivateStaticPath()) return true | ||
| 184 | |||
| 185 | const videoFileToken = req.query.videoFileToken | 183 | const videoFileToken = req.query.videoFileToken |
| 186 | if (!videoFileToken) { | 184 | if (videoFileToken && VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) { |
| 187 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) | 185 | const user = VideoTokensManager.Instance.getUserFromToken({ token: videoFileToken }) |
| 188 | return false | ||
| 189 | } | ||
| 190 | 186 | ||
| 191 | if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) { | 187 | res.locals.videoFileToken = { user } |
| 192 | return true | 188 | return true |
| 193 | } | 189 | } |
| 194 | 190 | ||
| 191 | if (!video.hasPrivateStaticPath()) return true | ||
| 192 | |||
| 195 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) | 193 | res.sendStatus(HttpStatusCode.FORBIDDEN_403) |
| 196 | return false | 194 | return false |
| 197 | } | 195 | } |
diff --git a/server/tests/fixtures/peertube-plugin-test/main.js b/server/tests/fixtures/peertube-plugin-test/main.js index 19dccf26e..19ba9f278 100644 --- a/server/tests/fixtures/peertube-plugin-test/main.js +++ b/server/tests/fixtures/peertube-plugin-test/main.js | |||
| @@ -250,7 +250,10 @@ async function register ({ registerHook, registerSetting, settingsManager, stora | |||
| 250 | 250 | ||
| 251 | registerHook({ | 251 | registerHook({ |
| 252 | target: 'filter:api.download.video.allowed.result', | 252 | target: 'filter:api.download.video.allowed.result', |
| 253 | handler: (result, params) => { | 253 | handler: async (result, params) => { |
| 254 | const loggedInUser = await peertubeHelpers.user.getAuthUser(params.res) | ||
| 255 | if (loggedInUser) return { allowed: true } | ||
| 256 | |||
| 254 | if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) { | 257 | if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) { |
| 255 | return { allowed: false, errorMessage: 'Cao Cao' } | 258 | return { allowed: false, errorMessage: 'Cao Cao' } |
| 256 | } | 259 | } |
diff --git a/server/tests/plugins/filter-hooks.ts b/server/tests/plugins/filter-hooks.ts index 083fd43ca..6724b3bf8 100644 --- a/server/tests/plugins/filter-hooks.ts +++ b/server/tests/plugins/filter-hooks.ts | |||
| @@ -430,6 +430,7 @@ describe('Test plugin filter hooks', function () { | |||
| 430 | 430 | ||
| 431 | describe('Download hooks', function () { | 431 | describe('Download hooks', function () { |
| 432 | const downloadVideos: VideoDetails[] = [] | 432 | const downloadVideos: VideoDetails[] = [] |
| 433 | let downloadVideo2Token: string | ||
| 433 | 434 | ||
| 434 | before(async function () { | 435 | before(async function () { |
| 435 | this.timeout(120000) | 436 | this.timeout(120000) |
| @@ -459,6 +460,8 @@ describe('Test plugin filter hooks', function () { | |||
| 459 | for (const uuid of uuids) { | 460 | for (const uuid of uuids) { |
| 460 | downloadVideos.push(await servers[0].videos.get({ id: uuid })) | 461 | downloadVideos.push(await servers[0].videos.get({ id: uuid })) |
| 461 | } | 462 | } |
| 463 | |||
| 464 | downloadVideo2Token = await servers[0].videoToken.getVideoFileToken({ videoId: downloadVideos[2].uuid }) | ||
| 462 | }) | 465 | }) |
| 463 | 466 | ||
| 464 | it('Should run filter:api.download.torrent.allowed.result', async function () { | 467 | it('Should run filter:api.download.torrent.allowed.result', async function () { |
| @@ -471,32 +474,42 @@ describe('Test plugin filter hooks', function () { | |||
| 471 | 474 | ||
| 472 | it('Should run filter:api.download.video.allowed.result', async function () { | 475 | it('Should run filter:api.download.video.allowed.result', async function () { |
| 473 | { | 476 | { |
| 474 | const res = await makeRawRequest({ url: downloadVideos[1].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | 477 | const refused = downloadVideos[1].files[0].fileDownloadUrl |
| 478 | const allowed = [ | ||
| 479 | downloadVideos[0].files[0].fileDownloadUrl, | ||
| 480 | downloadVideos[2].files[0].fileDownloadUrl | ||
| 481 | ] | ||
| 482 | |||
| 483 | const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
| 475 | expect(res.body.error).to.equal('Cao Cao') | 484 | expect(res.body.error).to.equal('Cao Cao') |
| 476 | 485 | ||
| 477 | await makeRawRequest({ url: downloadVideos[0].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 486 | for (const url of allowed) { |
| 478 | await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 487 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) |
| 488 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) | ||
| 489 | } | ||
| 479 | } | 490 | } |
| 480 | 491 | ||
| 481 | { | 492 | { |
| 482 | const res = await makeRawRequest({ | 493 | const refused = downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl |
| 483 | url: downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl, | ||
| 484 | expectedStatus: HttpStatusCode.FORBIDDEN_403 | ||
| 485 | }) | ||
| 486 | 494 | ||
| 487 | expect(res.body.error).to.equal('Sun Jian') | 495 | const allowed = [ |
| 496 | downloadVideos[2].files[0].fileDownloadUrl, | ||
| 497 | downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl, | ||
| 498 | downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl | ||
| 499 | ] | ||
| 488 | 500 | ||
| 489 | await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) | 501 | // Only streaming playlist is refuse |
| 502 | const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
| 503 | expect(res.body.error).to.equal('Sun Jian') | ||
| 490 | 504 | ||
| 491 | await makeRawRequest({ | 505 | // But not we there is a user in res |
| 492 | url: downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl, | 506 | await makeRawRequest({ url: refused, token: servers[0].accessToken, expectedStatus: HttpStatusCode.OK_200 }) |
| 493 | expectedStatus: HttpStatusCode.OK_200 | 507 | await makeRawRequest({ url: refused, query: { videoFileToken: downloadVideo2Token }, expectedStatus: HttpStatusCode.OK_200 }) |
| 494 | }) | ||
| 495 | 508 | ||
| 496 | await makeRawRequest({ | 509 | // Other files work |
| 497 | url: downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl, | 510 | for (const url of allowed) { |
| 498 | expectedStatus: HttpStatusCode.OK_200 | 511 | await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 }) |
| 499 | }) | 512 | } |
| 500 | } | 513 | } |
| 501 | }) | 514 | }) |
| 502 | }) | 515 | }) |
diff --git a/server/types/express.d.ts b/server/types/express.d.ts index 3738ffc47..99244d2a0 100644 --- a/server/types/express.d.ts +++ b/server/types/express.d.ts | |||
| @@ -10,6 +10,7 @@ import { | |||
| 10 | MChannelBannerAccountDefault, | 10 | MChannelBannerAccountDefault, |
| 11 | MChannelSyncChannel, | 11 | MChannelSyncChannel, |
| 12 | MStreamingPlaylist, | 12 | MStreamingPlaylist, |
| 13 | MUserAccountUrl, | ||
| 13 | MVideoChangeOwnershipFull, | 14 | MVideoChangeOwnershipFull, |
| 14 | MVideoFile, | 15 | MVideoFile, |
| 15 | MVideoFormattableDetails, | 16 | MVideoFormattableDetails, |
| @@ -187,6 +188,10 @@ declare module 'express' { | |||
| 187 | actor: MActorAccountChannelId | 188 | actor: MActorAccountChannelId |
| 188 | } | 189 | } |
| 189 | 190 | ||
| 191 | videoFileToken?: { | ||
| 192 | user: MUserAccountUrl | ||
| 193 | } | ||
| 194 | |||
| 190 | authenticated?: boolean | 195 | authenticated?: boolean |
| 191 | 196 | ||
| 192 | registeredPlugin?: RegisteredPlugin | 197 | registeredPlugin?: RegisteredPlugin |