1 files changed, 11 insertions, 7 deletions

diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts
index 9c2d890ba..86cc0a8d7 100644
--- a/server/middlewares/validators/static.ts
+++ b/server/middlewares/validators/static.ts
@@ -9,7 +9,7 @@ import { VideoModel } from '@server/models/video/video'
 import { VideoFileModel } from '@server/models/video/video-file'
 import { MStreamingPlaylist, MVideoFile, MVideoThumbnail } from '@server/types/models'
 import { HttpStatusCode } from '@shared/models'
-import { areValidationErrors, checkCanAccessVideoStaticFiles } from './shared'
+import { areValidationErrors, checkCanAccessVideoStaticFiles, isValidVideoPasswordHeader } from './shared'
 
 type LRUValue = {
   allowed: boolean
@@ -22,9 +22,11 @@ const staticFileTokenBypass = new LRUCache<string, LRUValue>({
   ttl: LRU_CACHE.STATIC_VIDEO_FILES_RIGHTS_CHECK.TTL
 })
 
-const ensureCanAccessVideoPrivateWebTorrentFiles = [
+const ensureCanAccessVideoPrivateWebVideoFiles = [
   query('videoFileToken').optional().custom(exists),
 
+  isValidVideoPasswordHeader(),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
@@ -46,7 +48,7 @@ const ensureCanAccessVideoPrivateWebTorrentFiles = [
       return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
     }
 
-    const result = await isWebTorrentAllowed(req, res)
+    const result = await isWebVideoAllowed(req, res)
 
     staticFileTokenBypass.set(cacheKey, result)
 
@@ -73,6 +75,8 @@ const ensureCanAccessPrivateVideoHLSFiles = [
     .optional()
     .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
 
+  isValidVideoPasswordHeader(),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
@@ -118,13 +122,13 @@ const ensureCanAccessPrivateVideoHLSFiles = [
 ]
 
 export {
-  ensureCanAccessVideoPrivateWebTorrentFiles,
+  ensureCanAccessVideoPrivateWebVideoFiles,
   ensureCanAccessPrivateVideoHLSFiles
 }
 
 // ---------------------------------------------------------------------------
 
-async function isWebTorrentAllowed (req: express.Request, res: express.Response) {
+async function isWebVideoAllowed (req: express.Request, res: express.Response) {
   const filename = basename(req.path)
 
   const file = await VideoFileModel.loadWithVideoByFilename(filename)
@@ -167,11 +171,11 @@ async function isHLSAllowed (req: express.Request, res: express.Response, videoU
 }
 
 function extractTokenOrDie (req: express.Request, res: express.Response) {
-  const token = res.locals.oauth?.token.accessToken || req.query.videoFileToken
+  const token = req.header('x-peertube-video-password') || req.query.videoFileToken || res.locals.oauth?.token.accessToken
 
   if (!token) {
     return res.fail({
-      message: 'Bearer token is missing in headers or video file token is missing in URL query parameters',
+      message: 'Video password header, video file token query parameter and bearer token are all missing', //
       status: HttpStatusCode.FORBIDDEN_403
     })
   }