25 files changed, 512 insertions, 113 deletions

diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts
index 0064a4760..261b9f690 100644
--- a/server/middlewares/activitypub.ts
+++ b/server/middlewares/activitypub.ts
@@ -125,7 +125,7 @@ async function checkJsonLDSignature (req: Request, res: Response) {
   return wrapWithSpanAndContext('peertube.activitypub.JSONLDSignature', async () => {
     const signatureObject: ActivityPubSignature = req.body.signature
 
-    if (!signatureObject || !signatureObject.creator) {
+    if (!signatureObject?.creator) {
       res.fail({
         status: HttpStatusCode.FORBIDDEN_403,
         message: 'Object and creator signature do not match'
diff --git a/server/middlewares/auth.ts b/server/middlewares/auth.ts
index 904d47efd..e6025c8ce 100644
--- a/server/middlewares/auth.ts
+++ b/server/middlewares/auth.ts
@@ -5,8 +5,8 @@ import { HttpStatusCode } from '../../shared/models/http/http-error-codes'
 import { logger } from '../helpers/logger'
 import { handleOAuthAuthenticate } from '../lib/auth/oauth'
 
-function authenticate (req: express.Request, res: express.Response, next: express.NextFunction, authenticateInQuery = false) {
-  handleOAuthAuthenticate(req, res, authenticateInQuery)
+function authenticate (req: express.Request, res: express.Response, next: express.NextFunction) {
+  handleOAuthAuthenticate(req, res)
     .then((token: any) => {
       res.locals.oauth = { token }
       res.locals.authenticated = true
@@ -47,7 +47,7 @@ function authenticateSocket (socket: Socket, next: (err?: any) => void) {
     .catch(err => logger.error('Cannot get access token.', { err }))
 }
 
-function authenticatePromise (req: express.Request, res: express.Response, authenticateInQuery = false) {
+function authenticatePromise (req: express.Request, res: express.Response) {
   return new Promise<void>(resolve => {
     // Already authenticated? (or tried to)
     if (res.locals.oauth?.token.User) return resolve()
@@ -59,7 +59,7 @@ function authenticatePromise (req: express.Request, res: express.Response, authe
       })
     }
 
-    authenticate(req, res, () => resolve(), authenticateInQuery)
+    authenticate(req, res, () => resolve())
   })
 }
 
diff --git a/server/middlewares/cache/shared/api-cache.ts b/server/middlewares/cache/shared/api-cache.ts
index abc919339..9e15bf2d6 100644
--- a/server/middlewares/cache/shared/api-cache.ts
+++ b/server/middlewares/cache/shared/api-cache.ts
@@ -49,7 +49,7 @@ export class ApiCache {
         if (!Redis.Instance.isConnected()) return this.makeResponseCacheable(res, next, key, duration)
 
         try {
-          const obj = await redis.hGetAll(key)
+          const obj = await redis.hgetall(key)
           if (obj?.response) {
             return this.sendCachedResponse(req, res, JSON.parse(obj.response), duration)
           }
@@ -100,8 +100,8 @@ export class ApiCache {
 
     if (Redis.Instance.isConnected()) {
       await Promise.all([
-        redis.hSet(key, 'response', JSON.stringify(value)),
-        redis.hSet(key, 'duration', duration + ''),
+        redis.hset(key, 'response', JSON.stringify(value)),
+        redis.hset(key, 'duration', duration + ''),
         redis.expire(key, duration / 1000)
       ])
     }
diff --git a/server/middlewares/pagination.ts b/server/middlewares/pagination.ts
index 9812af9e4..17e43f743 100644
--- a/server/middlewares/pagination.ts
+++ b/server/middlewares/pagination.ts
@@ -1,12 +1,13 @@
 import express from 'express'
+import { forceNumber } from '@shared/core-utils'
 import { PAGINATION } from '../initializers/constants'
 
 function setDefaultPagination (req: express.Request, res: express.Response, next: express.NextFunction) {
   if (!req.query.start) req.query.start = 0
-  else req.query.start = parseInt(req.query.start, 10)
+  else req.query.start = forceNumber(req.query.start)
 
   if (!req.query.count) req.query.count = PAGINATION.GLOBAL.COUNT.DEFAULT
-  else req.query.count = parseInt(req.query.count, 10)
+  else req.query.count = forceNumber(req.query.count)
 
   return next()
 }
diff --git a/server/middlewares/validators/abuse.ts b/server/middlewares/validators/abuse.ts
index 9b94008ce..70bae1775 100644
--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -18,6 +18,7 @@ import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
 import { AbuseCreate, UserRight } from '@shared/models'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
+import { forceNumber } from '@shared/core-utils'
 
 const abuseReportValidator = [
   body('account.id')
@@ -216,7 +217,7 @@ const deleteAbuseMessageValidator = [
     const user = res.locals.oauth.token.user
     const abuse = res.locals.abuse
 
-    const messageId = parseInt(req.params.messageId + '', 10)
+    const messageId = forceNumber(req.params.messageId)
     const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
 
     if (!abuseMessage) {
diff --git a/server/middlewares/validators/index.ts b/server/middlewares/validators/index.ts
index ffadb3b49..9bc8887ff 100644
--- a/server/middlewares/validators/index.ts
+++ b/server/middlewares/validators/index.ts
@@ -1,7 +1,6 @@
-export * from './activitypub'
-export * from './videos'
 export * from './abuse'
 export * from './account'
+export * from './activitypub'
 export * from './actor-image'
 export * from './blocklist'
 export * from './bulk'
@@ -10,8 +9,9 @@ export * from './express'
 export * from './feeds'
 export * from './follows'
 export * from './jobs'
-export * from './metrics'
 export * from './logs'
+export * from './metrics'
+export * from './object-storage-proxy'
 export * from './oembed'
 export * from './pagination'
 export * from './plugins'
@@ -19,9 +19,11 @@ export * from './redundancy'
 export * from './search'
 export * from './server'
 export * from './sort'
+export * from './static'
 export * from './themes'
 export * from './user-history'
 export * from './user-notifications'
 export * from './user-subscriptions'
 export * from './users'
+export * from './videos'
 export * from './webfinger'
diff --git a/server/middlewares/validators/object-storage-proxy.ts b/server/middlewares/validators/object-storage-proxy.ts
new file mode 100644
index 000000000..bbd77f262
--- /dev/null
+++ b/server/middlewares/validators/object-storage-proxy.ts
@@ -0,0 +1,20 @@
+import express from 'express'
+import { CONFIG } from '@server/initializers/config'
+import { HttpStatusCode } from '@shared/models'
+
+const ensurePrivateObjectStorageProxyIsEnabled = [
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (CONFIG.OBJECT_STORAGE.PROXY.PROXIFY_PRIVATE_FILES !== true) {
+      return res.fail({
+        message: 'Private object storage proxy is not enabled',
+        status: HttpStatusCode.BAD_REQUEST_400
+      })
+    }
+
+    return next()
+  }
+]
+
+export {
+  ensurePrivateObjectStorageProxyIsEnabled
+}
diff --git a/server/middlewares/validators/plugins.ts b/server/middlewares/validators/plugins.ts
index 78c030333..64bef2648 100644
--- a/server/middlewares/validators/plugins.ts
+++ b/server/middlewares/validators/plugins.ts
@@ -4,7 +4,12 @@ import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { PluginType } from '../../../shared/models/plugins/plugin.type'
 import { InstallOrUpdatePlugin } from '../../../shared/models/plugins/server/api/install-plugin.model'
 import { exists, isBooleanValid, isSafePath, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
-import { isNpmPluginNameValid, isPluginNameValid, isPluginTypeValid, isPluginVersionValid } from '../../helpers/custom-validators/plugins'
+import {
+  isNpmPluginNameValid,
+  isPluginNameValid,
+  isPluginStableOrUnstableVersionValid,
+  isPluginTypeValid
+} from '../../helpers/custom-validators/plugins'
 import { CONFIG } from '../../initializers/config'
 import { PluginManager } from '../../lib/plugins/plugin-manager'
 import { PluginModel } from '../../models/server/plugin'
@@ -19,7 +24,7 @@ const getPluginValidator = (pluginType: PluginType, withVersion = true) => {
   if (withVersion) {
     validators.push(
       param('pluginVersion')
-        .custom(isPluginVersionValid)
+        .custom(isPluginStableOrUnstableVersionValid)
     )
   }
 
@@ -113,7 +118,7 @@ const installOrUpdatePluginValidator = [
     .custom(isNpmPluginNameValid),
   body('pluginVersion')
     .optional()
-    .custom(isPluginVersionValid),
+    .custom(isPluginStableOrUnstableVersionValid),
   body('path')
     .optional()
     .custom(isSafePath),
@@ -185,7 +190,7 @@ const listAvailablePluginsValidator = [
     .custom(isPluginTypeValid),
   query('currentPeerTubeEngine')
     .optional()
-    .custom(isPluginVersionValid),
+    .custom(isPluginStableOrUnstableVersionValid),
 
   (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
diff --git a/server/middlewares/validators/redundancy.ts b/server/middlewares/validators/redundancy.ts
index 79460f63c..c80f9b728 100644
--- a/server/middlewares/validators/redundancy.ts
+++ b/server/middlewares/validators/redundancy.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { isVideoRedundancyTarget } from '@server/helpers/custom-validators/video-redundancies'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import {
   exists,
@@ -171,7 +172,7 @@ const removeVideoRedundancyValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    const redundancy = await VideoRedundancyModel.loadByIdWithVideo(parseInt(req.params.redundancyId, 10))
+    const redundancy = await VideoRedundancyModel.loadByIdWithVideo(forceNumber(req.params.redundancyId))
     if (!redundancy) {
       return res.fail({
         status: HttpStatusCode.NOT_FOUND_404,
diff --git a/server/middlewares/validators/shared/abuses.ts b/server/middlewares/validators/shared/abuses.ts
index 2b8d86ba5..2c988f9ec 100644
--- a/server/middlewares/validators/shared/abuses.ts
+++ b/server/middlewares/validators/shared/abuses.ts
@@ -1,9 +1,10 @@
 import { Response } from 'express'
 import { AbuseModel } from '@server/models/abuse/abuse'
 import { HttpStatusCode } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 async function doesAbuseExist (abuseId: number | string, res: Response) {
-  const abuse = await AbuseModel.loadByIdWithReporter(parseInt(abuseId + '', 10))
+  const abuse = await AbuseModel.loadByIdWithReporter(forceNumber(abuseId))
 
   if (!abuse) {
     res.fail({
diff --git a/server/middlewares/validators/shared/accounts.ts b/server/middlewares/validators/shared/accounts.ts
index fe4f83aa0..72b0e235e 100644
--- a/server/middlewares/validators/shared/accounts.ts
+++ b/server/middlewares/validators/shared/accounts.ts
@@ -2,10 +2,11 @@ import { Response } from 'express'
 import { AccountModel } from '@server/models/account/account'
 import { UserModel } from '@server/models/user/user'
 import { MAccountDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function doesAccountIdExist (id: number | string, res: Response, sendNotFound = true) {
-  const promise = AccountModel.load(parseInt(id + '', 10))
+  const promise = AccountModel.load(forceNumber(id))
 
   return doesAccountExist(promise, res, sendNotFound)
 }
@@ -40,7 +41,7 @@ async function doesAccountExist (p: Promise<MAccountDefault>, res: Response, sen
 }
 
 async function doesUserFeedTokenCorrespond (id: number, token: string, res: Response) {
-  const user = await UserModel.loadByIdWithChannels(parseInt(id + '', 10))
+  const user = await UserModel.loadByIdWithChannels(forceNumber(id))
 
   if (token !== user.feedToken) {
     res.fail({
diff --git a/server/middlewares/validators/shared/index.ts b/server/middlewares/validators/shared/index.ts
index bbd03b248..de98cd442 100644
--- a/server/middlewares/validators/shared/index.ts
+++ b/server/middlewares/validators/shared/index.ts
@@ -1,5 +1,6 @@
 export * from './abuses'
 export * from './accounts'
+export * from './users'
 export * from './utils'
 export * from './video-blacklists'
 export * from './video-captions'
diff --git a/server/middlewares/validators/shared/users.ts b/server/middlewares/validators/shared/users.ts
new file mode 100644
index 000000000..b8f1436d3
--- /dev/null
+++ b/server/middlewares/validators/shared/users.ts
@@ -0,0 +1,63 @@
+import express from 'express'
+import { ActorModel } from '@server/models/actor/actor'
+import { UserModel } from '@server/models/user/user'
+import { MUserDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
+import { HttpStatusCode } from '@shared/models'
+
+function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
+  const id = forceNumber(idArg)
+  return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
+}
+
+function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
+  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
+}
+
+async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
+  const user = await UserModel.loadByUsernameOrEmail(username, email)
+
+  if (user) {
+    res.fail({
+      status: HttpStatusCode.CONFLICT_409,
+      message: 'User with this username or email already exists.'
+    })
+    return false
+  }
+
+  const actor = await ActorModel.loadLocalByName(username)
+  if (actor) {
+    res.fail({
+      status: HttpStatusCode.CONFLICT_409,
+      message: 'Another actor (account/channel) with this name on this instance already exists or has already existed.'
+    })
+    return false
+  }
+
+  return true
+}
+
+async function checkUserExist (finder: () => Promise<MUserDefault>, res: express.Response, abortResponse = true) {
+  const user = await finder()
+
+  if (!user) {
+    if (abortResponse === true) {
+      res.fail({
+        status: HttpStatusCode.NOT_FOUND_404,
+        message: 'User not found'
+      })
+    }
+
+    return false
+  }
+
+  res.locals.user = user
+  return true
+}
+
+export {
+  checkUserIdExist,
+  checkUserEmailExist,
+  checkUserNameOrEmailDoesNotAlreadyExist,
+  checkUserExist
+}
diff --git a/server/middlewares/validators/shared/video-comments.ts b/server/middlewares/validators/shared/video-comments.ts
index 8d1a16294..0961b3ec9 100644
--- a/server/middlewares/validators/shared/video-comments.ts
+++ b/server/middlewares/validators/shared/video-comments.ts
@@ -1,10 +1,11 @@
 import express from 'express'
 import { VideoCommentModel } from '@server/models/video/video-comment'
 import { MVideoId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, ServerErrorCode } from '@shared/models'
 
 async function doesVideoCommentThreadExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadById(id)
 
   if (!videoComment) {
@@ -33,7 +34,7 @@ async function doesVideoCommentThreadExist (idArg: number | string, video: MVide
 }
 
 async function doesVideoCommentExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {
@@ -57,7 +58,7 @@ async function doesVideoCommentExist (idArg: number | string, video: MVideoId, r
 }
 
 async function doesCommentIdExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {
diff --git a/server/middlewares/validators/shared/video-ownerships.ts b/server/middlewares/validators/shared/video-ownerships.ts
index 680613cda..33ac9c8b6 100644
--- a/server/middlewares/validators/shared/video-ownerships.ts
+++ b/server/middlewares/validators/shared/video-ownerships.ts
@@ -1,9 +1,10 @@
 import express from 'express'
 import { VideoChangeOwnershipModel } from '@server/models/video/video-change-ownership'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 async function doesChangeVideoOwnershipExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoChangeOwnership = await VideoChangeOwnershipModel.load(id)
 
   if (!videoChangeOwnership) {
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index e3a98c58f..ebbfc0a0a 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -1,7 +1,7 @@
 import { Request, Response } from 'express'
-import { isUUIDValid } from '@server/helpers/custom-validators/misc'
 import { loadVideo, VideoLoadType } from '@server/lib/model-loaders'
 import { isAbleToUploadVideo } from '@server/lib/user'
+import { VideoTokensManager } from '@server/lib/video-tokens-manager'
 import { authenticatePromise } from '@server/middlewares/auth'
 import { VideoModel } from '@server/models/video/video'
 import { VideoChannelModel } from '@server/models/video/video-channel'
@@ -108,26 +108,21 @@ async function checkCanSeeVideo (options: {
   res: Response
   paramId: string
   video: MVideo
-  authenticateInQuery?: boolean // default false
 }) {
-  const { req, res, video, paramId, authenticateInQuery = false } = options
+  const { req, res, video, paramId } = options
 
-  if (video.requiresAuth()) {
-    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  if (video.requiresAuth({ urlParamId: paramId, checkBlacklist: true })) {
+    return checkCanSeeAuthVideo(req, res, video)
   }
 
-  if (video.privacy === VideoPrivacy.UNLISTED) {
-    if (isUUIDValid(paramId)) return true
-
-    return checkCanSeeAuthVideo(req, res, video, authenticateInQuery)
+  if (video.privacy === VideoPrivacy.UNLISTED || video.privacy === VideoPrivacy.PUBLIC) {
+    return true
   }
 
-  if (video.privacy === VideoPrivacy.PUBLIC) return true
-
-  throw new Error('Fatal error when checking video right ' + video.url)
+  throw new Error('Unknown video privacy when checking video right ' + video.url)
 }
 
-async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights, authenticateInQuery = false) {
+async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoId | MVideoWithRights) {
   const fail = () => {
     res.fail({
       status: HttpStatusCode.FORBIDDEN_403,
@@ -137,7 +132,7 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
     return false
   }
 
-  await authenticatePromise(req, res, authenticateInQuery)
+  await authenticatePromise(req, res)
 
   const user = res.locals.oauth?.token.User
   if (!user) return fail()
@@ -173,6 +168,36 @@ async function checkCanSeeAuthVideo (req: Request, res: Response, video: MVideoI
 
 // ---------------------------------------------------------------------------
 
+async function checkCanAccessVideoStaticFiles (options: {
+  video: MVideo
+  req: Request
+  res: Response
+  paramId: string
+}) {
+  const { video, req, res } = options
+
+  if (res.locals.oauth?.token.User) {
+    return checkCanSeeVideo(options)
+  }
+
+  if (!video.hasPrivateStaticPath()) return true
+
+  const videoFileToken = req.query.videoFileToken
+  if (!videoFileToken) {
+    res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    return false
+  }
+
+  if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
+    return true
+  }
+
+  res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+  return false
+}
+
+// ---------------------------------------------------------------------------
+
 function checkUserCanManageVideo (user: MUser, video: MVideoAccountLight, right: UserRight, res: Response, onlyOwned = true) {
   // Retrieve the user who did the request
   if (onlyOwned && video.isOwned() === false) {
@@ -220,6 +245,7 @@ export {
   doesVideoExist,
   doesVideoFileOfVideoExist,
 
+  checkCanAccessVideoStaticFiles,
   checkUserCanManageVideo,
   checkCanSeeVideo,
   checkUserQuota
diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts
new file mode 100644
index 000000000..13fde6dd1
--- /dev/null
+++ b/server/middlewares/validators/static.ts
@@ -0,0 +1,169 @@
+import express from 'express'
+import { query } from 'express-validator'
+import LRUCache from 'lru-cache'
+import { basename, dirname } from 'path'
+import { exists, isUUIDValid } from '@server/helpers/custom-validators/misc'
+import { logger } from '@server/helpers/logger'
+import { LRU_CACHE } from '@server/initializers/constants'
+import { VideoModel } from '@server/models/video/video'
+import { VideoFileModel } from '@server/models/video/video-file'
+import { MStreamingPlaylist, MVideoFile, MVideoThumbnail } from '@server/types/models'
+import { HttpStatusCode } from '@shared/models'
+import { areValidationErrors, checkCanAccessVideoStaticFiles } from './shared'
+
+type LRUValue = {
+  allowed: boolean
+  video?: MVideoThumbnail
+  file?: MVideoFile
+  playlist?: MStreamingPlaylist }
+
+const staticFileTokenBypass = new LRUCache<string, LRUValue>({
+  max: LRU_CACHE.STATIC_VIDEO_FILES_RIGHTS_CHECK.MAX_SIZE,
+  ttl: LRU_CACHE.STATIC_VIDEO_FILES_RIGHTS_CHECK.TTL
+})
+
+const ensureCanAccessVideoPrivateWebTorrentFiles = [
+  query('videoFileToken').optional().custom(exists),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    const token = extractTokenOrDie(req, res)
+    if (!token) return
+
+    const cacheKey = token + '-' + req.originalUrl
+
+    if (staticFileTokenBypass.has(cacheKey)) {
+      const { allowed, file, video } = staticFileTokenBypass.get(cacheKey)
+
+      if (allowed === true) {
+        res.locals.onlyVideo = video
+        res.locals.videoFile = file
+
+        return next()
+      }
+
+      return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    }
+
+    const result = await isWebTorrentAllowed(req, res)
+
+    staticFileTokenBypass.set(cacheKey, result)
+
+    if (result.allowed !== true) return
+
+    res.locals.onlyVideo = result.video
+    res.locals.videoFile = result.file
+
+    return next()
+  }
+]
+
+const ensureCanAccessPrivateVideoHLSFiles = [
+  query('videoFileToken').optional().custom(exists),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    const videoUUID = basename(dirname(req.originalUrl))
+
+    if (!isUUIDValid(videoUUID)) {
+      logger.debug('Path does not contain valid video UUID to serve static file %s', req.originalUrl)
+
+      return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    }
+
+    const token = extractTokenOrDie(req, res)
+    if (!token) return
+
+    const cacheKey = token + '-' + videoUUID
+
+    if (staticFileTokenBypass.has(cacheKey)) {
+      const { allowed, file, playlist, video } = staticFileTokenBypass.get(cacheKey)
+
+      if (allowed === true) {
+        res.locals.onlyVideo = video
+        res.locals.videoFile = file
+        res.locals.videoStreamingPlaylist = playlist
+
+        return next()
+      }
+
+      return res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    }
+
+    const result = await isHLSAllowed(req, res, videoUUID)
+
+    staticFileTokenBypass.set(cacheKey, result)
+
+    if (result.allowed !== true) return
+
+    res.locals.onlyVideo = result.video
+    res.locals.videoFile = result.file
+    res.locals.videoStreamingPlaylist = result.playlist
+
+    return next()
+  }
+]
+
+export {
+  ensureCanAccessVideoPrivateWebTorrentFiles,
+  ensureCanAccessPrivateVideoHLSFiles
+}
+
+// ---------------------------------------------------------------------------
+
+async function isWebTorrentAllowed (req: express.Request, res: express.Response) {
+  const filename = basename(req.path)
+
+  const file = await VideoFileModel.loadWithVideoByFilename(filename)
+  if (!file) {
+    logger.debug('Unknown static file %s to serve', req.originalUrl, { filename })
+
+    res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    return { allowed: false }
+  }
+
+  const video = await VideoModel.load(file.getVideo().id)
+
+  return {
+    file,
+    video,
+    allowed: await checkCanAccessVideoStaticFiles({ req, res, video, paramId: video.uuid })
+  }
+}
+
+async function isHLSAllowed (req: express.Request, res: express.Response, videoUUID: string) {
+  const filename = basename(req.path)
+
+  const video = await VideoModel.loadWithFiles(videoUUID)
+
+  if (!video) {
+    logger.debug('Unknown static file %s to serve', req.originalUrl, { videoUUID })
+
+    res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    return { allowed: false }
+  }
+
+  const file = await VideoFileModel.loadByFilename(filename)
+
+  return {
+    file,
+    video,
+    playlist: video.getHLSPlaylist(),
+    allowed: await checkCanAccessVideoStaticFiles({ req, res, video, paramId: video.uuid })
+  }
+}
+
+function extractTokenOrDie (req: express.Request, res: express.Response) {
+  const token = res.locals.oauth?.token.accessToken || req.query.videoFileToken
+
+  if (!token) {
+    return res.fail({
+      message: 'Bearer token is missing in headers or video file token is missing in URL query parameters',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+
+  return token
+}
diff --git a/server/middlewares/validators/themes.ts b/server/middlewares/validators/themes.ts
index c130801a0..080b3e096 100644
--- a/server/middlewares/validators/themes.ts
+++ b/server/middlewares/validators/themes.ts
@@ -2,7 +2,7 @@ import express from 'express'
 import { param } from 'express-validator'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { isSafePath } from '../../helpers/custom-validators/misc'
-import { isPluginNameValid, isPluginVersionValid } from '../../helpers/custom-validators/plugins'
+import { isPluginNameValid, isPluginStableOrUnstableVersionValid } from '../../helpers/custom-validators/plugins'
 import { PluginManager } from '../../lib/plugins/plugin-manager'
 import { areValidationErrors } from './shared'
 
@@ -10,7 +10,7 @@ const serveThemeCSSValidator = [
   param('themeName')
     .custom(isPluginNameValid),
   param('themeVersion')
-    .custom(isPluginVersionValid),
+    .custom(isPluginStableOrUnstableVersionValid),
   param('staticEndpoint')
     .custom(isSafePath),
 
diff --git a/server/middlewares/validators/two-factor.ts b/server/middlewares/validators/two-factor.ts
new file mode 100644
index 000000000..106b579b5
--- /dev/null
+++ b/server/middlewares/validators/two-factor.ts
@@ -0,0 +1,81 @@
+import express from 'express'
+import { body, param } from 'express-validator'
+import { HttpStatusCode, UserRight } from '@shared/models'
+import { exists, isIdValid } from '../../helpers/custom-validators/misc'
+import { areValidationErrors, checkUserIdExist } from './shared'
+
+const requestOrConfirmTwoFactorValidator = [
+  param('id').custom(isIdValid),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    if (!await checkCanEnableOrDisableTwoFactor(req.params.id, res)) return
+
+    if (res.locals.user.otpSecret) {
+      return res.fail({
+        status: HttpStatusCode.BAD_REQUEST_400,
+        message: `Two factor is already enabled.`
+      })
+    }
+
+    return next()
+  }
+]
+
+const confirmTwoFactorValidator = [
+  body('requestToken').custom(exists),
+  body('otpToken').custom(exists),
+
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    return next()
+  }
+]
+
+const disableTwoFactorValidator = [
+  param('id').custom(isIdValid),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    if (!await checkCanEnableOrDisableTwoFactor(req.params.id, res)) return
+
+    if (!res.locals.user.otpSecret) {
+      return res.fail({
+        status: HttpStatusCode.BAD_REQUEST_400,
+        message: `Two factor is already disabled.`
+      })
+    }
+
+    return next()
+  }
+]
+
+// ---------------------------------------------------------------------------
+
+export {
+  requestOrConfirmTwoFactorValidator,
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator
+}
+
+// ---------------------------------------------------------------------------
+
+async function checkCanEnableOrDisableTwoFactor (userId: number | string, res: express.Response) {
+  const authUser = res.locals.oauth.token.user
+
+  if (!await checkUserIdExist(userId, res)) return
+
+  if (res.locals.user.id !== authUser.id && authUser.hasRight(UserRight.MANAGE_USERS) !== true) {
+    res.fail({
+      status: HttpStatusCode.FORBIDDEN_403,
+      message: `User ${authUser.username} does not have right to change two factor setting of this user.`
+    })
+
+    return false
+  }
+
+  return true
+}
diff --git a/server/middlewares/validators/user-subscriptions.ts b/server/middlewares/validators/user-subscriptions.ts
index d01043c17..d8d3fc28b 100644
--- a/server/middlewares/validators/user-subscriptions.ts
+++ b/server/middlewares/validators/user-subscriptions.ts
@@ -1,6 +1,6 @@
-import { arrayify } from '@shared/core-utils'
 import express from 'express'
 import { body, param, query } from 'express-validator'
+import { arrayify } from '@shared/core-utils'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { areValidActorHandles, isValidActorHandle } from '../../helpers/custom-validators/activitypub/actor'
 import { WEBSERVER } from '../../initializers/constants'
@@ -60,7 +60,7 @@ const userSubscriptionGetValidator = [
       state: 'accepted'
     })
 
-    if (!subscription || !subscription.ActorFollowing.VideoChannel) {
+    if (!subscription?.ActorFollowing.VideoChannel) {
       return res.fail({
         status: HttpStatusCode.NOT_FOUND_404,
         message: `Subscription ${req.params.uri} not found.`
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 2de5265fb..50327b6ae 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,9 +1,9 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { Hooks } from '@server/lib/plugins/hooks'
-import { MUserDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
-import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
+import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
 import {
   isUserAdminFlagsValid,
@@ -30,8 +30,15 @@ import { isThemeRegistered } from '../../lib/plugins/theme-utils'
 import { Redis } from '../../lib/redis'
 import { isSignupAllowed, isSignupAllowedForCurrentIP } from '../../lib/signup'
 import { ActorModel } from '../../models/actor/actor'
-import { UserModel } from '../../models/user/user'
-import { areValidationErrors, doesVideoChannelIdExist, doesVideoExist, isValidVideoIdParam } from './shared'
+import {
+  areValidationErrors,
+  checkUserEmailExist,
+  checkUserIdExist,
+  checkUserNameOrEmailDoesNotAlreadyExist,
+  doesVideoChannelIdExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from './shared'
 
 const usersListValidator = [
   query('blocked')
@@ -411,6 +418,13 @@ const usersAskResetPasswordValidator = [
       return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
+    if (res.locals.user.pluginAuth) {
+      return res.fail({
+        status: HttpStatusCode.CONFLICT_409,
+        message: 'Cannot recover password of a user that uses a plugin authentication.'
+      })
+    }
+
     return next()
   }
 ]
@@ -428,7 +442,7 @@ const usersResetPasswordValidator = [
     if (!await checkUserIdExist(req.params.id, res)) return
 
     const user = res.locals.user
-    const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
+    const redisVerificationString = await Redis.Instance.getResetPasswordVerificationString(user.id)
 
     if (redisVerificationString !== req.body.verificationString) {
       return res.fail({
@@ -454,6 +468,13 @@ const usersAskSendVerifyEmailValidator = [
       return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
+    if (res.locals.user.pluginAuth) {
+      return res.fail({
+        status: HttpStatusCode.CONFLICT_409,
+        message: 'Cannot ask verification email of a user that uses a plugin authentication.'
+      })
+    }
+
     return next()
   }
 ]
@@ -486,6 +507,41 @@ const usersVerifyEmailValidator = [
   }
 ]
 
+const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Request) => number | string) => {
+  return [
+    body('currentPassword').optional().custom(exists),
+
+    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+      if (areValidationErrors(req, res)) return
+
+      const user = res.locals.oauth.token.User
+      const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
+      const targetUserId = forceNumber(targetUserIdGetter(req))
+
+      // Admin/moderator action on another user, skip the password check
+      if (isAdminOrModerator && targetUserId !== user.id) {
+        return next()
+      }
+
+      if (!req.body.currentPassword) {
+        return res.fail({
+          status: HttpStatusCode.BAD_REQUEST_400,
+          message: 'currentPassword is missing'
+        })
+      }
+
+      if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
+        return res.fail({
+          status: HttpStatusCode.FORBIDDEN_403,
+          message: 'currentPassword is invalid.'
+        })
+      }
+
+      return next()
+    }
+  ]
+}
+
 const userAutocompleteValidator = [
   param('search')
     .isString()
@@ -553,6 +609,7 @@ export {
   usersUpdateValidator,
   usersUpdateMeValidator,
   usersVideoRatingValidator,
+  usersCheckCurrentPasswordFactory,
   ensureUserRegistrationAllowed,
   ensureUserRegistrationAllowedForIP,
   usersGetValidator,
@@ -566,55 +623,3 @@ export {
   ensureCanModerateUser,
   ensureCanManageChannelOrAccount
 }
-
-// ---------------------------------------------------------------------------
-
-function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
-  const id = parseInt(idArg + '', 10)
-  return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
-}
-
-function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
-  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
-}
-
-async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
-  const user = await UserModel.loadByUsernameOrEmail(username, email)
-
-  if (user) {
-    res.fail({
-      status: HttpStatusCode.CONFLICT_409,
-      message: 'User with this username or email already exists.'
-    })
-    return false
-  }
-
-  const actor = await ActorModel.loadLocalByName(username)
-  if (actor) {
-    res.fail({
-      status: HttpStatusCode.CONFLICT_409,
-      message: 'Another actor (account/channel) with this name on this instance already exists or has already existed.'
-    })
-    return false
-  }
-
-  return true
-}
-
-async function checkUserExist (finder: () => Promise<MUserDefault>, res: express.Response, abortResponse = true) {
-  const user = await finder()
-
-  if (!user) {
-    if (abortResponse === true) {
-      res.fail({
-        status: HttpStatusCode.NOT_FOUND_404,
-        message: 'User not found'
-      })
-    }
-
-    return false
-  }
-
-  res.locals.user = user
-  return true
-}
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 69062701b..133feb7bd 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -208,7 +208,8 @@ async function isVideoCommentAccepted (req: express.Request, res: express.Respon
   const acceptParameters = {
     video,
     commentBody: req.body,
-    user: res.locals.oauth.token.User
+    user: res.locals.oauth.token.User,
+    req
   }
 
   let acceptedResult: AcceptResult
@@ -234,7 +235,7 @@ async function isVideoCommentAccepted (req: express.Request, res: express.Respon
 
     res.fail({
       status: HttpStatusCode.FORBIDDEN_403,
-      message: acceptedResult?.errorMessage || 'Refused local comment'
+      message: acceptedResult?.errorMessage || 'Comment has been rejected.'
     })
     return false
   }
diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index f295b1885..72442aeb6 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+    if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
     if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
     if (res.locals.videoImport.state !== VideoImportState.PENDING) {
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 6d4b8a6f1..e4b7e5c56 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
   HttpStatusCode,
   UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+    const playlistElementId = forceNumber(req.params.playlistElementId)
     const playlistId = req.params.playlistId
 
     const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)
diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts
index 7fd2b03d1..e29eb4a32 100644
--- a/server/middlewares/validators/videos/videos.ts
+++ b/server/middlewares/validators/videos/videos.ts
@@ -7,7 +7,7 @@ import { getServerActor } from '@server/models/application/application'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId, MVideoFullLight } from '@server/types/models'
 import { arrayify, getAllPrivacies } from '@shared/core-utils'
-import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude } from '@shared/models'
+import { HttpStatusCode, ServerErrorCode, UserRight, VideoInclude, VideoState } from '@shared/models'
 import {
   exists,
   isBooleanValid,
@@ -48,6 +48,7 @@ import { Hooks } from '../../../lib/plugins/hooks'
 import { VideoModel } from '../../../models/video/video'
 import {
   areValidationErrors,
+  checkCanAccessVideoStaticFiles,
   checkCanSeeVideo,
   checkUserCanManageVideo,
   checkUserQuota,
@@ -232,6 +233,11 @@ const videosUpdateValidator = getCommonVideoEditAttributes().concat([
     if (areErrorsInScheduleUpdate(req, res)) return cleanUpReqFiles(req)
     if (!await doesVideoExist(req.params.id, res)) return cleanUpReqFiles(req)
 
+    const video = getVideoWithAttributes(res)
+    if (req.body.privacy && video.isLive && video.state !== VideoState.WAITING_FOR_LIVE) {
+      return res.fail({ message: 'Cannot update privacy of a live that has already started' })
+    }
+
     // Check if the user who did the request is able to update the video
     const user = res.locals.oauth.token.User
     if (!checkUserCanManageVideo(user, res.locals.videoAll, UserRight.UPDATE_ANY_VIDEO, res)) return cleanUpReqFiles(req)
@@ -271,10 +277,7 @@ async function checkVideoFollowConstraints (req: express.Request, res: express.R
   })
 }
 
-const videosCustomGetValidator = (
-  fetchType: 'for-api' | 'all' | 'only-video' | 'only-immutable-attributes',
-  authenticateInQuery = false
-) => {
+const videosCustomGetValidator = (fetchType: 'for-api' | 'all' | 'only-video' | 'only-immutable-attributes') => {
   return [
     isValidVideoIdParam('id'),
 
@@ -287,7 +290,7 @@ const videosCustomGetValidator = (
 
       const video = getVideoWithAttributes(res) as MVideoFullLight
 
-      if (!await checkCanSeeVideo({ req, res, video, paramId: req.params.id, authenticateInQuery })) return
+      if (!await checkCanSeeVideo({ req, res, video, paramId: req.params.id })) return
 
       return next()
     }
@@ -295,7 +298,6 @@ const videosCustomGetValidator = (
 }
 
 const videosGetValidator = videosCustomGetValidator('all')
-const videosDownloadValidator = videosCustomGetValidator('all', true)
 
 const videoFileMetadataGetValidator = getCommonVideoEditAttributes().concat([
   isValidVideoIdParam('id'),
@@ -311,6 +313,21 @@ const videoFileMetadataGetValidator = getCommonVideoEditAttributes().concat([
   }
 ])
 
+const videosDownloadValidator = [
+  isValidVideoIdParam('id'),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+    if (!await doesVideoExist(req.params.id, res, 'all')) return
+
+    const video = getVideoWithAttributes(res)
+
+    if (!await checkCanAccessVideoStaticFiles({ req, res, video, paramId: req.params.id })) return
+
+    return next()
+  }
+]
+
 const videosRemoveValidator = [
   isValidVideoIdParam('id'),
 
@@ -372,7 +389,7 @@ function getCommonVideoEditAttributes () {
       .custom(isBooleanValid).withMessage('Should have a valid waitTranscoding boolean'),
     body('privacy')
       .optional()
-      .customSanitizer(toValueOrNull)
+      .customSanitizer(toIntOrNull)
       .custom(isVideoPrivacyValid),
     body('description')
       .optional()