16 files changed, 680 insertions, 126 deletions

diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts
index cd7a38459..33dc8fb76 100644
--- a/server/tests/api/check-params/index.ts
+++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
 import './accounts'
 import './blocklist'
 import './bulk'
+import './channel-import-videos'
 import './config'
 import './contact-form'
 import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
 import './search'
 import './services'
 import './transcoding'
+import './two-factor'
 import './upload-quota'
 import './user-notifications'
 import './user-subscriptions'
@@ -24,12 +26,11 @@ import './users-admin'
 import './users'
 import './video-blacklist'
 import './video-captions'
+import './video-channel-syncs'
 import './video-channels'
 import './video-comments'
 import './video-files'
 import './video-imports'
-import './video-channel-syncs'
-import './channel-import-videos'
 import './video-playlists'
 import './video-source'
 import './video-studio'
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
new file mode 100644
index 000000000..f8365f1b5
--- /dev/null
+++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,288 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+
+describe('Test two factor API validators', function () {
+  let server: PeerTubeServer
+
+  let rootId: number
+  let rootPassword: string
+  let rootRequestToken: string
+  let rootOTPToken: string
+
+  let userId: number
+  let userToken = ''
+  let userPassword: string
+  let userRequestToken: string
+  let userOTPToken: string
+
+  // ---------------------------------------------------------------
+
+  before(async function () {
+    this.timeout(30000)
+
+    {
+      server = await createSingleServer(1)
+      await setAccessTokensToServers([ server ])
+    }
+
+    {
+      const result = await server.users.generate('user1')
+      userToken = result.token
+      userId = result.userId
+      userPassword = result.password
+    }
+
+    {
+      const { id } = await server.users.getMyInfo()
+      rootId = id
+      rootPassword = server.store.user.password
+    }
+  })
+
+  describe('When requesting two factor', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.request({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to request another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.request({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to request another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.request({ userId, currentPassword: rootPassword })
+    })
+
+    it('Should fail to request two factor without a password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to request two factor with an incorrect password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.request({ userId })
+    })
+
+    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+
+    it('Should succeed to request my two factor auth', async function () {
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+        userRequestToken = otpRequest.requestToken
+        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
+        rootRequestToken = otpRequest.requestToken
+        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+    })
+  })
+
+  describe('When confirming two factor request', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 42,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 'invalid' as any,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: rootId,
+        token: userToken,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail without request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: undefined,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail with an invalid request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: 'toto',
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail with request token of another user', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: rootRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail without an otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail with a bad otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: '123456',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+
+      // Reinit
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+    })
+
+    it('Should succeed to confirm my two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+    })
+
+    it('Should fail to confirm again two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+
+  describe('When disabling two factor', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.disable({
+        userId: 42,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.disable({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to disable another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.disable({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail to disable two factor with an incorrect password', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.disable({ userId })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+
+    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+
+    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+
+    it('Should succeed to update my two factor auth', async function () {
+      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+    })
+
+    it('Should fail to disable again two factor', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/live/live-fast-restream.ts b/server/tests/api/live/live-fast-restream.ts
index 502959258..3ea6be9ff 100644
--- a/server/tests/api/live/live-fast-restream.ts
+++ b/server/tests/api/live/live-fast-restream.ts
@@ -59,7 +59,7 @@ describe('Fast restream in live', function () {
       const video = await server.videos.get({ id: liveId })
       expect(video.streamingPlaylists).to.have.lengthOf(1)
 
-      await server.live.getSegment({ videoUUID: liveId, segment: 0, playlistNumber: 0 })
+      await server.live.getSegmentFile({ videoUUID: liveId, segment: 0, playlistNumber: 0 })
       await makeRawRequest(video.streamingPlaylists[0].playlistUrl, HttpStatusCode.OK_200)
       await makeRawRequest(video.streamingPlaylists[0].segmentsSha256Url, HttpStatusCode.OK_200)
 
diff --git a/server/tests/api/live/live.ts b/server/tests/api/live/live.ts
index c436f0f01..5dd2bd9ab 100644
--- a/server/tests/api/live/live.ts
+++ b/server/tests/api/live/live.ts
@@ -3,7 +3,7 @@
 import { expect } from 'chai'
 import { basename, join } from 'path'
 import { ffprobePromise, getVideoStream } from '@server/helpers/ffmpeg'
-import { checkLiveSegmentHash, checkResolutionsInMasterPlaylist, testImage } from '@server/tests/shared'
+import { testImage, testVideoResolutions } from '@server/tests/shared'
 import { getAllFiles, wait } from '@shared/core-utils'
 import {
   HttpStatusCode,
@@ -372,46 +372,6 @@ describe('Test live', function () {
       return uuid
     }
 
-    async function testVideoResolutions (liveVideoId: string, resolutions: number[]) {
-      for (const server of servers) {
-        const { data } = await server.videos.list()
-        expect(data.find(v => v.uuid === liveVideoId)).to.exist
-
-        const video = await server.videos.get({ id: liveVideoId })
-
-        expect(video.streamingPlaylists).to.have.lengthOf(1)
-
-        const hlsPlaylist = video.streamingPlaylists.find(s => s.type === VideoStreamingPlaylistType.HLS)
-        expect(hlsPlaylist).to.exist
-
-        // Only finite files are displayed
-        expect(hlsPlaylist.files).to.have.lengthOf(0)
-
-        await checkResolutionsInMasterPlaylist({ server, playlistUrl: hlsPlaylist.playlistUrl, resolutions })
-
-        for (let i = 0; i < resolutions.length; i++) {
-          const segmentNum = 3
-          const segmentName = `${i}-00000${segmentNum}.ts`
-          await commands[0].waitUntilSegmentGeneration({ videoUUID: video.uuid, playlistNumber: i, segment: segmentNum })
-
-          const subPlaylist = await servers[0].streamingPlaylists.get({
-            url: `${servers[0].url}/static/streaming-playlists/hls/${video.uuid}/${i}.m3u8`
-          })
-
-          expect(subPlaylist).to.contain(segmentName)
-
-          const baseUrlAndPath = servers[0].url + '/static/streaming-playlists/hls'
-          await checkLiveSegmentHash({
-            server,
-            baseUrlSegment: baseUrlAndPath,
-            videoUUID: video.uuid,
-            segmentName,
-            hlsPlaylist
-          })
-        }
-      }
-    }
-
     function updateConf (resolutions: number[]) {
       return servers[0].config.updateCustomSubConfig({
         newConfig: {
@@ -449,7 +409,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, [ 720 ])
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: [ 720 ],
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
     })
@@ -477,7 +444,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions.concat([ 720 ]))
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: resolutions.concat([ 720 ]),
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
     })
@@ -522,7 +496,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions)
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions,
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
@@ -538,7 +519,7 @@ describe('Test live', function () {
       }
 
       const minBitrateLimits = {
-        720: 5500 * 1000,
+        720: 5000 * 1000,
         360: 1000 * 1000,
         240: 550 * 1000
       }
@@ -569,7 +550,7 @@ describe('Test live', function () {
           if (resolution >= 720) {
             expect(file.fps).to.be.approximately(60, 10)
           } else {
-            expect(file.fps).to.be.approximately(30, 2)
+            expect(file.fps).to.be.approximately(30, 3)
           }
 
           const filename = basename(file.fileUrl)
@@ -611,7 +592,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions)
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions,
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
@@ -640,7 +628,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, [ 720 ])
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: [ 720 ],
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
diff --git a/server/tests/api/notifications/admin-notifications.ts b/server/tests/api/notifications/admin-notifications.ts
index b3bb4888e..07c981a37 100644
--- a/server/tests/api/notifications/admin-notifications.ts
+++ b/server/tests/api/notifications/admin-notifications.ts
@@ -37,7 +37,7 @@ describe('Test admin notifications', function () {
       plugins: {
         index: {
           enabled: true,
-          check_latest_versions_interval: '5 seconds'
+          check_latest_versions_interval: '3 seconds'
         }
       }
     }
@@ -62,7 +62,7 @@ describe('Test admin notifications', function () {
 
   describe('Latest PeerTube version notification', function () {
 
-    it('Should not send a notification to admins if there is not a new version', async function () {
+    it('Should not send a notification to admins if there is no new version', async function () {
       this.timeout(30000)
 
       joinPeerTubeServer.setLatestVersion('1.4.2')
@@ -71,7 +71,7 @@ describe('Test admin notifications', function () {
       await checkNewPeerTubeVersion({ ...baseParams, latestVersion: '1.4.2', checkType: 'absence' })
     })
 
-    it('Should send a notification to admins on new plugin version', async function () {
+    it('Should send a notification to admins on new version', async function () {
       this.timeout(30000)
 
       joinPeerTubeServer.setLatestVersion('15.4.2')
diff --git a/server/tests/api/notifications/moderation-notifications.ts b/server/tests/api/notifications/moderation-notifications.ts
index d8a7d576e..fc953f144 100644
--- a/server/tests/api/notifications/moderation-notifications.ts
+++ b/server/tests/api/notifications/moderation-notifications.ts
@@ -382,7 +382,7 @@ describe('Test moderation notifications', function () {
     })
 
     it('Should send a notification only to admin when there is a new instance follower', async function () {
-      this.timeout(20000)
+      this.timeout(60000)
 
       await servers[2].follows.follow({ hosts: [ servers[0].url ] })
 
diff --git a/server/tests/api/object-storage/live.ts b/server/tests/api/object-storage/live.ts
index 0958ffe0f..7e16b4c89 100644
--- a/server/tests/api/object-storage/live.ts
+++ b/server/tests/api/object-storage/live.ts
@@ -1,9 +1,9 @@
 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
 
 import { expect } from 'chai'
-import { expectStartWith } from '@server/tests/shared'
+import { expectStartWith, testVideoResolutions } from '@server/tests/shared'
 import { areObjectStorageTestsDisabled } from '@shared/core-utils'
-import { HttpStatusCode, LiveVideoCreate, VideoFile, VideoPrivacy } from '@shared/models'
+import { HttpStatusCode, LiveVideoCreate, VideoPrivacy } from '@shared/models'
 import {
   createMultipleServers,
   doubleFollow,
@@ -35,41 +35,43 @@ async function createLive (server: PeerTubeServer, permanent: boolean) {
   return uuid
 }
 
-async function checkFiles (files: VideoFile[]) {
-  for (const file of files) {
-    expectStartWith(file.fileUrl, ObjectStorageCommand.getPlaylistBaseUrl())
+async function checkFilesExist (servers: PeerTubeServer[], videoUUID: string, numberOfFiles: number) {
+  for (const server of servers) {
+    const video = await server.videos.get({ id: videoUUID })
 
-    await makeRawRequest(file.fileUrl, HttpStatusCode.OK_200)
-  }
-}
+    expect(video.files).to.have.lengthOf(0)
+    expect(video.streamingPlaylists).to.have.lengthOf(1)
 
-async function getFiles (server: PeerTubeServer, videoUUID: string) {
-  const video = await server.videos.get({ id: videoUUID })
+    const files = video.streamingPlaylists[0].files
+    expect(files).to.have.lengthOf(numberOfFiles)
 
-  expect(video.files).to.have.lengthOf(0)
-  expect(video.streamingPlaylists).to.have.lengthOf(1)
+    for (const file of files) {
+      expectStartWith(file.fileUrl, ObjectStorageCommand.getPlaylistBaseUrl())
 
-  return video.streamingPlaylists[0].files
+      await makeRawRequest(file.fileUrl, HttpStatusCode.OK_200)
+    }
+  }
 }
 
-async function streamAndEnd (servers: PeerTubeServer[], liveUUID: string) {
-  const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: liveUUID })
-  await waitUntilLivePublishedOnAllServers(servers, liveUUID)
-
-  const videoLiveDetails = await servers[0].videos.get({ id: liveUUID })
-  const liveDetails = await servers[0].live.get({ videoId: liveUUID })
+async function checkFilesCleanup (server: PeerTubeServer, videoUUID: string, resolutions: number[]) {
+  const resolutionFiles = resolutions.map((_value, i) => `${i}.m3u8`)
 
-  await stopFfmpeg(ffmpegCommand)
-
-  if (liveDetails.permanentLive) {
-    await waitUntilLiveWaitingOnAllServers(servers, liveUUID)
-  } else {
-    await waitUntilLiveReplacedByReplayOnAllServers(servers, liveUUID)
+  for (const playlistName of [ 'master.m3u8' ].concat(resolutionFiles)) {
+    await server.live.getPlaylistFile({
+      videoUUID,
+      playlistName,
+      expectedStatus: HttpStatusCode.NOT_FOUND_404,
+      objectStorage: true
+    })
   }
 
-  await waitJobs(servers)
-
-  return { videoLiveDetails, liveDetails }
+  await server.live.getSegmentFile({
+    videoUUID,
+    playlistNumber: 0,
+    segment: 0,
+    objectStorage: true,
+    expectedStatus: HttpStatusCode.NOT_FOUND_404
+  })
 }
 
 describe('Object storage for lives', function () {
@@ -100,57 +102,124 @@ describe('Object storage for lives', function () {
       videoUUID = await createLive(servers[0], false)
     })
 
-    it('Should create a live and save the replay on object storage', async function () {
+    it('Should create a live and publish it on object storage', async function () {
+      this.timeout(220000)
+
+      const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUID })
+      await waitUntilLivePublishedOnAllServers(servers, videoUUID)
+
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId: videoUUID,
+        resolutions: [ 720 ],
+        transcoded: false,
+        objectStorage: true
+      })
+
+      await stopFfmpeg(ffmpegCommand)
+    })
+
+    it('Should have saved the replay on object storage', async function () {
       this.timeout(220000)
 
-      await streamAndEnd(servers, videoUUID)
+      await waitUntilLiveReplacedByReplayOnAllServers(servers, videoUUID)
+      await waitJobs(servers)
 
-      for (const server of servers) {
-        const files = await getFiles(server, videoUUID)
-        expect(files).to.have.lengthOf(1)
+      await checkFilesExist(servers, videoUUID, 1)
+    })
 
-        await checkFiles(files)
-      }
+    it('Should have cleaned up live files from object storage', async function () {
+      await checkFilesCleanup(servers[0], videoUUID, [ 720 ])
     })
   })
 
   describe('With live transcoding', async function () {
-    let videoUUIDPermanent: string
-    let videoUUIDNonPermanent: string
+    const resolutions = [ 720, 480, 360, 240, 144 ]
 
     before(async function () {
       await servers[0].config.enableLive({ transcoding: true })
-
-      videoUUIDPermanent = await createLive(servers[0], true)
-      videoUUIDNonPermanent = await createLive(servers[0], false)
     })
 
-    it('Should create a live and save the replay on object storage', async function () {
-      this.timeout(240000)
+    describe('Normal replay', function () {
+      let videoUUIDNonPermanent: string
+
+      before(async function () {
+        videoUUIDNonPermanent = await createLive(servers[0], false)
+      })
+
+      it('Should create a live and publish it on object storage', async function () {
+        this.timeout(240000)
+
+        const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUIDNonPermanent })
+        await waitUntilLivePublishedOnAllServers(servers, videoUUIDNonPermanent)
+
+        await testVideoResolutions({
+          originServer: servers[0],
+          servers,
+          liveVideoId: videoUUIDNonPermanent,
+          resolutions,
+          transcoded: true,
+          objectStorage: true
+        })
+
+        await stopFfmpeg(ffmpegCommand)
+      })
 
-      await streamAndEnd(servers, videoUUIDNonPermanent)
+      it('Should have saved the replay on object storage', async function () {
+        this.timeout(220000)
 
-      for (const server of servers) {
-        const files = await getFiles(server, videoUUIDNonPermanent)
-        expect(files).to.have.lengthOf(5)
+        await waitUntilLiveReplacedByReplayOnAllServers(servers, videoUUIDNonPermanent)
+        await waitJobs(servers)
 
-        await checkFiles(files)
-      }
+        await checkFilesExist(servers, videoUUIDNonPermanent, 5)
+      })
+
+      it('Should have cleaned up live files from object storage', async function () {
+        await checkFilesCleanup(servers[0], videoUUIDNonPermanent, resolutions)
+      })
     })
 
-    it('Should create a live and save the replay of permanent live on object storage', async function () {
-      this.timeout(240000)
+    describe('Permanent replay', function () {
+      let videoUUIDPermanent: string
+
+      before(async function () {
+        videoUUIDPermanent = await createLive(servers[0], true)
+      })
+
+      it('Should create a live and publish it on object storage', async function () {
+        this.timeout(240000)
+
+        const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUIDPermanent })
+        await waitUntilLivePublishedOnAllServers(servers, videoUUIDPermanent)
+
+        await testVideoResolutions({
+          originServer: servers[0],
+          servers,
+          liveVideoId: videoUUIDPermanent,
+          resolutions,
+          transcoded: true,
+          objectStorage: true
+        })
+
+        await stopFfmpeg(ffmpegCommand)
+      })
+
+      it('Should have saved the replay on object storage', async function () {
+        this.timeout(220000)
 
-      const { videoLiveDetails } = await streamAndEnd(servers, videoUUIDPermanent)
+        await waitUntilLiveWaitingOnAllServers(servers, videoUUIDPermanent)
+        await waitJobs(servers)
 
-      const replay = await findExternalSavedVideo(servers[0], videoLiveDetails)
+        const videoLiveDetails = await servers[0].videos.get({ id: videoUUIDPermanent })
+        const replay = await findExternalSavedVideo(servers[0], videoLiveDetails)
 
-      for (const server of servers) {
-        const files = await getFiles(server, replay.uuid)
-        expect(files).to.have.lengthOf(5)
+        await checkFilesExist(servers, replay.uuid, 5)
+      })
 
-        await checkFiles(files)
-      }
+      it('Should have cleaned up live files from object storage', async function () {
+        await checkFilesCleanup(servers[0], videoUUIDPermanent, resolutions)
+      })
     })
   })
 
diff --git a/server/tests/api/redundancy/redundancy.ts b/server/tests/api/redundancy/redundancy.ts
index 5abed358f..f349a7a76 100644
--- a/server/tests/api/redundancy/redundancy.ts
+++ b/server/tests/api/redundancy/redundancy.ts
@@ -5,7 +5,7 @@ import { readdir } from 'fs-extra'
 import magnetUtil from 'magnet-uri'
 import { basename, join } from 'path'
 import { checkSegmentHash, checkVideoFilesWereRemoved, saveVideoInServers } from '@server/tests/shared'
-import { root, wait } from '@shared/core-utils'
+import { wait } from '@shared/core-utils'
 import {
   HttpStatusCode,
   VideoDetails,
@@ -159,12 +159,12 @@ async function check2Webseeds (videoUUID?: string) {
   const { webtorrentFilenames } = await ensureSameFilenames(videoUUID)
 
   const directories = [
-    'test' + servers[0].internalServerNumber + '/redundancy',
-    'test' + servers[1].internalServerNumber + '/videos'
+    servers[0].getDirectoryPath('redundancy'),
+    servers[1].getDirectoryPath('videos')
   ]
 
   for (const directory of directories) {
-    const files = await readdir(join(root(), directory))
+    const files = await readdir(directory)
     expect(files).to.have.length.at.least(4)
 
     // Ensure we files exist on disk
@@ -214,12 +214,12 @@ async function check1PlaylistRedundancies (videoUUID?: string) {
   const { hlsFilenames } = await ensureSameFilenames(videoUUID)
 
   const directories = [
-    'test' + servers[0].internalServerNumber + '/redundancy/hls',
-    'test' + servers[1].internalServerNumber + '/streaming-playlists/hls'
+    servers[0].getDirectoryPath('redundancy/hls'),
+    servers[1].getDirectoryPath('streaming-playlists/hls')
   ]
 
   for (const directory of directories) {
-    const files = await readdir(join(root(), directory, videoUUID))
+    const files = await readdir(join(directory, videoUUID))
     expect(files).to.have.length.at.least(4)
 
     // Ensure we files exist on disk
diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts
index c65152c6f..643f1a531 100644
--- a/server/tests/api/users/index.ts
+++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
+import './two-factor'
 import './user-subscriptions'
 import './user-videos'
 import './users'
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
new file mode 100644
index 000000000..0dcab9e17
--- /dev/null
+++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,200 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { expect } from 'chai'
+import { expectStartWith } from '@server/tests/shared'
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+
+async function login (options: {
+  server: PeerTubeServer
+  username: string
+  password: string
+  otpToken?: string
+  expectedStatus?: HttpStatusCode
+}) {
+  const { server, username, password, otpToken, expectedStatus } = options
+
+  const user = { username, password }
+  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
+
+  return { res, token }
+}
+
+describe('Test users', function () {
+  let server: PeerTubeServer
+  let otpSecret: string
+  let requestToken: string
+
+  const userUsername = 'user1'
+  let userId: number
+  let userPassword: string
+  let userToken: string
+
+  before(async function () {
+    this.timeout(30000)
+
+    server = await createSingleServer(1)
+
+    await setAccessTokensToServers([ server ])
+    const res = await server.users.generate(userUsername)
+    userId = res.userId
+    userPassword = res.password
+    userToken = res.token
+  })
+
+  it('Should not add the header on login if two factor is not enabled', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should request two factor and get the secret and uri', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+
+    expect(otpRequest.requestToken).to.exist
+
+    expect(otpRequest.secret).to.exist
+    expect(otpRequest.secret).to.have.lengthOf(32)
+
+    expect(otpRequest.uri).to.exist
+    expectStartWith(otpRequest.uri, 'otpauth://')
+    expect(otpRequest.uri).to.include(otpRequest.secret)
+
+    requestToken = otpRequest.requestToken
+    otpSecret = otpRequest.secret
+  })
+
+  it('Should not have two factor confirmed yet', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  it('Should confirm two factor', async function () {
+    await server.twoFactor.confirmRequest({
+      userId,
+      token: userToken,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
+      requestToken
+    })
+  })
+
+  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should add the header on login if two factor is enabled and password is correct', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+    })
+
+    expect(res.header['x-peertube-otp']).to.exist
+    expect(token).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should not login with correct password and incorrect otp secret', async function () {
+    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
+
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: otp.generate(),
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should not login with correct password and incorrect otp code', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: '123456',
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should not login with incorrect password and correct otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: 'fake',
+      otpToken,
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should correctly login with correct password and otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+
+    const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should have two factor enabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+
+  it('Should disable two factor and be able to login without otp token', async function () {
+    await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+    expect(res.header['x-peertube-otp']).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should have two factor disabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  it('Should enable two factor auth without password from an admin', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId })
+
+    await server.twoFactor.confirmRequest({
+      userId,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
+      requestToken: otpRequest.requestToken
+    })
+
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+
+  it('Should disable two factor auth without password from an admin', async function () {
+    await server.twoFactor.disable({ userId })
+
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/users/users-multiple-servers.ts b/server/tests/api/users/users-multiple-servers.ts
index 62d668d1e..188e6f137 100644
--- a/server/tests/api/users/users-multiple-servers.ts
+++ b/server/tests/api/users/users-multiple-servers.ts
@@ -197,7 +197,7 @@ describe('Test users with multiple servers', function () {
   it('Should not have actor files', async () => {
     for (const server of servers) {
       for (const userAvatarFilename of userAvatarFilenames) {
-        await checkActorFilesWereRemoved(userAvatarFilename, server.internalServerNumber)
+        await checkActorFilesWereRemoved(userAvatarFilename, server)
       }
     }
   })
diff --git a/server/tests/api/videos/multiple-servers.ts b/server/tests/api/videos/multiple-servers.ts
index d47807a79..2ad749fd4 100644
--- a/server/tests/api/videos/multiple-servers.ts
+++ b/server/tests/api/videos/multiple-servers.ts
@@ -156,7 +156,7 @@ describe('Test multiple servers', function () {
     })
 
     it('Should upload the video on server 2 and propagate on each server', async function () {
-      this.timeout(100000)
+      this.timeout(240000)
 
       const user = {
         username: 'user1',
diff --git a/server/tests/api/videos/video-files.ts b/server/tests/api/videos/video-files.ts
index 10277b9cf..c0b886aad 100644
--- a/server/tests/api/videos/video-files.ts
+++ b/server/tests/api/videos/video-files.ts
@@ -33,7 +33,7 @@ describe('Test videos files', function () {
     let validId2: string
 
     before(async function () {
-      this.timeout(120_000)
+      this.timeout(360_000)
 
       {
         const { uuid } = await servers[0].videos.quickUpload({ name: 'video 1' })
diff --git a/server/tests/api/videos/video-playlists.ts b/server/tests/api/videos/video-playlists.ts
index 47b8c7b1e..9d223de48 100644
--- a/server/tests/api/videos/video-playlists.ts
+++ b/server/tests/api/videos/video-playlists.ts
@@ -70,7 +70,7 @@ describe('Test video playlists', function () {
   let commands: PlaylistsCommand[]
 
   before(async function () {
-    this.timeout(120000)
+    this.timeout(240000)
 
     servers = await createMultipleServers(3)
 
@@ -1049,7 +1049,7 @@ describe('Test video playlists', function () {
       this.timeout(30000)
 
       for (const server of servers) {
-        await checkPlaylistFilesWereRemoved(playlistServer1UUID, server.internalServerNumber)
+        await checkPlaylistFilesWereRemoved(playlistServer1UUID, server)
       }
     })
 
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index b18c71c94..92f5dab3c 100644
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -45,7 +45,7 @@ describe('Test video privacy', function () {
   describe('Private and internal videos', function () {
 
     it('Should upload a private and internal videos on server 1', async function () {
-      this.timeout(10000)
+      this.timeout(50000)
 
       for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
         const attributes = { privacy }
diff --git a/server/tests/api/videos/videos-common-filters.ts b/server/tests/api/videos/videos-common-filters.ts
index e7fc15e42..b176d90ab 100644
--- a/server/tests/api/videos/videos-common-filters.ts
+++ b/server/tests/api/videos/videos-common-filters.ts
@@ -232,7 +232,7 @@ describe('Test videos filter', function () {
     })
 
     it('Should display only remote videos', async function () {
-      this.timeout(40000)
+      this.timeout(120000)
 
       await servers[1].videos.upload({ attributes: { name: 'remote video' } })