Feature/password protected videos (#5836)

* Add server endpoints

* Refactoring test suites

* Update server and add openapi documentation

* fix compliation and tests

* upload/import password protected video on client

* add server error code

* Add video password to update resolver

* add custom message when sharing pw protected video

* improve confirm component

* Add new alert in component

* Add ability to watch protected video on client

* Cannot have password protected replay privacy

* Add migration

* Add tests

* update after review

* Update check params tests

* Add live videos test

* Add more filter test

* Update static file privacy test

* Update object storage tests

* Add test on feeds

* Add missing word

* Fix tests

* Fix tests on live videos

* add embed support on password protected videos

* fix style

* Correcting data leaks

* Unable to add password protected privacy on replay

* Updated code based on review comments

* fix validator and command

* Updated code based on review comments

1 files changed, 7 insertions, 3 deletions

diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts
index 9c2d890ba..36a94080c 100644
--- a/server/middlewares/validators/static.ts
+++ b/server/middlewares/validators/static.ts
@@ -9,7 +9,7 @@ import { VideoModel } from '@server/models/video/video'
 import { VideoFileModel } from '@server/models/video/video-file'
 import { MStreamingPlaylist, MVideoFile, MVideoThumbnail } from '@server/types/models'
 import { HttpStatusCode } from '@shared/models'
-import { areValidationErrors, checkCanAccessVideoStaticFiles } from './shared'
+import { areValidationErrors, checkCanAccessVideoStaticFiles, isValidVideoPasswordHeader } from './shared'
 
 type LRUValue = {
   allowed: boolean
@@ -25,6 +25,8 @@ const staticFileTokenBypass = new LRUCache<string, LRUValue>({
 const ensureCanAccessVideoPrivateWebTorrentFiles = [
   query('videoFileToken').optional().custom(exists),
 
+  isValidVideoPasswordHeader(),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
@@ -73,6 +75,8 @@ const ensureCanAccessPrivateVideoHLSFiles = [
     .optional()
     .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
 
+  isValidVideoPasswordHeader(),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
@@ -167,11 +171,11 @@ async function isHLSAllowed (req: express.Request, res: express.Response, videoU
 }
 
 function extractTokenOrDie (req: express.Request, res: express.Response) {
-  const token = res.locals.oauth?.token.accessToken || req.query.videoFileToken
+  const token = req.header('x-peertube-video-password') || req.query.videoFileToken || res.locals.oauth?.token.accessToken
 
   if (!token) {
     return res.fail({
-      message: 'Bearer token is missing in headers or video file token is missing in URL query parameters',
+      message: 'Video password header, video file token query parameter and bearer token are all missing', //
       status: HttpStatusCode.FORBIDDEN_403
     })
   }