1 files changed, 121 insertions, 8 deletions
diff --git a/server/tests/api/videos/video-static-file-privacy.ts b/server/tests/api/videos/video-static-file-privacy.ts
index 542848533..0a9864134 100644
--- a/server/tests/api/videos/video-static-file-privacy.ts
+++ b/server/tests/api/videos/video-static-file-privacy.ts
@@ -41,7 +41,7 @@ describe('Test video static file privacy', function () {
        for (const file of video.files) {
          expect(file.fileDownloadUrl).to.not.include('/private/')
-          expectStartWith(file.fileUrl, server.url + '/static/webseed/private/')
+          expectStartWith(file.fileUrl, server.url + '/static/web-videos/private/')
          const torrent = await parseTorrentVideo(server, file)
          expect(torrent.urlList).to.have.lengthOf(0)
@@ -90,7 +90,7 @@ describe('Test video static file privacy', function () {
        }
      }
-      it('Should upload a private/internal video and have a private static path', async function () {
+      it('Should upload a private/internal/password protected video and have a private static path', async function () {
        this.timeout(120000)
        for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
@@ -99,6 +99,15 @@ describe('Test video static file privacy', function () {
          await checkPrivateFiles(uuid)
        }
+        const { uuid } = await server.videos.quickUpload({
+          name: 'video',
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ 'my super password' ]
+        })
+        await waitJobs([ server ])
+        await checkPrivateFiles(uuid)
      })
      it('Should upload a public video and update it as private/internal to have a private static path', async function () {
@@ -185,8 +194,9 @@ describe('Test video static file privacy', function () {
      expectedStatus: HttpStatusCode
      token: string
      videoFileToken: string
+      videoPassword?: string
    }) {
-      const { id, expectedStatus, token, videoFileToken } = options
+      const { id, expectedStatus, token, videoFileToken, videoPassword } = options
      const video = await server.videos.getWithToken({ id })
@@ -196,6 +206,12 @@ describe('Test video static file privacy', function () {
        await makeRawRequest({ url: file.fileUrl, query: { videoFileToken }, expectedStatus })
        await makeRawRequest({ url: file.fileDownloadUrl, query: { videoFileToken }, expectedStatus })
+        if (videoPassword) {
+          const headers = { 'x-peertube-video-password': videoPassword }
+          await makeRawRequest({ url: file.fileUrl, headers, expectedStatus })
+          await makeRawRequest({ url: file.fileDownloadUrl, headers, expectedStatus })
+        }
      }
      const hls = video.streamingPlaylists[0]
@@ -204,6 +220,12 @@ describe('Test video static file privacy', function () {
      await makeRawRequest({ url: hls.playlistUrl, query: { videoFileToken }, expectedStatus })
      await makeRawRequest({ url: hls.segmentsSha256Url, query: { videoFileToken }, expectedStatus })
+      if (videoPassword) {
+        const headers = { 'x-peertube-video-password': videoPassword }
+        await makeRawRequest({ url: hls.playlistUrl, token: null, headers, expectedStatus })
+        await makeRawRequest({ url: hls.segmentsSha256Url, token: null, headers, expectedStatus })
+      }
    }
    before(async function () {
@@ -216,13 +238,53 @@ describe('Test video static file privacy', function () {
    it('Should not be able to access a private video files without OAuth token and file token', async function () {
      this.timeout(120000)
-      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })
+      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
      await waitJobs([ server ])
      await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.FORBIDDEN_403, token: null, videoFileToken: null })
    })
-    it('Should not be able to access an internal video files without appropriate OAuth token and file token', async function () {
+    it('Should not be able to access password protected video files without OAuth token, file token and password', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+      const { uuid } = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      await waitJobs([ server ])
+      await checkVideoFiles({
+        id: uuid,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        token: null,
+        videoFileToken: null,
+        videoPassword: null
+      })
+    })
+    it('Should not be able to access an password video files with incorrect OAuth token, file token and password', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+      const { uuid } = await server.videos.quickUpload({
+        name: 'password protected video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      await waitJobs([ server ])
+      await checkVideoFiles({
+        id: uuid,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403,
+        token: userToken,
+        videoFileToken: unrelatedFileToken,
+        videoPassword: 'incorrectPassword'
+      })
+    })
+    it('Should not be able to access an private video files without appropriate OAuth token and file token', async function () {
      this.timeout(120000)
      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
@@ -247,6 +309,23 @@ describe('Test video static file privacy', function () {
      await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })
    })
+    it('Should be able to access a password protected video files with appropriate OAuth token or file token', async function () {
+      this.timeout(120000)
+      const videoPassword = 'my super password'
+      const { uuid } = await server.videos.quickUpload({
+        name: 'video',
+        privacy: VideoPrivacy.PASSWORD_PROTECTED,
+        videoPasswords: [ videoPassword ]
+      })
+      const videoFileToken = await server.videoToken.getVideoFileToken({ token: null, videoId: uuid, videoPassword })
+      await waitJobs([ server ])
+      await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken, videoPassword })
+    })
    it('Should reinject video file token', async function () {
      this.timeout(120000)
@@ -294,13 +373,20 @@ describe('Test video static file privacy', function () {
    let permanentLiveId: string
    let permanentLive: LiveVideo
+    let passwordProtectedLiveId: string
+    let passwordProtectedLive: LiveVideo
+    const correctPassword = 'my super password'
    let unrelatedFileToken: string
-    async function checkLiveFiles (live: LiveVideo, liveId: string) {
+    async function checkLiveFiles (options: { live: LiveVideo, liveId: string, videoPassword?: string }) {
+      const { live, liveId, videoPassword } = options
      const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
      await server.live.waitUntilPublished({ videoId: liveId })
      const video = await server.videos.getWithToken({ id: liveId })
      const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
      const hls = video.streamingPlaylists[0]
@@ -314,6 +400,16 @@ describe('Test video static file privacy', function () {
        await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
        await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
        await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        if (videoPassword) {
+          await makeRawRequest({ url, headers: { 'x-peertube-video-password': videoPassword }, expectedStatus: HttpStatusCode.OK_200 })
+          await makeRawRequest({
+            url,
+            headers: { 'x-peertube-video-password': 'incorrectPassword' },
+            expectedStatus: HttpStatusCode.FORBIDDEN_403
+          })
+        }
      }
      await stopFfmpeg(ffmpegCommand)
@@ -381,18 +477,35 @@ describe('Test video static file privacy', function () {
        permanentLiveId = video.uuid
        permanentLive = live
      }
+      {
+        const { video, live } = await server.live.quickCreate({
+          saveReplay: false,
+          permanentLive: false,
+          privacy: VideoPrivacy.PASSWORD_PROTECTED,
+          videoPasswords: [ correctPassword ]
+        })
+        passwordProtectedLiveId = video.uuid
+        passwordProtectedLive = live
+      }
    })
    it('Should create a private normal live and have a private static path', async function () {
      this.timeout(240000)
-      await checkLiveFiles(normalLive, normalLiveId)
+      await checkLiveFiles({ live: normalLive, liveId: normalLiveId })
    })
    it('Should create a private permanent live and have a private static path', async function () {
      this.timeout(240000)
-      await checkLiveFiles(permanentLive, permanentLiveId)
+      await checkLiveFiles({ live: permanentLive, liveId: permanentLiveId })
+    })
+    it('Should create a password protected live and have a private static path', async function () {
+      this.timeout(240000)
+      await checkLiveFiles({ live: passwordProtectedLive, liveId: passwordProtectedLiveId, videoPassword: correctPassword })
    })
    it('Should reinject video file token on permanent live', async function () {

diff --git a/server/tests/api/videos/video-static-file-privacy.ts b/server/tests/api/videos/video-static-file-privacy.ts index 542848533..0a9864134 100644 --- a/server/tests/api/videos/video-static-file-privacy.ts +++ b/server/tests/api/videos/video-static-file-privacy.ts
@@ -41,7 +41,7 @@ describe('Test video static file privacy', function () {
41		41
42	for (const file of video.files) {	42	for (const file of video.files) {
43	expect(file.fileDownloadUrl).to.not.include('/private/')	43	expect(file.fileDownloadUrl).to.not.include('/private/')
44	expectStartWith(file.fileUrl, server.url + '/static/webseed/private/')	44	expectStartWith(file.fileUrl, server.url + '/static/web-videos/private/')
45		45
46	const torrent = await parseTorrentVideo(server, file)	46	const torrent = await parseTorrentVideo(server, file)
47	expect(torrent.urlList).to.have.lengthOf(0)	47	expect(torrent.urlList).to.have.lengthOf(0)
@@ -90,7 +90,7 @@ describe('Test video static file privacy', function () {
90	}	90	}
91	}	91	}
92		92
93	it('Should upload a private/internal video and have a private static path', async function () {	93	it('Should upload a private/internal/password protected video and have a private static path', async function () {
94	this.timeout(120000)	94	this.timeout(120000)
95		95
96	for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {	96	for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
@@ -99,6 +99,15 @@ describe('Test video static file privacy', function () {
99		99
100	await checkPrivateFiles(uuid)	100	await checkPrivateFiles(uuid)
101	}	101	}
		102
		103	const { uuid } = await server.videos.quickUpload({
		104	name: 'video',
		105	privacy: VideoPrivacy.PASSWORD_PROTECTED,
		106	videoPasswords: [ 'my super password' ]
		107	})
		108	await waitJobs([ server ])
		109
		110	await checkPrivateFiles(uuid)
102	})	111	})
103		112
104	it('Should upload a public video and update it as private/internal to have a private static path', async function () {	113	it('Should upload a public video and update it as private/internal to have a private static path', async function () {
@@ -185,8 +194,9 @@ describe('Test video static file privacy', function () {
185	expectedStatus: HttpStatusCode	194	expectedStatus: HttpStatusCode
186	token: string	195	token: string
187	videoFileToken: string	196	videoFileToken: string
		197	videoPassword?: string
188	}) {	198	}) {
189	const { id, expectedStatus, token, videoFileToken } = options	199	const { id, expectedStatus, token, videoFileToken, videoPassword } = options
190		200
191	const video = await server.videos.getWithToken({ id })	201	const video = await server.videos.getWithToken({ id })
192		202
@@ -196,6 +206,12 @@ describe('Test video static file privacy', function () {
196		206
197	await makeRawRequest({ url: file.fileUrl, query: { videoFileToken }, expectedStatus })	207	await makeRawRequest({ url: file.fileUrl, query: { videoFileToken }, expectedStatus })
198	await makeRawRequest({ url: file.fileDownloadUrl, query: { videoFileToken }, expectedStatus })	208	await makeRawRequest({ url: file.fileDownloadUrl, query: { videoFileToken }, expectedStatus })
		209
		210	if (videoPassword) {
		211	const headers = { 'x-peertube-video-password': videoPassword }
		212	await makeRawRequest({ url: file.fileUrl, headers, expectedStatus })
		213	await makeRawRequest({ url: file.fileDownloadUrl, headers, expectedStatus })
		214	}
199	}	215	}
200		216
201	const hls = video.streamingPlaylists[0]	217	const hls = video.streamingPlaylists[0]
@@ -204,6 +220,12 @@ describe('Test video static file privacy', function () {
204		220
205	await makeRawRequest({ url: hls.playlistUrl, query: { videoFileToken }, expectedStatus })	221	await makeRawRequest({ url: hls.playlistUrl, query: { videoFileToken }, expectedStatus })
206	await makeRawRequest({ url: hls.segmentsSha256Url, query: { videoFileToken }, expectedStatus })	222	await makeRawRequest({ url: hls.segmentsSha256Url, query: { videoFileToken }, expectedStatus })
		223
		224	if (videoPassword) {
		225	const headers = { 'x-peertube-video-password': videoPassword }
		226	await makeRawRequest({ url: hls.playlistUrl, token: null, headers, expectedStatus })
		227	await makeRawRequest({ url: hls.segmentsSha256Url, token: null, headers, expectedStatus })
		228	}
207	}	229	}
208		230
209	before(async function () {	231	before(async function () {
@@ -216,13 +238,53 @@ describe('Test video static file privacy', function () {
216	it('Should not be able to access a private video files without OAuth token and file token', async function () {	238	it('Should not be able to access a private video files without OAuth token and file token', async function () {
217	this.timeout(120000)	239	this.timeout(120000)
218		240
219	const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.INTERNAL })	241	const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
220	await waitJobs([ server ])	242	await waitJobs([ server ])
221		243
222	await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.FORBIDDEN_403, token: null, videoFileToken: null })	244	await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.FORBIDDEN_403, token: null, videoFileToken: null })
223	})	245	})
224		246
225	it('Should not be able to access an internal video files without appropriate OAuth token and file token', async function () {	247	it('Should not be able to access password protected video files without OAuth token, file token and password', async function () {
		248	this.timeout(120000)
		249	const videoPassword = 'my super password'
		250
		251	const { uuid } = await server.videos.quickUpload({
		252	name: 'password protected video',
		253	privacy: VideoPrivacy.PASSWORD_PROTECTED,
		254	videoPasswords: [ videoPassword ]
		255	})
		256	await waitJobs([ server ])
		257
		258	await checkVideoFiles({
		259	id: uuid,
		260	expectedStatus: HttpStatusCode.FORBIDDEN_403,
		261	token: null,
		262	videoFileToken: null,
		263	videoPassword: null
		264	})
		265	})
		266
		267	it('Should not be able to access an password video files with incorrect OAuth token, file token and password', async function () {
		268	this.timeout(120000)
		269	const videoPassword = 'my super password'
		270
		271	const { uuid } = await server.videos.quickUpload({
		272	name: 'password protected video',
		273	privacy: VideoPrivacy.PASSWORD_PROTECTED,
		274	videoPasswords: [ videoPassword ]
		275	})
		276	await waitJobs([ server ])
		277
		278	await checkVideoFiles({
		279	id: uuid,
		280	expectedStatus: HttpStatusCode.FORBIDDEN_403,
		281	token: userToken,
		282	videoFileToken: unrelatedFileToken,
		283	videoPassword: 'incorrectPassword'
		284	})
		285	})
		286
		287	it('Should not be able to access an private video files without appropriate OAuth token and file token', async function () {
226	this.timeout(120000)	288	this.timeout(120000)
227		289
228	const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })	290	const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
@@ -247,6 +309,23 @@ describe('Test video static file privacy', function () {
247	await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })	309	await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken })
248	})	310	})
249		311
		312	it('Should be able to access a password protected video files with appropriate OAuth token or file token', async function () {
		313	this.timeout(120000)
		314	const videoPassword = 'my super password'
		315
		316	const { uuid } = await server.videos.quickUpload({
		317	name: 'video',
		318	privacy: VideoPrivacy.PASSWORD_PROTECTED,
		319	videoPasswords: [ videoPassword ]
		320	})
		321
		322	const videoFileToken = await server.videoToken.getVideoFileToken({ token: null, videoId: uuid, videoPassword })
		323
		324	await waitJobs([ server ])
		325
		326	await checkVideoFiles({ id: uuid, expectedStatus: HttpStatusCode.OK_200, token: server.accessToken, videoFileToken, videoPassword })
		327	})
		328
250	it('Should reinject video file token', async function () {	329	it('Should reinject video file token', async function () {
251	this.timeout(120000)	330	this.timeout(120000)
252		331
@@ -294,13 +373,20 @@ describe('Test video static file privacy', function () {
294	let permanentLiveId: string	373	let permanentLiveId: string
295	let permanentLive: LiveVideo	374	let permanentLive: LiveVideo
296		375
		376	let passwordProtectedLiveId: string
		377	let passwordProtectedLive: LiveVideo
		378
		379	const correctPassword = 'my super password'
		380
297	let unrelatedFileToken: string	381	let unrelatedFileToken: string
298		382
299	async function checkLiveFiles (live: LiveVideo, liveId: string) {	383	async function checkLiveFiles (options: { live: LiveVideo, liveId: string, videoPassword?: string }) {
		384	const { live, liveId, videoPassword } = options
300	const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })	385	const ffmpegCommand = sendRTMPStream({ rtmpBaseUrl: live.rtmpUrl, streamKey: live.streamKey })
301	await server.live.waitUntilPublished({ videoId: liveId })	386	await server.live.waitUntilPublished({ videoId: liveId })
302		387
303	const video = await server.videos.getWithToken({ id: liveId })	388	const video = await server.videos.getWithToken({ id: liveId })
		389
304	const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })	390	const fileToken = await server.videoToken.getVideoFileToken({ videoId: video.uuid })
305		391
306	const hls = video.streamingPlaylists[0]	392	const hls = video.streamingPlaylists[0]
@@ -314,6 +400,16 @@ describe('Test video static file privacy', function () {
314	await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })	400	await makeRawRequest({ url, token: userToken, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
315	await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })	401	await makeRawRequest({ url, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
316	await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })	402	await makeRawRequest({ url, query: { videoFileToken: unrelatedFileToken }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
		403
		404	if (videoPassword) {
		405	await makeRawRequest({ url, headers: { 'x-peertube-video-password': videoPassword }, expectedStatus: HttpStatusCode.OK_200 })
		406	await makeRawRequest({
		407	url,
		408	headers: { 'x-peertube-video-password': 'incorrectPassword' },
		409	expectedStatus: HttpStatusCode.FORBIDDEN_403
		410	})
		411	}
		412
317	}	413	}
318		414
319	await stopFfmpeg(ffmpegCommand)	415	await stopFfmpeg(ffmpegCommand)
@@ -381,18 +477,35 @@ describe('Test video static file privacy', function () {
381	permanentLiveId = video.uuid	477	permanentLiveId = video.uuid
382	permanentLive = live	478	permanentLive = live
383	}	479	}
		480
		481	{
		482	const { video, live } = await server.live.quickCreate({
		483	saveReplay: false,
		484	permanentLive: false,
		485	privacy: VideoPrivacy.PASSWORD_PROTECTED,
		486	videoPasswords: [ correctPassword ]
		487	})
		488	passwordProtectedLiveId = video.uuid
		489	passwordProtectedLive = live
		490	}
384	})	491	})
385		492
386	it('Should create a private normal live and have a private static path', async function () {	493	it('Should create a private normal live and have a private static path', async function () {
387	this.timeout(240000)	494	this.timeout(240000)
388		495
389	await checkLiveFiles(normalLive, normalLiveId)	496	await checkLiveFiles({ live: normalLive, liveId: normalLiveId })
390	})	497	})
391		498
392	it('Should create a private permanent live and have a private static path', async function () {	499	it('Should create a private permanent live and have a private static path', async function () {
393	this.timeout(240000)	500	this.timeout(240000)
394		501
395	await checkLiveFiles(permanentLive, permanentLiveId)	502	await checkLiveFiles({ live: permanentLive, liveId: permanentLiveId })
		503	})
		504
		505	it('Should create a password protected live and have a private static path', async function () {
		506	this.timeout(240000)
		507
		508	await checkLiveFiles({ live: passwordProtectedLive, liveId: passwordProtectedLiveId, videoPassword: correctPassword })
396	})	509	})
397		510
398	it('Should reinject video file token on permanent live', async function () {	511	it('Should reinject video file token on permanent live', async function () {