Fix private video download

author: Chocobozzz <me@florianbigard.com> 2019-12-03 10:41:23 +0100
committer: Chocobozzz <me@florianbigard.com> 2019-12-03 10:41:23 +0100
commit: eccf70f020cb8b0d9ceddc2561713ccfddb72095 (patch)
tree: bae9d9285a00c2958666becbb50427cabcea7aed /server
parent: 3f6b7aa1cfa28ee02eec8c8ab16b623f2bbab928 (diff)
download: PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.tar.gz
PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.tar.zst
PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.zip
3 files changed, 15 insertions, 13 deletions
diff --git a/server/controllers/static.ts b/server/controllers/static.ts
index 7c900be92..0aab12756 100644
--- a/server/controllers/static.ts
+++ b/server/controllers/static.ts
@@ -10,7 +10,7 @@ import {
  WEBSERVER
 } from '../initializers/constants'
 import { cacheRoute } from '../middlewares/cache'
-import { asyncMiddleware, videosGetValidator } from '../middlewares'
+import { asyncMiddleware, videosDownloadValidator } from '../middlewares'
 import { VideoModel } from '../models/video/video'
 import { UserModel } from '../models/account/user'
 import { VideoCommentModel } from '../models/video/video-comment'
@@ -39,12 +39,12 @@ staticRouter.use(
 )
 staticRouter.use(
  STATIC_DOWNLOAD_PATHS.TORRENTS + ':id-:resolution([0-9]+).torrent',
-  asyncMiddleware(videosGetValidator),
+  asyncMiddleware(videosDownloadValidator),
  asyncMiddleware(downloadTorrent)
 )
 staticRouter.use(
  STATIC_DOWNLOAD_PATHS.TORRENTS + ':id-:resolution([0-9]+)-hls.torrent',
-  asyncMiddleware(videosGetValidator),
+  asyncMiddleware(videosDownloadValidator),
  asyncMiddleware(downloadHLSVideoFileTorrent)
 )
@@ -62,13 +62,13 @@ staticRouter.use(
 staticRouter.use(
  STATIC_DOWNLOAD_PATHS.VIDEOS + ':id-:resolution([0-9]+).:extension',
-  asyncMiddleware(videosGetValidator),
+  asyncMiddleware(videosDownloadValidator),
  asyncMiddleware(downloadVideoFile)
 )
 staticRouter.use(
  STATIC_DOWNLOAD_PATHS.HLS_VIDEOS + ':id-:resolution([0-9]+)-fragmented.:extension',
-  asyncMiddleware(videosGetValidator),
+  asyncMiddleware(videosDownloadValidator),
  asyncMiddleware(downloadHLSVideoFile)
 )
diff --git a/server/middlewares/oauth.ts b/server/middlewares/oauth.ts
index 77fb305dd..bb90dac47 100644
--- a/server/middlewares/oauth.ts
+++ b/server/middlewares/oauth.ts
@@ -12,8 +12,10 @@ const oAuthServer = new OAuthServer({
  model: require('../lib/oauth-model')
 })
-function authenticate (req: express.Request, res: express.Response, next: express.NextFunction) {
+function authenticate (req: express.Request, res: express.Response, next: express.NextFunction, authenticateInQuery = false) {
-  oAuthServer.authenticate()(req, res, err => {
+  const options = authenticateInQuery ? { allowBearerTokensInQueryString: true } : {}
+  oAuthServer.authenticate(options)(req, res, err => {
    if (err) {
      logger.warn('Cannot authenticate.', { err })
@@ -50,16 +52,14 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
    })
 }
-function authenticatePromiseIfNeeded (req: express.Request, res: express.Response) {
+function authenticatePromiseIfNeeded (req: express.Request, res: express.Response, authenticateInQuery = false) {
  return new Promise(resolve => {
    // Already authenticated? (or tried to)
    if (res.locals.oauth && res.locals.oauth.token.User) return resolve()
    if (res.locals.authenticated === false) return res.sendStatus(401)
-    authenticate(req, res, () => {
+    authenticate(req, res, () => resolve(), authenticateInQuery)
-      return resolve()
-    })
  })
 }
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 53a2f193d..ab984d84a 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -147,7 +147,7 @@ async function checkVideoFollowConstraints (req: express.Request, res: express.R
            })
 }
-const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-with-rights') => {
+const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-with-rights', authenticateInQuery = false) => {
  return [
    param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -162,7 +162,7 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-
      // Video private or blacklisted
      if (video.privacy === VideoPrivacy.PRIVATE || videoAll.VideoBlacklist) {
-        await authenticatePromiseIfNeeded(req, res)
+        await authenticatePromiseIfNeeded(req, res, authenticateInQuery)
        const user = res.locals.oauth ? res.locals.oauth.token.User : null
@@ -193,6 +193,7 @@ const videosCustomGetValidator = (fetchType: 'all' | 'only-video' | 'only-video-
 }
 const videosGetValidator = videosCustomGetValidator('all')
+const videosDownloadValidator = videosCustomGetValidator('all', true)
 const videosRemoveValidator = [
  param('id').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid id'),
@@ -407,6 +408,7 @@ export {
  videosAddValidator,
  videosUpdateValidator,
  videosGetValidator,
+  videosDownloadValidator,
  checkVideoFollowConstraints,
  videosCustomGetValidator,
  videosRemoveValidator,
author	Chocobozzz <me@florianbigard.com>	2019-12-03 10:41:23 +0100
committer	Chocobozzz <me@florianbigard.com>	2019-12-03 10:41:23 +0100
commit	eccf70f020cb8b0d9ceddc2561713ccfddb72095 (patch)
tree	bae9d9285a00c2958666becbb50427cabcea7aed /server
parent	3f6b7aa1cfa28ee02eec8c8ab16b623f2bbab928 (diff)
download	PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.tar.gz PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.tar.zst PeerTube-eccf70f020cb8b0d9ceddc2561713ccfddb72095.zip