Merge branch 'release/v1.2.0'

9 files changed, 242 insertions, 69 deletions

diff --git a/support/doc/api/openapi.yaml b/support/doc/api/openapi.yaml
index 9848c93ee..f2bb945f9 100644
--- a/support/doc/api/openapi.yaml
+++ b/support/doc/api/openapi.yaml
@@ -1,7 +1,7 @@
 openapi: 3.0.0
 info:
   title: PeerTube
-  version: 1.1.0
+  version: 1.2.0
   contact:
     name: PeerTube Community
     url: 'https://joinpeertube.org'
@@ -23,7 +23,7 @@ info:
 
     # Authentication
     When you sign up for an account, you are given the possibility to generate
-    sessions, and authenticate using this session token. One session token can 
+    sessions, and authenticate using this session token. One session token can
     currently be used at a time.
 
     # Errors
@@ -61,7 +61,7 @@ tags:
     description: >
       Managing servers which the instance interacts with is crucial to the
       concept of federation in PeerTube and external video indexation. The PeerTube
-      server then deals with inter-server ActivityPub operations and propagates 
+      server then deals with inter-server ActivityPub operations and propagates
       information across its social graph by posting activities to actors' inbox
       endpoints.
   - name: Video Abuse
@@ -492,7 +492,8 @@ paths:
     get:
       summary: Get current user information
       security:
-        - OAuth2: []
+        - OAuth2:
+          - user
       tags:
         - User
       responses:
@@ -507,7 +508,8 @@ paths:
     put:
       summary: Update current user information
       security:
-        - OAuth2: []
+        - OAuth2:
+          - user
       tags:
         - User
       responses:
@@ -523,7 +525,8 @@ paths:
     get:
       summary: Get current user used quota
       security:
-        - OAuth2: []
+        - OAuth2:
+          - user
       tags:
         - User
       responses:
@@ -558,7 +561,71 @@ paths:
     get:
       summary: Get videos of the current user
       security:
-        - OAuth2: []
+        - OAuth2:
+          - user
+      tags:
+        - User
+      parameters:
+        - $ref: '#/components/parameters/start'
+        - $ref: '#/components/parameters/count'
+        - $ref: '#/components/parameters/sort'
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Video'
+  /users/me/subscriptions:
+    get:
+      summary: Get subscriptions of the current user
+      security:
+        - OAuth2:
+            - user
+      tags:
+        - User
+      parameters:
+        - $ref: '#/components/parameters/start'
+        - $ref: '#/components/parameters/count'
+        - $ref: '#/components/parameters/sort'
+      responses:
+        '200':
+          description: successful operation
+    post:
+      summary: Add subscription to the current user
+      security:
+        - OAuth2:
+            - user
+      tags:
+        - User
+      responses:
+        '200':
+          description: successful operation
+  /users/me/subscriptions/exist:
+    get:
+      summary: Get if subscriptions exist for the current user
+      security:
+        - OAuth2:
+            - user
+      tags:
+        - User
+      parameters:
+        - $ref: '#/components/parameters/subscriptionsUris'
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: object
+  /users/me/subscriptions/videos:
+    get:
+      summary: Get videos of subscriptions of the current user
+      security:
+        - OAuth2:
+          - user
       tags:
         - User
       parameters:
@@ -574,6 +641,31 @@ paths:
                 type: array
                 items:
                   $ref: '#/components/schemas/Video'
+  '/users/me/subscriptions/{uri}':
+    get:
+      summary: Get subscription of the current user for a given uri
+      security:
+        - OAuth2:
+            - user
+      tags:
+        - User
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/VideoChannel'
+    delete:
+      summary: Delete subscription of the current user for a given uri
+      security:
+        - OAuth2:
+            - user
+      tags:
+        - User
+      responses:
+        '200':
+          description: successful operation
   /users/register:
     post:
       summary: Register a user
@@ -751,7 +843,9 @@ paths:
                   type: string
                 tags:
                   description: Video tags
-                  type: string
+                  type: array
+                  items:
+                    type: string
                 commentsEnabled:
                   description: Enable or disable comments for this video
                   type: string
@@ -820,7 +914,7 @@ paths:
           $ref: '#/paths/~1users~1me/put/responses/204'
   '/videos/{id}/watching':
     put:
-      summary: Indicate progress of in watching the video by its id for a user
+      summary: Set watching progress of a video by its id for a user
       tags:
         - Video
       security:
@@ -958,7 +1052,9 @@ paths:
                   type: string
                 tags:
                   description: Video tags
-                  type: string
+                  type: array
+                  items:
+                    type: string
                 commentsEnabled:
                   description: Enable or disable comments for this video
                   type: string
@@ -1434,6 +1530,8 @@ components:
         - type: array
           items:
             type: number
+      style: form
+      explode: false
     tagsOneOf:
       name: tagsOneOf
       in: query
@@ -1445,6 +1543,8 @@ components:
         - type: array
           items:
             type: string
+      style: form
+      explode: false
     tagsAllOf:
       name: tagsAllOf
       in: query
@@ -1456,6 +1556,8 @@ components:
         - type: array
           items:
             type: string
+      style: form
+      explode: false
     languageOneOf:
       name: languageOneOf
       in: query
@@ -1463,10 +1565,12 @@ components:
       description: language id of the video
       schema:
         oneOf:
-        - type: number
+        - type: string
         - type: array
           items:
-            type: number
+            type: string
+      style: form
+      explode: false
     licenceOneOf:
       name: licenceOneOf
       in: query
@@ -1478,6 +1582,8 @@ components:
         - type: array
           items:
             type: number
+      style: form
+      explode: false
     nsfw:
       name: nsfw
       in: query
@@ -1501,6 +1607,15 @@ components:
         enum:
         - local
         - all-local
+    subscriptionsUris:
+      name: uris
+      in: query
+      required: true
+      description: list of uris to check if each is part of the user subscriptions
+      schema:
+        type: array
+        items:
+          type: string
   requestBodies:
     VideoChannelInput:
       content:
diff --git a/support/doc/tools.md b/support/doc/tools.md
index 1c7739525..1a9ba7d2b 100644
--- a/support/doc/tools.md
+++ b/support/doc/tools.md
@@ -4,13 +4,13 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**  
 
-- [CLI wrapper](#cli-wrapper)
 - [Remote Tools](#remote-tools)
   - [Dependencies](#dependencies)
   - [Installation](#installation)
-  - [peertube-import-videos.js](#peertube-import-videosjs)
-  - [peertube-upload.js](#peertube-uploadjs)
-  - [peertube-watch.js](#peertube-watchjs)
+  - [CLI wrapper](#cli-wrapper)
+    - [peertube-import-videos.js](#peertube-import-videosjs)
+    - [peertube-upload.js](#peertube-uploadjs)
+    - [peertube-watch.js](#peertube-watchjs)
 - [Server tools](#server-tools)
   - [parse-log](#parse-log)
   - [create-transcoding-job.js](#create-transcoding-jobjs)
@@ -26,9 +26,41 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-## CLI wrapper
+## Remote Tools
+
+You need at least 512MB RAM to run the script.
+Scripts can be launched directly from a PeerTube server, or from a separate server, even a desktop PC.
+You need to follow all the following steps even if you are on a PeerTube server (including cloning the git repository in a different directory than your production installation because the scripts utilize non-production dependencies).
+
+### Dependencies
+
+Install the [PeerTube dependencies](dependencies.md).
+
+### Installation
+
+Clone the PeerTube repo to get the latest version (even if you are on your PeerTube server):
+
+```
+$ git clone https://github.com/Chocobozzz/PeerTube.git
+$ CLONE="$(pwd)/PeerTube"
+```
+
+Run ``yarn install --pure-lockfile``
+```
+$ cd ${CLONE}
+$ yarn install --pure-lockfile
+```
+
+Build server tools:
+```
+$ cd ${CLONE}
+$ npm run build:server
+```
+
+### CLI wrapper
 
-The wrapper provides a convenient interface to most scripts, and requires the [same dependencies](#dependencies). You can access it as `peertube` via an alias in your `.bashrc` like `alias peertube="node ${PEERTUBE_PATH}/dist/server/tools/peertube.js"`:
+The wrapper provides a convenient interface to the following scripts.
+You can access it as `peertube` via an alias in your `.bashrc` like `alias peertube="cd /your/peertube/directory/ && node ./dist/server/tools/peertube.js"` (you have to keep the `cd` command):
 
 ```
   Usage: peertube [command] [options]
@@ -51,12 +83,12 @@ The wrapper provides a convenient interface to most scripts, and requires the [s
 The wrapper can keep track of instances you have an account on. We limit to one account per instance for now.
 
 ```bash
-$ peertube auth add -u "PEERTUBE_URL" -U "PEERTUBE_USER" --password "PEERTUBE_PASSWORD"
+$ peertube auth add -u 'PEERTUBE_URL' -U 'PEERTUBE_USER' --password 'PEERTUBE_PASSWORD'
 $ peertube auth list
 ┌──────────────────────────────┬──────────────────────────────┐
 │ instance                     │ login                        │
 ├──────────────────────────────┼──────────────────────────────┤
-│ "PEERTUBE_URL"               │ "PEERTUBE_USER"              │
+│ 'PEERTUBE_URL'               │ 'PEERTUBE_USER'              │
 └──────────────────────────────┴──────────────────────────────┘
 ```
 
@@ -72,53 +104,22 @@ And now that your video is online, you can watch it from the confort of your ter
 $ peertube watch https://peertube.cpy.re/videos/watch/e8a1af4e-414a-4d58-bfe6-2146eed06d10
 ```
 
-## Remote Tools
-
-You need at least 512MB RAM to run the script.
-Scripts can be launched directly from a PeerTube server, or from a separate server, even a desktop PC.
-You need to follow all the following steps even if you are on a PeerTube server (including cloning the git repository in a different directory than your production installation because the scripts utilize non-production dependencies).
-
-### Dependencies
-
-Install the [PeerTube dependencies](dependencies.md).
-
-### Installation
-
-Clone the PeerTube repo to get the latest version (even if you are on your PeerTube server):
-
-```
-$ git clone https://github.com/Chocobozzz/PeerTube.git
-$ CLONE="$(pwd)/PeerTube"
-```
-
-Run ``yarn install``
-```
-$ cd ${CLONE}
-$ yarn install
-```
-
-Build server tools:
-```
-$ cd ${CLONE}
-$ npm run build:server
-```
-
-### peertube-import-videos.js
+#### peertube-import-videos.js
 
 You can use this script to import videos from all [supported sites of youtube-dl](https://rg3.github.io/youtube-dl/supportedsites.html) into PeerTube.  
 Be sure you own the videos or have the author's authorization to do so.
 
 ```sh
 $ node dist/server/tools/peertube-import-videos.js \
-    -u "PEERTUBE_URL" \
-    -U "PEERTUBE_USER" \
-    --password "PEERTUBE_PASSWORD" \
-    -t "TARGET_URL"
+    -u 'PEERTUBE_URL' \
+    -U 'PEERTUBE_USER' \
+    --password 'PEERTUBE_PASSWORD' \
+    -t 'TARGET_URL'
 ```
 
 * `PEERTUBE_URL` : the full URL of your PeerTube server where you want to import, eg: https://peertube.cpy.re
 * `PEERTUBE_USER` : your PeerTube account where videos will be uploaded
-* `PEERTUBE_PASSWORD` : password of your PeerTube account (if omitted, you will be prompted for it)
+* `PEERTUBE_PASSWORD` : password of your PeerTube account (if `PEERTUBE_PASSWORD` is omitted, you will be prompted for it)
 * `TARGET_URL` : the target url you want to import. Examples:
   * YouTube:
     * Channel: https://www.youtube.com/channel/ChannelId
@@ -133,7 +134,7 @@ Already downloaded videos will not be uploaded twice, so you can run and re-run
 Videos will be publicly available after transcoding (you can see them before that in your account on the web interface).
 
 
-### peertube-upload.js
+#### peertube-upload.js
 
 You can use this script to import videos directly from the CLI.
 
@@ -144,7 +145,7 @@ $ cd ${CLONE}
 $ node dist/server/tools/peertube-upload.js --help
 ```
 
-### peertube-watch.js
+#### peertube-watch.js
 
 You can use this script to play videos directly from the CLI.
 
@@ -198,10 +199,10 @@ $ sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production
 ### prune-storage.js
 
 Some transcoded videos or shutdown at a bad time can leave some unused files on your storage.
-To delete them (a confirmation will be demanded first):
+Stop PeerTube and delete these files (a confirmation will be demanded first):
 
 ```
-$ sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run prune-storage
+$ sudo systemctl stop peertube && sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run prune-storage
 ```
 
 ### optimize-old-videos.js
diff --git a/support/docker/production/.env b/support/docker/production/.env
index f27def3b4..802d6b2ca 100644
--- a/support/docker/production/.env
+++ b/support/docker/production/.env
@@ -18,3 +18,4 @@ PEERTUBE_ADMIN_EMAIL=admin@domain.tld
 # /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
 #PEERTUBE_SIGNUP_ENABLED=true
 #PEERTUBE_TRANSCODING_ENABLED=true
+#PEERTUBE_CONTACT_FORM_ENABLED=true
diff --git a/support/docker/production/config/custom-environment-variables.yaml b/support/docker/production/config/custom-environment-variables.yaml
index cfc30632c..8604939aa 100644
--- a/support/docker/production/config/custom-environment-variables.yaml
+++ b/support/docker/production/config/custom-environment-variables.yaml
@@ -50,6 +50,11 @@ user:
 admin:
   email: "PEERTUBE_ADMIN_EMAIL"
 
+contact_form:
+  enabled:
+    __name: "PEERTUBE_CONTACT_FORM_ENABLED"
+    __format: "json"
+
 signup:
   enabled:
     __name: "PEERTUBE_SIGNUP_ENABLED"
@@ -101,9 +106,11 @@ transcoding:
     1080:
       __name: "PEERTUBE_TRANSCODING_1080P"
       __format: "json"
-    
 
 instance:
   name: "PEERTUBE_INSTANCE_NAME"
   description: "PEERTUBE_INSTANCE_DESCRIPTION"
   terms: "PEERTUBE_INSTANCE_TERMS"
+
+services:
+  csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"
diff --git a/support/docker/production/config/production.yaml b/support/docker/production/config/production.yaml
index 4970bbcca..846c838e8 100644
--- a/support/docker/production/config/production.yaml
+++ b/support/docker/production/config/production.yaml
@@ -32,8 +32,10 @@ redis:
 
 # From the project root directory
 storage:
+  tmp: '../data/tmp/'
   avatars: '../data/avatars/'
   videos: '../data/videos/'
+  redundancy: '../data/redundancy/'
   logs: '../data/logs/'
   previews: '../data/previews/'
   thumbnails: '../data/thumbnails/'
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh
index 6dbbfddf6..7dd626b9f 100755
--- a/support/docker/production/docker-entrypoint.sh
+++ b/support/docker/production/docker-entrypoint.sh
@@ -9,7 +9,7 @@ fi
 # Always copy default and custom env configuration file, in cases where new keys were added
 cp /app/config/default.yaml /config
 cp /app/support/docker/production/config/custom-environment-variables.yaml /config
-chown -R peertube:peertube /config
+find /config ! -user peertube -exec chown peertube:peertube {} \;
 
 # first arg is `-f` or `--some-option`
 # or first arg is `something.conf`
@@ -19,7 +19,7 @@ fi
 
 # allow the container to be started with `--user`
 if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
-    chown -R peertube:peertube /data
+    find /data ! -user peertube -exec  chown peertube:peertube {} \;
     exec gosu peertube "$0" "$@"
 fi
 
diff --git a/support/freebsd/peertube b/support/freebsd/peertube
index 78fdf5848..5d14c58ae 100755
--- a/support/freebsd/peertube
+++ b/support/freebsd/peertube
@@ -16,6 +16,7 @@ load_rc_config $name
 
 : ${peertube_enable:=NO}
 
+sig_stop=-KILL
 peertube_chdir="/var/www/peertube/peertube-latest"
 peertube_env="HOME=/var/www/peertube \
 NODE_ENV=production \
@@ -23,7 +24,7 @@ NODE_CONFIG_DIR=/var/www/peertube/config \
 USER=peertube"
 peertube_user=peertube
 
-command="/usr/local/bin/npm"
-command_args="start >> /var/log/peertube/${name}.log 2>&1 &"
+command="/usr/local/bin/node"
+command_args="dist/server >> /var/log/peertube/${name}.log 2>&1 &"
 
 run_rc_command "$1"
diff --git a/support/nginx/peertube b/support/nginx/peertube
index b00031133..54ffdcc32 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -96,8 +96,18 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-    # Hard limit, PeerTube does not support videos > 8GB
+    # This is the maximum upload size, which roughly matches the maximum size of a video file
+    # you can send via the API or the web interface. By default this is 8GB, but administrators
+    # can increase or decrease the limit. Currently there's no way to communicate this limit
+    # to users automatically, so you may want to leave a note in your instance 'about' page if
+    # you change this.
+    #
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    #
     client_max_body_size 8G;
+
     proxy_connect_timeout       600;
     proxy_send_timeout          600;
     proxy_read_timeout          600;
@@ -105,7 +115,7 @@ server {
   }
 
   # Bypass PeerTube for performance reasons. Could be removed
-  location /static/webseed {
+  location ~ ^/static/(webseed|redundancy)/ {
     # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
     limit_rate 800k;
 
@@ -128,7 +138,12 @@ server {
       access_log off;
     }
 
-    alias /var/www/peertube/storage/videos;
+    root /var/www/peertube/storage;
+
+    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
+    rewrite ^/static/redundancy/(.*)$ /redundancy/$1 break;
+
+    try_files $uri /;
   }
 
   # Websocket tracker
@@ -143,4 +158,16 @@ server {
     proxy_set_header Host $host;
     proxy_pass http://localhost:9000;
   }
+
+  location /socket.io {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+
+    proxy_pass http://localhost:9000;
+
+    # enable WebSockets
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
 }
diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index 88856385c..fba644788 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -15,5 +15,24 @@ StandardError=syslog
 SyslogIdentifier=peertube
 Restart=always
 
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace,
+; which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
 [Install]
 WantedBy=multi-user.target