Feature/password protected videos (#5836)

* Add server endpoints

* Refactoring test suites

* Update server and add openapi documentation

* fix compliation and tests

* upload/import password protected video on client

* add server error code

* Add video password to update resolver

* add custom message when sharing pw protected video

* improve confirm component

* Add new alert in component

* Add ability to watch protected video on client

* Cannot have password protected replay privacy

* Add migration

* Add tests

* update after review

* Update check params tests

* Add live videos test

* Add more filter test

* Update static file privacy test

* Update object storage tests

* Add test on feeds

* Add missing word

* Fix tests

* Fix tests on live videos

* add embed support on password protected videos

* fix style

* Correcting data leaks

* Unable to add password protected privacy on replay

* Updated code based on review comments

* fix validator and command

* Updated code based on review comments

4 files changed, 47 insertions, 20 deletions

diff --git a/client/src/assets/player/shared/manager-options/hls-options-builder.ts b/client/src/assets/player/shared/manager-options/hls-options-builder.ts
index 194991fa4..8091110bc 100644
--- a/client/src/assets/player/shared/manager-options/hls-options-builder.ts
+++ b/client/src/assets/player/shared/manager-options/hls-options-builder.ts
@@ -31,7 +31,7 @@ export class HLSOptionsBuilder {
     const loader = new this.p2pMediaLoaderModule.Engine(p2pMediaLoaderConfig).createLoaderClass() as P2PMediaLoader
 
     const p2pMediaLoader: P2PMediaLoaderPluginOptions = {
-      requiresAuth: commonOptions.requiresAuth,
+      requiresUserAuth: commonOptions.requiresUserAuth,
       videoFileToken: commonOptions.videoFileToken,
 
       redundancyUrlManager,
@@ -88,17 +88,24 @@ export class HLSOptionsBuilder {
         httpFailedSegmentTimeout: 1000,
 
         xhrSetup: (xhr, url) => {
-          if (!this.options.common.requiresAuth) return
+          const { requiresUserAuth, requiresPassword } = this.options.common
+
+          if (!(requiresUserAuth || requiresPassword)) return
+
           if (!isSameOrigin(this.options.common.serverUrl, url)) return
 
-          xhr.setRequestHeader('Authorization', this.options.common.authorizationHeader())
+          if (requiresPassword) xhr.setRequestHeader('x-peertube-video-password', this.options.common.videoPassword())
+
+          else xhr.setRequestHeader('Authorization', this.options.common.authorizationHeader())
         },
 
         segmentValidator: segmentValidatorFactory({
           segmentsSha256Url: this.options.p2pMediaLoader.segmentsSha256Url,
           authorizationHeader: this.options.common.authorizationHeader,
-          requiresAuth: this.options.common.requiresAuth,
-          serverUrl: this.options.common.serverUrl
+          requiresUserAuth: this.options.common.requiresUserAuth,
+          serverUrl: this.options.common.serverUrl,
+          requiresPassword: this.options.common.requiresPassword,
+          videoPassword: this.options.common.videoPassword
         }),
 
         segmentUrlBuilder: segmentUrlBuilderFactory(redundancyUrlManager),
diff --git a/client/src/assets/player/shared/manager-options/webtorrent-options-builder.ts b/client/src/assets/player/shared/manager-options/webtorrent-options-builder.ts
index b5bdcd4e6..80eec02cf 100644
--- a/client/src/assets/player/shared/manager-options/webtorrent-options-builder.ts
+++ b/client/src/assets/player/shared/manager-options/webtorrent-options-builder.ts
@@ -26,10 +26,10 @@ export class WebTorrentOptionsBuilder {
 
       videoFileToken: commonOptions.videoFileToken,
 
-      requiresAuth: commonOptions.requiresAuth,
+      requiresUserAuth: commonOptions.requiresUserAuth,
 
       buildWebSeedUrls: file => {
-        if (!commonOptions.requiresAuth) return []
+        if (!commonOptions.requiresUserAuth && !commonOptions.requiresPassword) return []
 
         return [ addQueryParams(file.fileUrl, { videoFileToken: commonOptions.videoFileToken() }) ]
       },
diff --git a/client/src/assets/player/shared/p2p-media-loader/segment-validator.ts b/client/src/assets/player/shared/p2p-media-loader/segment-validator.ts
index 44a31bfb4..e86d3d159 100644
--- a/client/src/assets/player/shared/p2p-media-loader/segment-validator.ts
+++ b/client/src/assets/player/shared/p2p-media-loader/segment-validator.ts
@@ -13,11 +13,20 @@ function segmentValidatorFactory (options: {
   serverUrl: string
   segmentsSha256Url: string
   authorizationHeader: () => string
-  requiresAuth: boolean
+  requiresUserAuth: boolean
+  requiresPassword: boolean
+  videoPassword: () => string
 }) {
-  const { serverUrl, segmentsSha256Url, authorizationHeader, requiresAuth } = options
-
-  let segmentsJSON = fetchSha256Segments({ serverUrl, segmentsSha256Url, authorizationHeader, requiresAuth })
+  const { serverUrl, segmentsSha256Url, authorizationHeader, requiresUserAuth, requiresPassword, videoPassword } = options
+
+  let segmentsJSON = fetchSha256Segments({
+    serverUrl,
+    segmentsSha256Url,
+    authorizationHeader,
+    requiresUserAuth,
+    requiresPassword,
+    videoPassword
+  })
   const regex = /bytes=(\d+)-(\d+)/
 
   return async function segmentValidator (segment: Segment, _method: string, _peerId: string, retry = 1) {
@@ -34,7 +43,14 @@ function segmentValidatorFactory (options: {
 
       await wait(500)
 
-      segmentsJSON = fetchSha256Segments({ serverUrl, segmentsSha256Url, authorizationHeader, requiresAuth })
+      segmentsJSON = fetchSha256Segments({
+        serverUrl,
+        segmentsSha256Url,
+        authorizationHeader,
+        requiresUserAuth,
+        requiresPassword,
+        videoPassword
+      })
       await segmentValidator(segment, _method, _peerId, retry + 1)
 
       return
@@ -78,13 +94,17 @@ function fetchSha256Segments (options: {
   serverUrl: string
   segmentsSha256Url: string
   authorizationHeader: () => string
-  requiresAuth: boolean
+  requiresUserAuth: boolean
+  requiresPassword: boolean
+  videoPassword: () => string
 }): Promise<SegmentsJSON> {
-  const { serverUrl, segmentsSha256Url, requiresAuth, authorizationHeader } = options
+  const { serverUrl, segmentsSha256Url, requiresUserAuth, authorizationHeader, requiresPassword, videoPassword } = options
 
-  const headers = requiresAuth && isSameOrigin(serverUrl, segmentsSha256Url)
-    ? { Authorization: authorizationHeader() }
-    : {}
+  let headers: { [ id: string ]: string } = {}
+  if (isSameOrigin(serverUrl, segmentsSha256Url)) {
+    if (requiresPassword) headers = { 'x-peertube-video-password': videoPassword() }
+    else if (requiresUserAuth) headers = { Authorization: authorizationHeader() }
+  }
 
   return fetch(segmentsSha256Url, { headers })
     .then(res => res.json() as Promise<SegmentsJSON>)
diff --git a/client/src/assets/player/shared/webtorrent/webtorrent-plugin.ts b/client/src/assets/player/shared/webtorrent/webtorrent-plugin.ts
index 3dde44a60..e2e220c03 100644
--- a/client/src/assets/player/shared/webtorrent/webtorrent-plugin.ts
+++ b/client/src/assets/player/shared/webtorrent/webtorrent-plugin.ts
@@ -59,7 +59,7 @@ class WebTorrentPlugin extends Plugin {
   private isAutoResolutionObservation = false
   private playerRefusedP2P = false
 
-  private requiresAuth: boolean
+  private requiresUserAuth: boolean
   private videoFileToken: () => string
 
   private torrentInfoInterval: any
@@ -86,7 +86,7 @@ class WebTorrentPlugin extends Plugin {
     this.savePlayerSrcFunction = this.player.src
     this.playerElement = options.playerElement
 
-    this.requiresAuth = options.requiresAuth
+    this.requiresUserAuth = options.requiresUserAuth
     this.videoFileToken = options.videoFileToken
 
     this.buildWebSeedUrls = options.buildWebSeedUrls
@@ -546,7 +546,7 @@ class WebTorrentPlugin extends Plugin {
 
     let httpUrl = this.currentVideoFile.fileUrl
 
-    if (this.requiresAuth && this.videoFileToken) {
+    if (this.videoFileToken) {
       httpUrl = addQueryParams(httpUrl, { videoFileToken: this.videoFileToken() })
     }