aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--server/controllers/api/videos/token.ts2
-rw-r--r--server/lib/plugins/plugin-helpers-builder.ts2
-rw-r--r--server/lib/video-tokens-manager.ts22
-rw-r--r--server/middlewares/validators/shared/videos.ts12
-rw-r--r--server/tests/fixtures/peertube-plugin-test/main.js5
-rw-r--r--server/tests/plugins/filter-hooks.ts47
-rw-r--r--server/types/express.d.ts5
7 files changed, 64 insertions, 31 deletions
diff --git a/server/controllers/api/videos/token.ts b/server/controllers/api/videos/token.ts
index 009b6dfb6..22387c3e8 100644
--- a/server/controllers/api/videos/token.ts
+++ b/server/controllers/api/videos/token.ts
@@ -22,7 +22,7 @@ export {
22function generateToken (req: express.Request, res: express.Response) { 22function generateToken (req: express.Request, res: express.Response) {
23 const video = res.locals.onlyVideo 23 const video = res.locals.onlyVideo
24 24
25 const { token, expires } = VideoTokensManager.Instance.create(video.uuid) 25 const { token, expires } = VideoTokensManager.Instance.create({ videoUUID: video.uuid, user: res.locals.oauth.token.User })
26 26
27 return res.json({ 27 return res.json({
28 files: { 28 files: {
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts
index 7b1def6e3..e75c0b994 100644
--- a/server/lib/plugins/plugin-helpers-builder.ts
+++ b/server/lib/plugins/plugin-helpers-builder.ts
@@ -245,7 +245,7 @@ function buildUserHelpers () {
245 }, 245 },
246 246
247 getAuthUser: (res: express.Response) => { 247 getAuthUser: (res: express.Response) => {
248 const user = res.locals.oauth?.token?.User 248 const user = res.locals.oauth?.token?.User || res.locals.videoFileToken?.user
249 if (!user) return undefined 249 if (!user) return undefined
250 250
251 return UserModel.loadByIdFull(user.id) 251 return UserModel.loadByIdFull(user.id)
diff --git a/server/lib/video-tokens-manager.ts b/server/lib/video-tokens-manager.ts
index c43085d16..17aa29cdd 100644
--- a/server/lib/video-tokens-manager.ts
+++ b/server/lib/video-tokens-manager.ts
@@ -1,5 +1,7 @@
1import LRUCache from 'lru-cache' 1import LRUCache from 'lru-cache'
2import { LRU_CACHE } from '@server/initializers/constants' 2import { LRU_CACHE } from '@server/initializers/constants'
3import { MUserAccountUrl } from '@server/types/models'
4import { pick } from '@shared/core-utils'
3import { buildUUID } from '@shared/extra-utils' 5import { buildUUID } from '@shared/extra-utils'
4 6
5// --------------------------------------------------------------------------- 7// ---------------------------------------------------------------------------
@@ -10,19 +12,22 @@ class VideoTokensManager {
10 12
11 private static instance: VideoTokensManager 13 private static instance: VideoTokensManager
12 14
13 private readonly lruCache = new LRUCache<string, string>({ 15 private readonly lruCache = new LRUCache<string, { videoUUID: string, user: MUserAccountUrl }>({
14 max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE, 16 max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE,
15 ttl: LRU_CACHE.VIDEO_TOKENS.TTL 17 ttl: LRU_CACHE.VIDEO_TOKENS.TTL
16 }) 18 })
17 19
18 private constructor () {} 20 private constructor () {}
19 21
20 create (videoUUID: string) { 22 create (options: {
23 user: MUserAccountUrl
24 videoUUID: string
25 }) {
21 const token = buildUUID() 26 const token = buildUUID()
22 27
23 const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL) 28 const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL)
24 29
25 this.lruCache.set(token, videoUUID) 30 this.lruCache.set(token, pick(options, [ 'user', 'videoUUID' ]))
26 31
27 return { token, expires } 32 return { token, expires }
28 } 33 }
@@ -34,7 +39,16 @@ class VideoTokensManager {
34 const value = this.lruCache.get(options.token) 39 const value = this.lruCache.get(options.token)
35 if (!value) return false 40 if (!value) return false
36 41
37 return value === options.videoUUID 42 return value.videoUUID === options.videoUUID
43 }
44
45 getUserFromToken (options: {
46 token: string
47 }) {
48 const value = this.lruCache.get(options.token)
49 if (!value) return undefined
50
51 return value.user
38 } 52 }
39 53
40 static get Instance () { 54 static get Instance () {
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index ebbfc0a0a..0033a32ff 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -180,18 +180,16 @@ async function checkCanAccessVideoStaticFiles (options: {
180 return checkCanSeeVideo(options) 180 return checkCanSeeVideo(options)
181 } 181 }
182 182
183 if (!video.hasPrivateStaticPath()) return true
184
185 const videoFileToken = req.query.videoFileToken 183 const videoFileToken = req.query.videoFileToken
186 if (!videoFileToken) { 184 if (videoFileToken && VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
187 res.sendStatus(HttpStatusCode.FORBIDDEN_403) 185 const user = VideoTokensManager.Instance.getUserFromToken({ token: videoFileToken })
188 return false
189 }
190 186
191 if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) { 187 res.locals.videoFileToken = { user }
192 return true 188 return true
193 } 189 }
194 190
191 if (!video.hasPrivateStaticPath()) return true
192
195 res.sendStatus(HttpStatusCode.FORBIDDEN_403) 193 res.sendStatus(HttpStatusCode.FORBIDDEN_403)
196 return false 194 return false
197} 195}
diff --git a/server/tests/fixtures/peertube-plugin-test/main.js b/server/tests/fixtures/peertube-plugin-test/main.js
index 19dccf26e..19ba9f278 100644
--- a/server/tests/fixtures/peertube-plugin-test/main.js
+++ b/server/tests/fixtures/peertube-plugin-test/main.js
@@ -250,7 +250,10 @@ async function register ({ registerHook, registerSetting, settingsManager, stora
250 250
251 registerHook({ 251 registerHook({
252 target: 'filter:api.download.video.allowed.result', 252 target: 'filter:api.download.video.allowed.result',
253 handler: (result, params) => { 253 handler: async (result, params) => {
254 const loggedInUser = await peertubeHelpers.user.getAuthUser(params.res)
255 if (loggedInUser) return { allowed: true }
256
254 if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) { 257 if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) {
255 return { allowed: false, errorMessage: 'Cao Cao' } 258 return { allowed: false, errorMessage: 'Cao Cao' }
256 } 259 }
diff --git a/server/tests/plugins/filter-hooks.ts b/server/tests/plugins/filter-hooks.ts
index 083fd43ca..6724b3bf8 100644
--- a/server/tests/plugins/filter-hooks.ts
+++ b/server/tests/plugins/filter-hooks.ts
@@ -430,6 +430,7 @@ describe('Test plugin filter hooks', function () {
430 430
431 describe('Download hooks', function () { 431 describe('Download hooks', function () {
432 const downloadVideos: VideoDetails[] = [] 432 const downloadVideos: VideoDetails[] = []
433 let downloadVideo2Token: string
433 434
434 before(async function () { 435 before(async function () {
435 this.timeout(120000) 436 this.timeout(120000)
@@ -459,6 +460,8 @@ describe('Test plugin filter hooks', function () {
459 for (const uuid of uuids) { 460 for (const uuid of uuids) {
460 downloadVideos.push(await servers[0].videos.get({ id: uuid })) 461 downloadVideos.push(await servers[0].videos.get({ id: uuid }))
461 } 462 }
463
464 downloadVideo2Token = await servers[0].videoToken.getVideoFileToken({ videoId: downloadVideos[2].uuid })
462 }) 465 })
463 466
464 it('Should run filter:api.download.torrent.allowed.result', async function () { 467 it('Should run filter:api.download.torrent.allowed.result', async function () {
@@ -471,32 +474,42 @@ describe('Test plugin filter hooks', function () {
471 474
472 it('Should run filter:api.download.video.allowed.result', async function () { 475 it('Should run filter:api.download.video.allowed.result', async function () {
473 { 476 {
474 const res = await makeRawRequest({ url: downloadVideos[1].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) 477 const refused = downloadVideos[1].files[0].fileDownloadUrl
478 const allowed = [
479 downloadVideos[0].files[0].fileDownloadUrl,
480 downloadVideos[2].files[0].fileDownloadUrl
481 ]
482
483 const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
475 expect(res.body.error).to.equal('Cao Cao') 484 expect(res.body.error).to.equal('Cao Cao')
476 485
477 await makeRawRequest({ url: downloadVideos[0].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) 486 for (const url of allowed) {
478 await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) 487 await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
488 await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
489 }
479 } 490 }
480 491
481 { 492 {
482 const res = await makeRawRequest({ 493 const refused = downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl
483 url: downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl,
484 expectedStatus: HttpStatusCode.FORBIDDEN_403
485 })
486 494
487 expect(res.body.error).to.equal('Sun Jian') 495 const allowed = [
496 downloadVideos[2].files[0].fileDownloadUrl,
497 downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl,
498 downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl
499 ]
488 500
489 await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 }) 501 // Only streaming playlist is refuse
502 const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
503 expect(res.body.error).to.equal('Sun Jian')
490 504
491 await makeRawRequest({ 505 // But not we there is a user in res
492 url: downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl, 506 await makeRawRequest({ url: refused, token: servers[0].accessToken, expectedStatus: HttpStatusCode.OK_200 })
493 expectedStatus: HttpStatusCode.OK_200 507 await makeRawRequest({ url: refused, query: { videoFileToken: downloadVideo2Token }, expectedStatus: HttpStatusCode.OK_200 })
494 })
495 508
496 await makeRawRequest({ 509 // Other files work
497 url: downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl, 510 for (const url of allowed) {
498 expectedStatus: HttpStatusCode.OK_200 511 await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
499 }) 512 }
500 } 513 }
501 }) 514 })
502 }) 515 })
diff --git a/server/types/express.d.ts b/server/types/express.d.ts
index 3738ffc47..99244d2a0 100644
--- a/server/types/express.d.ts
+++ b/server/types/express.d.ts
@@ -10,6 +10,7 @@ import {
10 MChannelBannerAccountDefault, 10 MChannelBannerAccountDefault,
11 MChannelSyncChannel, 11 MChannelSyncChannel,
12 MStreamingPlaylist, 12 MStreamingPlaylist,
13 MUserAccountUrl,
13 MVideoChangeOwnershipFull, 14 MVideoChangeOwnershipFull,
14 MVideoFile, 15 MVideoFile,
15 MVideoFormattableDetails, 16 MVideoFormattableDetails,
@@ -187,6 +188,10 @@ declare module 'express' {
187 actor: MActorAccountChannelId 188 actor: MActorAccountChannelId
188 } 189 }
189 190
191 videoFileToken?: {
192 user: MUserAccountUrl
193 }
194
190 authenticated?: boolean 195 authenticated?: boolean
191 196
192 registeredPlugin?: RegisteredPlugin 197 registeredPlugin?: RegisteredPlugin