Feature/password protected videos (#5836)

* Add server endpoints

* Refactoring test suites

* Update server and add openapi documentation

* fix compliation and tests

* upload/import password protected video on client

* add server error code

* Add video password to update resolver

* add custom message when sharing pw protected video

* improve confirm component

* Add new alert in component

* Add ability to watch protected video on client

* Cannot have password protected replay privacy

* Add migration

* Add tests

* update after review

* Update check params tests

* Add live videos test

* Add more filter test

* Update static file privacy test

* Update object storage tests

* Add test on feeds

* Add missing word

* Fix tests

* Fix tests on live videos

* add embed support on password protected videos

* fix style

* Correcting data leaks

* Unable to add password protected privacy on replay

* Updated code based on review comments

* fix validator and command

* Updated code based on review comments

9 files changed, 1023 insertions, 29 deletions

diff --git a/server/tests/api/check-params/live.ts b/server/tests/api/check-params/live.ts
index 2dc735c23..406a96824 100644
--- a/server/tests/api/check-params/live.ts
+++ b/server/tests/api/check-params/live.ts
@@ -143,7 +143,7 @@ describe('Test video lives API validator', function () {
     })
 
     it('Should fail with a bad privacy for replay settings', async function () {
-      const fields = { ...baseCorrectParams, replaySettings: { privacy: 5 } }
+      const fields = { ...baseCorrectParams, saveReplay: true, replaySettings: { privacy: 999 } }
 
       await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
     })
@@ -472,7 +472,7 @@ describe('Test video lives API validator', function () {
     })
 
     it('Should fail with a bad privacy for replay settings', async function () {
-      const fields = { saveReplay: true, replaySettings: { privacy: 5 } }
+      const fields = { saveReplay: true, replaySettings: { privacy: 999 } }
 
       await command.update({ videoId: video.id, fields, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
     })
diff --git a/server/tests/api/check-params/video-passwords.ts b/server/tests/api/check-params/video-passwords.ts
new file mode 100644
index 000000000..4e936b5d2
--- /dev/null
+++ b/server/tests/api/check-params/video-passwords.ts
@@ -0,0 +1,609 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import {
+  FIXTURE_URLS,
+  checkBadCountPagination,
+  checkBadSortPagination,
+  checkBadStartPagination,
+  checkUploadVideoParam
+} from '@server/tests/shared'
+import { root } from '@shared/core-utils'
+import {
+  HttpStatusCode,
+  PeerTubeProblemDocument,
+  ServerErrorCode,
+  VideoCreateResult,
+  VideoPrivacy
+} from '@shared/models'
+import {
+  cleanupTests,
+  createSingleServer,
+  makePostBodyRequest,
+  PeerTubeServer,
+  setAccessTokensToServers
+} from '@shared/server-commands'
+import { expect } from 'chai'
+import { join } from 'path'
+
+describe('Test video passwords validator', function () {
+  let path: string
+  let server: PeerTubeServer
+  let userAccessToken = ''
+  let video: VideoCreateResult
+  let channelId: number
+  let publicVideo: VideoCreateResult
+  let commentId: number
+  // ---------------------------------------------------------------
+
+  before(async function () {
+    this.timeout(50000)
+
+    server = await createSingleServer(1)
+
+    await setAccessTokensToServers([ server ])
+
+    await server.config.updateCustomSubConfig({
+      newConfig: {
+        live: {
+          enabled: true,
+          latencySetting: {
+            enabled: false
+          },
+          allowReplay: false
+        },
+        import: {
+          videos: {
+            http:{
+              enabled: true
+            }
+          }
+        }
+      }
+    })
+
+    userAccessToken = await server.users.generateUserAndToken('user1')
+
+    {
+      const body = await server.users.getMyInfo()
+      channelId = body.videoChannels[0].id
+    }
+
+    {
+      video = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ 'password1', 'password2' ]
+      })
+    }
+    path = '/api/v1/videos/'
+  })
+
+  async function checkVideoPasswordOptions (options: {
+    server: PeerTubeServer
+    token: string
+    videoPasswords: string[]
+    expectedStatus: HttpStatusCode
+    mode: 'uploadLegacy' | 'uploadResumable' | 'import' | 'updateVideo' | 'updatePasswords' | 'live'
+  }) {
+    const { server, token, videoPasswords, expectedStatus = HttpStatusCode.OK_200, mode } = options
+    const attaches = {
+      fixture: join(root(), 'server', 'tests', 'fixtures', 'video_short.webm')
+    }
+    const baseCorrectParams = {
+      name: 'my super name',
+      category: 5,
+      licence: 1,
+      language: 'pt',
+      nsfw: false,
+      commentsEnabled: true,
+      downloadEnabled: true,
+      waitTranscoding: true,
+      description: 'my super description',
+      support: 'my super support text',
+      tags: [ 'tag1', 'tag2' ],
+      privacy: VideoPrivacy.PASSWORD_PROTECTED,
+      channelId,
+      originallyPublishedAt: new Date().toISOString()
+    }
+    if (mode === 'uploadLegacy') {
+      const fields = { ...baseCorrectParams, videoPasswords }
+      return checkUploadVideoParam(server, token, { ...fields, ...attaches }, expectedStatus, 'legacy')
+    }
+
+    if (mode === 'uploadResumable') {
+      const fields = { ...baseCorrectParams, videoPasswords }
+      return checkUploadVideoParam(server, token, { ...fields, ...attaches }, expectedStatus, 'resumable')
+    }
+
+    if (mode === 'import') {
+      const attributes = { ...baseCorrectParams, targetUrl: FIXTURE_URLS.goodVideo, videoPasswords }
+      return server.imports.importVideo({ attributes, expectedStatus })
+    }
+
+    if (mode === 'updateVideo') {
+      const attributes = { ...baseCorrectParams, videoPasswords }
+      return server.videos.update({ token, expectedStatus, id: video.id, attributes })
+    }
+
+    if (mode === 'updatePasswords') {
+      return server.videoPasswords.updateAll({ token, expectedStatus, videoId: video.id, passwords: videoPasswords })
+    }
+
+    if (mode === 'live') {
+      const fields = { ...baseCorrectParams, videoPasswords }
+
+      return server.live.create({ fields, expectedStatus })
+    }
+  }
+
+  function validateVideoPasswordList (mode: 'uploadLegacy' | 'uploadResumable' | 'import' | 'updateVideo' | 'updatePasswords' | 'live') {
+
+    it('Should fail with a password protected privacy without providing a password', async function () {
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    it('Should fail with a password protected privacy and an empty password list', async function () {
+      const videoPasswords = []
+
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    it('Should fail with a password protected privacy and a too short password', async function () {
+      const videoPasswords = [ 'p' ]
+
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    it('Should fail with a password protected privacy and a too long password', async function () {
+      const videoPasswords = [ 'Very very very very very very very very very very very very very very very very very very long password' ]
+
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    it('Should fail with a password protected privacy and an empty password', async function () {
+      const videoPasswords = [ '' ]
+
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    it('Should fail with a password protected privacy and duplicated passwords', async function () {
+      const videoPasswords = [ 'password', 'password' ]
+
+      await checkVideoPasswordOptions({
+        server,
+        token: server.accessToken,
+        videoPasswords,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400,
+        mode
+      })
+    })
+
+    if (mode === 'updatePasswords') {
+      it('Should fail for an unauthenticated user', async function () {
+        const videoPasswords = [ 'password' ]
+        await checkVideoPasswordOptions({
+          server,
+          token: null,
+          videoPasswords,
+          expectedStatus: HttpStatusCode.UNAUTHORIZED_401,
+          mode
+        })
+      })
+
+      it('Should fail for an unauthorized user', async function () {
+        const videoPasswords = [ 'password' ]
+        await checkVideoPasswordOptions({
+          server,
+          token: userAccessToken,
+          videoPasswords,
+          expectedStatus: HttpStatusCode.FORBIDDEN_403,
+          mode
+        })
+      })
+    }
+
+    it('Should succeed with a password protected privacy and correct passwords', async function () {
+      const videoPasswords = [ 'password1', 'password2' ]
+      const expectedStatus = mode === 'updatePasswords' || mode === 'updateVideo'
+        ? HttpStatusCode.NO_CONTENT_204
+        : HttpStatusCode.OK_200
+
+      await checkVideoPasswordOptions({ server, token: server.accessToken, videoPasswords, expectedStatus, mode })
+    })
+  }
+
+  describe('When adding or updating a video', function () {
+    describe('Resumable upload', function () {
+      validateVideoPasswordList('uploadResumable')
+    })
+
+    describe('Legacy upload', function () {
+      validateVideoPasswordList('uploadLegacy')
+    })
+
+    describe('When importing a video', function () {
+      validateVideoPasswordList('import')
+    })
+
+    describe('When updating a video', function () {
+      validateVideoPasswordList('updateVideo')
+    })
+
+    describe('When updating the password list of a video', function () {
+      validateVideoPasswordList('updatePasswords')
+    })
+
+    describe('When creating a live', function () {
+      validateVideoPasswordList('live')
+    })
+  })
+
+  async function checkVideoAccessOptions (options: {
+    server: PeerTubeServer
+    token?: string
+    videoPassword?: string
+    expectedStatus: HttpStatusCode
+    mode: 'get' | 'getWithPassword' | 'getWithToken' | 'listCaptions' | 'createThread' | 'listThreads' | 'replyThread' | 'rate' | 'token'
+  }) {
+    const { server, token = null, videoPassword, expectedStatus, mode } = options
+
+    if (mode === 'get') {
+      return server.videos.get({ id: video.id, expectedStatus })
+    }
+
+    if (mode === 'getWithToken') {
+      return server.videos.getWithToken({
+        id: video.id,
+        token,
+        expectedStatus
+      })
+    }
+
+    if (mode === 'getWithPassword') {
+      return server.videos.getWithPassword({
+        id: video.id,
+        token,
+        expectedStatus,
+        password: videoPassword
+      })
+    }
+
+    if (mode === 'rate') {
+      return server.videos.rate({
+        id: video.id,
+        token,
+        expectedStatus,
+        rating: 'like',
+        videoPassword
+      })
+    }
+
+    if (mode === 'createThread') {
+      const fields = { text: 'super comment' }
+      const headers = videoPassword !== undefined && videoPassword !== null
+        ? { 'x-peertube-video-password': videoPassword }
+        : undefined
+      const body = await makePostBodyRequest({
+        url: server.url,
+        path: path + video.uuid + '/comment-threads',
+        token,
+        fields,
+        headers,
+        expectedStatus
+      })
+      return JSON.parse(body.text)
+    }
+
+    if (mode === 'replyThread') {
+      const fields = { text: 'super reply' }
+      const headers = videoPassword !== undefined && videoPassword !== null
+        ? { 'x-peertube-video-password': videoPassword }
+        : undefined
+      return makePostBodyRequest({
+        url: server.url,
+        path: path + video.uuid + '/comments/' + commentId,
+        token,
+        fields,
+        headers,
+        expectedStatus
+      })
+    }
+    if (mode === 'listThreads') {
+      return server.comments.listThreads({
+        videoId: video.id,
+        token,
+        expectedStatus,
+        videoPassword
+      })
+    }
+
+    if (mode === 'listCaptions') {
+      return server.captions.list({
+        videoId: video.id,
+        token,
+        expectedStatus,
+        videoPassword
+      })
+    }
+
+    if (mode === 'token') {
+      return server.videoToken.create({
+        videoId: video.id,
+        token,
+        expectedStatus,
+        videoPassword
+      })
+    }
+  }
+
+  function checkVideoError (error: any, mode: 'providePassword' | 'incorrectPassword') {
+    const serverCode = mode === 'providePassword'
+      ? ServerErrorCode.VIDEO_REQUIRES_PASSWORD
+      : ServerErrorCode.INCORRECT_VIDEO_PASSWORD
+
+    const message = mode === 'providePassword'
+      ? 'Please provide a password to access this password protected video'
+      : 'Incorrect video password. Access to the video is denied.'
+
+    if (!error.code) {
+      error = JSON.parse(error.text)
+    }
+
+    expect(error.code).to.equal(serverCode)
+    expect(error.detail).to.equal(message)
+    expect(error.error).to.equal(message)
+
+    expect(error.status).to.equal(HttpStatusCode.FORBIDDEN_403)
+  }
+
+  function validateVideoAccess (mode: 'get' | 'listCaptions' | 'createThread' | 'listThreads' | 'replyThread' | 'rate' | 'token') {
+    const requiresUserAuth = [ 'createThread', 'replyThread', 'rate' ].includes(mode)
+    let tokens: string[]
+    if (!requiresUserAuth) {
+      it('Should fail without providing a password for an unlogged user', async function () {
+        const body = await checkVideoAccessOptions({ server, expectedStatus: HttpStatusCode.FORBIDDEN_403, mode })
+        const error = body as unknown as PeerTubeProblemDocument
+
+        checkVideoError(error, 'providePassword')
+      })
+    }
+
+    it('Should fail without providing a password for an unauthorised user', async function () {
+      const tmp = mode === 'get' ? 'getWithToken' : mode
+
+      const body = await checkVideoAccessOptions({
+        server,
+        token: userAccessToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        mode: tmp
+      })
+
+      const error = body as unknown as PeerTubeProblemDocument
+
+      checkVideoError(error, 'providePassword')
+    })
+
+    it('Should fail if a wrong password is entered', async function () {
+      const tmp = mode === 'get' ? 'getWithPassword' : mode
+      tokens = [ userAccessToken, server.accessToken ]
+
+      if (!requiresUserAuth) tokens.push(null)
+
+      for (const token of tokens) {
+        const body = await checkVideoAccessOptions({
+          server,
+          token,
+          videoPassword: 'toto',
+          expectedStatus: HttpStatusCode.FORBIDDEN_403,
+          mode: tmp
+        })
+        const error = body as unknown as PeerTubeProblemDocument
+
+        checkVideoError(error, 'incorrectPassword')
+      }
+    })
+
+    it('Should fail if an empty password is entered', async function () {
+      const tmp = mode === 'get' ? 'getWithPassword' : mode
+
+      for (const token of tokens) {
+        const body = await checkVideoAccessOptions({
+          server,
+          token,
+          videoPassword: '',
+          expectedStatus: HttpStatusCode.FORBIDDEN_403,
+          mode: tmp
+        })
+        const error = body as unknown as PeerTubeProblemDocument
+
+        checkVideoError(error, 'incorrectPassword')
+      }
+    })
+
+    it('Should fail if an inccorect password containing the correct password is entered', async function () {
+      const tmp = mode === 'get' ? 'getWithPassword' : mode
+
+      for (const token of tokens) {
+        const body = await checkVideoAccessOptions({
+          server,
+          token,
+          videoPassword: 'password11',
+          expectedStatus: HttpStatusCode.FORBIDDEN_403,
+          mode: tmp
+        })
+        const error = body as unknown as PeerTubeProblemDocument
+
+        checkVideoError(error, 'incorrectPassword')
+      }
+    })
+
+    it('Should succeed without providing a password for an authorised user', async function () {
+      const tmp = mode === 'get' ? 'getWithToken' : mode
+      const expectedStatus = mode === 'rate' ? HttpStatusCode.NO_CONTENT_204 : HttpStatusCode.OK_200
+
+      const body = await checkVideoAccessOptions({ server, token: server.accessToken, expectedStatus, mode: tmp })
+
+      if (mode === 'createThread') commentId = body.comment.id
+    })
+
+    it('Should succeed using correct passwords', async function () {
+      const tmp = mode === 'get' ? 'getWithPassword' : mode
+      const expectedStatus = mode === 'rate' ? HttpStatusCode.NO_CONTENT_204 : HttpStatusCode.OK_200
+
+      for (const token of tokens) {
+        await checkVideoAccessOptions({ server, videoPassword: 'password1', token, expectedStatus, mode: tmp })
+        await checkVideoAccessOptions({ server, videoPassword: 'password2', token, expectedStatus, mode: tmp })
+      }
+    })
+  }
+
+  describe('When accessing password protected video', function () {
+
+    describe('For getting a password protected video', function () {
+      validateVideoAccess('get')
+    })
+
+    describe('For rating a video', function () {
+      validateVideoAccess('rate')
+    })
+
+    describe('For creating a thread', function () {
+      validateVideoAccess('createThread')
+    })
+
+    describe('For replying to a thread', function () {
+      validateVideoAccess('replyThread')
+    })
+
+    describe('For listing threads', function () {
+      validateVideoAccess('listThreads')
+    })
+
+    describe('For getting captions', function () {
+      validateVideoAccess('listCaptions')
+    })
+
+    describe('For creating video file token', function () {
+      validateVideoAccess('token')
+    })
+  })
+
+  describe('When listing passwords', function () {
+    it('Should fail with a bad start pagination', async function () {
+      await checkBadStartPagination(server.url, path + video.uuid + '/passwords', server.accessToken)
+    })
+
+    it('Should fail with a bad count pagination', async function () {
+      await checkBadCountPagination(server.url, path + video.uuid + '/passwords', server.accessToken)
+    })
+
+    it('Should fail with an incorrect sort', async function () {
+      await checkBadSortPagination(server.url, path + video.uuid + '/passwords', server.accessToken)
+    })
+
+    it('Should fail for unauthenticated user', async function () {
+      await server.videoPasswords.list({
+        token: null,
+        expectedStatus: HttpStatusCode.UNAUTHORIZED_401,
+        videoId: video.id
+      })
+    })
+
+    it('Should fail for unauthorized user', async function () {
+      await server.videoPasswords.list({
+        token: userAccessToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        videoId: video.id
+      })
+    })
+
+    it('Should succeed with the correct parameters', async function () {
+      await server.videoPasswords.list({
+        token: server.accessToken,
+        expectedStatus: HttpStatusCode.OK_200,
+        videoId: video.id
+      })
+    })
+  })
+
+  describe('When deleting a password', async function () {
+    const passwords = (await server.videoPasswords.list({ videoId: video.id })).data
+
+    it('Should fail with wrong password id', async function () {
+      await server.videoPasswords.remove({ id: -1, videoId: video.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+
+    it('Should fail for unauthenticated user', async function () {
+      await server.videoPasswords.remove({
+        id: passwords[0].id,
+        token: null,
+        videoId: video.id,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail for unauthorized user', async function () {
+      await server.videoPasswords.remove({
+        id: passwords[0].id,
+        token: userAccessToken,
+        videoId: video.id,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail for non password protected video', async function () {
+      publicVideo = await server.videos.quickUpload({ name: 'public video' })
+      await server.videoPasswords.remove({ id: passwords[0].id, videoId: publicVideo.id, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    })
+
+    it('Should fail for password not linked to correct video', async function () {
+      const video2 = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ 'password1', 'password2' ]
+      })
+      await server.videoPasswords.remove({ id: passwords[0].id, videoId: video2.id, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+
+    it('Should succeed with correct parameter', async function () {
+      await server.videoPasswords.remove({ id: passwords[0].id, videoId: video.id, expectedStatus: HttpStatusCode.NO_CONTENT_204 })
+    })
+
+    it('Should fail for last password of a video', async function () {
+      await server.videoPasswords.remove({ id: passwords[1].id, videoId: video.id, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+    })
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/check-params/video-token.ts b/server/tests/api/check-params/video-token.ts
index 7acb9d580..7cb3e84a2 100644
--- a/server/tests/api/check-params/video-token.ts
+++ b/server/tests/api/check-params/video-token.ts
@@ -5,9 +5,12 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ
 
 describe('Test video tokens', function () {
   let server: PeerTubeServer
-  let videoId: string
+  let privateVideoId: string
+  let passwordProtectedVideoId: string
   let userToken: string
 
+  const videoPassword = 'password'
+
   // ---------------------------------------------------------------
 
   before(async function () {
@@ -15,27 +18,50 @@ describe('Test video tokens', function () {
 
     server = await createSingleServer(1)
     await setAccessTokensToServers([ server ])
-
-    const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
-    videoId = uuid
-
+    {
+      const { uuid } = await server.videos.quickUpload({ name: 'private video', privacy: VideoPrivacy.PRIVATE })
+      privateVideoId = uuid
+    }
+    {
+      const { uuid } = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      passwordProtectedVideoId = uuid
+    }
     userToken = await server.users.generateUserAndToken('user1')
   })
 
-  it('Should not generate tokens for unauthenticated user', async function () {
-    await server.videoToken.create({ videoId, token: null, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+  it('Should not generate tokens on private video for unauthenticated user', async function () {
+    await server.videoToken.create({ videoId: privateVideoId, token: null, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
   })
 
   it('Should not generate tokens of unknown video', async function () {
     await server.videoToken.create({ videoId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
   })
 
+  it('Should not generate tokens with incorrect password', async function () {
+    await server.videoToken.create({
+      videoId: passwordProtectedVideoId,
+      token: null,
+      expectedStatus: HttpStatusCode.FORBIDDEN_403,
+      videoPassword: 'incorrectPassword'
+    })
+  })
+
   it('Should not generate tokens of a non owned video', async function () {
-    await server.videoToken.create({ videoId, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    await server.videoToken.create({ videoId: privateVideoId, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
   })
 
   it('Should generate token', async function () {
-    await server.videoToken.create({ videoId })
+    await server.videoToken.create({ videoId: privateVideoId })
+  })
+
+  it('Should generate token on password protected video', async function () {
+    await server.videoToken.create({ videoId: passwordProtectedVideoId, videoPassword, token: null })
+    await server.videoToken.create({ videoId: passwordProtectedVideoId, videoPassword, token: userToken })
+    await server.videoToken.create({ videoId: passwordProtectedVideoId, videoPassword })
   })
 
   after(async function () {
diff --git a/server/tests/api/object-storage/video-static-file-privacy.ts b/server/tests/api/object-storage/video-static-file-privacy.ts
index af9d681b2..2a7c3381d 100644
--- a/server/tests/api/object-storage/video-static-file-privacy.ts
+++ b/server/tests/api/object-storage/video-static-file-privacy.ts
@@ -107,8 +107,13 @@ describe('Object storage for video static file privacy', function () {
   describe('VOD', function () {
     let privateVideoUUID: string
     let publicVideoUUID: string
+    let passwordProtectedVideoUUID: string
     let userPrivateVideoUUID: string
 
+    const correctPassword = 'my super password'
+    const correctPasswordHeader = { 'x-peertube-video-password': correctPassword }
+    const incorrectPasswordHeader = { 'x-peertube-video-password': correctPassword + 'toto' }
+
     // ---------------------------------------------------------------------------
 
     async function getSampleFileUrls (videoId: string) {
@@ -140,6 +145,22 @@ describe('Object storage for video static file privacy', function () {
       await checkPrivateVODFiles(privateVideoUUID)
     })
 
+    it('Should upload a password protected video and have appropriate object storage ACL', async function () {
+      this.timeout(120000)
+
+      {
+        const { uuid } = await server.videos.quickUpload({
+          name: 'video',
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ correctPassword ]
+        })
+        passwordProtectedVideoUUID = uuid
+      }
+      await waitJobs([ server ])
+
+      await checkPrivateVODFiles(passwordProtectedVideoUUID)
+    })
+
     it('Should upload a public video and have appropriate object storage ACL', async function () {
       this.timeout(120000)
 
@@ -163,6 +184,42 @@ describe('Object storage for video static file privacy', function () {
       await makeRawRequest({ url: hlsFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
     })
 
+    it('Should not get files without appropriate password or appropriate OAuth token', async function () {
+      this.timeout(60000)
+
+      const { webTorrentFile, hlsFile } = await getSampleFileUrls(passwordProtectedVideoUUID)
+
+      await makeRawRequest({ url: webTorrentFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+      await makeRawRequest({
+        url: webTorrentFile,
+        token: null,
+        headers: incorrectPasswordHeader,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+      await makeRawRequest({ url: webTorrentFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
+      await makeRawRequest({
+        url: webTorrentFile,
+        token: null,
+        headers: correctPasswordHeader,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+
+      await makeRawRequest({ url: hlsFile, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+      await makeRawRequest({
+        url: hlsFile,
+        token: null,
+        headers: incorrectPasswordHeader,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+      await makeRawRequest({ url: hlsFile, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
+      await makeRawRequest({
+        url: hlsFile,
+        token: null,
+        headers: correctPasswordHeader,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+    })
+
     it('Should not get HLS file of another video', async function () {
       this.timeout(60000)
 
@@ -176,7 +233,7 @@ describe('Object storage for video static file privacy', function () {
       await makeRawRequest({ url: goodUrl, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
     })
 
-    it('Should correctly check OAuth or video file token', async function () {
+    it('Should correctly check OAuth, video file token of private video', async function () {
       this.timeout(60000)
 
       const badVideoFileToken = await server.videoToken.getVideoFileToken({ token: userToken, videoId: userPrivateVideoUUID })
@@ -191,6 +248,35 @@ describe('Object storage for video static file privacy', function () {
 
         await makeRawRequest({ url, query: { videoFileToken: badVideoFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
         await makeRawRequest({ url, query: { videoFileToken: goodVideoFileToken }, expectedStatus: HttpStatusCode.OK_200 })
+
+      }
+    })
+
+    it('Should correctly check OAuth, video file token or video password of password protected video', async function () {
+      this.timeout(60000)
+
+      const badVideoFileToken = await server.videoToken.getVideoFileToken({ token: userToken, videoId: userPrivateVideoUUID })
+      const goodVideoFileToken = await server.videoToken.getVideoFileToken({
+        videoId: passwordProtectedVideoUUID,
+        videoPassword: correctPassword
+      })
+
+      const { webTorrentFile, hlsFile } = await getSampleFileUrls(passwordProtectedVideoUUID)
+
+      for (const url of [ hlsFile, webTorrentFile ]) {
+        await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
+
+        await makeRawRequest({ url, query: { videoFileToken: badVideoFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        await makeRawRequest({ url, query: { videoFileToken: goodVideoFileToken }, expectedStatus: HttpStatusCode.OK_200 })
+
+        await makeRawRequest({
+          url,
+          headers: incorrectPasswordHeader,
+          expectedStatus: HttpStatusCode.FORBIDDEN_403
+        })
+        await makeRawRequest({ url, headers: correctPasswordHeader, expectedStatus: HttpStatusCode.OK_200 })
       }
     })
 
@@ -232,16 +318,26 @@ describe('Object storage for video static file privacy', function () {
     let permanentLiveId: string
     let permanentLive: LiveVideo
 
+    let passwordProtectedLiveId: string
+    let passwordProtectedLive: LiveVideo
+
+    const correctPassword = 'my super password'
+
     let unrelatedFileToken: string
 
     // ---------------------------------------------------------------------------
 
-    async function checkLiveFiles (live: LiveVideo, liveId: string) {
+    async function checkLiveFiles (live: LiveVideo, liveId: string, videoPassword?: string) {
       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
       await server.live.waitUntilPublished({ videoId: liveId })
 
-      const video = await server.videos.getWithToken({ id: liveId })
-      const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
+      const video = videoPassword
+        ? await server.videos.getWithPassword({ id: liveId, password: videoPassword })
+        : await server.videos.getWithToken({ id: liveId })
+
+      const fileToken = videoPassword
+        ? await server.videoToken.getVideoFileToken({ token: null, videoId: video.uuid, videoPassword })
+        : await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 
       const hls = video.streamingPlaylists[0]
 
@@ -253,10 +349,19 @@ describe('Object storage for video static file privacy', function () {
 
         await makeRawRequest({ url, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
         await makeRawRequest({ url, query: { videoFileToken: fileToken }, expectedStatus: HttpStatusCode.OK_200 })
-
+        if (videoPassword) {
+          await makeRawRequest({ url, headers: { 'x-peertube-video-password': videoPassword }, expectedStatus: HttpStatusCode.OK_200 })
+        }
         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        if (videoPassword) {
+          await makeRawRequest({
+            url,
+            headers: { 'x-peertube-video-password': 'incorrectPassword' },
+            expectedStatus: HttpStatusCode.FORBIDDEN_403
+          })
+        }
       }
 
       await stopFfmpeg(ffmpegCommand)
@@ -326,6 +431,17 @@ describe('Object storage for video static file privacy', function () {
         permanentLiveId = video.uuid
         permanentLive = live
       }
+
+      {
+        const { video, live } = await server.live.quickCreate({
+          saveReplay: false,
+          permanentLive: false,
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ correctPassword ]
+        })
+        passwordProtectedLiveId = video.uuid
+        passwordProtectedLive = live
+      }
     })
 
     it('Should create a private normal live and have a private static path', async function () {
@@ -340,6 +456,12 @@ describe('Object storage for video static file privacy', function () {
       await checkLiveFiles(permanentLive, permanentLiveId)
     })
 
+    it('Should create a password protected live and have a private static path', async function () {
+      this.timeout(240000)
+
+      await checkLiveFiles(passwordProtectedLive, passwordProtectedLiveId, correctPassword)
+    })
+
     it('Should reinject video file token in permanent live', async function () {
       this.timeout(240000)
 
diff --git a/server/tests/api/videos/video-passwords.ts b/server/tests/api/videos/video-passwords.ts
new file mode 100644
index 000000000..e01a93a4d
--- /dev/null
+++ b/server/tests/api/videos/video-passwords.ts
@@ -0,0 +1,97 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { expect } from 'chai'
+import {
+  cleanupTests,
+  createSingleServer,
+  VideoPasswordsCommand,
+  PeerTubeServer,
+  setAccessTokensToServers,
+  setDefaultAccountAvatar,
+  setDefaultChannelAvatar
+} from '@shared/server-commands'
+import { VideoPrivacy } from '@shared/models'
+
+describe('Test video passwords', function () {
+  let server: PeerTubeServer
+  let videoUUID: string
+
+  let userAccessTokenServer1: string
+
+  let videoPasswords: string[] = []
+  let command: VideoPasswordsCommand
+
+  before(async function () {
+    this.timeout(30000)
+
+    server = await createSingleServer(1)
+
+    await setAccessTokensToServers([ server ])
+
+    for (let i = 0; i < 10; i++) {
+      videoPasswords.push(`password ${i + 1}`)
+    }
+    const { uuid } = await server.videos.upload({ attributes: { privacy: VideoPrivacy.PASSWORD_PROTECTED, videoPasswords } })
+    videoUUID = uuid
+
+    await setDefaultChannelAvatar(server)
+    await setDefaultAccountAvatar(server)
+
+    userAccessTokenServer1 = await server.users.generateUserAndToken('user1')
+    await setDefaultChannelAvatar(server, 'user1_channel')
+    await setDefaultAccountAvatar(server, userAccessTokenServer1)
+
+    command = server.videoPasswords
+  })
+
+  it('Should list video passwords', async function () {
+    const body = await command.list({ videoId: videoUUID })
+
+    expect(body.total).to.equal(10)
+    expect(body.data).to.be.an('array')
+    expect(body.data).to.have.lengthOf(10)
+  })
+
+  it('Should filter passwords on this video', async function () {
+    const body = await command.list({ videoId: videoUUID, count: 2, start: 3, sort: 'createdAt' })
+
+    expect(body.total).to.equal(10)
+    expect(body.data).to.be.an('array')
+    expect(body.data).to.have.lengthOf(2)
+    expect(body.data[0].password).to.equal('password 4')
+    expect(body.data[1].password).to.equal('password 5')
+  })
+
+  it('Should update password for this video', async function () {
+    videoPasswords = [ 'my super new password 1', 'my super new password 2' ]
+
+    await command.updateAll({ videoId: videoUUID, passwords: videoPasswords })
+    const body = await command.list({ videoId: videoUUID })
+    expect(body.total).to.equal(2)
+    expect(body.data).to.be.an('array')
+    expect(body.data).to.have.lengthOf(2)
+    expect(body.data[0].password).to.equal('my super new password 2')
+    expect(body.data[1].password).to.equal('my super new password 1')
+  })
+
+  it('Should delete one password', async function () {
+    {
+      const body = await command.list({ videoId: videoUUID })
+      expect(body.total).to.equal(2)
+      expect(body.data).to.be.an('array')
+      expect(body.data).to.have.lengthOf(2)
+      await command.remove({ id: body.data[0].id, videoId: videoUUID })
+    }
+    {
+      const body = await command.list({ videoId: videoUUID })
+
+      expect(body.total).to.equal(1)
+      expect(body.data).to.be.an('array')
+      expect(body.data).to.have.lengthOf(1)
+    }
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/videos/video-playlists.ts b/server/tests/api/videos/video-playlists.ts
index d9c5bdf16..9277b49f4 100644
--- a/server/tests/api/videos/video-playlists.ts
+++ b/server/tests/api/videos/video-playlists.ts
@@ -474,7 +474,7 @@ describe('Test video playlists', function () {
       await servers[1].playlists.get({ playlistId: unlistedPlaylist.id, expectedStatus: 404 })
     })
 
-    it('Should get unlisted plyaylist using uuid or shortUUID', async function () {
+    it('Should get unlisted playlist using uuid or shortUUID', async function () {
       await servers[1].playlists.get({ playlistId: unlistedPlaylist.uuid })
       await servers[1].playlists.get({ playlistId: unlistedPlaylist.shortUUID })
     })
@@ -686,7 +686,7 @@ describe('Test video playlists', function () {
       await waitJobs(servers)
     })
 
-    it('Should update the element type if the video is private', async function () {
+    it('Should update the element type if the video is private/password protected', async function () {
       this.timeout(20000)
 
       const name = 'video 89'
@@ -703,6 +703,19 @@ describe('Test video playlists', function () {
       }
 
       {
+        await servers[0].videos.update({
+          id: video1,
+          attributes: { privacy: VideoPrivacy.PASSWORD_PROTECTED, videoPasswords: [ 'password' ] }
+        })
+        await waitJobs(servers)
+
+        await checkPlaylistElementType(groupUser1, playlistServer1UUID2, VideoPlaylistElementType.REGULAR, position, name, 3)
+        await checkPlaylistElementType(groupWithoutToken1, playlistServer1UUID2, VideoPlaylistElementType.PRIVATE, position, name, 3)
+        await checkPlaylistElementType(group1, playlistServer1UUID2, VideoPlaylistElementType.PRIVATE, position, name, 3)
+        await checkPlaylistElementType(group2, playlistServer1UUID2, VideoPlaylistElementType.DELETED, position, name, 3)
+      }
+
+      {
         await servers[0].videos.update({ id: video1, attributes: { privacy: VideoPrivacy.PUBLIC } })
         await waitJobs(servers)
 
diff --git a/server/tests/api/videos/video-static-file-privacy.ts b/server/tests/api/videos/video-static-file-privacy.ts
index 542848533..ec4c697db 100644
--- a/server/tests/api/videos/video-static-file-privacy.ts
+++ b/server/tests/api/videos/video-static-file-privacy.ts
@@ -90,7 +90,7 @@ describe('Test video static file privacy', function () {
         }
       }
 
-      it('Should upload a private/internal video and have a private static path', async function () {
+      it('Should upload a private/internal/password protected video and have a private static path', async function () {
         this.timeout(120000)
 
         for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
@@ -99,6 +99,15 @@ describe('Test video static file privacy', function () {
 
           await checkPrivateFiles(uuid)
         }
+
+        const { uuid } = await server.videos.quickUpload({
+          name: 'video',
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ 'my super password' ]
+        })
+        await waitJobs([ server ])
+
+        await checkPrivateFiles(uuid)
       })
 
       it('Should upload a public video and update it as private/internal to have a private static path', async function () {
@@ -185,8 +194,9 @@ describe('Test video static file privacy', function () {
       expectedStatus: HttpStatusCode
       token: string
       videoFileToken: string
+      videoPassword?: string
     }) {
-      const { id, expectedStatus, token, videoFileToken } = options
+      const { id, expectedStatus, token, videoFileToken, videoPassword } = options
 
       const video = await server.videos.getWithToken({ id })
 
@@ -196,6 +206,12 @@ describe('Test video static file privacy', function () {
 
         await makeRawRequest({ url: file.fileUrl, query: { videoFileToken }, expectedStatus })
         await makeRawRequest({ url: file.fileDownloadUrl, query: { videoFileToken }, expectedStatus })
+
+        if (videoPassword) {
+          const headers = { 'x-peertube-video-password': videoPassword }
+          await makeRawRequest({ url: file.fileUrl, headers, expectedStatus })
+          await makeRawRequest({ url: file.fileDownloadUrl, headers, expectedStatus })
+        }
       }
 
       const hls = video.streamingPlaylists[0]
@@ -204,6 +220,12 @@ describe('Test video static file privacy', function () {
 
       await makeRawRequest({ url: hls.playlistUrl, query: { videoFileToken }, expectedStatus })
       await makeRawRequest({ url: hls.segmentsSha256Url, query: { videoFileToken }, expectedStatus })
+
+      if (videoPassword) {
+        const headers = { 'x-peertube-video-password': videoPassword }
+        await makeRawRequest({ url: hls.playlistUrl, token: null, headers, expectedStatus })
+        await makeRawRequest({ url: hls.segmentsSha256Url, token: null, headers, expectedStatus })
+      }
     }
 
     before(async function () {
@@ -216,13 +238,53 @@ describe('Test video static file privacy', function () {
     it('Should not be able to access a private video files without OAuth token and file token', async function () {
       this.timeout(120000)
 
-      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })
+      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
       await waitJobs([ server ])
 
       await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.FORBIDDEN_403, token: null, videoFileToken: null })
     })
 
-    it('Should not be able to access an internal video files without appropriate OAuth token and file token', async function () {
+    it('Should not be able to access password protected video files without OAuth token, file token and password', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+
+      const { uuid } = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      await waitJobs([ server ])
+
+      await checkVideoFiles({
+        id: uuid,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        token: null,
+        videoFileToken: null,
+        videoPassword: null
+      })
+    })
+
+    it('Should not be able to access an password video files with incorrect OAuth token, file token and password', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+
+      const { uuid } = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      await waitJobs([ server ])
+
+      await checkVideoFiles({
+        id: uuid,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        token: userToken,
+        videoFileToken: unrelatedFileToken,
+        videoPassword: 'incorrectPassword'
+      })
+    })
+
+    it('Should not be able to access an private video files without appropriate OAuth token and file token', async function () {
       this.timeout(120000)
 
       const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
@@ -247,6 +309,23 @@ describe('Test video static file privacy', function () {
       await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })
     })
 
+    it('Should be able to access a password protected video files with appropriate OAuth token or file token', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+
+      const { uuid } = await server.videos.quickUpload({
+        name: 'video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+
+      const videoFileToken = await server.videoToken.getVideoFileToken({ token: null, videoId: uuid, videoPassword })
+
+      await waitJobs([ server ])
+
+      await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken, videoPassword })
+    })
+
     it('Should reinject video file token', async function () {
       this.timeout(120000)
 
@@ -294,13 +373,20 @@ describe('Test video static file privacy', function () {
     let permanentLiveId: string
     let permanentLive: LiveVideo
 
+    let passwordProtectedLiveId: string
+    let passwordProtectedLive: LiveVideo
+
+    const correctPassword = 'my super password'
+
     let unrelatedFileToken: string
 
-    async function checkLiveFiles (live: LiveVideo, liveId: string) {
+    async function checkLiveFiles (options: { live: LiveVideo, liveId: string, videoPassword?: string }) {
+      const { live, liveId, videoPassword } = options
       const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
       await server.live.waitUntilPublished({ videoId: liveId })
 
       const video = await server.videos.getWithToken({ id: liveId })
+
       const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
 
       const hls = video.streamingPlaylists[0]
@@ -314,6 +400,16 @@ describe('Test video static file privacy', function () {
         await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
         await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
         await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+
+        if (videoPassword) {
+          await makeRawRequest({ url, headers: { 'x-peertube-video-password': videoPassword }, expectedStatus: HttpStatusCode.OK_200 })
+          await makeRawRequest({
+            url,
+            headers: { 'x-peertube-video-password': 'incorrectPassword' },
+            expectedStatus: HttpStatusCode.FORBIDDEN_403
+          })
+        }
+
       }
 
       await stopFfmpeg(ffmpegCommand)
@@ -381,18 +477,35 @@ describe('Test video static file privacy', function () {
         permanentLiveId = video.uuid
         permanentLive = live
       }
+
+      {
+        const { video, live } = await server.live.quickCreate({
+          saveReplay: false,
+          permanentLive: false,
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ correctPassword ]
+        })
+        passwordProtectedLiveId = video.uuid
+        passwordProtectedLive = live
+      }
     })
 
     it('Should create a private normal live and have a private static path', async function () {
       this.timeout(240000)
 
-      await checkLiveFiles(normalLive, normalLiveId)
+      await checkLiveFiles({ live: normalLive, liveId: normalLiveId })
     })
 
     it('Should create a private permanent live and have a private static path', async function () {
       this.timeout(240000)
 
-      await checkLiveFiles(permanentLive, permanentLiveId)
+      await checkLiveFiles({ live: permanentLive, liveId: permanentLiveId })
+    })
+
+    it('Should create a password protected live and have a private static path', async function () {
+      this.timeout(240000)
+
+      await checkLiveFiles({ live: passwordProtectedLive, liveId: passwordProtectedLiveId, videoPassword: correctPassword })
     })
 
     it('Should reinject video file token on permanent live', async function () {
diff --git a/server/tests/client.ts b/server/tests/client.ts
index e84251561..68f3a1d14 100644
--- a/server/tests/client.ts
+++ b/server/tests/client.ts
@@ -56,6 +56,7 @@ describe('Test a client controllers', function () {
   let privateVideoId: string
   let internalVideoId: string
   let unlistedVideoId: string
+  let passwordProtectedVideoId: string
 
   let playlistIds: (string | number)[] = []
 
@@ -92,7 +93,12 @@ describe('Test a client controllers', function () {
     {
       ({ uuid: privateVideoId } = await servers[0].videos.quickUpload({ name: 'private', privacy: VideoPrivacy.PRIVATE }));
       ({ uuid: unlistedVideoId } = await servers[0].videos.quickUpload({ name: 'unlisted', privacy: VideoPrivacy.UNLISTED }));
-      ({ uuid: internalVideoId } = await servers[0].videos.quickUpload({ name: 'internal', privacy: VideoPrivacy.INTERNAL }))
+      ({ uuid: internalVideoId } = await servers[0].videos.quickUpload({ name: 'internal', privacy: VideoPrivacy.INTERNAL }));
+      ({ uuid: passwordProtectedVideoId } = await servers[0].videos.quickUpload({
+        name: 'password protected',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ 'password' ]
+      }))
     }
 
     // Playlist
@@ -502,9 +508,9 @@ describe('Test a client controllers', function () {
       }
     })
 
-    it('Should not display internal/private video', async function () {
+    it('Should not display internal/private/password protected video', async function () {
       for (const basePath of watchVideoBasePaths) {
-        for (const id of [ privateVideoId, internalVideoId ]) {
+        for (const id of [ privateVideoId, internalVideoId, passwordProtectedVideoId ]) {
           const res = await makeGetRequest({
             url: servers[0].url,
             path: basePath + id,
@@ -514,6 +520,7 @@ describe('Test a client controllers', function () {
 
           expect(res.text).to.not.contain('internal')
           expect(res.text).to.not.contain('private')
+          expect(res.text).to.not.contain('password protected')
         }
       }
     })
diff --git a/server/tests/feeds/feeds.ts b/server/tests/feeds/feeds.ts
index 8433c873e..83a85be58 100644
--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@@ -99,6 +99,13 @@ describe('Test syndication feeds', () => {
       await servers[0].comments.createThread({ videoId: id, text: 'comment on unlisted video' })
     }
 
+    {
+      const attributes = { name: 'password protected video', privacy: VideoPrivacy.PASSWORD_PROTECTED, videoPasswords: [ 'password' ] }
+      const { id } = await servers[0].videos.upload({ attributes })
+
+      await servers[0].comments.createThread({ videoId: id, text: 'comment on password protected video' })
+    }
+
     await serverHLSOnly.videos.upload({ attributes: { name: 'hls only video' } })
 
     await waitJobs([ ...servers, serverHLSOnly ])
@@ -445,7 +452,7 @@ describe('Test syndication feeds', () => {
 
   describe('Video comments feed', function () {
 
-    it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted videos', async function () {
+    it('Should contain valid comments (covers JSON feed 1.0 endpoint) and not from unlisted/password protected videos', async function () {
       for (const server of servers) {
         const json = await server.feed.getJSON({ feed: 'video-comments', ignoreCache: true })