Feature/password protected videos (#5836)

* Add server endpoints * Refactoring test suites * Update server and add openapi documentation * fix compliation and tests * upload/import password protected video on client * add server error code * Add video password to update resolver * add custom message when sharing pw protected video * improve confirm component * Add new alert in component * Add ability to watch protected video on client * Cannot have password protected replay privacy * Add migration * Add tests * update after review * Update check params tests * Add live videos test * Add more filter test * Update static file privacy test * Update object storage tests * Add test on feeds * Add missing word * Fix tests * Fix tests on live videos * add embed support on password protected videos * fix style * Correcting data leaks * Unable to add password protected privacy on replay * Updated code based on review comments * fix validator and command * Updated code based on review comments
author: Wicklow <123956049+wickloww@users.noreply.github.com> 2023-06-29 07:48:55 +0000
committer: GitHub <noreply@github.com> 2023-06-29 09:48:55 +0200
commit: 40346ead2b0b7afa475aef057d3673b6c7574b7a (patch)
tree: 24ffdc23c3a9d987334842e0d400b5bd44500cf7 /server/middlewares/validators/videos
parent: ae22c59f14d0d553f60b281948b6c232c2aca178 (diff)
download: PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.tar.gz
PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.tar.zst
PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.zip
10 files changed, 160 insertions, 9 deletions
diff --git a/server/middlewares/validators/videos/index.ts b/server/middlewares/validators/videos/index.ts
index d225dfe45..0c824c314 100644
--- a/server/middlewares/validators/videos/index.ts
+++ b/server/middlewares/validators/videos/index.ts
@@ -12,6 +12,8 @@ export * from './video-shares'
 export * from './video-source'
 export * from './video-stats'
 export * from './video-studio'
+export * from './video-token'
 export * from './video-transcoding'
 export * from './videos'
 export * from './video-channel-sync'
+export * from './video-passwords'
diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts
index 72b2febc3..077a58d2e 100644
--- a/server/middlewares/validators/videos/video-captions.ts
+++ b/server/middlewares/validators/videos/video-captions.ts
@@ -10,7 +10,8 @@ import {
  checkUserCanManageVideo,
  doesVideoCaptionExist,
  doesVideoExist,
-  isValidVideoIdParam
+  isValidVideoIdParam,
+  isValidVideoPasswordHeader
 } from '../shared'
 const addVideoCaptionValidator = [
@@ -62,6 +63,8 @@ const deleteVideoCaptionValidator = [
 const listVideoCaptionsValidator = [
  isValidVideoIdParam('videoId'),
+  isValidVideoPasswordHeader(),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 133feb7bd..70689b02e 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -14,7 +14,8 @@ import {
  doesVideoCommentExist,
  doesVideoCommentThreadExist,
  doesVideoExist,
-  isValidVideoIdParam
+  isValidVideoIdParam,
+  isValidVideoPasswordHeader
 } from '../shared'
 const listVideoCommentsValidator = [
@@ -51,6 +52,7 @@ const listVideoCommentsValidator = [
 const listVideoCommentThreadsValidator = [
  isValidVideoIdParam('videoId'),
+  isValidVideoPasswordHeader(),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
@@ -67,6 +69,7 @@ const listVideoThreadCommentsValidator = [
  param('threadId')
    .custom(isIdValid),
+  isValidVideoPasswordHeader(),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
@@ -84,6 +87,7 @@ const addVideoCommentThreadValidator = [
  body('text')
    .custom(isValidVideoCommentText),
+  isValidVideoPasswordHeader(),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
@@ -102,6 +106,7 @@ const addVideoCommentReplyValidator = [
  isValidVideoIdParam('videoId'),
  param('commentId').custom(isIdValid),
+  isValidVideoPasswordHeader(),
  body('text').custom(isValidVideoCommentText),
diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index 72442aeb6..a1cb65b70 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -9,7 +9,11 @@ import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
 import { isVideoImportTargetUrlValid, isVideoImportTorrentFile } from '../../../helpers/custom-validators/video-imports'
-import { isVideoMagnetUriValid, isVideoNameValid } from '../../../helpers/custom-validators/videos'
+import {
+  isValidPasswordProtectedPrivacy,
+  isVideoMagnetUriValid,
+  isVideoNameValid
+} from '../../../helpers/custom-validators/videos'
 import { cleanUpReqFiles } from '../../../helpers/express-utils'
 import { logger } from '../../../helpers/logger'
 import { CONFIG } from '../../../initializers/config'
@@ -38,6 +42,10 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
    .custom(isVideoNameValid).withMessage(
      `Should have a video name between ${CONSTRAINTS_FIELDS.VIDEOS.NAME.min} and ${CONSTRAINTS_FIELDS.VIDEOS.NAME.max} characters long`
    ),
+  body('videoPasswords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const user = res.locals.oauth.token.User
@@ -45,6 +53,8 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
+    if (!isValidPasswordProtectedPrivacy(req, res)) return cleanUpReqFiles(req)
    if (CONFIG.IMPORT.VIDEOS.HTTP.ENABLED !== true && req.body.targetUrl) {
      cleanUpReqFiles(req)
diff --git a/server/middlewares/validators/videos/video-live.ts b/server/middlewares/validators/videos/video-live.ts
index 2aff831a8..ec69a3011 100644
--- a/server/middlewares/validators/videos/video-live.ts
+++ b/server/middlewares/validators/videos/video-live.ts
@@ -17,7 +17,7 @@ import {
  VideoState
 } from '@shared/models'
 import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../../helpers/custom-validators/misc'
-import { isVideoNameValid, isVideoPrivacyValid } from '../../../helpers/custom-validators/videos'
+import { isValidPasswordProtectedPrivacy, isVideoNameValid, isVideoReplayPrivacyValid } from '../../../helpers/custom-validators/videos'
 import { cleanUpReqFiles } from '../../../helpers/express-utils'
 import { logger } from '../../../helpers/logger'
 import { CONFIG } from '../../../initializers/config'
@@ -69,7 +69,7 @@ const videoLiveAddValidator = getCommonVideoEditAttributes().concat([
  body('replaySettings.privacy')
    .optional()
    .customSanitizer(toIntOrNull)
-    .custom(isVideoPrivacyValid),
+    .custom(isVideoReplayPrivacyValid),
  body('permanentLive')
    .optional()
@@ -81,9 +81,16 @@ const videoLiveAddValidator = getCommonVideoEditAttributes().concat([
    .customSanitizer(toIntOrNull)
    .custom(isLiveLatencyModeValid),
+  body('videoPasswords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
+    if (!isValidPasswordProtectedPrivacy(req, res)) return cleanUpReqFiles(req)
    if (CONFIG.LIVE.ENABLED !== true) {
      cleanUpReqFiles(req)
@@ -170,7 +177,7 @@ const videoLiveUpdateValidator = [
  body('replaySettings.privacy')
    .optional()
    .customSanitizer(toIntOrNull)
-    .custom(isVideoPrivacyValid),
+    .custom(isVideoReplayPrivacyValid),
  body('latencyMode')
    .optional()
diff --git a/server/middlewares/validators/videos/video-passwords.ts b/server/middlewares/validators/videos/video-passwords.ts
new file mode 100644
index 000000000..200e496f6
--- /dev/null
+++ b/server/middlewares/validators/videos/video-passwords.ts
@@ -0,0 +1,77 @@
+import express from 'express'
+import {
+  areValidationErrors,
+  doesVideoExist,
+  isVideoPasswordProtected,
+  isValidVideoIdParam,
+  doesVideoPasswordExist,
+  isVideoPasswordDeletable,
+  checkUserCanManageVideo
+} from '../shared'
+import { body, param } from 'express-validator'
+import { isIdValid } from '@server/helpers/custom-validators/misc'
+import { isValidPasswordProtectedPrivacy } from '@server/helpers/custom-validators/videos'
+import { UserRight } from '@shared/models'
+const listVideoPasswordValidator = [
+  isValidVideoIdParam('videoId'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!isVideoPasswordProtected(res)) return
+    // Check if the user who did the request is able to access video password list
+    const user = res.locals.oauth.token.User
+    if (!checkUserCanManageVideo(user, res.locals.videoAll, UserRight.SEE_ALL_VIDEOS, res)) return
+    return next()
+  }
+]
+const updateVideoPasswordListValidator = [
+  body('passwords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!isValidPasswordProtectedPrivacy(req, res)) return
+    // Check if the user who did the request is able to update video passwords
+    const user = res.locals.oauth.token.User
+    if (!checkUserCanManageVideo(user, res.locals.videoAll, UserRight.UPDATE_ANY_VIDEO, res)) return
+    return next()
+  }
+]
+const removeVideoPasswordValidator = [
+  isValidVideoIdParam('videoId'),
+  param('passwordId')
+    .custom(isIdValid),
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await doesVideoExist(req.params.videoId, res)) return
+    if (!isVideoPasswordProtected(res)) return
+    if (!await doesVideoPasswordExist(req.params.passwordId, res)) return
+    if (!await isVideoPasswordDeletable(res)) return
+    return next()
+  }
+]
+// ---------------------------------------------------------------------------
+export {
+  listVideoPasswordValidator,
+  updateVideoPasswordListValidator,
+  removeVideoPasswordValidator
+}
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index c631a16f8..95a5ba63a 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -153,7 +153,7 @@ const videoPlaylistsGetValidator = (fetchType: VideoPlaylistFetchType) => {
      }
      if (videoPlaylist.privacy === VideoPlaylistPrivacy.PRIVATE) {
-        await authenticatePromise(req, res)
+        await authenticatePromise({ req, res })
        const user = res.locals.oauth ? res.locals.oauth.token.User : null
diff --git a/server/middlewares/validators/videos/video-rates.ts b/server/middlewares/validators/videos/video-rates.ts
index 275634d5b..c837b047b 100644
--- a/server/middlewares/validators/videos/video-rates.ts
+++ b/server/middlewares/validators/videos/video-rates.ts
@@ -7,13 +7,14 @@ import { isIdValid } from '../../../helpers/custom-validators/misc'
 import { isRatingValid } from '../../../helpers/custom-validators/video-rates'
 import { isVideoRatingTypeValid } from '../../../helpers/custom-validators/videos'
 import { AccountVideoRateModel } from '../../../models/account/account-video-rate'
-import { areValidationErrors, checkCanSeeVideo, doesVideoExist, isValidVideoIdParam } from '../shared'
+import { areValidationErrors, checkCanSeeVideo, doesVideoExist, isValidVideoIdParam, isValidVideoPasswordHeader } from '../shared'
 const videoUpdateRateValidator = [
  isValidVideoIdParam('id'),
  body('rating')
    .custom(isVideoRatingTypeValid),
+  isValidVideoPasswordHeader(),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return
diff --git a/server/middlewares/validators/videos/video-token.ts b/server/middlewares/validators/videos/video-token.ts
new file mode 100644
index 000000000..d4253e21d
--- /dev/null
+++ b/server/middlewares/validators/videos/video-token.ts
@@ -0,0 +1,24 @@
+import express from 'express'
+import { VideoPrivacy } from '../../../../shared/models/videos'
+import { HttpStatusCode } from '@shared/models'
+import { exists } from '@server/helpers/custom-validators/misc'
+const videoFileTokenValidator = [
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const video = res.locals.onlyVideo
+    if (video.privacy !== VideoPrivacy.PASSWORD_PROTECTED && !exists(res.locals.oauth.token.User)) {
+      return res.fail({
+        status: HttpStatusCode.UNAUTHORIZED_401,
+        message: 'Not authenticated'
+      })
+    }
+    return next()
+  }
+]
+// ---------------------------------------------------------------------------
+export {
+  videoFileTokenValidator
+}
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 794e1d4f1..7f1f39b11 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -23,6 +23,7 @@ import { isBooleanBothQueryValid, isNumberArray, isStringArray } from '../../../
 import {
  areVideoTagsValid,
  isScheduleVideoUpdatePrivacyValid,
+  isValidPasswordProtectedPrivacy,
  isVideoCategoryValid,
  isVideoDescriptionValid,
  isVideoFileMimeTypeValid,
@@ -55,7 +56,8 @@ import {
  doesVideoChannelOfAccountExist,
  doesVideoExist,
  doesVideoFileOfVideoExist,
-  isValidVideoIdParam
+  isValidVideoIdParam,
+  isValidVideoPasswordHeader
 } from '../shared'
 const videosAddLegacyValidator = getCommonVideoEditAttributes().concat([
@@ -70,6 +72,10 @@ const videosAddLegacyValidator = getCommonVideoEditAttributes().concat([
  body('channelId')
    .customSanitizer(toIntOrNull)
    .custom(isIdValid),
+  body('videoPasswords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
@@ -81,6 +87,8 @@ const videosAddLegacyValidator = getCommonVideoEditAttributes().concat([
      return cleanUpReqFiles(req)
    }
+    if (!isValidPasswordProtectedPrivacy(req, res)) return cleanUpReqFiles(req)
    try {
      if (!videoFile.duration) await addDurationToVideo(videoFile)
    } catch (err) {
@@ -174,6 +182,10 @@ const videosAddResumableInitValidator = getCommonVideoEditAttributes().concat([
  body('channelId')
    .customSanitizer(toIntOrNull)
    .custom(isIdValid),
+  body('videoPasswords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
  header('x-upload-content-length')
    .isNumeric()
@@ -205,6 +217,8 @@ const videosAddResumableInitValidator = getCommonVideoEditAttributes().concat([
    const files = { videofile: [ videoFileMetadata ] }
    if (!await commonVideoChecksPass({ req, res, user, videoFileSize: videoFileMetadata.size, files })) return cleanup()
+    if (!isValidPasswordProtectedPrivacy(req, res)) return cleanup()
    // multer required unsetting the Content-Type, now we can set it for node-uploadx
    req.headers['content-type'] = 'application/json; charset=utf-8'
    // place previewfile in metadata so that uploadx saves it in .META
@@ -227,12 +241,18 @@ const videosUpdateValidator = getCommonVideoEditAttributes().concat([
    .optional()
    .customSanitizer(toIntOrNull)
    .custom(isIdValid),
+  body('videoPasswords')
+    .optional()
+    .isArray()
+    .withMessage('Video passwords should be an array.'),
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return cleanUpReqFiles(req)
    if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
    if (!await doesVideoExist(req.params.id, res)) return cleanUpReqFiles(req)
+    if (!isValidPasswordProtectedPrivacy(req, res)) return cleanUpReqFiles(req)
    const video = getVideoWithAttributes(res)
    if (video.isLive && video.privacy !== req.body.privacy && video.state !== VideoState.WAITING_FOR_LIVE) {
      return res.fail({ message: 'Cannot update privacy of a live that has already started' })
@@ -281,6 +301,8 @@ const videosCustomGetValidator = (fetchType: 'for-api' | 'all' | 'only-video' |
  return [
    isValidVideoIdParam('id'),
+    isValidVideoPasswordHeader(),
    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
      if (areValidationErrors(req, res)) return
      if (!await doesVideoExist(req.params.id, res, fetchType)) return
author	Wicklow <123956049+wickloww@users.noreply.github.com>	2023-06-29 07:48:55 +0000
committer	GitHub <noreply@github.com>	2023-06-29 09:48:55 +0200
commit	40346ead2b0b7afa475aef057d3673b6c7574b7a (patch)
tree	24ffdc23c3a9d987334842e0d400b5bd44500cf7 /server/middlewares/validators/videos
parent	ae22c59f14d0d553f60b281948b6c232c2aca178 (diff)
download	PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.tar.gz PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.tar.zst PeerTube-40346ead2b0b7afa475aef057d3673b6c7574b7a.zip