Fix private video download

2 files changed, 10 insertions, 8 deletions

diff --git a/server/middlewares/oauth.ts b/server/middlewares/oauth.ts
index 77fb305dd..bb90dac47 100644
--- a/server/middlewares/oauth.ts
+++ b/server/middlewares/oauth.ts
@@ -12,8 +12,10 @@ const oAuthServer = new OAuthServer({
   model: require('../lib/oauth-model')
 })
 
-function authenticate (req: express.Request, res: express.Response, next: express.NextFunction) {
-  oAuthServer.authenticate()(req, res, err => {
+function authenticate (req: express.Request, res: express.Response, next: express.NextFunction, authenticateInQuery = false) {
+  const options = authenticateInQuery ? { allowBearerTokensInQueryString: true } : {}
+
+  oAuthServer.authenticate(options)(req, res, err => {
     if (err) {
       logger.warn('Cannot authenticate.', { err })
 
@@ -50,16 +52,14 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
     })
 }
 
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response) {
+function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
   return new Promise(resolve => {
     // Already authenticated? (or tried to)
     if (res.locals.oauth && res.locals.oauth.token.User) return resolve()
 
     if (res.locals.authenticated === false) return res.sendStatus(401)
 
-    authenticate(req, res, () => {
-      return resolve()
-    })
+    authenticate(req, res, () => resolve(), authenticateInQuery)
   })
 }
 
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 53a2f193d..ab984d84a 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -147,7 +147,7 @@ async function checkVideoFollowConstraints (req: express.Request, res: express.R
             })
 }
 
-const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-with-rights') => {
+const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-with-rights', authenticateInQuery = false) => {
   return [
     param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
 
@@ -162,7 +162,7 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-
 
       // Video private or blacklisted
       if (video.privacy === VideoPrivacy.PRIVATE || videoAll.VideoBlacklist) {
-        await authenticatePromiseIfNeeded(req, res)
+        await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
 
         const user = res.locals.oauth ? res.locals.oauth.token.User : null
 
@@ -193,6 +193,7 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-
 }
 
 const videosGetValidator = videosCustomGetValidator('all')
+const videosDownloadValidator = videosCustomGetValidator('all', true)
 
 const videosRemoveValidator = [
   param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -407,6 +408,7 @@ export {
   videosAddValidator,
   videosUpdateValidator,
   videosGetValidator,
+  videosDownloadValidator,
   checkVideoFollowConstraints,
   videosCustomGetValidator,
   videosRemoveValidator,