Put private videos under a specific subdirectory

1 files changed, 40 insertions, 14 deletions

diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index e3a98c58f..c29751eca 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,7 +1,7 @@
 import { Request, Response } from 'express'
-import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
+import { VideoTokensManager } from '@server/lib/video-tokens-manager'
 import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
@@ -108,26 +108,21 @@ async function checkCanSeeVideo (options: {
   res: Response
   paramId: string
   video: MVideo
-  authenticateInQuery?: boolean // default false
 }) {
-  const { req, res, video, paramId, authenticateInQuery = false } = options
+  const { req, res, video, paramId } = options
 
-  if (video.requiresAuth()) {
-    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  if (video.requiresAuth(paramId)) {
+    return checkCanSeeAuthVideo(req, res, video)
   }
 
-  if (video.privacy === VideoPrivacy.UNLISTED) {
-    if (isUUIDValid(paramId)) return true
-
-    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  if (video.privacy === VideoPrivacy.UNLISTED || video.privacy === VideoPrivacy.PUBLIC) {
+    return true
   }
 
-  if (video.privacy === VideoPrivacy.PUBLIC) return true
-
-  throw new Error('Fatal error when checking video right ' + video.url)
+  throw new Error('Unknown video privacy when checking video right ' + video.url)
 }
 
-async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) {
+async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights) {
   const fail = () => {
     res.fail({
       status: HttpStatusCode.FORBIDDEN_403,
@@ -137,7 +132,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
     return false
   }
 
-  await authenticatePromise(req, res, authenticateInQuery)
+  await authenticatePromise(req, res)
 
   const user = res.locals.oauth?.token.User
   if (!user) return fail()
@@ -173,6 +168,36 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
 
 // ---------------------------------------------------------------------------
 
+async function checkCanAccessVideoStaticFiles (options: {
+  video: MVideo
+  req: Request
+  res: Response
+  paramId: string
+}) {
+  const { video, req, res, paramId } = options
+
+  if (res.locals.oauth?.token.User) {
+    return checkCanSeeVideo(options)
+  }
+
+  if (!video.requiresAuth(paramId)) return true
+
+  const videoFileToken = req.query.videoFileToken
+  if (!videoFileToken) {
+    res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    return false
+  }
+
+  if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
+    return true
+  }
+
+  res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+  return false
+}
+
+// ---------------------------------------------------------------------------
+
 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
   // Retrieve the user who did the request
   if (onlyOwned && video.isOwned() === false) {
@@ -220,6 +245,7 @@ export {
   doesVideoExist,
   doesVideoFileOfVideoExist,
 
+  checkCanAccessVideoStaticFiles,
   checkUserCanManageVideo,
   checkCanSeeVideo,
   checkUserQuota