Feature/password protected videos (#5836)

* Add server endpoints

* Refactoring test suites

* Update server and add openapi documentation

* fix compliation and tests

* upload/import password protected video on client

* add server error code

* Add video password to update resolver

* add custom message when sharing pw protected video

* improve confirm component

* Add new alert in component

* Add ability to watch protected video on client

* Cannot have password protected replay privacy

* Add migration

* Add tests

* update after review

* Update check params tests

* Add live videos test

* Add more filter test

* Update static file privacy test

* Update object storage tests

* Add test on feeds

* Add missing word

* Fix tests

* Fix tests on live videos

* add embed support on password protected videos

* fix style

* Correcting data leaks

* Unable to add password protected privacy on replay

* Updated code based on review comments

* fix validator and command

* Updated code based on review comments

1 files changed, 80 insertions, 0 deletions

diff --git a/server/middlewares/validators/shared/video-passwords.ts b/server/middlewares/validators/shared/video-passwords.ts
new file mode 100644
index 000000000..efcc95dc4
--- /dev/null
+++ b/server/middlewares/validators/shared/video-passwords.ts
@@ -0,0 +1,80 @@
+import express from 'express'
+import { HttpStatusCode, UserRight, VideoPrivacy } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
+import { VideoPasswordModel } from '@server/models/video/video-password'
+import { header } from 'express-validator'
+import { getVideoWithAttributes } from '@server/helpers/video'
+
+function isValidVideoPasswordHeader () {
+  return header('x-peertube-video-password')
+    .optional()
+    .isString()
+}
+
+function checkVideoIsPasswordProtected (res: express.Response) {
+  const video = getVideoWithAttributes(res)
+  if (video.privacy !== VideoPrivacy.PASSWORD_PROTECTED) {
+    res.fail({
+      status: HttpStatusCode.BAD_REQUEST_400,
+      message: 'Video is not password protected'
+    })
+    return false
+  }
+
+  return true
+}
+
+async function doesVideoPasswordExist (idArg: number | string, res: express.Response) {
+  const video = getVideoWithAttributes(res)
+  const id = forceNumber(idArg)
+  const videoPassword = await VideoPasswordModel.loadByIdAndVideo({ id, videoId: video.id })
+
+  if (!videoPassword) {
+    res.fail({
+      status: HttpStatusCode.NOT_FOUND_404,
+      message: 'Video password not found'
+    })
+    return false
+  }
+
+  res.locals.videoPassword = videoPassword
+
+  return true
+}
+
+async function isVideoPasswordDeletable (res: express.Response) {
+  const user = res.locals.oauth.token.User
+  const userAccount = user.Account
+  const video = res.locals.videoAll
+
+  // Check if the user who did the request is able to delete the video passwords
+  if (
+    user.hasRight(UserRight.UPDATE_ANY_VIDEO) === false && // Not a moderator
+    video.VideoChannel.accountId !== userAccount.id // Not the video owner
+  ) {
+    res.fail({
+      status: HttpStatusCode.FORBIDDEN_403,
+      message: 'Cannot remove passwords of another user\'s video'
+    })
+    return false
+  }
+
+  const passwordCount = await VideoPasswordModel.countByVideoId(video.id)
+
+  if (passwordCount <= 1) {
+    res.fail({
+      status: HttpStatusCode.BAD_REQUEST_400,
+      message: 'Cannot delete the last password of the protected video'
+    })
+    return false
+  }
+
+  return true
+}
+
+export {
+  isValidVideoPasswordHeader,
+  checkVideoIsPasswordProtected as isVideoPasswordProtected,
+  doesVideoPasswordExist,
+  isVideoPasswordDeletable
+}