26 files changed, 474 insertions, 151 deletions

diff --git a/server/lib/auth/external-auth.ts b/server/lib/auth/external-auth.ts
index 053112801..bc5b74257 100644
--- a/server/lib/auth/external-auth.ts
+++ b/server/lib/auth/external-auth.ts
@@ -1,26 +1,35 @@
 
-import { isUserDisplayNameValid, isUserRoleValid, isUserUsernameValid } from '@server/helpers/custom-validators/users'
+import {
+  isUserAdminFlagsValid,
+  isUserDisplayNameValid,
+  isUserRoleValid,
+  isUserUsernameValid,
+  isUserVideoQuotaDailyValid,
+  isUserVideoQuotaValid
+} from '@server/helpers/custom-validators/users'
 import { logger } from '@server/helpers/logger'
 import { generateRandomString } from '@server/helpers/utils'
 import { PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME } from '@server/initializers/constants'
 import { PluginManager } from '@server/lib/plugins/plugin-manager'
 import { OAuthTokenModel } from '@server/models/oauth/oauth-token'
+import { MUser } from '@server/types/models'
 import {
   RegisterServerAuthenticatedResult,
   RegisterServerAuthPassOptions,
   RegisterServerExternalAuthenticatedResult
 } from '@server/types/plugins/register-server-auth.model'
-import { UserRole } from '@shared/models'
+import { UserAdminFlag, UserRole } from '@shared/models'
+import { BypassLogin } from './oauth-model'
+
+export type ExternalUser =
+  Pick<MUser, 'username' | 'email' | 'role' | 'adminFlags' | 'videoQuotaDaily' | 'videoQuota'> &
+  { displayName: string }
 
 // Token is the key, expiration date is the value
 const authBypassTokens = new Map<string, {
   expires: Date
-  user: {
-    username: string
-    email: string
-    displayName: string
-    role: UserRole
-  }
+  user: ExternalUser
+  userUpdater: RegisterServerAuthenticatedResult['userUpdater']
   authName: string
   npmName: string
 }>()
@@ -56,7 +65,8 @@ async function onExternalUserAuthenticated (options: {
     expires,
     user,
     npmName,
-    authName
+    authName,
+    userUpdater: authResult.userUpdater
   })
 
   // Cleanup expired tokens
@@ -78,7 +88,7 @@ async function getAuthNameFromRefreshGrant (refreshToken?: string) {
   return tokenModel?.authName
 }
 
-async function getBypassFromPasswordGrant (username: string, password: string) {
+async function getBypassFromPasswordGrant (username: string, password: string): Promise<BypassLogin> {
   const plugins = PluginManager.Instance.getIdAndPassAuths()
   const pluginAuths: { npmName?: string, registerAuthOptions: RegisterServerAuthPassOptions }[] = []
 
@@ -133,7 +143,8 @@ async function getBypassFromPasswordGrant (username: string, password: string) {
         bypass: true,
         pluginName: pluginAuth.npmName,
         authName: authOptions.authName,
-        user: buildUserResult(loginResult)
+        user: buildUserResult(loginResult),
+        userUpdater: loginResult.userUpdater
       }
     } catch (err) {
       logger.error('Error in auth method %s of plugin %s', authOptions.authName, pluginAuth.npmName, { err })
@@ -143,7 +154,7 @@ async function getBypassFromPasswordGrant (username: string, password: string) {
   return undefined
 }
 
-function getBypassFromExternalAuth (username: string, externalAuthToken: string) {
+function getBypassFromExternalAuth (username: string, externalAuthToken: string): BypassLogin {
   const obj = authBypassTokens.get(externalAuthToken)
   if (!obj) throw new Error('Cannot authenticate user with unknown bypass token')
 
@@ -167,33 +178,29 @@ function getBypassFromExternalAuth (username: string, externalAuthToken: string)
     bypass: true,
     pluginName: npmName,
     authName,
+    userUpdater: obj.userUpdater,
     user
   }
 }
 
 function isAuthResultValid (npmName: string, authName: string, result: RegisterServerAuthenticatedResult) {
-  if (!isUserUsernameValid(result.username)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid username.', authName, npmName, { username: result.username })
+  const returnError = (field: string) => {
+    logger.error('Auth method %s of plugin %s did not provide a valid %s.', authName, npmName, field, { [field]: result[field] })
     return false
   }
 
-  if (!result.email) {
-    logger.error('Auth method %s of plugin %s did not provide a valid email.', authName, npmName, { email: result.email })
-    return false
-  }
+  if (!isUserUsernameValid(result.username)) return returnError('username')
+  if (!result.email) return returnError('email')
 
-  // role is optional
-  if (result.role && !isUserRoleValid(result.role)) {
-    logger.error('Auth method %s of plugin %s did not provide a valid role.', authName, npmName, { role: result.role })
-    return false
-  }
+  // Following fields are optional
+  if (result.role && !isUserRoleValid(result.role)) return returnError('role')
+  if (result.displayName && !isUserDisplayNameValid(result.displayName)) return returnError('displayName')
+  if (result.adminFlags && !isUserAdminFlagsValid(result.adminFlags)) return returnError('adminFlags')
+  if (result.videoQuota && !isUserVideoQuotaValid(result.videoQuota + '')) return returnError('videoQuota')
+  if (result.videoQuotaDaily && !isUserVideoQuotaDailyValid(result.videoQuotaDaily + '')) return returnError('videoQuotaDaily')
 
-  // display name is optional
-  if (result.displayName && !isUserDisplayNameValid(result.displayName)) {
-    logger.error(
-      'Auth method %s of plugin %s did not provide a valid display name.',
-      authName, npmName, { displayName: result.displayName }
-    )
+  if (result.userUpdater && typeof result.userUpdater !== 'function') {
+    logger.error('Auth method %s of plugin %s did not provide a valid user updater function.', authName, npmName)
     return false
   }
 
@@ -205,7 +212,12 @@ function buildUserResult (pluginResult: RegisterServerAuthenticatedResult) {
     username: pluginResult.username,
     email: pluginResult.email,
     role: pluginResult.role ?? UserRole.USER,
-    displayName: pluginResult.displayName || pluginResult.username
+    displayName: pluginResult.displayName || pluginResult.username,
+
+    adminFlags: pluginResult.adminFlags ?? UserAdminFlag.NONE,
+
+    videoQuota: pluginResult.videoQuota,
+    videoQuotaDaily: pluginResult.videoQuotaDaily
   }
 }
 
diff --git a/server/lib/auth/oauth-model.ts b/server/lib/auth/oauth-model.ts
index 322b69e3a..43909284f 100644
--- a/server/lib/auth/oauth-model.ts
+++ b/server/lib/auth/oauth-model.ts
@@ -1,11 +1,13 @@
 import express from 'express'
 import { AccessDeniedError } from '@node-oauth/oauth2-server'
 import { PluginManager } from '@server/lib/plugins/plugin-manager'
+import { AccountModel } from '@server/models/account/account'
+import { AuthenticatedResultUpdaterFieldName, RegisterServerAuthenticatedResult } from '@server/types'
 import { MOAuthClient } from '@server/types/models'
 import { MOAuthTokenUser } from '@server/types/models/oauth/oauth-token'
-import { MUser } from '@server/types/models/user/user'
+import { MUser, MUserDefault } from '@server/types/models/user/user'
 import { pick } from '@shared/core-utils'
-import { UserRole } from '@shared/models/users/user-role'
+import { AttributesOnly } from '@shared/typescript-utils'
 import { logger } from '../../helpers/logger'
 import { CONFIG } from '../../initializers/config'
 import { OAuthClientModel } from '../../models/oauth/oauth-client'
@@ -13,6 +15,7 @@ import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { UserModel } from '../../models/user/user'
 import { findAvailableLocalActorName } from '../local-actor'
 import { buildUser, createUserAccountAndChannelAndPlaylist } from '../user'
+import { ExternalUser } from './external-auth'
 import { TokensCache } from './tokens-cache'
 
 type TokenInfo = {
@@ -26,12 +29,8 @@ export type BypassLogin = {
   bypass: boolean
   pluginName: string
   authName?: string
-  user: {
-    username: string
-    email: string
-    displayName: string
-    role: UserRole
-  }
+  user: ExternalUser
+  userUpdater: RegisterServerAuthenticatedResult['userUpdater']
 }
 
 async function getAccessToken (bearerToken: string) {
@@ -89,7 +88,9 @@ async function getUser (usernameOrEmail?: string, password?: string, bypassLogin
     logger.info('Bypassing oauth login by plugin %s.', bypassLogin.pluginName)
 
     let user = await UserModel.loadByEmail(bypassLogin.user.email)
+
     if (!user) user = await createUserFromExternal(bypassLogin.pluginName, bypassLogin.user)
+    else user = await updateUserFromExternal(user, bypassLogin.user, bypassLogin.userUpdater)
 
     // Cannot create a user
     if (!user) throw new AccessDeniedError('Cannot create such user: an actor with that name already exists.')
@@ -219,16 +220,11 @@ export {
 
 // ---------------------------------------------------------------------------
 
-async function createUserFromExternal (pluginAuth: string, options: {
-  username: string
-  email: string
-  role: UserRole
-  displayName: string
-}) {
-  const username = await findAvailableLocalActorName(options.username)
+async function createUserFromExternal (pluginAuth: string, userOptions: ExternalUser) {
+  const username = await findAvailableLocalActorName(userOptions.username)
 
   const userToCreate = buildUser({
-    ...pick(options, [ 'email', 'role' ]),
+    ...pick(userOptions, [ 'email', 'role', 'adminFlags', 'videoQuota', 'videoQuotaDaily' ]),
 
     username,
     emailVerified: null,
@@ -238,12 +234,57 @@ async function createUserFromExternal (pluginAuth: string, options: {
 
   const { user } = await createUserAccountAndChannelAndPlaylist({
     userToCreate,
-    userDisplayName: options.displayName
+    userDisplayName: userOptions.displayName
   })
 
   return user
 }
 
+async function updateUserFromExternal (
+  user: MUserDefault,
+  userOptions: ExternalUser,
+  userUpdater: RegisterServerAuthenticatedResult['userUpdater']
+) {
+  if (!userUpdater) return user
+
+  {
+    type UserAttributeKeys = keyof AttributesOnly<UserModel>
+    const mappingKeys: { [ id in UserAttributeKeys ]?: AuthenticatedResultUpdaterFieldName } = {
+      role: 'role',
+      adminFlags: 'adminFlags',
+      videoQuota: 'videoQuota',
+      videoQuotaDaily: 'videoQuotaDaily'
+    }
+
+    for (const modelKey of Object.keys(mappingKeys)) {
+      const pluginOptionKey = mappingKeys[modelKey]
+
+      const newValue = userUpdater({ fieldName: pluginOptionKey, currentValue: user[modelKey], newValue: userOptions[pluginOptionKey] })
+      user.set(modelKey, newValue)
+    }
+  }
+
+  {
+    type AccountAttributeKeys = keyof Partial<AttributesOnly<AccountModel>>
+    const mappingKeys: { [ id in AccountAttributeKeys ]?: AuthenticatedResultUpdaterFieldName } = {
+      name: 'displayName'
+    }
+
+    for (const modelKey of Object.keys(mappingKeys)) {
+      const optionKey = mappingKeys[modelKey]
+
+      const newValue = userUpdater({ fieldName: optionKey, currentValue: user.Account[modelKey], newValue: userOptions[optionKey] })
+      user.Account.set(modelKey, newValue)
+    }
+  }
+
+  logger.debug('Updated user %s with plugin userUpdated function.', user.email, { user, userOptions })
+
+  user.Account = await user.Account.save()
+
+  return user.save()
+}
+
 function checkUserValidityOrThrow (user: MUser) {
   if (user.blocked) throw new AccessDeniedError('User is blocked.')
 }
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts
index bc0d4301f..887c4f7c9 100644
--- a/server/lib/auth/oauth.ts
+++ b/server/lib/auth/oauth.ts
@@ -10,20 +10,32 @@ import OAuth2Server, {
 } from '@node-oauth/oauth2-server'
 import { randomBytesPromise } from '@server/helpers/core-utils'
 import { isOTPValid } from '@server/helpers/otp'
+import { CONFIG } from '@server/initializers/config'
+import { UserRegistrationModel } from '@server/models/user/user-registration'
 import { MOAuthClient } from '@server/types/models'
 import { sha1 } from '@shared/extra-utils'
-import { HttpStatusCode } from '@shared/models'
-import { OAUTH_LIFETIME, OTP } from '../../initializers/constants'
+import { HttpStatusCode, ServerErrorCode, UserRegistrationState } from '@shared/models'
+import { OTP } from '../../initializers/constants'
 import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
 
 class MissingTwoFactorError extends Error {
   code = HttpStatusCode.UNAUTHORIZED_401
-  name = 'missing_two_factor'
+  name = ServerErrorCode.MISSING_TWO_FACTOR
 }
 
 class InvalidTwoFactorError extends Error {
   code = HttpStatusCode.BAD_REQUEST_400
-  name = 'invalid_two_factor'
+  name = ServerErrorCode.INVALID_TWO_FACTOR
+}
+
+class RegistrationWaitingForApproval extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = ServerErrorCode.ACCOUNT_WAITING_FOR_APPROVAL
+}
+
+class RegistrationApprovalRejected extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = ServerErrorCode.ACCOUNT_APPROVAL_REJECTED
 }
 
 /**
@@ -32,8 +44,9 @@ class InvalidTwoFactorError extends Error {
  *
  */
 const oAuthServer = new OAuth2Server({
-  accessTokenLifetime: OAUTH_LIFETIME.ACCESS_TOKEN,
-  refreshTokenLifetime: OAUTH_LIFETIME.REFRESH_TOKEN,
+  // Wants seconds
+  accessTokenLifetime: CONFIG.OAUTH2.TOKEN_LIFETIME.ACCESS_TOKEN / 1000,
+  refreshTokenLifetime: CONFIG.OAUTH2.TOKEN_LIFETIME.REFRESH_TOKEN / 1000,
 
   // See https://github.com/oauthjs/node-oauth2-server/wiki/Model-specification for the model specifications
   model: require('./oauth-model')
@@ -126,7 +139,17 @@ async function handlePasswordGrant (options: {
   }
 
   const user = await getUser(request.body.username, request.body.password, bypassLogin)
-  if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  if (!user) {
+    const registration = await UserRegistrationModel.loadByEmailOrUsername(request.body.username)
+
+    if (registration?.state === UserRegistrationState.REJECTED) {
+      throw new RegistrationApprovalRejected('Registration approval for this account has been rejected')
+    } else if (registration?.state === UserRegistrationState.PENDING) {
+      throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval')
+    }
+
+    throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  }
 
   if (user.otpSecret) {
     if (!request.headers[OTP.HEADER_NAME]) {
@@ -182,10 +205,10 @@ function generateRandomToken () {
 
 function getTokenExpiresAt (type: 'access' | 'refresh') {
   const lifetime = type === 'access'
-    ? OAUTH_LIFETIME.ACCESS_TOKEN
-    : OAUTH_LIFETIME.REFRESH_TOKEN
+    ? CONFIG.OAUTH2.TOKEN_LIFETIME.ACCESS_TOKEN
+    : CONFIG.OAUTH2.TOKEN_LIFETIME.REFRESH_TOKEN
 
-  return new Date(Date.now() + lifetime * 1000)
+  return new Date(Date.now() + lifetime)
 }
 
 async function buildToken () {
diff --git a/server/lib/auth/tokens-cache.ts b/server/lib/auth/tokens-cache.ts
index 410708a35..43efc7d02 100644
--- a/server/lib/auth/tokens-cache.ts
+++ b/server/lib/auth/tokens-cache.ts
@@ -36,8 +36,8 @@ export class TokensCache {
     const token = this.userHavingToken.get(userId)
 
     if (token !== undefined) {
-      this.accessTokenCache.del(token)
-      this.userHavingToken.del(userId)
+      this.accessTokenCache.delete(token)
+      this.userHavingToken.delete(userId)
     }
   }
 
@@ -45,8 +45,8 @@ export class TokensCache {
     const tokenModel = this.accessTokenCache.get(token)
 
     if (tokenModel !== undefined) {
-      this.userHavingToken.del(tokenModel.userId)
-      this.accessTokenCache.del(token)
+      this.userHavingToken.delete(tokenModel.userId)
+      this.accessTokenCache.delete(token)
     }
   }
 }
diff --git a/server/lib/emailer.ts b/server/lib/emailer.ts
index 39b662eb2..f5c3e4745 100644
--- a/server/lib/emailer.ts
+++ b/server/lib/emailer.ts
@@ -3,13 +3,13 @@ import { merge } from 'lodash'
 import { createTransport, Transporter } from 'nodemailer'
 import { join } from 'path'
 import { arrayify, root } from '@shared/core-utils'
-import { EmailPayload } from '@shared/models'
+import { EmailPayload, UserRegistrationState } from '@shared/models'
 import { SendEmailDefaultOptions } from '../../shared/models/server/emailer.model'
 import { isTestOrDevInstance } from '../helpers/core-utils'
 import { bunyanLogger, logger } from '../helpers/logger'
 import { CONFIG, isEmailEnabled } from '../initializers/config'
 import { WEBSERVER } from '../initializers/constants'
-import { MUser } from '../types/models'
+import { MRegistration, MUser } from '../types/models'
 import { JobQueue } from './job-queue'
 
 const Email = require('email-templates')
@@ -62,7 +62,9 @@ class Emailer {
       subject: 'Reset your account password',
       locals: {
         username,
-        resetPasswordUrl
+        resetPasswordUrl,
+
+        hideNotificationPreferencesLink: true
       }
     }
 
@@ -76,21 +78,33 @@ class Emailer {
       subject: 'Create your account password',
       locals: {
         username,
-        createPasswordUrl
+        createPasswordUrl,
+
+        hideNotificationPreferencesLink: true
       }
     }
 
     return JobQueue.Instance.createJobAsync({ type: 'email', payload: emailPayload })
   }
 
-  addVerifyEmailJob (username: string, to: string, verifyEmailUrl: string) {
+  addVerifyEmailJob (options: {
+    username: string
+    isRegistrationRequest: boolean
+    to: string
+    verifyEmailUrl: string
+  }) {
+    const { username, isRegistrationRequest, to, verifyEmailUrl } = options
+
     const emailPayload: EmailPayload = {
       template: 'verify-email',
       to: [ to ],
       subject: `Verify your email on ${CONFIG.INSTANCE.NAME}`,
       locals: {
         username,
-        verifyEmailUrl
+        verifyEmailUrl,
+        isRegistrationRequest,
+
+        hideNotificationPreferencesLink: true
       }
     }
 
@@ -123,7 +137,33 @@ class Emailer {
         body,
 
         // There are not notification preferences for the contact form
-        hideNotificationPreferences: true
+        hideNotificationPreferencesLink: true
+      }
+    }
+
+    return JobQueue.Instance.createJobAsync({ type: 'email', payload: emailPayload })
+  }
+
+  addUserRegistrationRequestProcessedJob (registration: MRegistration) {
+    let template: string
+    let subject: string
+    if (registration.state === UserRegistrationState.ACCEPTED) {
+      template = 'user-registration-request-accepted'
+      subject = `Your registration request for ${registration.username} has been accepted`
+    } else {
+      template = 'user-registration-request-rejected'
+      subject = `Your registration request for ${registration.username} has been rejected`
+    }
+
+    const to = registration.email
+    const emailPayload: EmailPayload = {
+      to: [ to ],
+      template,
+      subject,
+      locals: {
+        username: registration.username,
+        moderationResponse: registration.moderationResponse,
+        loginLink: WEBSERVER.URL + '/login'
       }
     }
 
diff --git a/server/lib/emails/common/base.pug b/server/lib/emails/common/base.pug
index 6da5648e4..41e94564d 100644
--- a/server/lib/emails/common/base.pug
+++ b/server/lib/emails/common/base.pug
@@ -222,19 +222,9 @@ body(width="100%" style="margin: 0; padding: 0 !important; mso-line-height-rule:
           td(aria-hidden='true' height='20' style='font-size: 0px; line-height: 0px;')
         br
         //- Clear Spacer : END
-        //- 1 Column Text : BEGIN
-        if username
-          tr
-            td(style='background-color: #cccccc;')
-              table(role='presentation' cellspacing='0' cellpadding='0' border='0' width='100%')
-                tr
-                  td(style='padding: 20px; font-family: sans-serif; font-size: 15px; line-height: 20px; color: #555555;')
-                    p(style='margin: 0;')
-                      | You are receiving this email as part of your notification settings on #{instanceName} for your account #{username}.
-        //- 1 Column Text : END
       //- Email Body : END
       //- Email Footer : BEGIN
-      unless hideNotificationPreferences
+      unless hideNotificationPreferencesLink
         table(align='center' role='presentation' cellspacing='0' cellpadding='0' border='0' width='100%' style='margin: auto;')
           tr
             td(style='padding: 20px; padding-bottom: 0px; font-family: sans-serif; font-size: 12px; line-height: 15px; text-align: center; color: #888888;')
diff --git a/server/lib/emails/user-registration-request-accepted/html.pug b/server/lib/emails/user-registration-request-accepted/html.pug
new file mode 100644
index 000000000..7a52c3fe1
--- /dev/null
+++ b/server/lib/emails/user-registration-request-accepted/html.pug
@@ -0,0 +1,10 @@
+extends ../common/greetings
+
+block title
+  | Congratulation #{username}, your registration request has been accepted!
+
+block content
+  p Your registration request has been accepted.
+  p Moderators sent you the following message:
+  blockquote(style='white-space: pre-wrap') #{moderationResponse}
+  p Your account has been created and you can login on #[a(href=loginLink) #{loginLink}]
diff --git a/server/lib/emails/user-registration-request-rejected/html.pug b/server/lib/emails/user-registration-request-rejected/html.pug
new file mode 100644
index 000000000..ec0aa8dfe
--- /dev/null
+++ b/server/lib/emails/user-registration-request-rejected/html.pug
@@ -0,0 +1,9 @@
+extends ../common/greetings
+
+block title
+  | Registration request of your account #{username} has rejected
+
+block content
+  p Your registration request has been rejected.
+  p Moderators sent you the following message:
+  blockquote(style='white-space: pre-wrap') #{moderationResponse}
diff --git a/server/lib/emails/user-registration-request/html.pug b/server/lib/emails/user-registration-request/html.pug
new file mode 100644
index 000000000..64898f3f2
--- /dev/null
+++ b/server/lib/emails/user-registration-request/html.pug
@@ -0,0 +1,9 @@
+extends ../common/greetings
+
+block title
+  | A new user wants to register
+
+block content
+  p User #{registration.username} wants to register on your PeerTube instance with the following reason:
+  blockquote(style='white-space: pre-wrap') #{registration.registrationReason}
+  p You can accept or reject the registration request in the #[a(href=`${WEBSERVER.URL}/admin/moderation/registrations/list`) administration].
diff --git a/server/lib/emails/verify-email/html.pug b/server/lib/emails/verify-email/html.pug
index be9dde21b..19ef65f75 100644
--- a/server/lib/emails/verify-email/html.pug
+++ b/server/lib/emails/verify-email/html.pug
@@ -1,17 +1,19 @@
 extends ../common/greetings
 
 block title
-  | Account verification
+  | Email verification
 
 block content
-  p Welcome to #{instanceName}!
-  p.
-    You just created an account at #[a(href=WEBSERVER.URL) #{instanceName}].
-    Your username there is: #{username}.
-  p.
-    To start using your account you must verify your email first!
-    Please follow #[a(href=verifyEmailUrl) this link] to verify this email belongs to you.
-  p.
-    If you can't see the verification link above you can use the following link #[a(href=verifyEmailUrl) #{verifyEmailUrl}]
-  p.
-    If you are not the person who initiated this request, please ignore this email.
+  if isRegistrationRequest
+    p You just requested an account on #[a(href=WEBSERVER.URL) #{instanceName}].
+  else
+    p You just created an account on #[a(href=WEBSERVER.URL) #{instanceName}].
+
+  if isRegistrationRequest
+    p To complete your registration request you must verify your email first!
+  else
+    p To start using your account you must verify your email first!
+
+  p Please follow #[a(href=verifyEmailUrl) this link] to verify this email belongs to you.
+  p If you can't see the verification link above you can use the following link #[a(href=verifyEmailUrl) #{verifyEmailUrl}]
+  p If you are not the person who initiated this request, please ignore this email.
diff --git a/server/lib/job-queue/job-queue.ts b/server/lib/job-queue/job-queue.ts
index 866aa1ed0..8597eb000 100644
--- a/server/lib/job-queue/job-queue.ts
+++ b/server/lib/job-queue/job-queue.ts
@@ -184,7 +184,7 @@ class JobQueue {
 
     this.jobRedisPrefix = 'bull-' + WEBSERVER.HOST
 
-    for (const handlerName of (Object.keys(handlers) as JobType[])) {
+    for (const handlerName of Object.keys(handlers)) {
       this.buildWorker(handlerName)
       this.buildQueue(handlerName)
       this.buildQueueScheduler(handlerName)
diff --git a/server/lib/notifier/notifier.ts b/server/lib/notifier/notifier.ts
index 66cfc31c4..920c55df0 100644
--- a/server/lib/notifier/notifier.ts
+++ b/server/lib/notifier/notifier.ts
@@ -1,4 +1,4 @@
-import { MUser, MUserDefault } from '@server/types/models/user'
+import { MRegistration, MUser, MUserDefault } from '@server/types/models/user'
 import { MVideoBlacklistLightVideo, MVideoBlacklistVideo } from '@server/types/models/video/video-blacklist'
 import { UserNotificationSettingValue } from '../../../shared/models/users'
 import { logger } from '../../helpers/logger'
@@ -13,6 +13,7 @@ import {
   AbuseStateChangeForReporter,
   AutoFollowForInstance,
   CommentMention,
+  DirectRegistrationForModerators,
   FollowForInstance,
   FollowForUser,
   ImportFinishedForOwner,
@@ -30,7 +31,7 @@ import {
   OwnedPublicationAfterAutoUnblacklist,
   OwnedPublicationAfterScheduleUpdate,
   OwnedPublicationAfterTranscoding,
-  RegistrationForModerators,
+  RegistrationRequestForModerators,
   StudioEditionFinishedForOwner,
   UnblacklistForOwner
 } from './shared'
@@ -47,7 +48,8 @@ class Notifier {
     newBlacklist: [ NewBlacklistForOwner ],
     unblacklist: [ UnblacklistForOwner ],
     importFinished: [ ImportFinishedForOwner ],
-    userRegistration: [ RegistrationForModerators ],
+    directRegistration: [ DirectRegistrationForModerators ],
+    registrationRequest: [ RegistrationRequestForModerators ],
     userFollow: [ FollowForUser ],
     instanceFollow: [ FollowForInstance ],
     autoInstanceFollow: [ AutoFollowForInstance ],
@@ -138,13 +140,20 @@ class Notifier {
         })
   }
 
-  notifyOnNewUserRegistration (user: MUserDefault): void {
-    const models = this.notificationModels.userRegistration
+  notifyOnNewDirectRegistration (user: MUserDefault): void {
+    const models = this.notificationModels.directRegistration
 
     this.sendNotifications(models, user)
       .catch(err => logger.error('Cannot notify moderators of new user registration (%s).', user.username, { err }))
   }
 
+  notifyOnNewRegistrationRequest (registration: MRegistration): void {
+    const models = this.notificationModels.registrationRequest
+
+    this.sendNotifications(models, registration)
+      .catch(err => logger.error('Cannot notify moderators of new registration request (%s).', registration.username, { err }))
+  }
+
   notifyOfNewUserFollow (actorFollow: MActorFollowFull): void {
     const models = this.notificationModels.userFollow
 
diff --git a/server/lib/notifier/shared/instance/registration-for-moderators.ts b/server/lib/notifier/shared/instance/direct-registration-for-moderators.ts
index e92467424..5044f2068 100644
--- a/server/lib/notifier/shared/instance/registration-for-moderators.ts
+++ b/server/lib/notifier/shared/instance/direct-registration-for-moderators.ts
@@ -6,7 +6,7 @@ import { MUserDefault, MUserWithNotificationSetting, UserNotificationModelForApi
 import { UserNotificationType, UserRight } from '@shared/models'
 import { AbstractNotification } from '../common/abstract-notification'
 
-export class RegistrationForModerators extends AbstractNotification <MUserDefault> {
+export class DirectRegistrationForModerators extends AbstractNotification <MUserDefault> {
   private moderators: MUserDefault[]
 
   async prepare () {
@@ -40,7 +40,7 @@ export class RegistrationForModerators extends AbstractNotification <MUserDefaul
     return {
       template: 'user-registered',
       to,
-      subject: `a new user registered on ${CONFIG.INSTANCE.NAME}: ${this.payload.username}`,
+      subject: `A new user registered on ${CONFIG.INSTANCE.NAME}: ${this.payload.username}`,
       locals: {
         user: this.payload
       }
diff --git a/server/lib/notifier/shared/instance/index.ts b/server/lib/notifier/shared/instance/index.ts
index c3bb22aec..8c75a8ee9 100644
--- a/server/lib/notifier/shared/instance/index.ts
+++ b/server/lib/notifier/shared/instance/index.ts
@@ -1,3 +1,4 @@
 export * from './new-peertube-version-for-admins'
 export * from './new-plugin-version-for-admins'
-export * from './registration-for-moderators'
+export * from './direct-registration-for-moderators'
+export * from './registration-request-for-moderators'
diff --git a/server/lib/notifier/shared/instance/registration-request-for-moderators.ts b/server/lib/notifier/shared/instance/registration-request-for-moderators.ts
new file mode 100644
index 000000000..79920245a
--- /dev/null
+++ b/server/lib/notifier/shared/instance/registration-request-for-moderators.ts
@@ -0,0 +1,48 @@
+import { logger } from '@server/helpers/logger'
+import { UserModel } from '@server/models/user/user'
+import { UserNotificationModel } from '@server/models/user/user-notification'
+import { MRegistration, MUserDefault, MUserWithNotificationSetting, UserNotificationModelForApi } from '@server/types/models'
+import { UserNotificationType, UserRight } from '@shared/models'
+import { AbstractNotification } from '../common/abstract-notification'
+
+export class RegistrationRequestForModerators extends AbstractNotification <MRegistration> {
+  private moderators: MUserDefault[]
+
+  async prepare () {
+    this.moderators = await UserModel.listWithRight(UserRight.MANAGE_REGISTRATIONS)
+  }
+
+  log () {
+    logger.info('Notifying %s moderators of new user registration request of %s.', this.moderators.length, this.payload.username)
+  }
+
+  getSetting (user: MUserWithNotificationSetting) {
+    return user.NotificationSetting.newUserRegistration
+  }
+
+  getTargetUsers () {
+    return this.moderators
+  }
+
+  createNotification (user: MUserWithNotificationSetting) {
+    const notification = UserNotificationModel.build<UserNotificationModelForApi>({
+      type: UserNotificationType.NEW_USER_REGISTRATION_REQUEST,
+      userId: user.id,
+      userRegistrationId: this.payload.id
+    })
+    notification.UserRegistration = this.payload
+
+    return notification
+  }
+
+  createEmail (to: string) {
+    return {
+      template: 'user-registration-request',
+      to,
+      subject: `A new user wants to register: ${this.payload.username}`,
+      locals: {
+        registration: this.payload
+      }
+    }
+  }
+}
diff --git a/server/lib/opentelemetry/metric-helpers/bittorrent-tracker-observers-builder.ts b/server/lib/opentelemetry/metric-helpers/bittorrent-tracker-observers-builder.ts
new file mode 100644
index 000000000..ef40c0fa9
--- /dev/null
+++ b/server/lib/opentelemetry/metric-helpers/bittorrent-tracker-observers-builder.ts
@@ -0,0 +1,51 @@
+import { Meter } from '@opentelemetry/api'
+
+export class BittorrentTrackerObserversBuilder {
+
+  constructor (private readonly meter: Meter, private readonly trackerServer: any) {
+
+  }
+
+  buildObservers () {
+    const activeInfohashes = this.meter.createObservableGauge('peertube_bittorrent_tracker_active_infohashes_total', {
+      description: 'Total active infohashes in the PeerTube BitTorrent Tracker'
+    })
+    const inactiveInfohashes = this.meter.createObservableGauge('peertube_bittorrent_tracker_inactive_infohashes_total', {
+      description: 'Total inactive infohashes in the PeerTube BitTorrent Tracker'
+    })
+    const peers = this.meter.createObservableGauge('peertube_bittorrent_tracker_peers_total', {
+      description: 'Total peers in the PeerTube BitTorrent Tracker'
+    })
+
+    this.meter.addBatchObservableCallback(observableResult => {
+      const infohashes = Object.keys(this.trackerServer.torrents)
+
+      const counters = {
+        activeInfohashes: 0,
+        inactiveInfohashes: 0,
+        peers: 0,
+        uncompletedPeers: 0
+      }
+
+      for (const infohash of infohashes) {
+        const content = this.trackerServer.torrents[infohash]
+
+        const peers = content.peers
+        if (peers.keys.length !== 0) counters.activeInfohashes++
+        else counters.inactiveInfohashes++
+
+        for (const peerId of peers.keys) {
+          const peer = peers.peek(peerId)
+          if (peer == null) return
+
+          counters.peers++
+        }
+      }
+
+      observableResult.observe(activeInfohashes, counters.activeInfohashes)
+      observableResult.observe(inactiveInfohashes, counters.inactiveInfohashes)
+      observableResult.observe(peers, counters.peers)
+    }, [ activeInfohashes, inactiveInfohashes, peers ])
+  }
+
+}
diff --git a/server/lib/opentelemetry/metric-helpers/index.ts b/server/lib/opentelemetry/metric-helpers/index.ts
index 775d954ba..47b24a54f 100644
--- a/server/lib/opentelemetry/metric-helpers/index.ts
+++ b/server/lib/opentelemetry/metric-helpers/index.ts
@@ -1,3 +1,4 @@
+export * from './bittorrent-tracker-observers-builder'
 export * from './lives-observers-builder'
 export * from './job-queue-observers-builder'
 export * from './nodejs-observers-builder'
diff --git a/server/lib/opentelemetry/metrics.ts b/server/lib/opentelemetry/metrics.ts
index 226d514c0..9cc067e4a 100644
--- a/server/lib/opentelemetry/metrics.ts
+++ b/server/lib/opentelemetry/metrics.ts
@@ -7,6 +7,7 @@ import { CONFIG } from '@server/initializers/config'
 import { MVideoImmutable } from '@server/types/models'
 import { PlaybackMetricCreate } from '@shared/models'
 import {
+  BittorrentTrackerObserversBuilder,
   JobQueueObserversBuilder,
   LivesObserversBuilder,
   NodeJSObserversBuilder,
@@ -41,7 +42,7 @@ class OpenTelemetryMetrics {
     })
   }
 
-  registerMetrics () {
+  registerMetrics (options: { trackerServer: any }) {
     if (CONFIG.OPEN_TELEMETRY.METRICS.ENABLED !== true) return
 
     logger.info('Registering Open Telemetry metrics')
@@ -80,6 +81,9 @@ class OpenTelemetryMetrics {
 
     const viewersObserversBuilder = new ViewersObserversBuilder(this.meter)
     viewersObserversBuilder.buildObservers()
+
+    const bittorrentTrackerObserversBuilder = new BittorrentTrackerObserversBuilder(this.meter, options.trackerServer)
+    bittorrentTrackerObserversBuilder.buildObservers()
   }
 
   observePlaybackMetric (video: MVideoImmutable, metrics: PlaybackMetricCreate) {
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts
index 7b1def6e3..66383af46 100644
--- a/server/lib/plugins/plugin-helpers-builder.ts
+++ b/server/lib/plugins/plugin-helpers-builder.ts
@@ -209,6 +209,10 @@ function buildConfigHelpers () {
       return WEBSERVER.URL
     },
 
+    getServerListeningConfig () {
+      return { hostname: CONFIG.LISTEN.HOSTNAME, port: CONFIG.LISTEN.PORT }
+    },
+
     getServerConfig () {
       return ServerConfigManager.Instance.getServerConfig()
     }
@@ -245,7 +249,7 @@ function buildUserHelpers () {
     },
 
     getAuthUser: (res: express.Response) => {
-      const user = res.locals.oauth?.token?.User
+      const user = res.locals.oauth?.token?.User || res.locals.videoFileToken?.user
       if (!user) return undefined
 
       return UserModel.loadByIdFull(user.id)
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index c0e9aece7..3706d2228 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -8,9 +8,8 @@ import {
   AP_CLEANER,
   CONTACT_FORM_LIFETIME,
   RESUMABLE_UPLOAD_SESSION_LIFETIME,
-  TRACKER_RATE_LIMITS,
   TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME,
-  USER_EMAIL_VERIFY_LIFETIME,
+  EMAIL_VERIFY_LIFETIME,
   USER_PASSWORD_CREATE_LIFETIME,
   USER_PASSWORD_RESET_LIFETIME,
   VIEW_LIFETIME,
@@ -125,16 +124,28 @@ class Redis {
 
   /* ************ Email verification ************ */
 
-  async setVerifyEmailVerificationString (userId: number) {
+  async setUserVerifyEmailVerificationString (userId: number) {
     const generatedString = await generateRandomString(32)
 
-    await this.setValue(this.generateVerifyEmailKey(userId), generatedString, USER_EMAIL_VERIFY_LIFETIME)
+    await this.setValue(this.generateUserVerifyEmailKey(userId), generatedString, EMAIL_VERIFY_LIFETIME)
 
     return generatedString
   }
 
-  async getVerifyEmailLink (userId: number) {
-    return this.getValue(this.generateVerifyEmailKey(userId))
+  async getUserVerifyEmailLink (userId: number) {
+    return this.getValue(this.generateUserVerifyEmailKey(userId))
+  }
+
+  async setRegistrationVerifyEmailVerificationString (registrationId: number) {
+    const generatedString = await generateRandomString(32)
+
+    await this.setValue(this.generateRegistrationVerifyEmailKey(registrationId), generatedString, EMAIL_VERIFY_LIFETIME)
+
+    return generatedString
+  }
+
+  async getRegistrationVerifyEmailLink (registrationId: number) {
+    return this.getValue(this.generateRegistrationVerifyEmailKey(registrationId))
   }
 
   /* ************ Contact form per IP ************ */
@@ -157,16 +168,6 @@ class Redis {
     return this.exists(this.generateIPViewKey(ip, videoUUID))
   }
 
-  /* ************ Tracker IP block ************ */
-
-  setTrackerBlockIP (ip: string) {
-    return this.setValue(this.generateTrackerBlockIPKey(ip), '1', TRACKER_RATE_LIMITS.BLOCK_IP_LIFETIME)
-  }
-
-  async doesTrackerBlockIPExist (ip: string) {
-    return this.exists(this.generateTrackerBlockIPKey(ip))
-  }
-
   /* ************ Video views stats ************ */
 
   addVideoViewStats (videoId: number) {
@@ -357,16 +358,16 @@ class Redis {
     return 'two-factor-request-' + userId + '-' + token
   }
 
-  private generateVerifyEmailKey (userId: number) {
-    return 'verify-email-' + userId
+  private generateUserVerifyEmailKey (userId: number) {
+    return 'verify-email-user-' + userId
   }
 
-  private generateIPViewKey (ip: string, videoUUID: string) {
-    return `views-${videoUUID}-${ip}`
+  private generateRegistrationVerifyEmailKey (registrationId: number) {
+    return 'verify-email-registration-' + registrationId
   }
 
-  private generateTrackerBlockIPKey (ip: string) {
-    return `tracker-block-ip-${ip}`
+  private generateIPViewKey (ip: string, videoUUID: string) {
+    return `views-${videoUUID}-${ip}`
   }
 
   private generateContactFormKey (ip: string) {
diff --git a/server/lib/server-config-manager.ts b/server/lib/server-config-manager.ts
index 78a9546ae..e87e2854f 100644
--- a/server/lib/server-config-manager.ts
+++ b/server/lib/server-config-manager.ts
@@ -261,10 +261,17 @@ class ServerConfigManager {
   async getServerConfig (ip?: string): Promise<ServerConfig> {
     const { allowed } = await Hooks.wrapPromiseFun(
       isSignupAllowed,
+
       {
-        ip
+        ip,
+        signupMode: CONFIG.SIGNUP.REQUIRES_APPROVAL
+          ? 'request-registration'
+          : 'direct-registration'
       },
-      'filter:api.user.signup.allowed.result'
+
+      CONFIG.SIGNUP.REQUIRES_APPROVAL
+        ? 'filter:api.user.request-signup.allowed.result'
+        : 'filter:api.user.signup.allowed.result'
     )
 
     const allowedForCurrentIP = isSignupAllowedForCurrentIP(ip)
@@ -273,6 +280,7 @@ class ServerConfigManager {
       allowed,
       allowedForCurrentIP,
       minimumAge: CONFIG.SIGNUP.MINIMUM_AGE,
+      requiresApproval: CONFIG.SIGNUP.REQUIRES_APPROVAL,
       requiresEmailVerification: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION
     }
 
diff --git a/server/lib/signup.ts b/server/lib/signup.ts
index f094531eb..f19232621 100644
--- a/server/lib/signup.ts
+++ b/server/lib/signup.ts
@@ -4,11 +4,24 @@ import { UserModel } from '../models/user/user'
 
 const isCidr = require('is-cidr')
 
-async function isSignupAllowed (): Promise<{ allowed: boolean, errorMessage?: string }> {
+export type SignupMode = 'direct-registration' | 'request-registration'
+
+async function isSignupAllowed (options: {
+  signupMode: SignupMode
+
+  ip: string // For plugins
+  body?: any
+}): Promise<{ allowed: boolean, errorMessage?: string }> {
+  const { signupMode } = options
+
   if (CONFIG.SIGNUP.ENABLED === false) {
     return { allowed: false }
   }
 
+  if (signupMode === 'direct-registration' && CONFIG.SIGNUP.REQUIRES_APPROVAL === true) {
+    return { allowed: false }
+  }
+
   // No limit and signup is enabled
   if (CONFIG.SIGNUP.LIMIT === -1) {
     return { allowed: true }
diff --git a/server/lib/sync-channel.ts b/server/lib/sync-channel.ts
index 10167ee38..3a805a943 100644
--- a/server/lib/sync-channel.ts
+++ b/server/lib/sync-channel.ts
@@ -76,7 +76,7 @@ export async function synchronizeChannel (options: {
 
     await JobQueue.Instance.createJobWithChildren(parent, children)
   } catch (err) {
-    logger.error(`Failed to import channel ${channel.name}`, { err })
+    logger.error(`Failed to import ${externalChannelUrl} in channel ${channel.name}`, { err })
     channelSync.state = VideoChannelSyncState.FAILED
     await channelSync.save()
   }
diff --git a/server/lib/user.ts b/server/lib/user.ts
index 2e433da04..ffb57944a 100644
--- a/server/lib/user.ts
+++ b/server/lib/user.ts
@@ -10,7 +10,7 @@ import { sequelizeTypescript } from '../initializers/database'
 import { AccountModel } from '../models/account/account'
 import { UserNotificationSettingModel } from '../models/user/user-notification-setting'
 import { MAccountDefault, MChannelActor } from '../types/models'
-import { MUser, MUserDefault, MUserId } from '../types/models/user'
+import { MRegistration, MUser, MUserDefault, MUserId } from '../types/models/user'
 import { generateAndSaveActorKeys } from './activitypub/actors'
 import { getLocalAccountActivityPubUrl } from './activitypub/url'
 import { Emailer } from './emailer'
@@ -97,7 +97,7 @@ async function createUserAccountAndChannelAndPlaylist (parameters: {
     })
     userCreated.Account = accountCreated
 
-    const channelAttributes = await buildChannelAttributes(userCreated, t, channelNames)
+    const channelAttributes = await buildChannelAttributes({ user: userCreated, transaction: t, channelNames })
     const videoChannel = await createLocalVideoChannel(channelAttributes, accountCreated, t)
 
     const videoPlaylist = await createWatchLaterPlaylist(accountCreated, t)
@@ -160,15 +160,28 @@ async function createApplicationActor (applicationId: number) {
 // ---------------------------------------------------------------------------
 
 async function sendVerifyUserEmail (user: MUser, isPendingEmail = false) {
-  const verificationString = await Redis.Instance.setVerifyEmailVerificationString(user.id)
-  let url = WEBSERVER.URL + '/verify-account/email?userId=' + user.id + '&verificationString=' + verificationString
+  const verificationString = await Redis.Instance.setUserVerifyEmailVerificationString(user.id)
+  let verifyEmailUrl = `${WEBSERVER.URL}/verify-account/email?userId=${user.id}&verificationString=${verificationString}`
 
-  if (isPendingEmail) url += '&isPendingEmail=true'
+  if (isPendingEmail) verifyEmailUrl += '&isPendingEmail=true'
+
+  const to = isPendingEmail
+    ? user.pendingEmail
+    : user.email
 
-  const email = isPendingEmail ? user.pendingEmail : user.email
   const username = user.username
 
-  Emailer.Instance.addVerifyEmailJob(username, email, url)
+  Emailer.Instance.addVerifyEmailJob({ username, to, verifyEmailUrl, isRegistrationRequest: false })
+}
+
+async function sendVerifyRegistrationEmail (registration: MRegistration) {
+  const verificationString = await Redis.Instance.setRegistrationVerifyEmailVerificationString(registration.id)
+  const verifyEmailUrl = `${WEBSERVER.URL}/verify-account/email?registrationId=${registration.id}&verificationString=${verificationString}`
+
+  const to = registration.email
+  const username = registration.username
+
+  Emailer.Instance.addVerifyEmailJob({ username, to, verifyEmailUrl, isRegistrationRequest: true })
 }
 
 // ---------------------------------------------------------------------------
@@ -232,7 +245,10 @@ export {
   createApplicationActor,
   createUserAccountAndChannelAndPlaylist,
   createLocalAccountWithoutKeys,
+
   sendVerifyUserEmail,
+  sendVerifyRegistrationEmail,
+
   isAbleToUploadVideo,
   buildUser
 }
@@ -264,7 +280,13 @@ function createDefaultUserNotificationSettings (user: MUserId, t: Transaction |
   return UserNotificationSettingModel.create(values, { transaction: t })
 }
 
-async function buildChannelAttributes (user: MUser, transaction?: Transaction, channelNames?: ChannelNames) {
+async function buildChannelAttributes (options: {
+  user: MUser
+  transaction?: Transaction
+  channelNames?: ChannelNames
+}) {
+  const { user, transaction, channelNames } = options
+
   if (channelNames) return channelNames
 
   const channelName = await findAvailableLocalActorName(user.username + '_channel', transaction)
diff --git a/server/lib/video-comment.ts b/server/lib/video-comment.ts
index 02f160fe8..6eb865f7f 100644
--- a/server/lib/video-comment.ts
+++ b/server/lib/video-comment.ts
@@ -1,30 +1,41 @@
+import express from 'express'
 import { cloneDeep } from 'lodash'
 import * as Sequelize from 'sequelize'
-import express from 'express'
 import { logger } from '@server/helpers/logger'
 import { sequelizeTypescript } from '@server/initializers/database'
 import { ResultList } from '../../shared/models'
 import { VideoCommentThreadTree } from '../../shared/models/videos/comment/video-comment.model'
 import { VideoCommentModel } from '../models/video/video-comment'
-import { MAccountDefault, MComment, MCommentOwnerVideo, MCommentOwnerVideoReply, MVideoFullLight } from '../types/models'
+import {
+  MAccountDefault,
+  MComment,
+  MCommentFormattable,
+  MCommentOwnerVideo,
+  MCommentOwnerVideoReply,
+  MVideoFullLight
+} from '../types/models'
 import { sendCreateVideoComment, sendDeleteVideoComment } from './activitypub/send'
 import { getLocalVideoCommentActivityPubUrl } from './activitypub/url'
 import { Hooks } from './plugins/hooks'
 
-async function removeComment (videoCommentInstance: MCommentOwnerVideo, req: express.Request, res: express.Response) {
-  const videoCommentInstanceBefore = cloneDeep(videoCommentInstance)
+async function removeComment (commentArg: MComment, req: express.Request, res: express.Response) {
+  let videoCommentInstanceBefore: MCommentOwnerVideo
 
   await sequelizeTypescript.transaction(async t => {
-    if (videoCommentInstance.isOwned() || videoCommentInstance.Video.isOwned()) {
-      await sendDeleteVideoComment(videoCommentInstance, t)
+    const comment = await VideoCommentModel.loadByUrlAndPopulateAccountAndVideo(commentArg.url, t)
+
+    videoCommentInstanceBefore = cloneDeep(comment)
+
+    if (comment.isOwned() || comment.Video.isOwned()) {
+      await sendDeleteVideoComment(comment, t)
     }
 
-    videoCommentInstance.markAsDeleted()
+    comment.markAsDeleted()
 
-    await videoCommentInstance.save({ transaction: t })
-  })
+    await comment.save({ transaction: t })
 
-  logger.info('Video comment %d deleted.', videoCommentInstance.id)
+    logger.info('Video comment %d deleted.', comment.id)
+  })
 
   Hooks.runAction('action:api.video-comment.deleted', { comment: videoCommentInstanceBefore, req, res })
 }
@@ -64,7 +75,7 @@ async function createVideoComment (obj: {
   return savedComment
 }
 
-function buildFormattedCommentTree (resultList: ResultList<VideoCommentModel>): VideoCommentThreadTree {
+function buildFormattedCommentTree (resultList: ResultList<MCommentFormattable>): VideoCommentThreadTree {
   // Comments are sorted by id ASC
   const comments = resultList.data
 
diff --git a/server/lib/video-tokens-manager.ts b/server/lib/video-tokens-manager.ts
index c43085d16..17aa29cdd 100644
--- a/server/lib/video-tokens-manager.ts
+++ b/server/lib/video-tokens-manager.ts
@@ -1,5 +1,7 @@
 import LRUCache from 'lru-cache'
 import { LRU_CACHE } from '@server/initializers/constants'
+import { MUserAccountUrl } from '@server/types/models'
+import { pick } from '@shared/core-utils'
 import { buildUUID } from '@shared/extra-utils'
 
 // ---------------------------------------------------------------------------
@@ -10,19 +12,22 @@ class VideoTokensManager {
 
   private static instance: VideoTokensManager
 
-  private readonly lruCache = new LRUCache<string, string>({
+  private readonly lruCache = new LRUCache<string, { videoUUID: string, user: MUserAccountUrl }>({
     max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE,
     ttl: LRU_CACHE.VIDEO_TOKENS.TTL
   })
 
   private constructor () {}
 
-  create (videoUUID: string) {
+  create (options: {
+    user: MUserAccountUrl
+    videoUUID: string
+  }) {
     const token = buildUUID()
 
     const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL)
 
-    this.lruCache.set(token, videoUUID)
+    this.lruCache.set(token, pick(options, [ 'user', 'videoUUID' ]))
 
     return { token, expires }
   }
@@ -34,7 +39,16 @@ class VideoTokensManager {
     const value = this.lruCache.get(options.token)
     if (!value) return false
 
-    return value === options.videoUUID
+    return value.videoUUID === options.videoUUID
+  }
+
+  getUserFromToken (options: {
+    token: string
+  }) {
+    const value = this.lruCache.get(options.token)
+    if (!value) return undefined
+
+    return value.user
   }
 
   static get Instance () {