5 files changed, 479 insertions, 93 deletions
diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts
index cd7a38459..961093bb5 100644
--- a/server/tests/api/check-params/index.ts
+++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
 import './accounts'
 import './blocklist'
 import './bulk'
+import './channel-import-videos'
 import './config'
 import './contact-form'
 import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
 import './search'
 import './services'
 import './transcoding'
+import './two-factor'
 import './upload-quota'
 import './user-notifications'
 import './user-subscriptions'
@@ -24,15 +26,15 @@ import './users-admin'
 import './users'
 import './video-blacklist'
 import './video-captions'
+import './video-channel-syncs'
 import './video-channels'
 import './video-comments'
 import './video-files'
 import './video-imports'
-import './video-channel-syncs'
-import './channel-import-videos'
 import './video-playlists'
 import './video-source'
 import './video-studio'
+import './video-token'
 import './videos-common-filters'
 import './videos-history'
 import './videos-overviews'
diff --git a/server/tests/api/check-params/live.ts b/server/tests/api/check-params/live.ts
index 3f553c42b..2eff9414b 100644
--- a/server/tests/api/check-params/live.ts
+++ b/server/tests/api/check-params/live.ts
@@ -502,6 +502,23 @@ describe('Test video lives API validator', function () {
      await stopFfmpeg(ffmpegCommand)
    })
+    it('Should fail to change live privacy if it has already started', async function () {
+      this.timeout(40000)
+      const live = await command.get({ videoId: video.id })
+      const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
+      await command.waitUntilPublished({ videoId: video.id })
+      await server.videos.update({
+        id: video.id,
+        attributes: { privacy: VideoPrivacy.PUBLIC },
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+      await stopFfmpeg(ffmpegCommand)
+    })
    it('Should fail to stream twice in the save live', async function () {
      this.timeout(40000)
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
new file mode 100644
index 000000000..f8365f1b5
--- /dev/null
+++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,288 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+describe('Test two factor API validators', function () {
+  let server: PeerTubeServer
+  let rootId: number
+  let rootPassword: string
+  let rootRequestToken: string
+  let rootOTPToken: string
+  let userId: number
+  let userToken = ''
+  let userPassword: string
+  let userRequestToken: string
+  let userOTPToken: string
+  // ---------------------------------------------------------------
+  before(async function () {
+    this.timeout(30000)
+    {
+      server = await createSingleServer(1)
+      await setAccessTokensToServers([ server ])
+    }
+    {
+      const result = await server.users.generate('user1')
+      userToken = result.token
+      userId = result.userId
+      userPassword = result.password
+    }
+    {
+      const { id } = await server.users.getMyInfo()
+      rootId = id
+      rootPassword = server.store.user.password
+    }
+  })
+  describe('When requesting two factor', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.request({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to request another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.request({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to request another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.request({ userId, currentPassword: rootPassword })
+    })
+    it('Should fail to request two factor without a password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to request two factor with an incorrect password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.request({ userId })
+    })
+    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+    it('Should succeed to request my two factor auth', async function () {
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+        userRequestToken = otpRequest.requestToken
+        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
+        rootRequestToken = otpRequest.requestToken
+        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+    })
+  })
+  describe('When confirming two factor request', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 42,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 'invalid' as any,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: rootId,
+        token: userToken,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail without request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: undefined,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail with an invalid request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: 'toto',
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail with request token of another user', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: rootRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail without an otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail with a bad otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: '123456',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+      // Reinit
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+    })
+    it('Should succeed to confirm my two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+    })
+    it('Should fail to confirm again two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+  describe('When disabling two factor', function () {
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.disable({
+        userId: 42,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.disable({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+    it('Should fail to disable another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.disable({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should fail to disable two factor with an incorrect password', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.disable({ userId })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+    it('Should succeed to update my two factor auth', async function () {
+      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+    })
+    it('Should fail to disable again two factor', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/check-params/video-files.ts b/server/tests/api/check-params/video-files.ts
index aa4de2c83..9dc59a1b5 100644
--- a/server/tests/api/check-params/video-files.ts
+++ b/server/tests/api/check-params/video-files.ts
@@ -1,10 +1,12 @@
 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
-import { HttpStatusCode, UserRole } from '@shared/models'
+import { getAllFiles } from '@shared/core-utils'
+import { HttpStatusCode, UserRole, VideoDetails, VideoPrivacy } from '@shared/models'
 import {
  cleanupTests,
  createMultipleServers,
  doubleFollow,
+  makeRawRequest,
  PeerTubeServer,
  setAccessTokensToServers,
  waitJobs
@@ -13,22 +15,9 @@ import {
 describe('Test videos files', function () {
  let servers: PeerTubeServer[]
-  let webtorrentId: string
-  let hlsId: string
-  let remoteId: string
  let userToken: string
  let moderatorToken: string
-  let validId1: string
-  let validId2: string
-  let hlsFileId: number
-  let webtorrentFileId: number
-  let remoteHLSFileId: number
-  let remoteWebtorrentFileId: number
  // ---------------------------------------------------------------
  before(async function () {
@@ -41,117 +30,163 @@ describe('Test videos files', function () {
    userToken = await servers[0].users.generateUserAndToken('user', UserRole.USER)
    moderatorToken = await servers[0].users.generateUserAndToken('moderator', UserRole.MODERATOR)
+  })
-    {
+  describe('Getting metadata', function () {
-      const { uuid } = await servers[1].videos.quickUpload({ name: 'remote video' })
+    let video: VideoDetails
-      await waitJobs(servers)
+    before(async function () {
+      const { uuid } = await servers[0].videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
+      video = await servers[0].videos.getWithToken({ id: uuid })
+    })
+    it('Should not get metadata of private video without token', async function () {
+      for (const file of getAllFiles(video)) {
+        await makeRawRequest({ url: file.metadataUrl, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+      }
+    })
+    it('Should not get metadata of private video without the appropriate token', async function () {
+      for (const file of getAllFiles(video)) {
+        await makeRawRequest({ url: file.metadataUrl, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+      }
+    })
+    it('Should get metadata of private video with the appropriate token', async function () {
+      for (const file of getAllFiles(video)) {
+        await makeRawRequest({ url: file.metadataUrl, token: servers[0].accessToken, expectedStatus: HttpStatusCode.OK_200 })
+      }
+    })
+  })
+  describe('Deleting files', function () {
+    let webtorrentId: string
+    let hlsId: string
+    let remoteId: string
+    let validId1: string
+    let validId2: string
-      const video = await servers[1].videos.get({ id: uuid })
+    let hlsFileId: number
-      remoteId = video.uuid
+    let webtorrentFileId: number
-      remoteHLSFileId = video.streamingPlaylists[0].files[0].id
-      remoteWebtorrentFileId = video.files[0].id
-    }
-    {
+    let remoteHLSFileId: number
-      await servers[0].config.enableTranscoding(true, true)
+    let remoteWebtorrentFileId: number
+    before(async function () {
+      this.timeout(300_000)
      {
-        const { uuid } = await servers[0].videos.quickUpload({ name: 'both 1' })
+        const { uuid } = await servers[1].videos.quickUpload({ name: 'remote video' })
        await waitJobs(servers)
-        const video = await servers[0].videos.get({ id: uuid })
+        const video = await servers[1].videos.get({ id: uuid })
-        validId1 = video.uuid
+        remoteId = video.uuid
-        hlsFileId = video.streamingPlaylists[0].files[0].id
+        remoteHLSFileId = video.streamingPlaylists[0].files[0].id
-        webtorrentFileId = video.files[0].id
+        remoteWebtorrentFileId = video.files[0].id
      }
      {
-        const { uuid } = await servers[0].videos.quickUpload({ name: 'both 2' })
+        await servers[0].config.enableTranscoding(true, true)
-        validId2 = uuid
+        {
+          const { uuid } = await servers[0].videos.quickUpload({ name: 'both 1' })
+          await waitJobs(servers)
+          const video = await servers[0].videos.get({ id: uuid })
+          validId1 = video.uuid
+          hlsFileId = video.streamingPlaylists[0].files[0].id
+          webtorrentFileId = video.files[0].id
+        }
+        {
+          const { uuid } = await servers[0].videos.quickUpload({ name: 'both 2' })
+          validId2 = uuid
+        }
      }
-    }
-    await waitJobs(servers)
+      await waitJobs(servers)
-    {
+      {
-      await servers[0].config.enableTranscoding(false, true)
+        await servers[0].config.enableTranscoding(false, true)
-      const { uuid } = await servers[0].videos.quickUpload({ name: 'hls' })
+        const { uuid } = await servers[0].videos.quickUpload({ name: 'hls' })
-      hlsId = uuid
+        hlsId = uuid
-    }
+      }
-    await waitJobs(servers)
+      await waitJobs(servers)
-    {
+      {
-      await servers[0].config.enableTranscoding(false, true)
+        await servers[0].config.enableTranscoding(false, true)
-      const { uuid } = await servers[0].videos.quickUpload({ name: 'webtorrent' })
+        const { uuid } = await servers[0].videos.quickUpload({ name: 'webtorrent' })
-      webtorrentId = uuid
+        webtorrentId = uuid
-    }
+      }
-    await waitJobs(servers)
+      await waitJobs(servers)
-  })
+    })
-  it('Should not delete files of a unknown video', async function () {
+    it('Should not delete files of a unknown video', async function () {
-    const expectedStatus = HttpStatusCode.NOT_FOUND_404
+      const expectedStatus = HttpStatusCode.NOT_FOUND_404
-    await servers[0].videos.removeHLSPlaylist({ videoId: 404, expectedStatus })
+      await servers[0].videos.removeHLSPlaylist({ videoId: 404, expectedStatus })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: 404, expectedStatus })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: 404, expectedStatus })
-    await servers[0].videos.removeHLSFile({ videoId: 404, fileId: hlsFileId, expectedStatus })
+      await servers[0].videos.removeHLSFile({ videoId: 404, fileId: hlsFileId, expectedStatus })
-    await servers[0].videos.removeWebTorrentFile({ videoId: 404, fileId: webtorrentFileId, expectedStatus })
+      await servers[0].videos.removeWebTorrentFile({ videoId: 404, fileId: webtorrentFileId, expectedStatus })
-  })
+    })
-  it('Should not delete unknown files', async function () {
+    it('Should not delete unknown files', async function () {
-    const expectedStatus = HttpStatusCode.NOT_FOUND_404
+      const expectedStatus = HttpStatusCode.NOT_FOUND_404
-    await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: webtorrentFileId, expectedStatus })
+      await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: webtorrentFileId, expectedStatus })
-    await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: hlsFileId, expectedStatus })
+      await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: hlsFileId, expectedStatus })
-  })
+    })
-  it('Should not delete files of a remote video', async function () {
+    it('Should not delete files of a remote video', async function () {
-    const expectedStatus = HttpStatusCode.BAD_REQUEST_400
+      const expectedStatus = HttpStatusCode.BAD_REQUEST_400
-    await servers[0].videos.removeHLSPlaylist({ videoId: remoteId, expectedStatus })
+      await servers[0].videos.removeHLSPlaylist({ videoId: remoteId, expectedStatus })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: remoteId, expectedStatus })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: remoteId, expectedStatus })
-    await servers[0].videos.removeHLSFile({ videoId: remoteId, fileId: remoteHLSFileId, expectedStatus })
+      await servers[0].videos.removeHLSFile({ videoId: remoteId, fileId: remoteHLSFileId, expectedStatus })
-    await servers[0].videos.removeWebTorrentFile({ videoId: remoteId, fileId: remoteWebtorrentFileId, expectedStatus })
+      await servers[0].videos.removeWebTorrentFile({ videoId: remoteId, fileId: remoteWebtorrentFileId, expectedStatus })
-  })
+    })
-  it('Should not delete files by a non admin user', async function () {
+    it('Should not delete files by a non admin user', async function () {
-    const expectedStatus = HttpStatusCode.FORBIDDEN_403
+      const expectedStatus = HttpStatusCode.FORBIDDEN_403
-    await servers[0].videos.removeHLSPlaylist({ videoId: validId1, token: userToken, expectedStatus })
+      await servers[0].videos.removeHLSPlaylist({ videoId: validId1, token: userToken, expectedStatus })
-    await servers[0].videos.removeHLSPlaylist({ videoId: validId1, token: moderatorToken, expectedStatus })
+      await servers[0].videos.removeHLSPlaylist({ videoId: validId1, token: moderatorToken, expectedStatus })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId1, token: userToken, expectedStatus })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId1, token: userToken, expectedStatus })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId1, token: moderatorToken, expectedStatus })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId1, token: moderatorToken, expectedStatus })
-    await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId, token: userToken, expectedStatus })
+      await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId, token: userToken, expectedStatus })
-    await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId, token: moderatorToken, expectedStatus })
+      await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId, token: moderatorToken, expectedStatus })
-    await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId, token: userToken, expectedStatus })
+      await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId, token: userToken, expectedStatus })
-    await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId, token: moderatorToken, expectedStatus })
+      await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId, token: moderatorToken, expectedStatus })
-  })
+    })
-  it('Should not delete files if the files are not available', async function () {
+    it('Should not delete files if the files are not available', async function () {
-    await servers[0].videos.removeHLSPlaylist({ videoId: hlsId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await servers[0].videos.removeHLSPlaylist({ videoId: hlsId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: webtorrentId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: webtorrentId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
-    await servers[0].videos.removeHLSFile({ videoId: hlsId, fileId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+      await servers[0].videos.removeHLSFile({ videoId: hlsId, fileId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
-    await servers[0].videos.removeWebTorrentFile({ videoId: webtorrentId, fileId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+      await servers[0].videos.removeWebTorrentFile({ videoId: webtorrentId, fileId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
-  })
+    })
-  it('Should not delete files if no both versions are available', async function () {
+    it('Should not delete files if no both versions are available', async function () {
-    await servers[0].videos.removeHLSPlaylist({ videoId: hlsId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await servers[0].videos.removeHLSPlaylist({ videoId: hlsId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: webtorrentId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: webtorrentId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
-  })
+    })
-  it('Should delete files if both versions are available', async function () {
+    it('Should delete files if both versions are available', async function () {
-    await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId })
+      await servers[0].videos.removeHLSFile({ videoId: validId1, fileId: hlsFileId })
-    await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId })
+      await servers[0].videos.removeWebTorrentFile({ videoId: validId1, fileId: webtorrentFileId })
-    await servers[0].videos.removeHLSPlaylist({ videoId: validId1 })
+      await servers[0].videos.removeHLSPlaylist({ videoId: validId1 })
-    await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId2 })
+      await servers[0].videos.removeAllWebTorrentFiles({ videoId: validId2 })
+    })
  })
  after(async function () {
diff --git a/server/tests/api/check-params/video-token.ts b/server/tests/api/check-params/video-token.ts
new file mode 100644
index 000000000..7acb9d580
--- /dev/null
+++ b/server/tests/api/check-params/video-token.ts
@@ -0,0 +1,44 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+import { HttpStatusCode, VideoPrivacy } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'
+describe('Test video tokens', function () {
+  let server: PeerTubeServer
+  let videoId: string
+  let userToken: string
+  // ---------------------------------------------------------------
+  before(async function () {
+    this.timeout(300_000)
+    server = await createSingleServer(1)
+    await setAccessTokensToServers([ server ])
+    const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
+    videoId = uuid
+    userToken = await server.users.generateUserAndToken('user1')
+  })
+  it('Should not generate tokens for unauthenticated user', async function () {
+    await server.videoToken.create({ videoId, token: null, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+  })
+  it('Should not generate tokens of unknown video', async function () {
+    await server.videoToken.create({ videoId: 404, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+  })
+  it('Should not generate tokens of a non owned video', async function () {
+    await server.videoToken.create({ videoId, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+  })
+  it('Should generate token', async function () {
+    await server.videoToken.create({ videoId })
+  })
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})