81 files changed, 2502 insertions, 669 deletions

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 0b27d5277..a8677a1d3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
 import { myNotificationsRouter } from './my-notifications'
 import { mySubscriptionsRouter } from './my-subscriptions'
 import { myVideoPlaylistsRouter } from './my-video-playlists'
+import { twoFactorRouter } from './two-factor'
 
 const auditLogger = auditLoggerFactory('users')
 
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
 })
 
 const usersRouter = express.Router()
+usersRouter.use('/', twoFactorRouter)
 usersRouter.use('/', tokensRouter)
 usersRouter.use('/', myNotificationsRouter)
 usersRouter.use('/', mySubscriptionsRouter)
@@ -343,7 +345,7 @@ async function askResetUserPassword (req: express.Request, res: express.Response
 
   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
-  await Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)
+  Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)
 
   return res.status(HttpStatusCode.NO_CONTENT_204).end()
 }
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 012a49791..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
 import express from 'express'
 import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { OTP } from '@server/initializers/constants'
 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
-import { handleOAuthToken } from '@server/lib/auth/oauth'
+import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
   } catch (err) {
     logger.warn('Login error', { err })
 
+    if (err instanceof MissingTwoFactorError) {
+      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
+    }
+
     return res.fail({
       status: err.code,
       message: err.message,
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..e6ae9e4dd
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,95 @@
+import express from 'express'
+import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
+import { Redis } from '@server/lib/redis'
+import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
+import {
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator,
+  requestOrConfirmTwoFactorValidator
+} from '@server/middlewares/validators/two-factor'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+
+const twoFactorRouter = express.Router()
+
+twoFactorRouter.post('/:id/two-factor/request',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  asyncMiddleware(requestTwoFactor)
+)
+
+twoFactorRouter.post('/:id/two-factor/confirm-request',
+  authenticate,
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  confirmTwoFactorValidator,
+  asyncMiddleware(confirmRequestTwoFactor)
+)
+
+twoFactorRouter.post('/:id/two-factor/disable',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(disableTwoFactorValidator),
+  asyncMiddleware(disableTwoFactor)
+)
+
+// ---------------------------------------------------------------------------
+
+export {
+  twoFactorRouter
+}
+
+// ---------------------------------------------------------------------------
+
+async function requestTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+
+  const { secret, uri } = generateOTPSecret(user.email)
+
+  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
+
+  return res.json({
+    otpRequest: {
+      requestToken,
+      secret,
+      uri
+    }
+  } as TwoFactorEnableResult)
+}
+
+async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
+  const requestToken = req.body.requestToken
+  const otpToken = req.body.otpToken
+  const user = res.locals.user
+
+  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!encryptedSecret) {
+    return res.fail({
+      message: 'Invalid request token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+
+  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
+    return res.fail({
+      message: 'Invalid OTP token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+
+  user.otpSecret = encryptedSecret
+  await user.save()
+
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
+
+async function disableTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+
+  user.otpSecret = null
+  await user.save()
+
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
diff --git a/server/controllers/index.ts b/server/controllers/index.ts
index e8833d58c..8574a9e7b 100644
--- a/server/controllers/index.ts
+++ b/server/controllers/index.ts
@@ -6,7 +6,6 @@ export * from './feeds'
 export * from './services'
 export * from './static'
 export * from './lazy-static'
-export * from './live'
 export * from './misc'
 export * from './webfinger'
 export * from './tracker'
diff --git a/server/controllers/live.ts b/server/controllers/live.ts
deleted file mode 100644
index 81008f120..000000000
--- a/server/controllers/live.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import cors from 'cors'
-import express from 'express'
-import { mapToJSON } from '@server/helpers/core-utils'
-import { LiveSegmentShaStore } from '@server/lib/live'
-import { HttpStatusCode } from '@shared/models'
-
-const liveRouter = express.Router()
-
-liveRouter.use('/segments-sha256/:videoUUID',
-  cors(),
-  getSegmentsSha256
-)
-
-// ---------------------------------------------------------------------------
-
-export {
-  liveRouter
-}
-
-// ---------------------------------------------------------------------------
-
-function getSegmentsSha256 (req: express.Request, res: express.Response) {
-  const videoUUID = req.params.videoUUID
-
-  const result = LiveSegmentShaStore.Instance.getSegmentsSha256(videoUUID)
-
-  if (!result) {
-    return res.status(HttpStatusCode.NOT_FOUND_404).end()
-  }
-
-  return res.json(mapToJSON(result))
-}
diff --git a/server/controllers/well-known.ts b/server/controllers/well-known.ts
index f467bd629..ce5883571 100644
--- a/server/controllers/well-known.ts
+++ b/server/controllers/well-known.ts
@@ -5,6 +5,7 @@ import { root } from '@shared/core-utils'
 import { CONFIG } from '../initializers/config'
 import { ROUTE_CACHE_LIFETIME, WEBSERVER } from '../initializers/constants'
 import { cacheRoute } from '../middlewares/cache/cache'
+import { handleStaticError } from '@server/middlewares'
 
 const wellKnownRouter = express.Router()
 
@@ -69,6 +70,12 @@ wellKnownRouter.use('/.well-known/host-meta',
   }
 )
 
+wellKnownRouter.use('/.well-known/',
+  cacheRoute(ROUTE_CACHE_LIFETIME.WELL_KNOWN),
+  express.static(CONFIG.STORAGE.WELL_KNOWN_DIR, { fallthrough: false }),
+  handleStaticError
+)
+
 // ---------------------------------------------------------------------------
 
 export {
diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts
index c762f6a29..73bd994c1 100644
--- a/server/helpers/core-utils.ts
+++ b/server/helpers/core-utils.ts
@@ -6,7 +6,7 @@
 */
 
 import { exec, ExecOptions } from 'child_process'
-import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions } from 'crypto'
+import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions, scrypt } from 'crypto'
 import { truncate } from 'lodash'
 import { pipeline } from 'stream'
 import { URL } from 'url'
@@ -311,7 +311,17 @@ function promisify2<T, U, A> (func: (arg1: T, arg2: U, cb: (err: any, result: A)
   }
 }
 
+// eslint-disable-next-line max-len
+function promisify3<T, U, V, A> (func: (arg1: T, arg2: U, arg3: V, cb: (err: any, result: A) => void) => void): (arg1: T, arg2: U, arg3: V) => Promise<A> {
+  return function promisified (arg1: T, arg2: U, arg3: V): Promise<A> {
+    return new Promise<A>((resolve: (arg: A) => void, reject: (err: any) => void) => {
+      func.apply(null, [ arg1, arg2, arg3, (err: any, res: A) => err ? reject(err) : resolve(res) ])
+    })
+  }
+}
+
 const randomBytesPromise = promisify1<number, Buffer>(randomBytes)
+const scryptPromise = promisify3<string, string, number, Buffer>(scrypt)
 const execPromise2 = promisify2<string, any, string>(exec)
 const execPromise = promisify1<string, string>(exec)
 const pipelinePromise = promisify(pipeline)
@@ -339,6 +349,8 @@ export {
   promisify1,
   promisify2,
 
+  scryptPromise,
+
   randomBytesPromise,
 
   generateRSAKeyPairPromise,
diff --git a/server/helpers/otp.ts b/server/helpers/otp.ts
new file mode 100644
index 000000000..a32cc9621
--- /dev/null
+++ b/server/helpers/otp.ts
@@ -0,0 +1,58 @@
+import { Secret, TOTP } from 'otpauth'
+import { CONFIG } from '@server/initializers/config'
+import { WEBSERVER } from '@server/initializers/constants'
+import { decrypt } from './peertube-crypto'
+
+async function isOTPValid (options: {
+  encryptedSecret: string
+  token: string
+}) {
+  const { token, encryptedSecret } = options
+
+  const secret = await decrypt(encryptedSecret, CONFIG.SECRETS.PEERTUBE)
+
+  const totp = new TOTP({
+    ...baseOTPOptions(),
+
+    secret
+  })
+
+  const delta = totp.validate({
+    token,
+    window: 1
+  })
+
+  if (delta === null) return false
+
+  return true
+}
+
+function generateOTPSecret (email: string) {
+  const totp = new TOTP({
+    ...baseOTPOptions(),
+
+    label: email,
+    secret: new Secret()
+  })
+
+  return {
+    secret: totp.secret.base32,
+    uri: totp.toString()
+  }
+}
+
+export {
+  isOTPValid,
+  generateOTPSecret
+}
+
+// ---------------------------------------------------------------------------
+
+function baseOTPOptions () {
+  return {
+    issuer: WEBSERVER.HOST,
+    algorithm: 'SHA1',
+    digits: 6,
+    period: 30
+  }
+}
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index 8aca50900..ae7d11800 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -1,11 +1,11 @@
 import { compare, genSalt, hash } from 'bcrypt'
-import { createSign, createVerify } from 'crypto'
+import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto'
 import { Request } from 'express'
 import { cloneDeep } from 'lodash'
 import { sha256 } from '@shared/extra-utils'
-import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
+import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
 import { MActor } from '../types/models'
-import { generateRSAKeyPairPromise, promisify1, promisify2 } from './core-utils'
+import { generateRSAKeyPairPromise, promisify1, promisify2, randomBytesPromise, scryptPromise } from './core-utils'
 import { jsonld } from './custom-jsonld-signature'
 import { logger } from './logger'
 
@@ -21,9 +21,13 @@ function createPrivateAndPublicKeys () {
   return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)
 }
 
+// ---------------------------------------------------------------------------
 // User password checks
+// ---------------------------------------------------------------------------
 
 function comparePassword (plainPassword: string, hashPassword: string) {
+  if (!plainPassword) return Promise.resolve(false)
+
   return bcryptComparePromise(plainPassword, hashPassword)
 }
 
@@ -33,7 +37,9 @@ async function cryptPassword (password: string) {
   return bcryptHashPromise(password, salt)
 }
 
+// ---------------------------------------------------------------------------
 // HTTP Signature
+// ---------------------------------------------------------------------------
 
 function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
   if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
@@ -62,7 +68,9 @@ function parseHTTPSignature (req: Request, clockSkew?: number) {
   return parsed
 }
 
+// ---------------------------------------------------------------------------
 // JSONLD
+// ---------------------------------------------------------------------------
 
 function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
   if (signedDocument.signature.type === 'RsaSignature2017') {
@@ -112,6 +120,8 @@ async function signJsonLDObject <T> (byActor: MActor, data: T) {
   return Object.assign(data, { signature })
 }
 
+// ---------------------------------------------------------------------------
+
 function buildDigest (body: any) {
   const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
 
@@ -119,6 +129,34 @@ function buildDigest (body: any) {
 }
 
 // ---------------------------------------------------------------------------
+// Encryption
+// ---------------------------------------------------------------------------
+
+async function encrypt (str: string, secret: string) {
+  const iv = await randomBytesPromise(ENCRYPTION.IV)
+
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv)
+
+  let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':'
+  encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING)
+  encrypted += cipher.final(ENCRYPTION.ENCODING)
+
+  return encrypted
+}
+
+async function decrypt (encryptedArg: string, secret: string) {
+  const [ ivStr, encryptedStr ] = encryptedArg.split(':')
+
+  const iv = Buffer.from(ivStr, 'hex')
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+
+  const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv)
+
+  return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8')
+}
+
+// ---------------------------------------------------------------------------
 
 export {
   isHTTPSignatureDigestValid,
@@ -129,7 +167,10 @@ export {
   comparePassword,
   createPrivateAndPublicKeys,
   cryptPassword,
-  signJsonLDObject
+  signJsonLDObject,
+
+  encrypt,
+  decrypt
 }
 
 // ---------------------------------------------------------------------------
diff --git a/server/helpers/youtube-dl/youtube-dl-cli.ts b/server/helpers/youtube-dl/youtube-dl-cli.ts
index fc4c40787..a2f630953 100644
--- a/server/helpers/youtube-dl/youtube-dl-cli.ts
+++ b/server/helpers/youtube-dl/youtube-dl-cli.ts
@@ -128,14 +128,14 @@ export class YoutubeDLCLI {
     const data = await this.run({ url, args: completeArgs, processOptions })
     if (!data) return undefined
 
-    const info = data.map(this.parseInfo)
+    const info = data.map(d => JSON.parse(d))
 
     return info.length === 1
       ? info[0]
       : info
   }
 
-  getListInfo (options: {
+  async getListInfo (options: {
     url: string
     latestVideosCount?: number
     processOptions: execa.NodeOptions
@@ -151,12 +151,17 @@ export class YoutubeDLCLI {
       additionalYoutubeDLArgs.push('--playlist-end', options.latestVideosCount.toString())
     }
 
-    return this.getInfo({
+    const result = await this.getInfo({
       url: options.url,
       format: YoutubeDLCLI.getYoutubeDLVideoFormat([], false),
       processOptions: options.processOptions,
       additionalYoutubeDLArgs
     })
+
+    if (!result) return result
+    if (!Array.isArray(result)) return [ result ]
+
+    return result
   }
 
   async getSubs (options: {
@@ -241,8 +246,4 @@ export class YoutubeDLCLI {
 
     return args
   }
-
-  private parseInfo (data: string) {
-    return JSON.parse(data)
-  }
 }
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts
index 42839d1c9..c83fef425 100644
--- a/server/initializers/checker-after-init.ts
+++ b/server/initializers/checker-after-init.ts
@@ -42,6 +42,7 @@ function checkConfig () {
     logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
   }
 
+  checkSecretsConfig()
   checkEmailConfig()
   checkNSFWPolicyConfig()
   checkLocalRedundancyConfig()
@@ -103,6 +104,12 @@ export {
 
 // ---------------------------------------------------------------------------
 
+function checkSecretsConfig () {
+  if (!CONFIG.SECRETS.PEERTUBE) {
+    throw new Error('secrets.peertube is missing in config. Generate one using `openssl rand -hex 32`')
+  }
+}
+
 function checkEmailConfig () {
   if (!isEmailEnabled()) {
     if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts
index 3188903be..c9268b156 100644
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -11,12 +11,13 @@ const config: IConfig = require('config')
 function checkMissedConfig () {
   const required = [ 'listen.port', 'listen.hostname',
     'webserver.https', 'webserver.hostname', 'webserver.port',
+    'secrets.peertube',
     'trust_proxy',
     'database.hostname', 'database.port', 'database.username', 'database.password', 'database.pool.max',
     'smtp.hostname', 'smtp.port', 'smtp.username', 'smtp.password', 'smtp.tls', 'smtp.from_address',
     'email.body.signature', 'email.subject.prefix',
     'storage.avatars', 'storage.videos', 'storage.logs', 'storage.previews', 'storage.thumbnails', 'storage.torrents', 'storage.cache',
-    'storage.redundancy', 'storage.tmp', 'storage.streaming_playlists', 'storage.plugins',
+    'storage.redundancy', 'storage.tmp', 'storage.streaming_playlists', 'storage.plugins', 'storage.well_known',
     'log.level',
     'user.video_quota', 'user.video_quota_daily',
     'video_channels.max_per_user',
diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index 2c92bea22..a5a0d4e46 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -20,6 +20,9 @@ const CONFIG = {
     PORT: config.get<number>('listen.port'),
     HOSTNAME: config.get<string>('listen.hostname')
   },
+  SECRETS: {
+    PEERTUBE: config.get<string>('secrets.peertube')
+  },
   DATABASE: {
     DBNAME: config.has('database.name') ? config.get<string>('database.name') : 'peertube' + config.get<string>('database.suffix'),
     HOSTNAME: config.get<string>('database.hostname'),
@@ -107,7 +110,8 @@ const CONFIG = {
     TORRENTS_DIR: buildPath(config.get<string>('storage.torrents')),
     CACHE_DIR: buildPath(config.get<string>('storage.cache')),
     PLUGINS_DIR: buildPath(config.get<string>('storage.plugins')),
-    CLIENT_OVERRIDES_DIR: buildPath(config.get<string>('storage.client_overrides'))
+    CLIENT_OVERRIDES_DIR: buildPath(config.get<string>('storage.client_overrides')),
+    WELL_KNOWN_DIR: buildPath(config.get<string>('storage.well_known'))
   },
   OBJECT_STORAGE: {
     ENABLED: config.get<boolean>('object_storage.enabled'),
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 7039ab457..cab61948a 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -1,5 +1,5 @@
 import { RepeatOptions } from 'bullmq'
-import { randomBytes } from 'crypto'
+import { Encoding, randomBytes } from 'crypto'
 import { invert } from 'lodash'
 import { join } from 'path'
 import { randomInt, root } from '@shared/core-utils'
@@ -25,7 +25,7 @@ import { CONFIG, registerConfigChangedHandler } from './config'
 
 // ---------------------------------------------------------------------------
 
-const LAST_MIGRATION_VERSION = 740
+const LAST_MIGRATION_VERSION = 745
 
 // ---------------------------------------------------------------------------
 
@@ -116,7 +116,8 @@ const ROUTE_CACHE_LIFETIME = {
   ACTIVITY_PUB: {
     VIDEOS: '1 second' // 1 second, cache concurrent requests after a broadcast for example
   },
-  STATS: '4 hours'
+  STATS: '4 hours',
+  WELL_KNOWN: '1 day'
 }
 
 // ---------------------------------------------------------------------------
@@ -636,9 +637,18 @@ let PRIVATE_RSA_KEY_SIZE = 2048
 // Password encryption
 const BCRYPT_SALT_SIZE = 10
 
+const ENCRYPTION = {
+  ALGORITHM: 'aes-256-cbc',
+  IV: 16,
+  SALT: 'peertube',
+  ENCODING: 'hex' as Encoding
+}
+
 const USER_PASSWORD_RESET_LIFETIME = 60000 * 60 // 60 minutes
 const USER_PASSWORD_CREATE_LIFETIME = 60000 * 60 * 24 * 7 // 7 days
 
+const TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME = 60000 * 10 // 10 minutes
+
 const USER_EMAIL_VERIFY_LIFETIME = 60000 * 60 // 60 minutes
 
 const NSFW_POLICY_TYPES: { [ id: string ]: NSFWPolicyType } = {
@@ -804,6 +814,10 @@ const REDUNDANCY = {
 }
 
 const ACCEPT_HEADERS = [ 'html', 'application/json' ].concat(ACTIVITY_PUB.POTENTIAL_ACCEPT_HEADERS)
+const OTP = {
+  HEADER_NAME: 'x-peertube-otp',
+  HEADER_REQUIRED_VALUE: 'required; app'
+}
 
 const ASSETS_PATH = {
   DEFAULT_AUDIO_BACKGROUND: join(root(), 'dist', 'server', 'assets', 'default-audio-background.jpg'),
@@ -952,6 +966,7 @@ const VIDEO_FILTERS = {
 export {
   WEBSERVER,
   API_VERSION,
+  ENCRYPTION,
   VIDEO_LIVE,
   PEERTUBE_VERSION,
   LAZY_STATIC_PATHS,
@@ -985,6 +1000,7 @@ export {
   FOLLOW_STATES,
   DEFAULT_USER_THEME_NAME,
   SERVER_ACTOR_NAME,
+  TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME,
   PLUGIN_GLOBAL_CSS_FILE_NAME,
   PLUGIN_GLOBAL_CSS_PATH,
   PRIVATE_RSA_KEY_SIZE,
@@ -1040,6 +1056,7 @@ export {
   PLUGIN_EXTERNAL_AUTH_TOKEN_LIFETIME,
   ASSETS_PATH,
   FILES_CONTENT_HASH,
+  OTP,
   loadLanguages,
   buildLanguages,
   generateContentHash
diff --git a/server/initializers/migrations/0745-user-otp.ts b/server/initializers/migrations/0745-user-otp.ts
new file mode 100644
index 000000000..157308ea1
--- /dev/null
+++ b/server/initializers/migrations/0745-user-otp.ts
@@ -0,0 +1,29 @@
+import * as Sequelize from 'sequelize'
+
+async function up (utils: {
+  transaction: Sequelize.Transaction
+  queryInterface: Sequelize.QueryInterface
+  sequelize: Sequelize.Sequelize
+  db: any
+}): Promise<void> {
+  const { transaction } = utils
+
+  const data = {
+    type: Sequelize.STRING,
+    defaultValue: null,
+    allowNull: true
+  }
+  await utils.queryInterface.addColumn('user', 'otpSecret', data, { transaction })
+
+}
+
+async function down (utils: {
+  queryInterface: Sequelize.QueryInterface
+  transaction: Sequelize.Transaction
+}) {
+}
+
+export {
+  up,
+  down
+}
diff --git a/server/lib/activitypub/process/process-create.ts b/server/lib/activitypub/process/process-create.ts
index 76ed37aae..1e6e8956c 100644
--- a/server/lib/activitypub/process/process-create.ts
+++ b/server/lib/activitypub/process/process-create.ts
@@ -109,8 +109,10 @@ async function processCreateVideoComment (activity: ActivityCreate, byActor: MAc
   let video: MVideoAccountLightBlacklistAllFiles
   let created: boolean
   let comment: MCommentOwnerVideo
+
   try {
     const resolveThreadResult = await resolveThread({ url: commentObject.id, isVideo: false })
+    if (!resolveThreadResult) return // Comment not accepted
 
     video = resolveThreadResult.video
     created = resolveThreadResult.commentCreated
diff --git a/server/lib/activitypub/video-comments.ts b/server/lib/activitypub/video-comments.ts
index 911c7cd30..b65baf0e9 100644
--- a/server/lib/activitypub/video-comments.ts
+++ b/server/lib/activitypub/video-comments.ts
@@ -4,7 +4,9 @@ import { logger } from '../../helpers/logger'
 import { doJSONRequest } from '../../helpers/requests'
 import { ACTIVITY_PUB, CRAWL_REQUEST_CONCURRENCY } from '../../initializers/constants'
 import { VideoCommentModel } from '../../models/video/video-comment'
-import { MCommentOwner, MCommentOwnerVideo, MVideoAccountLightBlacklistAllFiles } from '../../types/models/video'
+import { MComment, MCommentOwner, MCommentOwnerVideo, MVideoAccountLightBlacklistAllFiles } from '../../types/models/video'
+import { isRemoteVideoCommentAccepted } from '../moderation'
+import { Hooks } from '../plugins/hooks'
 import { getOrCreateAPActor } from './actors'
 import { checkUrlsSameHost } from './url'
 import { getOrCreateAPVideo } from './videos'
@@ -103,6 +105,10 @@ async function tryToResolveThreadFromVideo (params: ResolveThreadParams) {
     firstReply.changed('updatedAt', true)
     firstReply.Video = video
 
+    if (await isRemoteCommentAccepted(firstReply) !== true) {
+      return undefined
+    }
+
     comments[comments.length - 1] = await firstReply.save()
 
     for (let i = comments.length - 2; i >= 0; i--) {
@@ -113,6 +119,10 @@ async function tryToResolveThreadFromVideo (params: ResolveThreadParams) {
       comment.changed('updatedAt', true)
       comment.Video = video
 
+      if (await isRemoteCommentAccepted(comment) !== true) {
+        return undefined
+      }
+
       comments[i] = await comment.save()
     }
 
@@ -169,3 +179,26 @@ async function resolveRemoteParentComment (params: ResolveThreadParams) {
     commentCreated: true
   })
 }
+
+async function isRemoteCommentAccepted (comment: MComment) {
+  // Already created
+  if (comment.id) return true
+
+  const acceptParameters = {
+    comment
+  }
+
+  const acceptedResult = await Hooks.wrapFun(
+    isRemoteVideoCommentAccepted,
+    acceptParameters,
+    'filter:activity-pub.remote-video-comment.create.accept.result'
+  )
+
+  if (!acceptedResult || acceptedResult.accepted !== true) {
+    logger.info('Refused to create a remote comment.', { acceptedResult, acceptParameters })
+
+    return false
+  }
+
+  return true
+}
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts
index fa1887315..35b05ec5a 100644
--- a/server/lib/auth/oauth.ts
+++ b/server/lib/auth/oauth.ts
@@ -9,11 +9,23 @@ import OAuth2Server, {
   UnsupportedGrantTypeError
 } from '@node-oauth/oauth2-server'
 import { randomBytesPromise } from '@server/helpers/core-utils'
+import { isOTPValid } from '@server/helpers/otp'
 import { MOAuthClient } from '@server/types/models'
 import { sha1 } from '@shared/extra-utils'
-import { OAUTH_LIFETIME } from '../../initializers/constants'
+import { HttpStatusCode } from '@shared/models'
+import { OAUTH_LIFETIME, OTP } from '../../initializers/constants'
 import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
 
+class MissingTwoFactorError extends Error {
+  code = HttpStatusCode.UNAUTHORIZED_401
+  name = 'missing_two_factor'
+}
+
+class InvalidTwoFactorError extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = 'invalid_two_factor'
+}
+
 /**
  *
  * Reimplement some functions of OAuth2Server to inject external auth methods
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate (
 }
 
 export {
+  MissingTwoFactorError,
+  InvalidTwoFactorError,
+
   handleOAuthToken,
   handleOAuthAuthenticate
 }
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: {
   const user = await getUser(request.body.username, request.body.password, bypassLogin)
   if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
 
+  if (user.otpSecret) {
+    if (!request.headers[OTP.HEADER_NAME]) {
+      throw new MissingTwoFactorError('Missing two factor header')
+    }
+
+    if (await isOTPValid({ encryptedSecret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) {
+      throw new InvalidTwoFactorError('Invalid two factor header')
+    }
+  }
+
   const token = await buildToken()
 
   return saveToken(token, client, user, { bypassLogin })
diff --git a/server/lib/hls.ts b/server/lib/hls.ts
index a0a5afc0f..a41f1ae48 100644
--- a/server/lib/hls.ts
+++ b/server/lib/hls.ts
@@ -15,7 +15,7 @@ import { P2P_MEDIA_LOADER_PEER_VERSION, REQUEST_TIMEOUTS } from '../initializers
 import { sequelizeTypescript } from '../initializers/database'
 import { VideoFileModel } from '../models/video/video-file'
 import { VideoStreamingPlaylistModel } from '../models/video/video-streaming-playlist'
-import { storeHLSFile } from './object-storage'
+import { storeHLSFileFromFilename } from './object-storage'
 import { generateHLSMasterPlaylistFilename, generateHlsSha256SegmentsFilename, getHlsResolutionPlaylistFilename } from './paths'
 import { VideoPathManager } from './video-path-manager'
 
@@ -95,7 +95,7 @@ function updateMasterHLSPlaylist (video: MVideo, playlistArg: MStreamingPlaylist
     await writeFile(masterPlaylistPath, masterPlaylists.join('\n') + '\n')
 
     if (playlist.storage === VideoStorage.OBJECT_STORAGE) {
-      playlist.playlistUrl = await storeHLSFile(playlist, playlist.playlistFilename)
+      playlist.playlistUrl = await storeHLSFileFromFilename(playlist, playlist.playlistFilename)
       await remove(masterPlaylistPath)
     }
 
@@ -146,7 +146,7 @@ function updateSha256VODSegments (video: MVideo, playlistArg: MStreamingPlaylist
     await outputJSON(outputPath, json)
 
     if (playlist.storage === VideoStorage.OBJECT_STORAGE) {
-      playlist.segmentsSha256Url = await storeHLSFile(playlist, playlist.segmentsSha256Filename)
+      playlist.segmentsSha256Url = await storeHLSFileFromFilename(playlist, playlist.segmentsSha256Filename)
       await remove(outputPath)
     }
 
diff --git a/server/lib/job-queue/handlers/move-to-object-storage.ts b/server/lib/job-queue/handlers/move-to-object-storage.ts
index 25bdebeea..28c3d325d 100644
--- a/server/lib/job-queue/handlers/move-to-object-storage.ts
+++ b/server/lib/job-queue/handlers/move-to-object-storage.ts
@@ -5,7 +5,7 @@ import { logger, loggerTagsFactory } from '@server/helpers/logger'
 import { updateTorrentMetadata } from '@server/helpers/webtorrent'
 import { CONFIG } from '@server/initializers/config'
 import { P2P_MEDIA_LOADER_PEER_VERSION } from '@server/initializers/constants'
-import { storeHLSFile, storeWebTorrentFile } from '@server/lib/object-storage'
+import { storeHLSFileFromFilename, storeWebTorrentFile } from '@server/lib/object-storage'
 import { getHLSDirectory, getHlsResolutionPlaylistFilename } from '@server/lib/paths'
 import { moveToFailedMoveToObjectStorageState, moveToNextState } from '@server/lib/video-state'
 import { VideoModel } from '@server/models/video/video'
@@ -88,10 +88,10 @@ async function moveHLSFiles (video: MVideoWithAllFiles) {
 
       // Resolution playlist
       const playlistFilename = getHlsResolutionPlaylistFilename(file.filename)
-      await storeHLSFile(playlistWithVideo, playlistFilename)
+      await storeHLSFileFromFilename(playlistWithVideo, playlistFilename)
 
       // Resolution fragmented file
-      const fileUrl = await storeHLSFile(playlistWithVideo, file.filename)
+      const fileUrl = await storeHLSFileFromFilename(playlistWithVideo, file.filename)
 
       const oldPath = join(getHLSDirectory(video), file.filename)
 
@@ -113,9 +113,9 @@ async function doAfterLastJob (options: {
     const playlistWithVideo = playlist.withVideo(video)
 
     // Master playlist
-    playlist.playlistUrl = await storeHLSFile(playlistWithVideo, playlist.playlistFilename)
+    playlist.playlistUrl = await storeHLSFileFromFilename(playlistWithVideo, playlist.playlistFilename)
     // Sha256 segments file
-    playlist.segmentsSha256Url = await storeHLSFile(playlistWithVideo, playlist.segmentsSha256Filename)
+    playlist.segmentsSha256Url = await storeHLSFileFromFilename(playlistWithVideo, playlist.segmentsSha256Filename)
 
     playlist.storage = VideoStorage.OBJECT_STORAGE
 
diff --git a/server/lib/job-queue/handlers/video-channel-import.ts b/server/lib/job-queue/handlers/video-channel-import.ts
index 600292844..c3dd8a688 100644
--- a/server/lib/job-queue/handlers/video-channel-import.ts
+++ b/server/lib/job-queue/handlers/video-channel-import.ts
@@ -5,7 +5,7 @@ import { synchronizeChannel } from '@server/lib/sync-channel'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
 import { MChannelSync } from '@server/types/models'
-import { VideoChannelImportPayload, VideoChannelSyncState } from '@shared/models'
+import { VideoChannelImportPayload } from '@shared/models'
 
 export async function processVideoChannelImport (job: Job) {
   const payload = job.data as VideoChannelImportPayload
@@ -32,17 +32,11 @@ export async function processVideoChannelImport (job: Job) {
 
   const videoChannel = await VideoChannelModel.loadAndPopulateAccount(payload.videoChannelId)
 
-  try {
-    logger.info(`Starting importing videos from external channel "${payload.externalChannelUrl}" to "${videoChannel.name}" `)
-
-    await synchronizeChannel({
-      channel: videoChannel,
-      externalChannelUrl: payload.externalChannelUrl,
-      channelSync
-    })
-  } catch (err) {
-    logger.error(`Failed to import channel ${videoChannel.name}`, { err })
-    channelSync.state = VideoChannelSyncState.FAILED
-    await channelSync.save()
-  }
+  logger.info(`Starting importing videos from external channel "${payload.externalChannelUrl}" to "${videoChannel.name}" `)
+
+  await synchronizeChannel({
+    channel: videoChannel,
+    externalChannelUrl: payload.externalChannelUrl,
+    channelSync
+  })
 }
diff --git a/server/lib/job-queue/handlers/video-live-ending.ts b/server/lib/job-queue/handlers/video-live-ending.ts
index 8a3ee09a2..7dbffc955 100644
--- a/server/lib/job-queue/handlers/video-live-ending.ts
+++ b/server/lib/job-queue/handlers/video-live-ending.ts
@@ -4,7 +4,7 @@ import { join } from 'path'
 import { ffprobePromise, getAudioStream, getVideoStreamDimensionsInfo } from '@server/helpers/ffmpeg'
 import { getLocalVideoActivityPubUrl } from '@server/lib/activitypub/url'
 import { federateVideoIfNeeded } from '@server/lib/activitypub/videos'
-import { cleanupPermanentLive, cleanupTMPLiveFiles, cleanupUnsavedNormalLive } from '@server/lib/live'
+import { cleanupAndDestroyPermanentLive, cleanupTMPLiveFiles, cleanupUnsavedNormalLive } from '@server/lib/live'
 import { generateHLSMasterPlaylistFilename, generateHlsSha256SegmentsFilename, getLiveReplayBaseDirectory } from '@server/lib/paths'
 import { generateVideoMiniature } from '@server/lib/thumbnail'
 import { generateHlsPlaylistResolutionFromTS } from '@server/lib/transcoding/transcoding'
@@ -34,13 +34,13 @@ async function processVideoLiveEnding (job: Job) {
   const live = await VideoLiveModel.loadByVideoId(payload.videoId)
   const liveSession = await VideoLiveSessionModel.load(payload.liveSessionId)
 
-  const permanentLive = live.permanentLive
-
   if (!video || !live || !liveSession) {
     logError()
     return
   }
 
+  const permanentLive = live.permanentLive
+
   liveSession.endingProcessed = true
   await liveSession.save()
 
@@ -141,23 +141,22 @@ async function replaceLiveByReplay (options: {
 }) {
   const { video, liveSession, live, permanentLive, replayDirectory } = options
 
-  await cleanupTMPLiveFiles(video)
+  const videoWithFiles = await VideoModel.loadFull(video.id)
+  const hlsPlaylist = videoWithFiles.getHLSPlaylist()
+
+  await cleanupTMPLiveFiles(videoWithFiles, hlsPlaylist)
 
   await live.destroy()
 
-  video.isLive = false
-  video.waitTranscoding = true
-  video.state = VideoState.TO_TRANSCODE
+  videoWithFiles.isLive = false
+  videoWithFiles.waitTranscoding = true
+  videoWithFiles.state = VideoState.TO_TRANSCODE
 
-  await video.save()
+  await videoWithFiles.save()
 
-  liveSession.replayVideoId = video.id
+  liveSession.replayVideoId = videoWithFiles.id
   await liveSession.save()
 
-  // Remove old HLS playlist video files
-  const videoWithFiles = await VideoModel.loadFull(video.id)
-
-  const hlsPlaylist = videoWithFiles.getHLSPlaylist()
   await VideoFileModel.removeHLSFilesOfVideoId(hlsPlaylist.id)
 
   // Reset playlist
@@ -234,7 +233,7 @@ async function cleanupLiveAndFederate (options: {
 
   if (streamingPlaylist) {
     if (permanentLive) {
-      await cleanupPermanentLive(video, streamingPlaylist)
+      await cleanupAndDestroyPermanentLive(video, streamingPlaylist)
     } else {
       await cleanupUnsavedNormalLive(video, streamingPlaylist)
     }
diff --git a/server/lib/live/live-manager.ts b/server/lib/live/live-manager.ts
index 16715862b..9470b530b 100644
--- a/server/lib/live/live-manager.ts
+++ b/server/lib/live/live-manager.ts
@@ -21,14 +21,14 @@ import { VideoLiveSessionModel } from '@server/models/video/video-live-session'
 import { VideoStreamingPlaylistModel } from '@server/models/video/video-streaming-playlist'
 import { MStreamingPlaylistVideo, MVideo, MVideoLiveSession, MVideoLiveVideo } from '@server/types/models'
 import { pick, wait } from '@shared/core-utils'
-import { LiveVideoError, VideoState, VideoStreamingPlaylistType } from '@shared/models'
+import { LiveVideoError, VideoState, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
 import { federateVideoIfNeeded } from '../activitypub/videos'
 import { JobQueue } from '../job-queue'
 import { generateHLSMasterPlaylistFilename, generateHlsSha256SegmentsFilename, getLiveReplayBaseDirectory } from '../paths'
 import { PeerTubeSocket } from '../peertube-socket'
 import { Hooks } from '../plugins/hooks'
 import { LiveQuotaStore } from './live-quota-store'
-import { cleanupPermanentLive } from './live-utils'
+import { cleanupAndDestroyPermanentLive } from './live-utils'
 import { MuxingSession } from './shared'
 
 const NodeRtmpSession = require('node-media-server/src/node_rtmp_session')
@@ -224,7 +224,7 @@ class LiveManager {
     if (oldStreamingPlaylist) {
       if (!videoLive.permanentLive) throw new Error('Found previous session in a non permanent live: ' + video.uuid)
 
-      await cleanupPermanentLive(video, oldStreamingPlaylist)
+      await cleanupAndDestroyPermanentLive(video, oldStreamingPlaylist)
     }
 
     this.videoSessions.set(video.id, sessionId)
@@ -301,7 +301,7 @@ class LiveManager {
       ...pick(options, [ 'streamingPlaylist', 'inputUrl', 'bitrate', 'ratio', 'fps', 'allResolutions', 'hasAudio' ])
     })
 
-    muxingSession.on('master-playlist-created', () => this.publishAndFederateLive(videoLive, localLTags))
+    muxingSession.on('live-ready', () => this.publishAndFederateLive(videoLive, localLTags))
 
     muxingSession.on('bad-socket-health', ({ videoId }) => {
       logger.error(
@@ -485,6 +485,10 @@ class LiveManager {
 
     playlist.assignP2PMediaLoaderInfoHashes(video, allResolutions)
 
+    playlist.storage = CONFIG.OBJECT_STORAGE.ENABLED
+      ? VideoStorage.OBJECT_STORAGE
+      : VideoStorage.FILE_SYSTEM
+
     return playlist.save()
   }
 
diff --git a/server/lib/live/live-segment-sha-store.ts b/server/lib/live/live-segment-sha-store.ts
index 4af6f3ebf..faf03dccf 100644
--- a/server/lib/live/live-segment-sha-store.ts
+++ b/server/lib/live/live-segment-sha-store.ts
@@ -1,62 +1,73 @@
+import { writeJson } from 'fs-extra'
 import { basename } from 'path'
+import { mapToJSON } from '@server/helpers/core-utils'
 import { logger, loggerTagsFactory } from '@server/helpers/logger'
+import { MStreamingPlaylistVideo } from '@server/types/models'
 import { buildSha256Segment } from '../hls'
+import { storeHLSFileFromPath } from '../object-storage'
 
 const lTags = loggerTagsFactory('live')
 
 class LiveSegmentShaStore {
 
-  private static instance: LiveSegmentShaStore
-
-  private readonly segmentsSha256 = new Map<string, Map<string, string>>()
-
-  private constructor () {
+  private readonly segmentsSha256 = new Map<string, string>()
+
+  private readonly videoUUID: string
+  private readonly sha256Path: string
+  private readonly streamingPlaylist: MStreamingPlaylistVideo
+  private readonly sendToObjectStorage: boolean
+
+  constructor (options: {
+    videoUUID: string
+    sha256Path: string
+    streamingPlaylist: MStreamingPlaylistVideo
+    sendToObjectStorage: boolean
+  }) {
+    this.videoUUID = options.videoUUID
+    this.sha256Path = options.sha256Path
+    this.streamingPlaylist = options.streamingPlaylist
+    this.sendToObjectStorage = options.sendToObjectStorage
   }
 
-  getSegmentsSha256 (videoUUID: string) {
-    return this.segmentsSha256.get(videoUUID)
-  }
-
-  async addSegmentSha (videoUUID: string, segmentPath: string) {
-    const segmentName = basename(segmentPath)
-    logger.debug('Adding live sha segment %s.', segmentPath, lTags(videoUUID))
+  async addSegmentSha (segmentPath: string) {
+    logger.debug('Adding live sha segment %s.', segmentPath, lTags(this.videoUUID))
 
     const shaResult = await buildSha256Segment(segmentPath)
 
-    if (!this.segmentsSha256.has(videoUUID)) {
-      this.segmentsSha256.set(videoUUID, new Map())
-    }
+    const segmentName = basename(segmentPath)
+    this.segmentsSha256.set(segmentName, shaResult)
 
-    const filesMap = this.segmentsSha256.get(videoUUID)
-    filesMap.set(segmentName, shaResult)
+    await this.writeToDisk()
   }
 
-  removeSegmentSha (videoUUID: string, segmentPath: string) {
+  async removeSegmentSha (segmentPath: string) {
     const segmentName = basename(segmentPath)
 
-    logger.debug('Removing live sha segment %s.', segmentPath, lTags(videoUUID))
+    logger.debug('Removing live sha segment %s.', segmentPath, lTags(this.videoUUID))
 
-    const filesMap = this.segmentsSha256.get(videoUUID)
-    if (!filesMap) {
-      logger.warn('Unknown files map to remove sha for %s.', videoUUID, lTags(videoUUID))
+    if (!this.segmentsSha256.has(segmentName)) {
+      logger.warn('Unknown segment in files map for video %s and segment %s.', this.videoUUID, segmentPath, lTags(this.videoUUID))
       return
     }
 
-    if (!filesMap.has(segmentName)) {
-      logger.warn('Unknown segment in files map for video %s and segment %s.', videoUUID, segmentPath, lTags(videoUUID))
-      return
-    }
+    this.segmentsSha256.delete(segmentName)
 
-    filesMap.delete(segmentName)
+    await this.writeToDisk()
   }
 
-  cleanupShaSegments (videoUUID: string) {
-    this.segmentsSha256.delete(videoUUID)
-  }
+  private async writeToDisk () {
+    await writeJson(this.sha256Path, mapToJSON(this.segmentsSha256))
 
-  static get Instance () {
-    return this.instance || (this.instance = new this())
+    if (this.sendToObjectStorage) {
+      const url = await storeHLSFileFromPath(this.streamingPlaylist, this.sha256Path)
+
+      if (this.streamingPlaylist.segmentsSha256Url !== url) {
+        this.streamingPlaylist.segmentsSha256Url = url
+        await this.streamingPlaylist.save()
+      }
+    }
   }
+
 }
 
 export {
diff --git a/server/lib/live/live-utils.ts b/server/lib/live/live-utils.ts
index bba876642..d2b8e3a55 100644
--- a/server/lib/live/live-utils.ts
+++ b/server/lib/live/live-utils.ts
@@ -1,9 +1,10 @@
 import { pathExists, readdir, remove } from 'fs-extra'
 import { basename, join } from 'path'
 import { logger } from '@server/helpers/logger'
-import { MStreamingPlaylist, MVideo } from '@server/types/models'
+import { MStreamingPlaylist, MStreamingPlaylistVideo, MVideo } from '@server/types/models'
+import { VideoStorage } from '@shared/models'
+import { listHLSFileKeysOf, removeHLSFileObjectStorage, removeHLSObjectStorage } from '../object-storage'
 import { getLiveDirectory } from '../paths'
-import { LiveSegmentShaStore } from './live-segment-sha-store'
 
 function buildConcatenatedName (segmentOrPlaylistPath: string) {
   const num = basename(segmentOrPlaylistPath).match(/^(\d+)(-|\.)/)
@@ -11,8 +12,8 @@ function buildConcatenatedName (segmentOrPlaylistPath: string) {
   return 'concat-' + num[1] + '.ts'
 }
 
-async function cleanupPermanentLive (video: MVideo, streamingPlaylist: MStreamingPlaylist) {
-  await cleanupTMPLiveFiles(video)
+async function cleanupAndDestroyPermanentLive (video: MVideo, streamingPlaylist: MStreamingPlaylist) {
+  await cleanupTMPLiveFiles(video, streamingPlaylist)
 
   await streamingPlaylist.destroy()
 }
@@ -20,32 +21,51 @@ async function cleanupPermanentLive (video: MVideo, streamingPlaylist: MStreamin
 async function cleanupUnsavedNormalLive (video: MVideo, streamingPlaylist: MStreamingPlaylist) {
   const hlsDirectory = getLiveDirectory(video)
 
+  // We uploaded files to object storage too, remove them
+  if (streamingPlaylist.storage === VideoStorage.OBJECT_STORAGE) {
+    await removeHLSObjectStorage(streamingPlaylist.withVideo(video))
+  }
+
   await remove(hlsDirectory)
 
   await streamingPlaylist.destroy()
+}
 
-  LiveSegmentShaStore.Instance.cleanupShaSegments(video.uuid)
+async function cleanupTMPLiveFiles (video: MVideo, streamingPlaylist: MStreamingPlaylist) {
+  await cleanupTMPLiveFilesFromObjectStorage(streamingPlaylist.withVideo(video))
+
+  await cleanupTMPLiveFilesFromFilesystem(video)
 }
 
-async function cleanupTMPLiveFiles (video: MVideo) {
-  const hlsDirectory = getLiveDirectory(video)
+export {
+  cleanupAndDestroyPermanentLive,
+  cleanupUnsavedNormalLive,
+  cleanupTMPLiveFiles,
+  buildConcatenatedName
+}
+
+// ---------------------------------------------------------------------------
 
-  LiveSegmentShaStore.Instance.cleanupShaSegments(video.uuid)
+function isTMPLiveFile (name: string) {
+  return name.endsWith('.ts') ||
+    name.endsWith('.m3u8') ||
+    name.endsWith('.json') ||
+    name.endsWith('.mpd') ||
+    name.endsWith('.m4s') ||
+    name.endsWith('.tmp')
+}
+
+async function cleanupTMPLiveFilesFromFilesystem (video: MVideo) {
+  const hlsDirectory = getLiveDirectory(video)
 
   if (!await pathExists(hlsDirectory)) return
 
-  logger.info('Cleanup TMP live files of %s.', hlsDirectory)
+  logger.info('Cleanup TMP live files from filesystem of %s.', hlsDirectory)
 
   const files = await readdir(hlsDirectory)
 
   for (const filename of files) {
-    if (
-      filename.endsWith('.ts') ||
-      filename.endsWith('.m3u8') ||
-      filename.endsWith('.mpd') ||
-      filename.endsWith('.m4s') ||
-      filename.endsWith('.tmp')
-    ) {
+    if (isTMPLiveFile(filename)) {
       const p = join(hlsDirectory, filename)
 
       remove(p)
@@ -54,9 +74,14 @@ async function cleanupTMPLiveFiles (video: MVideo) {
   }
 }
 
-export {
-  cleanupPermanentLive,
-  cleanupUnsavedNormalLive,
-  cleanupTMPLiveFiles,
-  buildConcatenatedName
+async function cleanupTMPLiveFilesFromObjectStorage (streamingPlaylist: MStreamingPlaylistVideo) {
+  if (streamingPlaylist.storage !== VideoStorage.OBJECT_STORAGE) return
+
+  const keys = await listHLSFileKeysOf(streamingPlaylist)
+
+  for (const key of keys) {
+    if (isTMPLiveFile(key)) {
+      await removeHLSFileObjectStorage(streamingPlaylist, key)
+    }
+  }
 }
diff --git a/server/lib/live/shared/muxing-session.ts b/server/lib/live/shared/muxing-session.ts
index 505717dce..4c27d5dd8 100644
--- a/server/lib/live/shared/muxing-session.ts
+++ b/server/lib/live/shared/muxing-session.ts
@@ -9,8 +9,10 @@ import { getLiveMuxingCommand, getLiveTranscodingCommand } from '@server/helpers
 import { logger, loggerTagsFactory, LoggerTagsFn } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
 import { MEMOIZE_TTL, VIDEO_LIVE } from '@server/initializers/constants'
+import { removeHLSFileObjectStorage, storeHLSFileFromFilename, storeHLSFileFromPath } from '@server/lib/object-storage'
 import { VideoFileModel } from '@server/models/video/video-file'
 import { MStreamingPlaylistVideo, MUserId, MVideoLiveVideo } from '@server/types/models'
+import { VideoStorage } from '@shared/models'
 import { getLiveDirectory, getLiveReplayBaseDirectory } from '../../paths'
 import { VideoTranscodingProfilesManager } from '../../transcoding/default-transcoding-profiles'
 import { isAbleToUploadVideo } from '../../user'
@@ -21,7 +23,7 @@ import { buildConcatenatedName } from '../live-utils'
 import memoizee = require('memoizee')
 
 interface MuxingSessionEvents {
-  'master-playlist-created': (options: { videoId: number }) => void
+  'live-ready': (options: { videoId: number }) => void
 
   'bad-socket-health': (options: { videoId: number }) => void
   'duration-exceeded': (options: { videoId: number }) => void
@@ -68,12 +70,18 @@ class MuxingSession extends EventEmitter {
   private readonly outDirectory: string
   private readonly replayDirectory: string
 
+  private readonly liveSegmentShaStore: LiveSegmentShaStore
+
   private readonly lTags: LoggerTagsFn
 
   private segmentsToProcessPerPlaylist: { [playlistId: string]: string[] } = {}
 
   private tsWatcher: FSWatcher
   private masterWatcher: FSWatcher
+  private m3u8Watcher: FSWatcher
+
+  private masterPlaylistCreated = false
+  private liveReady = false
 
   private aborted = false
 
@@ -123,6 +131,13 @@ class MuxingSession extends EventEmitter {
     this.outDirectory = getLiveDirectory(this.videoLive.Video)
     this.replayDirectory = join(getLiveReplayBaseDirectory(this.videoLive.Video), new Date().toISOString())
 
+    this.liveSegmentShaStore = new LiveSegmentShaStore({
+      videoUUID: this.videoLive.Video.uuid,
+      sha256Path: join(this.outDirectory, this.streamingPlaylist.segmentsSha256Filename),
+      streamingPlaylist: this.streamingPlaylist,
+      sendToObjectStorage: CONFIG.OBJECT_STORAGE.ENABLED
+    })
+
     this.lTags = loggerTagsFactory('live', this.sessionId, this.videoUUID)
   }
 
@@ -159,8 +174,9 @@ class MuxingSession extends EventEmitter {
 
     logger.info('Running live muxing/transcoding for %s.', this.videoUUID, this.lTags())
 
-    this.watchTSFiles()
     this.watchMasterFile()
+    this.watchTSFiles()
+    this.watchM3U8File()
 
     let ffmpegShellCommand: string
     this.ffmpegCommand.on('start', cmdline => {
@@ -219,7 +235,7 @@ class MuxingSession extends EventEmitter {
     setTimeout(() => {
       // Wait latest segments generation, and close watchers
 
-      Promise.all([ this.tsWatcher.close(), this.masterWatcher.close() ])
+      Promise.all([ this.tsWatcher.close(), this.masterWatcher.close(), this.m3u8Watcher.close() ])
         .then(() => {
           // Process remaining segments hash
           for (const key of Object.keys(this.segmentsToProcessPerPlaylist)) {
@@ -240,14 +256,41 @@ class MuxingSession extends EventEmitter {
   private watchMasterFile () {
     this.masterWatcher = watch(this.outDirectory + '/' + this.streamingPlaylist.playlistFilename)
 
-    this.masterWatcher.on('add', () => {
-      this.emit('master-playlist-created', { videoId: this.videoId })
+    this.masterWatcher.on('add', async () => {
+      if (this.streamingPlaylist.storage === VideoStorage.OBJECT_STORAGE) {
+        try {
+          const url = await storeHLSFileFromFilename(this.streamingPlaylist, this.streamingPlaylist.playlistFilename)
+
+          this.streamingPlaylist.playlistUrl = url
+          await this.streamingPlaylist.save()
+        } catch (err) {
+          logger.error('Cannot upload live master file to object storage.', { err, ...this.lTags() })
+        }
+      }
+
+      this.masterPlaylistCreated = true
 
       this.masterWatcher.close()
         .catch(err => logger.error('Cannot close master watcher of %s.', this.outDirectory, { err, ...this.lTags() }))
     })
   }
 
+  private watchM3U8File () {
+    this.m3u8Watcher = watch(this.outDirectory + '/*.m3u8')
+
+    const onChangeOrAdd = async (m3u8Path: string) => {
+      if (this.streamingPlaylist.storage !== VideoStorage.OBJECT_STORAGE) return
+
+      try {
+        await storeHLSFileFromPath(this.streamingPlaylist, m3u8Path)
+      } catch (err) {
+        logger.error('Cannot store in object storage m3u8 file %s', m3u8Path, { err, ...this.lTags() })
+      }
+    }
+
+    this.m3u8Watcher.on('change', onChangeOrAdd)
+  }
+
   private watchTSFiles () {
     const startStreamDateTime = new Date().getTime()
 
@@ -282,7 +325,21 @@ class MuxingSession extends EventEmitter {
       }
     }
 
-    const deleteHandler = (segmentPath: string) => LiveSegmentShaStore.Instance.removeSegmentSha(this.videoUUID, segmentPath)
+    const deleteHandler = async (segmentPath: string) => {
+      try {
+        await this.liveSegmentShaStore.removeSegmentSha(segmentPath)
+      } catch (err) {
+        logger.warn('Cannot remove segment sha %s from sha store', segmentPath, { err, ...this.lTags() })
+      }
+
+      if (this.streamingPlaylist.storage === VideoStorage.OBJECT_STORAGE) {
+        try {
+          await removeHLSFileObjectStorage(this.streamingPlaylist, segmentPath)
+        } catch (err) {
+          logger.error('Cannot remove segment %s from object storage', segmentPath, { err, ...this.lTags() })
+        }
+      }
+    }
 
     this.tsWatcher.on('add', p => addHandler(p))
     this.tsWatcher.on('unlink', p => deleteHandler(p))
@@ -315,6 +372,7 @@ class MuxingSession extends EventEmitter {
         extname: '.ts',
         infoHash: null,
         fps: this.fps,
+        storage: this.streamingPlaylist.storage,
         videoStreamingPlaylistId: this.streamingPlaylist.id
       })
 
@@ -343,18 +401,36 @@ class MuxingSession extends EventEmitter {
   }
 
   private processSegments (segmentPaths: string[]) {
-    mapSeries(segmentPaths, async previousSegment => {
-      // Add sha hash of previous segments, because ffmpeg should have finished generating them
-      await LiveSegmentShaStore.Instance.addSegmentSha(this.videoUUID, previousSegment)
+    mapSeries(segmentPaths, previousSegment => this.processSegment(previousSegment))
+      .catch(err => {
+        if (this.aborted) return
+
+        logger.error('Cannot process segments', { err, ...this.lTags() })
+      })
+  }
 
-      if (this.saveReplay) {
-        await this.addSegmentToReplay(previousSegment)
+  private async processSegment (segmentPath: string) {
+    // Add sha hash of previous segments, because ffmpeg should have finished generating them
+    await this.liveSegmentShaStore.addSegmentSha(segmentPath)
+
+    if (this.saveReplay) {
+      await this.addSegmentToReplay(segmentPath)
+    }
+
+    if (this.streamingPlaylist.storage === VideoStorage.OBJECT_STORAGE) {
+      try {
+        await storeHLSFileFromPath(this.streamingPlaylist, segmentPath)
+      } catch (err) {
+        logger.error('Cannot store TS segment %s in object storage', segmentPath, { err, ...this.lTags() })
       }
-    }).catch(err => {
-      if (this.aborted) return
+    }
 
-      logger.error('Cannot process segments', { err, ...this.lTags() })
-    })
+    // Master playlist and segment JSON file are created, live is ready
+    if (this.masterPlaylistCreated && !this.liveReady) {
+      this.liveReady = true
+
+      this.emit('live-ready', { videoId: this.videoId })
+    }
   }
 
   private hasClientSocketInBadHealth (sessionId: string) {
diff --git a/server/lib/moderation.ts b/server/lib/moderation.ts
index c23f5b6a6..3cc92ca30 100644
--- a/server/lib/moderation.ts
+++ b/server/lib/moderation.ts
@@ -1,4 +1,4 @@
-import { VideoUploadFile } from 'express'
+import express, { VideoUploadFile } from 'express'
 import { PathLike } from 'fs-extra'
 import { Transaction } from 'sequelize/types'
 import { AbuseAuditView, auditLoggerFactory } from '@server/helpers/audit-logger'
@@ -13,18 +13,15 @@ import {
   MAbuseFull,
   MAccountDefault,
   MAccountLight,
+  MComment,
   MCommentAbuseAccountVideo,
   MCommentOwnerVideo,
   MUser,
   MVideoAbuseVideoFull,
   MVideoAccountLightBlacklistAllFiles
 } from '@server/types/models'
-import { ActivityCreate } from '../../shared/models/activitypub'
-import { VideoObject } from '../../shared/models/activitypub/objects'
-import { VideoCommentObject } from '../../shared/models/activitypub/objects/video-comment-object'
 import { LiveVideoCreate, VideoCreate, VideoImportCreate } from '../../shared/models/videos'
 import { VideoCommentCreate } from '../../shared/models/videos/comment'
-import { ActorModel } from '../models/actor/actor'
 import { UserModel } from '../models/user/user'
 import { VideoModel } from '../models/video/video'
 import { VideoCommentModel } from '../models/video/video-comment'
@@ -36,7 +33,9 @@ export type AcceptResult = {
   errorMessage?: string
 }
 
-// Can be filtered by plugins
+// ---------------------------------------------------------------------------
+
+// Stub function that can be filtered by plugins
 function isLocalVideoAccepted (object: {
   videoBody: VideoCreate
   videoFile: VideoUploadFile
@@ -45,6 +44,9 @@ function isLocalVideoAccepted (object: {
   return { accepted: true }
 }
 
+// ---------------------------------------------------------------------------
+
+// Stub function that can be filtered by plugins
 function isLocalLiveVideoAccepted (object: {
   liveVideoBody: LiveVideoCreate
   user: UserModel
@@ -52,7 +54,11 @@ function isLocalLiveVideoAccepted (object: {
   return { accepted: true }
 }
 
+// ---------------------------------------------------------------------------
+
+// Stub function that can be filtered by plugins
 function isLocalVideoThreadAccepted (_object: {
+  req: express.Request
   commentBody: VideoCommentCreate
   video: VideoModel
   user: UserModel
@@ -60,7 +66,9 @@ function isLocalVideoThreadAccepted (_object: {
   return { accepted: true }
 }
 
+// Stub function that can be filtered by plugins
 function isLocalVideoCommentReplyAccepted (_object: {
+  req: express.Request
   commentBody: VideoCommentCreate
   parentComment: VideoCommentModel
   video: VideoModel
@@ -69,22 +77,18 @@ function isLocalVideoCommentReplyAccepted (_object: {
   return { accepted: true }
 }
 
-function isRemoteVideoAccepted (_object: {
-  activity: ActivityCreate
-  videoAP: VideoObject
-  byActor: ActorModel
-}): AcceptResult {
-  return { accepted: true }
-}
+// ---------------------------------------------------------------------------
 
+// Stub function that can be filtered by plugins
 function isRemoteVideoCommentAccepted (_object: {
-  activity: ActivityCreate
-  commentAP: VideoCommentObject
-  byActor: ActorModel
+  comment: MComment
 }): AcceptResult {
   return { accepted: true }
 }
 
+// ---------------------------------------------------------------------------
+
+// Stub function that can be filtered by plugins
 function isPreImportVideoAccepted (object: {
   videoImportBody: VideoImportCreate
   user: MUser
@@ -92,6 +96,7 @@ function isPreImportVideoAccepted (object: {
   return { accepted: true }
 }
 
+// Stub function that can be filtered by plugins
 function isPostImportVideoAccepted (object: {
   videoFilePath: PathLike
   videoFile: VideoFileModel
@@ -100,6 +105,8 @@ function isPostImportVideoAccepted (object: {
   return { accepted: true }
 }
 
+// ---------------------------------------------------------------------------
+
 async function createVideoAbuse (options: {
   baseAbuse: FilteredModelAttributes<AbuseModel>
   videoInstance: MVideoAccountLightBlacklistAllFiles
@@ -189,12 +196,13 @@ function createAccountAbuse (options: {
   })
 }
 
+// ---------------------------------------------------------------------------
+
 export {
   isLocalLiveVideoAccepted,
 
   isLocalVideoAccepted,
   isLocalVideoThreadAccepted,
-  isRemoteVideoAccepted,
   isRemoteVideoCommentAccepted,
   isLocalVideoCommentReplyAccepted,
   isPreImportVideoAccepted,
diff --git a/server/lib/object-storage/shared/object-storage-helpers.ts b/server/lib/object-storage/shared/object-storage-helpers.ts
index 16161362c..c131977e8 100644
--- a/server/lib/object-storage/shared/object-storage-helpers.ts
+++ b/server/lib/object-storage/shared/object-storage-helpers.ts
@@ -22,6 +22,24 @@ type BucketInfo = {
   PREFIX?: string
 }
 
+async function listKeysOfPrefix (prefix: string, bucketInfo: BucketInfo) {
+  const s3Client = getClient()
+
+  const commandPrefix = bucketInfo.PREFIX + prefix
+  const listCommand = new ListObjectsV2Command({
+    Bucket: bucketInfo.BUCKET_NAME,
+    Prefix: commandPrefix
+  })
+
+  const listedObjects = await s3Client.send(listCommand)
+
+  if (isArray(listedObjects.Contents) !== true) return []
+
+  return listedObjects.Contents.map(c => c.Key)
+}
+
+// ---------------------------------------------------------------------------
+
 async function storeObject (options: {
   inputPath: string
   objectStorageKey: string
@@ -36,6 +54,8 @@ async function storeObject (options: {
   return uploadToStorage({ objectStorageKey, content: fileStream, bucketInfo })
 }
 
+// ---------------------------------------------------------------------------
+
 async function removeObject (filename: string, bucketInfo: BucketInfo) {
   const command = new DeleteObjectCommand({
     Bucket: bucketInfo.BUCKET_NAME,
@@ -89,6 +109,8 @@ async function removePrefix (prefix: string, bucketInfo: BucketInfo) {
   if (listedObjects.IsTruncated) await removePrefix(prefix, bucketInfo)
 }
 
+// ---------------------------------------------------------------------------
+
 async function makeAvailable (options: {
   key: string
   destination: string
@@ -122,7 +144,8 @@ export {
   storeObject,
   removeObject,
   removePrefix,
-  makeAvailable
+  makeAvailable,
+  listKeysOfPrefix
 }
 
 // ---------------------------------------------------------------------------
diff --git a/server/lib/object-storage/videos.ts b/server/lib/object-storage/videos.ts
index 66e738200..62aae248b 100644
--- a/server/lib/object-storage/videos.ts
+++ b/server/lib/object-storage/videos.ts
@@ -1,19 +1,35 @@
-import { join } from 'path'
+import { basename, join } from 'path'
 import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
 import { MStreamingPlaylistVideo, MVideoFile } from '@server/types/models'
 import { getHLSDirectory } from '../paths'
 import { generateHLSObjectBaseStorageKey, generateHLSObjectStorageKey, generateWebTorrentObjectStorageKey } from './keys'
-import { lTags, makeAvailable, removeObject, removePrefix, storeObject } from './shared'
+import { listKeysOfPrefix, lTags, makeAvailable, removeObject, removePrefix, storeObject } from './shared'
 
-function storeHLSFile (playlist: MStreamingPlaylistVideo, filename: string, path?: string) {
+function listHLSFileKeysOf (playlist: MStreamingPlaylistVideo) {
+  return listKeysOfPrefix(generateHLSObjectBaseStorageKey(playlist), CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS)
+}
+
+// ---------------------------------------------------------------------------
+
+function storeHLSFileFromFilename (playlist: MStreamingPlaylistVideo, filename: string) {
   return storeObject({
-    inputPath: path ?? join(getHLSDirectory(playlist.Video), filename),
+    inputPath: join(getHLSDirectory(playlist.Video), filename),
     objectStorageKey: generateHLSObjectStorageKey(playlist, filename),
     bucketInfo: CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS
   })
 }
 
+function storeHLSFileFromPath (playlist: MStreamingPlaylistVideo, path: string) {
+  return storeObject({
+    inputPath: path,
+    objectStorageKey: generateHLSObjectStorageKey(playlist, basename(path)),
+    bucketInfo: CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS
+  })
+}
+
+// ---------------------------------------------------------------------------
+
 function storeWebTorrentFile (filename: string) {
   return storeObject({
     inputPath: join(CONFIG.STORAGE.VIDEOS_DIR, filename),
@@ -22,6 +38,8 @@ function storeWebTorrentFile (filename: string) {
   })
 }
 
+// ---------------------------------------------------------------------------
+
 function removeHLSObjectStorage (playlist: MStreamingPlaylistVideo) {
   return removePrefix(generateHLSObjectBaseStorageKey(playlist), CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS)
 }
@@ -30,10 +48,14 @@ function removeHLSFileObjectStorage (playlist: MStreamingPlaylistVideo, filename
   return removeObject(generateHLSObjectStorageKey(playlist, filename), CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS)
 }
 
+// ---------------------------------------------------------------------------
+
 function removeWebTorrentObjectStorage (videoFile: MVideoFile) {
   return removeObject(generateWebTorrentObjectStorageKey(videoFile.filename), CONFIG.OBJECT_STORAGE.VIDEOS)
 }
 
+// ---------------------------------------------------------------------------
+
 async function makeHLSFileAvailable (playlist: MStreamingPlaylistVideo, filename: string, destination: string) {
   const key = generateHLSObjectStorageKey(playlist, filename)
 
@@ -62,9 +84,14 @@ async function makeWebTorrentFileAvailable (filename: string, destination: strin
   return destination
 }
 
+// ---------------------------------------------------------------------------
+
 export {
+  listHLSFileKeysOf,
+
   storeWebTorrentFile,
-  storeHLSFile,
+  storeHLSFileFromFilename,
+  storeHLSFileFromPath,
 
   removeHLSObjectStorage,
   removeHLSFileObjectStorage,
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts
index 4e799b3d4..7b1def6e3 100644
--- a/server/lib/plugins/plugin-helpers-builder.ts
+++ b/server/lib/plugins/plugin-helpers-builder.ts
@@ -1,4 +1,5 @@
 import express from 'express'
+import { Server } from 'http'
 import { join } from 'path'
 import { ffprobePromise } from '@server/helpers/ffmpeg/ffprobe-utils'
 import { buildLogger } from '@server/helpers/logger'
@@ -13,15 +14,16 @@ import { ServerBlocklistModel } from '@server/models/server/server-blocklist'
 import { UserModel } from '@server/models/user/user'
 import { VideoModel } from '@server/models/video/video'
 import { VideoBlacklistModel } from '@server/models/video/video-blacklist'
-import { MPlugin } from '@server/types/models'
+import { MPlugin, MVideo, UserNotificationModelForApi } from '@server/types/models'
 import { PeerTubeHelpers } from '@server/types/plugins'
 import { VideoBlacklistCreate, VideoStorage } from '@shared/models'
 import { addAccountInBlocklist, addServerInBlocklist, removeAccountFromBlocklist, removeServerFromBlocklist } from '../blocklist'
+import { PeerTubeSocket } from '../peertube-socket'
 import { ServerConfigManager } from '../server-config-manager'
 import { blacklistVideo, unblacklistVideo } from '../video-blacklist'
 import { VideoPathManager } from '../video-path-manager'
 
-function buildPluginHelpers (pluginModel: MPlugin, npmName: string): PeerTubeHelpers {
+function buildPluginHelpers (httpServer: Server, pluginModel: MPlugin, npmName: string): PeerTubeHelpers {
   const logger = buildPluginLogger(npmName)
 
   const database = buildDatabaseHelpers()
@@ -29,12 +31,14 @@ function buildPluginHelpers (pluginModel: MPlugin, npmName: string): PeerTubeHel
 
   const config = buildConfigHelpers()
 
-  const server = buildServerHelpers()
+  const server = buildServerHelpers(httpServer)
 
   const moderation = buildModerationHelpers()
 
   const plugin = buildPluginRelatedHelpers(pluginModel, npmName)
 
+  const socket = buildSocketHelpers()
+
   const user = buildUserHelpers()
 
   return {
@@ -45,6 +49,7 @@ function buildPluginHelpers (pluginModel: MPlugin, npmName: string): PeerTubeHel
     moderation,
     plugin,
     server,
+    socket,
     user
   }
 }
@@ -65,8 +70,10 @@ function buildDatabaseHelpers () {
   }
 }
 
-function buildServerHelpers () {
+function buildServerHelpers (httpServer: Server) {
   return {
+    getHTTPServer: () => httpServer,
+
     getServerActor: () => getServerActor()
   }
 }
@@ -214,10 +221,23 @@ function buildPluginRelatedHelpers (plugin: MPlugin, npmName: string) {
 
     getBaseRouterRoute: () => `/plugins/${plugin.name}/${plugin.version}/router/`,
 
+    getBaseWebSocketRoute: () => `/plugins/${plugin.name}/${plugin.version}/ws/`,
+
     getDataDirectoryPath: () => join(CONFIG.STORAGE.PLUGINS_DIR, 'data', npmName)
   }
 }
 
+function buildSocketHelpers () {
+  return {
+    sendNotification: (userId: number, notification: UserNotificationModelForApi) => {
+      PeerTubeSocket.Instance.sendNotification(userId, notification)
+    },
+    sendVideoLiveNewState: (video: MVideo) => {
+      PeerTubeSocket.Instance.sendVideoLiveNewState(video)
+    }
+  }
+}
+
 function buildUserHelpers () {
   return {
     loadById: (id: number) => {
diff --git a/server/lib/plugins/plugin-manager.ts b/server/lib/plugins/plugin-manager.ts
index a46b97fa4..c4d9b6574 100644
--- a/server/lib/plugins/plugin-manager.ts
+++ b/server/lib/plugins/plugin-manager.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { createReadStream, createWriteStream } from 'fs'
 import { ensureDir, outputFile, readJSON } from 'fs-extra'
+import { Server } from 'http'
 import { basename, join } from 'path'
 import { decachePlugin } from '@server/helpers/decache'
 import { ApplicationModel } from '@server/models/application/application'
@@ -67,9 +68,37 @@ export class PluginManager implements ServerHook {
   private hooks: { [name: string]: HookInformationValue[] } = {}
   private translations: PluginLocalesTranslations = {}
 
+  private server: Server
+
   private constructor () {
   }
 
+  init (server: Server) {
+    this.server = server
+  }
+
+  registerWebSocketRouter () {
+    this.server.on('upgrade', (request, socket, head) => {
+      const url = request.url
+
+      const matched = url.match(`/plugins/([^/]+)/([^/]+/)?ws(/.*)`)
+      if (!matched) return
+
+      const npmName = PluginModel.buildNpmName(matched[1], PluginType.PLUGIN)
+      const subRoute = matched[3]
+
+      const result = this.getRegisteredPluginOrTheme(npmName)
+      if (!result) return
+
+      const routes = result.registerHelpers.getWebSocketRoutes()
+
+      const wss = routes.find(r => r.route.startsWith(subRoute))
+      if (!wss) return
+
+      wss.handler(request, socket, head)
+    })
+  }
+
   // ###################### Getters ######################
 
   isRegistered (npmName: string) {
@@ -581,7 +610,7 @@ export class PluginManager implements ServerHook {
       })
     }
 
-    const registerHelpers = new RegisterHelpers(npmName, plugin, onHookAdded.bind(this))
+    const registerHelpers = new RegisterHelpers(npmName, plugin, this.server, onHookAdded.bind(this))
 
     return {
       registerStore: registerHelpers,
diff --git a/server/lib/plugins/register-helpers.ts b/server/lib/plugins/register-helpers.ts
index f4d405676..1aaef3606 100644
--- a/server/lib/plugins/register-helpers.ts
+++ b/server/lib/plugins/register-helpers.ts
@@ -1,4 +1,5 @@
 import express from 'express'
+import { Server } from 'http'
 import { logger } from '@server/helpers/logger'
 import { onExternalUserAuthenticated } from '@server/lib/auth/external-auth'
 import { VideoConstantManagerFactory } from '@server/lib/plugins/video-constant-manager-factory'
@@ -8,7 +9,8 @@ import {
   RegisterServerAuthExternalResult,
   RegisterServerAuthPassOptions,
   RegisterServerExternalAuthenticatedResult,
-  RegisterServerOptions
+  RegisterServerOptions,
+  RegisterServerWebSocketRouteOptions
 } from '@server/types/plugins'
 import {
   EncoderOptionsBuilder,
@@ -49,12 +51,15 @@ export class RegisterHelpers {
 
   private readonly onSettingsChangeCallbacks: SettingsChangeCallback[] = []
 
+  private readonly webSocketRoutes: RegisterServerWebSocketRouteOptions[] = []
+
   private readonly router: express.Router
   private readonly videoConstantManagerFactory: VideoConstantManagerFactory
 
   constructor (
     private readonly npmName: string,
     private readonly plugin: PluginModel,
+    private readonly server: Server,
     private readonly onHookAdded: (options: RegisterServerHookOptions) => void
   ) {
     this.router = express.Router()
@@ -66,6 +71,7 @@ export class RegisterHelpers {
     const registerSetting = this.buildRegisterSetting()
 
     const getRouter = this.buildGetRouter()
+    const registerWebSocketRoute = this.buildRegisterWebSocketRoute()
 
     const settingsManager = this.buildSettingsManager()
     const storageManager = this.buildStorageManager()
@@ -85,13 +91,14 @@ export class RegisterHelpers {
     const unregisterIdAndPassAuth = this.buildUnregisterIdAndPassAuth()
     const unregisterExternalAuth = this.buildUnregisterExternalAuth()
 
-    const peertubeHelpers = buildPluginHelpers(this.plugin, this.npmName)
+    const peertubeHelpers = buildPluginHelpers(this.server, this.plugin, this.npmName)
 
     return {
       registerHook,
       registerSetting,
 
       getRouter,
+      registerWebSocketRoute,
 
       settingsManager,
       storageManager,
@@ -180,10 +187,20 @@ export class RegisterHelpers {
     return this.onSettingsChangeCallbacks
   }
 
+  getWebSocketRoutes () {
+    return this.webSocketRoutes
+  }
+
   private buildGetRouter () {
     return () => this.router
   }
 
+  private buildRegisterWebSocketRoute () {
+    return (options: RegisterServerWebSocketRouteOptions) => {
+      this.webSocketRoutes.push(options)
+    }
+  }
+
   private buildRegisterSetting () {
     return (options: RegisterServerSettingOptions) => {
       this.settings.push(options)
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index 9b3c72300..b7523492a 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -9,6 +9,7 @@ import {
   CONTACT_FORM_LIFETIME,
   RESUMABLE_UPLOAD_SESSION_LIFETIME,
   TRACKER_RATE_LIMITS,
+  TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME,
   USER_EMAIL_VERIFY_LIFETIME,
   USER_PASSWORD_CREATE_LIFETIME,
   USER_PASSWORD_RESET_LIFETIME,
@@ -108,10 +109,24 @@ class Redis {
     return this.removeValue(this.generateResetPasswordKey(userId))
   }
 
-  async getResetPasswordLink (userId: number) {
+  async getResetPasswordVerificationString (userId: number) {
     return this.getValue(this.generateResetPasswordKey(userId))
   }
 
+  /* ************ Two factor auth request ************ */
+
+  async setTwoFactorRequest (userId: number, otpSecret: string) {
+    const requestToken = await generateRandomString(32)
+
+    await this.setValue(this.generateTwoFactorRequestKey(userId, requestToken), otpSecret, TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME)
+
+    return requestToken
+  }
+
+  async getTwoFactorRequestToken (userId: number, requestToken: string) {
+    return this.getValue(this.generateTwoFactorRequestKey(userId, requestToken))
+  }
+
   /* ************ Email verification ************ */
 
   async setVerifyEmailVerificationString (userId: number) {
@@ -342,6 +357,10 @@ class Redis {
     return 'reset-password-' + userId
   }
 
+  private generateTwoFactorRequestKey (userId: number, token: string) {
+    return 'two-factor-request-' + userId + '-' + token
+  }
+
   private generateVerifyEmailKey (userId: number) {
     return 'verify-email-' + userId
   }
@@ -391,8 +410,8 @@ class Redis {
     return JSON.parse(value)
   }
 
-  private setObject (key: string, value: { [ id: string ]: number | string }) {
-    return this.setValue(key, JSON.stringify(value))
+  private setObject (key: string, value: { [ id: string ]: number | string }, expirationMilliseconds?: number) {
+    return this.setValue(key, JSON.stringify(value), expirationMilliseconds)
   }
 
   private async setValue (key: string, value: string, expirationMilliseconds?: number) {
diff --git a/server/lib/schedulers/video-channel-sync-latest-scheduler.ts b/server/lib/schedulers/video-channel-sync-latest-scheduler.ts
index a527f68b5..efb957fac 100644
--- a/server/lib/schedulers/video-channel-sync-latest-scheduler.ts
+++ b/server/lib/schedulers/video-channel-sync-latest-scheduler.ts
@@ -2,7 +2,6 @@ import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
 import { VideoChannelModel } from '@server/models/video/video-channel'
 import { VideoChannelSyncModel } from '@server/models/video/video-channel-sync'
-import { VideoChannelSyncState } from '@shared/models'
 import { SCHEDULER_INTERVALS_MS } from '../../initializers/constants'
 import { synchronizeChannel } from '../sync-channel'
 import { AbstractScheduler } from './abstract-scheduler'
@@ -28,26 +27,20 @@ export class VideoChannelSyncLatestScheduler extends AbstractScheduler {
     for (const sync of channelSyncs) {
       const channel = await VideoChannelModel.loadAndPopulateAccount(sync.videoChannelId)
 
-      try {
-        logger.info(
-          'Creating video import jobs for "%s" sync with external channel "%s"',
-          channel.Actor.preferredUsername, sync.externalChannelUrl
-        )
-
-        const onlyAfter = sync.lastSyncAt || sync.createdAt
-
-        await synchronizeChannel({
-          channel,
-          externalChannelUrl: sync.externalChannelUrl,
-          videosCountLimit: CONFIG.IMPORT.VIDEO_CHANNEL_SYNCHRONIZATION.VIDEOS_LIMIT_PER_SYNCHRONIZATION,
-          channelSync: sync,
-          onlyAfter
-        })
-      } catch (err) {
-        logger.error(`Failed to synchronize channel ${channel.Actor.preferredUsername}`, { err })
-        sync.state = VideoChannelSyncState.FAILED
-        await sync.save()
-      }
+      logger.info(
+        'Creating video import jobs for "%s" sync with external channel "%s"',
+        channel.Actor.preferredUsername, sync.externalChannelUrl
+      )
+
+      const onlyAfter = sync.lastSyncAt || sync.createdAt
+
+      await synchronizeChannel({
+        channel,
+        externalChannelUrl: sync.externalChannelUrl,
+        videosCountLimit: CONFIG.IMPORT.VIDEO_CHANNEL_SYNCHRONIZATION.VIDEOS_LIMIT_PER_SYNCHRONIZATION,
+        channelSync: sync,
+        onlyAfter
+      })
     }
   }
 
diff --git a/server/lib/sync-channel.ts b/server/lib/sync-channel.ts
index f91599c14..35af91429 100644
--- a/server/lib/sync-channel.ts
+++ b/server/lib/sync-channel.ts
@@ -24,56 +24,62 @@ export async function synchronizeChannel (options: {
     await channelSync.save()
   }
 
-  const user = await UserModel.loadByChannelActorId(channel.actorId)
-  const youtubeDL = new YoutubeDLWrapper(
-    externalChannelUrl,
-    ServerConfigManager.Instance.getEnabledResolutions('vod'),
-    CONFIG.TRANSCODING.ALWAYS_TRANSCODE_ORIGINAL_RESOLUTION
-  )
-
-  const targetUrls = await youtubeDL.getInfoForListImport({ latestVideosCount: videosCountLimit })
-
-  logger.info(
-    'Fetched %d candidate URLs for sync channel %s.',
-    targetUrls.length, channel.Actor.preferredUsername, { targetUrls }
-  )
-
-  if (targetUrls.length === 0) {
-    if (channelSync) {
-      channelSync.state = VideoChannelSyncState.SYNCED
-      await channelSync.save()
-    }
-
-    return
-  }
+  try {
+    const user = await UserModel.loadByChannelActorId(channel.actorId)
+    const youtubeDL = new YoutubeDLWrapper(
+      externalChannelUrl,
+      ServerConfigManager.Instance.getEnabledResolutions('vod'),
+      CONFIG.TRANSCODING.ALWAYS_TRANSCODE_ORIGINAL_RESOLUTION
+    )
 
-  const children: CreateJobArgument[] = []
+    const targetUrls = await youtubeDL.getInfoForListImport({ latestVideosCount: videosCountLimit })
 
-  for (const targetUrl of targetUrls) {
-    if (await skipImport(channel, targetUrl, onlyAfter)) continue
+    logger.info(
+      'Fetched %d candidate URLs for sync channel %s.',
+      targetUrls.length, channel.Actor.preferredUsername, { targetUrls }
+    )
 
-    const { job } = await buildYoutubeDLImport({
-      user,
-      channel,
-      targetUrl,
-      channelSync,
-      importDataOverride: {
-        privacy: VideoPrivacy.PUBLIC
+    if (targetUrls.length === 0) {
+      if (channelSync) {
+        channelSync.state = VideoChannelSyncState.SYNCED
+        await channelSync.save()
       }
-    })
 
-    children.push(job)
-  }
+      return
+    }
+
+    const children: CreateJobArgument[] = []
+
+    for (const targetUrl of targetUrls) {
+      if (await skipImport(channel, targetUrl, onlyAfter)) continue
 
-  // Will update the channel sync status
-  const parent: CreateJobArgument = {
-    type: 'after-video-channel-import',
-    payload: {
-      channelSyncId: channelSync?.id
+      const { job } = await buildYoutubeDLImport({
+        user,
+        channel,
+        targetUrl,
+        channelSync,
+        importDataOverride: {
+          privacy: VideoPrivacy.PUBLIC
+        }
+      })
+
+      children.push(job)
     }
-  }
 
-  await JobQueue.Instance.createJobWithChildren(parent, children)
+    // Will update the channel sync status
+    const parent: CreateJobArgument = {
+      type: 'after-video-channel-import',
+      payload: {
+        channelSyncId: channelSync?.id
+      }
+    }
+
+    await JobQueue.Instance.createJobWithChildren(parent, children)
+  } catch (err) {
+    logger.error(`Failed to import channel ${channel.name}`, { err })
+    channelSync.state = VideoChannelSyncState.FAILED
+    await channelSync.save()
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/server/middlewares/validators/shared/index.ts b/server/middlewares/validators/shared/index.ts
index bbd03b248..de98cd442 100644
--- a/server/middlewares/validators/shared/index.ts
+++ b/server/middlewares/validators/shared/index.ts
@@ -1,5 +1,6 @@
 export * from './abuses'
 export * from './accounts'
+export * from './users'
 export * from './utils'
 export * from './video-blacklists'
 export * from './video-captions'
diff --git a/server/middlewares/validators/shared/users.ts b/server/middlewares/validators/shared/users.ts
new file mode 100644
index 000000000..fbaa7db0e
--- /dev/null
+++ b/server/middlewares/validators/shared/users.ts
@@ -0,0 +1,62 @@
+import express from 'express'
+import { ActorModel } from '@server/models/actor/actor'
+import { UserModel } from '@server/models/user/user'
+import { MUserDefault } from '@server/types/models'
+import { HttpStatusCode } from '@shared/models'
+
+function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
+  const id = parseInt(idArg + '', 10)
+  return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
+}
+
+function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
+  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
+}
+
+async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
+  const user = await UserModel.loadByUsernameOrEmail(username, email)
+
+  if (user) {
+    res.fail({
+      status: HttpStatusCode.CONFLICT_409,
+      message: 'User with this username or email already exists.'
+    })
+    return false
+  }
+
+  const actor = await ActorModel.loadLocalByName(username)
+  if (actor) {
+    res.fail({
+      status: HttpStatusCode.CONFLICT_409,
+      message: 'Another actor (account/channel) with this name on this instance already exists or has already existed.'
+    })
+    return false
+  }
+
+  return true
+}
+
+async function checkUserExist (finder: () => Promise<MUserDefault>, res: express.Response, abortResponse = true) {
+  const user = await finder()
+
+  if (!user) {
+    if (abortResponse === true) {
+      res.fail({
+        status: HttpStatusCode.NOT_FOUND_404,
+        message: 'User not found'
+      })
+    }
+
+    return false
+  }
+
+  res.locals.user = user
+  return true
+}
+
+export {
+  checkUserIdExist,
+  checkUserEmailExist,
+  checkUserNameOrEmailDoesNotAlreadyExist,
+  checkUserExist
+}
diff --git a/server/middlewares/validators/two-factor.ts b/server/middlewares/validators/two-factor.ts
new file mode 100644
index 000000000..106b579b5
--- /dev/null
+++ b/server/middlewares/validators/two-factor.ts
@@ -0,0 +1,81 @@
+import express from 'express'
+import { body, param } from 'express-validator'
+import { HttpStatusCode, UserRight } from '@shared/models'
+import { exists, isIdValid } from '../../helpers/custom-validators/misc'
+import { areValidationErrors, checkUserIdExist } from './shared'
+
+const requestOrConfirmTwoFactorValidator = [
+  param('id').custom(isIdValid),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    if (!await checkCanEnableOrDisableTwoFactor(req.params.id, res)) return
+
+    if (res.locals.user.otpSecret) {
+      return res.fail({
+        status: HttpStatusCode.BAD_REQUEST_400,
+        message: `Two factor is already enabled.`
+      })
+    }
+
+    return next()
+  }
+]
+
+const confirmTwoFactorValidator = [
+  body('requestToken').custom(exists),
+  body('otpToken').custom(exists),
+
+  (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    return next()
+  }
+]
+
+const disableTwoFactorValidator = [
+  param('id').custom(isIdValid),
+
+  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    if (areValidationErrors(req, res)) return
+
+    if (!await checkCanEnableOrDisableTwoFactor(req.params.id, res)) return
+
+    if (!res.locals.user.otpSecret) {
+      return res.fail({
+        status: HttpStatusCode.BAD_REQUEST_400,
+        message: `Two factor is already disabled.`
+      })
+    }
+
+    return next()
+  }
+]
+
+// ---------------------------------------------------------------------------
+
+export {
+  requestOrConfirmTwoFactorValidator,
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator
+}
+
+// ---------------------------------------------------------------------------
+
+async function checkCanEnableOrDisableTwoFactor (userId: number | string, res: express.Response) {
+  const authUser = res.locals.oauth.token.user
+
+  if (!await checkUserIdExist(userId, res)) return
+
+  if (res.locals.user.id !== authUser.id && authUser.hasRight(UserRight.MANAGE_USERS) !== true) {
+    res.fail({
+      status: HttpStatusCode.FORBIDDEN_403,
+      message: `User ${authUser.username} does not have right to change two factor setting of this user.`
+    })
+
+    return false
+  }
+
+  return true
+}
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 2de5265fb..055af3b64 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,9 +1,8 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { Hooks } from '@server/lib/plugins/hooks'
-import { MUserDefault } from '@server/types/models'
 import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
-import { isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
+import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
 import {
   isUserAdminFlagsValid,
@@ -30,8 +29,15 @@ import { isThemeRegistered } from '../../lib/plugins/theme-utils'
 import { Redis } from '../../lib/redis'
 import { isSignupAllowed, isSignupAllowedForCurrentIP } from '../../lib/signup'
 import { ActorModel } from '../../models/actor/actor'
-import { UserModel } from '../../models/user/user'
-import { areValidationErrors, doesVideoChannelIdExist, doesVideoExist, isValidVideoIdParam } from './shared'
+import {
+  areValidationErrors,
+  checkUserEmailExist,
+  checkUserIdExist,
+  checkUserNameOrEmailDoesNotAlreadyExist,
+  doesVideoChannelIdExist,
+  doesVideoExist,
+  isValidVideoIdParam
+} from './shared'
 
 const usersListValidator = [
   query('blocked')
@@ -411,6 +417,13 @@ const usersAskResetPasswordValidator = [
       return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
+    if (res.locals.user.pluginAuth) {
+      return res.fail({
+        status: HttpStatusCode.CONFLICT_409,
+        message: 'Cannot recover password of a user that uses a plugin authentication.'
+      })
+    }
+
     return next()
   }
 ]
@@ -428,7 +441,7 @@ const usersResetPasswordValidator = [
     if (!await checkUserIdExist(req.params.id, res)) return
 
     const user = res.locals.user
-    const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
+    const redisVerificationString = await Redis.Instance.getResetPasswordVerificationString(user.id)
 
     if (redisVerificationString !== req.body.verificationString) {
       return res.fail({
@@ -454,6 +467,13 @@ const usersAskSendVerifyEmailValidator = [
       return res.status(HttpStatusCode.NO_CONTENT_204).end()
     }
 
+    if (res.locals.user.pluginAuth) {
+      return res.fail({
+        status: HttpStatusCode.CONFLICT_409,
+        message: 'Cannot ask verification email of a user that uses a plugin authentication.'
+      })
+    }
+
     return next()
   }
 ]
@@ -486,6 +506,41 @@ const usersVerifyEmailValidator = [
   }
 ]
 
+const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Request) => number | string) => {
+  return [
+    body('currentPassword').optional().custom(exists),
+
+    async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+      if (areValidationErrors(req, res)) return
+
+      const user = res.locals.oauth.token.User
+      const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
+      const targetUserId = parseInt(targetUserIdGetter(req) + '')
+
+      // Admin/moderator action on another user, skip the password check
+      if (isAdminOrModerator && targetUserId !== user.id) {
+        return next()
+      }
+
+      if (!req.body.currentPassword) {
+        return res.fail({
+          status: HttpStatusCode.BAD_REQUEST_400,
+          message: 'currentPassword is missing'
+        })
+      }
+
+      if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
+        return res.fail({
+          status: HttpStatusCode.FORBIDDEN_403,
+          message: 'currentPassword is invalid.'
+        })
+      }
+
+      return next()
+    }
+  ]
+}
+
 const userAutocompleteValidator = [
   param('search')
     .isString()
@@ -553,6 +608,7 @@ export {
   usersUpdateValidator,
   usersUpdateMeValidator,
   usersVideoRatingValidator,
+  usersCheckCurrentPasswordFactory,
   ensureUserRegistrationAllowed,
   ensureUserRegistrationAllowedForIP,
   usersGetValidator,
@@ -566,55 +622,3 @@ export {
   ensureCanModerateUser,
   ensureCanManageChannelOrAccount
 }
-
-// ---------------------------------------------------------------------------
-
-function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
-  const id = parseInt(idArg + '', 10)
-  return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
-}
-
-function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
-  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
-}
-
-async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
-  const user = await UserModel.loadByUsernameOrEmail(username, email)
-
-  if (user) {
-    res.fail({
-      status: HttpStatusCode.CONFLICT_409,
-      message: 'User with this username or email already exists.'
-    })
-    return false
-  }
-
-  const actor = await ActorModel.loadLocalByName(username)
-  if (actor) {
-    res.fail({
-      status: HttpStatusCode.CONFLICT_409,
-      message: 'Another actor (account/channel) with this name on this instance already exists or has already existed.'
-    })
-    return false
-  }
-
-  return true
-}
-
-async function checkUserExist (finder: () => Promise<MUserDefault>, res: express.Response, abortResponse = true) {
-  const user = await finder()
-
-  if (!user) {
-    if (abortResponse === true) {
-      res.fail({
-        status: HttpStatusCode.NOT_FOUND_404,
-        message: 'User not found'
-      })
-    }
-
-    return false
-  }
-
-  res.locals.user = user
-  return true
-}
diff --git a/server/middlewares/validators/videos/video-comments.ts b/server/middlewares/validators/videos/video-comments.ts
index 69062701b..133feb7bd 100644
--- a/server/middlewares/validators/videos/video-comments.ts
+++ b/server/middlewares/validators/videos/video-comments.ts
@@ -208,7 +208,8 @@ async function isVideoCommentAccepted (req: express.Request, res: express.Respon
   const acceptParameters = {
     video,
     commentBody: req.body,
-    user: res.locals.oauth.token.User
+    user: res.locals.oauth.token.User,
+    req
   }
 
   let acceptedResult: AcceptResult
@@ -234,7 +235,7 @@ async function isVideoCommentAccepted (req: express.Request, res: express.Respon
 
     res.fail({
       status: HttpStatusCode.FORBIDDEN_403,
-      message: acceptedResult?.errorMessage || 'Refused local comment'
+      message: acceptedResult?.errorMessage || 'Comment has been rejected.'
     })
     return false
   }
diff --git a/server/models/user/user.ts b/server/models/user/user.ts
index 1a7c84390..34329580b 100644
--- a/server/models/user/user.ts
+++ b/server/models/user/user.ts
@@ -403,6 +403,11 @@ export class UserModel extends Model<Partial<AttributesOnly<UserModel>>> {
   @Column
   lastLoginDate: Date
 
+  @AllowNull(true)
+  @Default(null)
+  @Column
+  otpSecret: string
+
   @CreatedAt
   createdAt: Date
 
@@ -935,7 +940,9 @@ export class UserModel extends Model<Partial<AttributesOnly<UserModel>>> {
 
       pluginAuth: this.pluginAuth,
 
-      lastLoginDate: this.lastLoginDate
+      lastLoginDate: this.lastLoginDate,
+
+      twoFactorEnabled: !!this.otpSecret
     }
 
     if (parameters.withAdminFlags) {
diff --git a/server/models/video/video-job-info.ts b/server/models/video/video-job-info.ts
index 7497addf1..740f6b5c6 100644
--- a/server/models/video/video-job-info.ts
+++ b/server/models/video/video-job-info.ts
@@ -84,7 +84,7 @@ export class VideoJobInfoModel extends Model<Partial<AttributesOnly<VideoJobInfo
   static async decrease (videoUUID: string, column: VideoJobInfoColumnType): Promise<number> {
     const options = { type: QueryTypes.SELECT as QueryTypes.SELECT, bind: { videoUUID } }
 
-    const [ { pendingMove } ] = await VideoJobInfoModel.sequelize.query<{ pendingMove: number }>(`
+    const result = await VideoJobInfoModel.sequelize.query<{ pendingMove: number }>(`
     UPDATE
       "videoJobInfo"
     SET
@@ -97,7 +97,9 @@ export class VideoJobInfoModel extends Model<Partial<AttributesOnly<VideoJobInfo
       "${column}";
     `, options)
 
-    return pendingMove
+    if (result.length === 0) return undefined
+
+    return result[0].pendingMove
   }
 
   static async abortAllTasks (videoUUID: string, column: VideoJobInfoColumnType): Promise<void> {
diff --git a/server/models/video/video-streaming-playlist.ts b/server/models/video/video-streaming-playlist.ts
index f587989dc..2b6771f27 100644
--- a/server/models/video/video-streaming-playlist.ts
+++ b/server/models/video/video-streaming-playlist.ts
@@ -245,21 +245,25 @@ export class VideoStreamingPlaylistModel extends Model<Partial<AttributesOnly<Vi
   }
 
   getMasterPlaylistUrl (video: MVideo) {
-    if (this.storage === VideoStorage.OBJECT_STORAGE) {
-      return getHLSPublicFileUrl(this.playlistUrl)
-    }
+    if (video.isOwned()) {
+      if (this.storage === VideoStorage.OBJECT_STORAGE) {
+        return getHLSPublicFileUrl(this.playlistUrl)
+      }
 
-    if (video.isOwned()) return WEBSERVER.URL + this.getMasterPlaylistStaticPath(video.uuid)
+      return WEBSERVER.URL + this.getMasterPlaylistStaticPath(video.uuid)
+    }
 
     return this.playlistUrl
   }
 
   getSha256SegmentsUrl (video: MVideo) {
-    if (this.storage === VideoStorage.OBJECT_STORAGE) {
-      return getHLSPublicFileUrl(this.segmentsSha256Url)
-    }
+    if (video.isOwned()) {
+      if (this.storage === VideoStorage.OBJECT_STORAGE) {
+        return getHLSPublicFileUrl(this.segmentsSha256Url)
+      }
 
-    if (video.isOwned()) return WEBSERVER.URL + this.getSha256SegmentsStaticPath(video.uuid, video.isLive)
+      return WEBSERVER.URL + this.getSha256SegmentsStaticPath(video.uuid)
+    }
 
     return this.segmentsSha256Url
   }
@@ -287,9 +291,7 @@ export class VideoStreamingPlaylistModel extends Model<Partial<AttributesOnly<Vi
     return join(STATIC_PATHS.STREAMING_PLAYLISTS.HLS, videoUUID, this.playlistFilename)
   }
 
-  private getSha256SegmentsStaticPath (videoUUID: string, isLive: boolean) {
-    if (isLive) return join('/live', 'segments-sha256', videoUUID)
-
+  private getSha256SegmentsStaticPath (videoUUID: string) {
     return join(STATIC_PATHS.STREAMING_PLAYLISTS.HLS, videoUUID, this.segmentsSha256Filename)
   }
 }
diff --git a/server/tests/api/check-params/index.ts b/server/tests/api/check-params/index.ts
index cd7a38459..33dc8fb76 100644
--- a/server/tests/api/check-params/index.ts
+++ b/server/tests/api/check-params/index.ts
@@ -2,6 +2,7 @@ import './abuses'
 import './accounts'
 import './blocklist'
 import './bulk'
+import './channel-import-videos'
 import './config'
 import './contact-form'
 import './custom-pages'
@@ -17,6 +18,7 @@ import './redundancy'
 import './search'
 import './services'
 import './transcoding'
+import './two-factor'
 import './upload-quota'
 import './user-notifications'
 import './user-subscriptions'
@@ -24,12 +26,11 @@ import './users-admin'
 import './users'
 import './video-blacklist'
 import './video-captions'
+import './video-channel-syncs'
 import './video-channels'
 import './video-comments'
 import './video-files'
 import './video-imports'
-import './video-channel-syncs'
-import './channel-import-videos'
 import './video-playlists'
 import './video-source'
 import './video-studio'
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts
new file mode 100644
index 000000000..f8365f1b5
--- /dev/null
+++ b/server/tests/api/check-params/two-factor.ts
@@ -0,0 +1,288 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+
+describe('Test two factor API validators', function () {
+  let server: PeerTubeServer
+
+  let rootId: number
+  let rootPassword: string
+  let rootRequestToken: string
+  let rootOTPToken: string
+
+  let userId: number
+  let userToken = ''
+  let userPassword: string
+  let userRequestToken: string
+  let userOTPToken: string
+
+  // ---------------------------------------------------------------
+
+  before(async function () {
+    this.timeout(30000)
+
+    {
+      server = await createSingleServer(1)
+      await setAccessTokensToServers([ server ])
+    }
+
+    {
+      const result = await server.users.generate('user1')
+      userToken = result.token
+      userId = result.userId
+      userPassword = result.password
+    }
+
+    {
+      const { id } = await server.users.getMyInfo()
+      rootId = id
+      rootPassword = server.store.user.password
+    }
+  })
+
+  describe('When requesting two factor', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.request({ userId: 42, currentPassword: rootPassword, expectedStatus: HttpStatusCode.NOT_FOUND_404 })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.request({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to request another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.request({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to request another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.request({ userId, currentPassword: rootPassword })
+    })
+
+    it('Should fail to request two factor without a password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to request two factor with an incorrect password', async function () {
+      await server.twoFactor.request({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.request({ userId })
+    })
+
+    it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+
+    it('Should succeed to request my two factor auth', async function () {
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+        userRequestToken = otpRequest.requestToken
+        userOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+
+      {
+        const { otpRequest } = await server.twoFactor.request({ userId: rootId, currentPassword: rootPassword })
+        rootRequestToken = otpRequest.requestToken
+        rootOTPToken = TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+      }
+    })
+  })
+
+  describe('When confirming two factor request', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 42,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: 'invalid' as any,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to confirm another user two factor request without the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId: rootId,
+        token: userToken,
+        requestToken: rootRequestToken,
+        otpToken: rootOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail without request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: undefined,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail with an invalid request token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: 'toto',
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail with request token of another user', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: rootRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail without an otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: undefined,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail with a bad otp token', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: '123456',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to confirm another user two factor request with the appropriate rights', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+
+      // Reinit
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+    })
+
+    it('Should succeed to confirm my two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken
+      })
+    })
+
+    it('Should fail to confirm again two factor request', async function () {
+      await server.twoFactor.confirmRequest({
+        userId,
+        token: userToken,
+        requestToken: userRequestToken,
+        otpToken: userOTPToken,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+
+  describe('When disabling two factor', function () {
+
+    it('Should fail with an unknown user id', async function () {
+      await server.twoFactor.disable({
+        userId: 42,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+
+    it('Should fail with an invalid user id', async function () {
+      await server.twoFactor.disable({
+        userId: 'invalid' as any,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+
+    it('Should fail to disable another user two factor without the appropriate rights', async function () {
+      await server.twoFactor.disable({
+        userId: rootId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should fail to disable two factor with an incorrect password', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: rootPassword,
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+      await server.twoFactor.disable({ userId })
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+
+    it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+      await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+      await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+
+    it('Should succeed to disable another user two factor with the appropriate rights', async function () {
+      await server.twoFactor.disable({ userId, currentPassword: rootPassword })
+
+      await server.twoFactor.requestAndConfirm({ userId })
+    })
+
+    it('Should succeed to update my two factor auth', async function () {
+      await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+    })
+
+    it('Should fail to disable again two factor', async function () {
+      await server.twoFactor.disable({
+        userId,
+        token: userToken,
+        currentPassword: userPassword,
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    })
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/live/live-fast-restream.ts b/server/tests/api/live/live-fast-restream.ts
index 502959258..3ea6be9ff 100644
--- a/server/tests/api/live/live-fast-restream.ts
+++ b/server/tests/api/live/live-fast-restream.ts
@@ -59,7 +59,7 @@ describe('Fast restream in live', function () {
       const video = await server.videos.get({ id: liveId })
       expect(video.streamingPlaylists).to.have.lengthOf(1)
 
-      await server.live.getSegment({ videoUUID: liveId, segment: 0, playlistNumber: 0 })
+      await server.live.getSegmentFile({ videoUUID: liveId, segment: 0, playlistNumber: 0 })
       await makeRawRequest(video.streamingPlaylists[0].playlistUrl, HttpStatusCode.OK_200)
       await makeRawRequest(video.streamingPlaylists[0].segmentsSha256Url, HttpStatusCode.OK_200)
 
diff --git a/server/tests/api/live/live.ts b/server/tests/api/live/live.ts
index c436f0f01..5dd2bd9ab 100644
--- a/server/tests/api/live/live.ts
+++ b/server/tests/api/live/live.ts
@@ -3,7 +3,7 @@
 import { expect } from 'chai'
 import { basename, join } from 'path'
 import { ffprobePromise, getVideoStream } from '@server/helpers/ffmpeg'
-import { checkLiveSegmentHash, checkResolutionsInMasterPlaylist, testImage } from '@server/tests/shared'
+import { testImage, testVideoResolutions } from '@server/tests/shared'
 import { getAllFiles, wait } from '@shared/core-utils'
 import {
   HttpStatusCode,
@@ -372,46 +372,6 @@ describe('Test live', function () {
       return uuid
     }
 
-    async function testVideoResolutions (liveVideoId: string, resolutions: number[]) {
-      for (const server of servers) {
-        const { data } = await server.videos.list()
-        expect(data.find(v => v.uuid === liveVideoId)).to.exist
-
-        const video = await server.videos.get({ id: liveVideoId })
-
-        expect(video.streamingPlaylists).to.have.lengthOf(1)
-
-        const hlsPlaylist = video.streamingPlaylists.find(s => s.type === VideoStreamingPlaylistType.HLS)
-        expect(hlsPlaylist).to.exist
-
-        // Only finite files are displayed
-        expect(hlsPlaylist.files).to.have.lengthOf(0)
-
-        await checkResolutionsInMasterPlaylist({ server, playlistUrl: hlsPlaylist.playlistUrl, resolutions })
-
-        for (let i = 0; i < resolutions.length; i++) {
-          const segmentNum = 3
-          const segmentName = `${i}-00000${segmentNum}.ts`
-          await commands[0].waitUntilSegmentGeneration({ videoUUID: video.uuid, playlistNumber: i, segment: segmentNum })
-
-          const subPlaylist = await servers[0].streamingPlaylists.get({
-            url: `${servers[0].url}/static/streaming-playlists/hls/${video.uuid}/${i}.m3u8`
-          })
-
-          expect(subPlaylist).to.contain(segmentName)
-
-          const baseUrlAndPath = servers[0].url + '/static/streaming-playlists/hls'
-          await checkLiveSegmentHash({
-            server,
-            baseUrlSegment: baseUrlAndPath,
-            videoUUID: video.uuid,
-            segmentName,
-            hlsPlaylist
-          })
-        }
-      }
-    }
-
     function updateConf (resolutions: number[]) {
       return servers[0].config.updateCustomSubConfig({
         newConfig: {
@@ -449,7 +409,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, [ 720 ])
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: [ 720 ],
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
     })
@@ -477,7 +444,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions.concat([ 720 ]))
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: resolutions.concat([ 720 ]),
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
     })
@@ -522,7 +496,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions)
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions,
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
@@ -538,7 +519,7 @@ describe('Test live', function () {
       }
 
       const minBitrateLimits = {
-        720: 5500 * 1000,
+        720: 5000 * 1000,
         360: 1000 * 1000,
         240: 550 * 1000
       }
@@ -569,7 +550,7 @@ describe('Test live', function () {
           if (resolution >= 720) {
             expect(file.fps).to.be.approximately(60, 10)
           } else {
-            expect(file.fps).to.be.approximately(30, 2)
+            expect(file.fps).to.be.approximately(30, 3)
           }
 
           const filename = basename(file.fileUrl)
@@ -611,7 +592,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, resolutions)
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions,
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
@@ -640,7 +628,14 @@ describe('Test live', function () {
       await waitUntilLivePublishedOnAllServers(servers, liveVideoId)
       await waitJobs(servers)
 
-      await testVideoResolutions(liveVideoId, [ 720 ])
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId,
+        resolutions: [ 720 ],
+        objectStorage: false,
+        transcoded: true
+      })
 
       await stopFfmpeg(ffmpegCommand)
       await commands[0].waitUntilEnded({ videoId: liveVideoId })
diff --git a/server/tests/api/notifications/admin-notifications.ts b/server/tests/api/notifications/admin-notifications.ts
index b3bb4888e..07c981a37 100644
--- a/server/tests/api/notifications/admin-notifications.ts
+++ b/server/tests/api/notifications/admin-notifications.ts
@@ -37,7 +37,7 @@ describe('Test admin notifications', function () {
       plugins: {
         index: {
           enabled: true,
-          check_latest_versions_interval: '5 seconds'
+          check_latest_versions_interval: '3 seconds'
         }
       }
     }
@@ -62,7 +62,7 @@ describe('Test admin notifications', function () {
 
   describe('Latest PeerTube version notification', function () {
 
-    it('Should not send a notification to admins if there is not a new version', async function () {
+    it('Should not send a notification to admins if there is no new version', async function () {
       this.timeout(30000)
 
       joinPeerTubeServer.setLatestVersion('1.4.2')
@@ -71,7 +71,7 @@ describe('Test admin notifications', function () {
       await checkNewPeerTubeVersion({ ...baseParams, latestVersion: '1.4.2', checkType: 'absence' })
     })
 
-    it('Should send a notification to admins on new plugin version', async function () {
+    it('Should send a notification to admins on new version', async function () {
       this.timeout(30000)
 
       joinPeerTubeServer.setLatestVersion('15.4.2')
diff --git a/server/tests/api/notifications/moderation-notifications.ts b/server/tests/api/notifications/moderation-notifications.ts
index d8a7d576e..fc953f144 100644
--- a/server/tests/api/notifications/moderation-notifications.ts
+++ b/server/tests/api/notifications/moderation-notifications.ts
@@ -382,7 +382,7 @@ describe('Test moderation notifications', function () {
     })
 
     it('Should send a notification only to admin when there is a new instance follower', async function () {
-      this.timeout(20000)
+      this.timeout(60000)
 
       await servers[2].follows.follow({ hosts: [ servers[0].url ] })
 
diff --git a/server/tests/api/object-storage/live.ts b/server/tests/api/object-storage/live.ts
index 0958ffe0f..7e16b4c89 100644
--- a/server/tests/api/object-storage/live.ts
+++ b/server/tests/api/object-storage/live.ts
@@ -1,9 +1,9 @@
 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
 
 import { expect } from 'chai'
-import { expectStartWith } from '@server/tests/shared'
+import { expectStartWith, testVideoResolutions } from '@server/tests/shared'
 import { areObjectStorageTestsDisabled } from '@shared/core-utils'
-import { HttpStatusCode, LiveVideoCreate, VideoFile, VideoPrivacy } from '@shared/models'
+import { HttpStatusCode, LiveVideoCreate, VideoPrivacy } from '@shared/models'
 import {
   createMultipleServers,
   doubleFollow,
@@ -35,41 +35,43 @@ async function createLive (server: PeerTubeServer, permanent: boolean) {
   return uuid
 }
 
-async function checkFiles (files: VideoFile[]) {
-  for (const file of files) {
-    expectStartWith(file.fileUrl, ObjectStorageCommand.getPlaylistBaseUrl())
+async function checkFilesExist (servers: PeerTubeServer[], videoUUID: string, numberOfFiles: number) {
+  for (const server of servers) {
+    const video = await server.videos.get({ id: videoUUID })
 
-    await makeRawRequest(file.fileUrl, HttpStatusCode.OK_200)
-  }
-}
+    expect(video.files).to.have.lengthOf(0)
+    expect(video.streamingPlaylists).to.have.lengthOf(1)
 
-async function getFiles (server: PeerTubeServer, videoUUID: string) {
-  const video = await server.videos.get({ id: videoUUID })
+    const files = video.streamingPlaylists[0].files
+    expect(files).to.have.lengthOf(numberOfFiles)
 
-  expect(video.files).to.have.lengthOf(0)
-  expect(video.streamingPlaylists).to.have.lengthOf(1)
+    for (const file of files) {
+      expectStartWith(file.fileUrl, ObjectStorageCommand.getPlaylistBaseUrl())
 
-  return video.streamingPlaylists[0].files
+      await makeRawRequest(file.fileUrl, HttpStatusCode.OK_200)
+    }
+  }
 }
 
-async function streamAndEnd (servers: PeerTubeServer[], liveUUID: string) {
-  const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: liveUUID })
-  await waitUntilLivePublishedOnAllServers(servers, liveUUID)
-
-  const videoLiveDetails = await servers[0].videos.get({ id: liveUUID })
-  const liveDetails = await servers[0].live.get({ videoId: liveUUID })
+async function checkFilesCleanup (server: PeerTubeServer, videoUUID: string, resolutions: number[]) {
+  const resolutionFiles = resolutions.map((_value, i) => `${i}.m3u8`)
 
-  await stopFfmpeg(ffmpegCommand)
-
-  if (liveDetails.permanentLive) {
-    await waitUntilLiveWaitingOnAllServers(servers, liveUUID)
-  } else {
-    await waitUntilLiveReplacedByReplayOnAllServers(servers, liveUUID)
+  for (const playlistName of [ 'master.m3u8' ].concat(resolutionFiles)) {
+    await server.live.getPlaylistFile({
+      videoUUID,
+      playlistName,
+      expectedStatus: HttpStatusCode.NOT_FOUND_404,
+      objectStorage: true
+    })
   }
 
-  await waitJobs(servers)
-
-  return { videoLiveDetails, liveDetails }
+  await server.live.getSegmentFile({
+    videoUUID,
+    playlistNumber: 0,
+    segment: 0,
+    objectStorage: true,
+    expectedStatus: HttpStatusCode.NOT_FOUND_404
+  })
 }
 
 describe('Object storage for lives', function () {
@@ -100,57 +102,124 @@ describe('Object storage for lives', function () {
       videoUUID = await createLive(servers[0], false)
     })
 
-    it('Should create a live and save the replay on object storage', async function () {
+    it('Should create a live and publish it on object storage', async function () {
+      this.timeout(220000)
+
+      const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUID })
+      await waitUntilLivePublishedOnAllServers(servers, videoUUID)
+
+      await testVideoResolutions({
+        originServer: servers[0],
+        servers,
+        liveVideoId: videoUUID,
+        resolutions: [ 720 ],
+        transcoded: false,
+        objectStorage: true
+      })
+
+      await stopFfmpeg(ffmpegCommand)
+    })
+
+    it('Should have saved the replay on object storage', async function () {
       this.timeout(220000)
 
-      await streamAndEnd(servers, videoUUID)
+      await waitUntilLiveReplacedByReplayOnAllServers(servers, videoUUID)
+      await waitJobs(servers)
 
-      for (const server of servers) {
-        const files = await getFiles(server, videoUUID)
-        expect(files).to.have.lengthOf(1)
+      await checkFilesExist(servers, videoUUID, 1)
+    })
 
-        await checkFiles(files)
-      }
+    it('Should have cleaned up live files from object storage', async function () {
+      await checkFilesCleanup(servers[0], videoUUID, [ 720 ])
     })
   })
 
   describe('With live transcoding', async function () {
-    let videoUUIDPermanent: string
-    let videoUUIDNonPermanent: string
+    const resolutions = [ 720, 480, 360, 240, 144 ]
 
     before(async function () {
       await servers[0].config.enableLive({ transcoding: true })
-
-      videoUUIDPermanent = await createLive(servers[0], true)
-      videoUUIDNonPermanent = await createLive(servers[0], false)
     })
 
-    it('Should create a live and save the replay on object storage', async function () {
-      this.timeout(240000)
+    describe('Normal replay', function () {
+      let videoUUIDNonPermanent: string
+
+      before(async function () {
+        videoUUIDNonPermanent = await createLive(servers[0], false)
+      })
+
+      it('Should create a live and publish it on object storage', async function () {
+        this.timeout(240000)
+
+        const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUIDNonPermanent })
+        await waitUntilLivePublishedOnAllServers(servers, videoUUIDNonPermanent)
+
+        await testVideoResolutions({
+          originServer: servers[0],
+          servers,
+          liveVideoId: videoUUIDNonPermanent,
+          resolutions,
+          transcoded: true,
+          objectStorage: true
+        })
+
+        await stopFfmpeg(ffmpegCommand)
+      })
 
-      await streamAndEnd(servers, videoUUIDNonPermanent)
+      it('Should have saved the replay on object storage', async function () {
+        this.timeout(220000)
 
-      for (const server of servers) {
-        const files = await getFiles(server, videoUUIDNonPermanent)
-        expect(files).to.have.lengthOf(5)
+        await waitUntilLiveReplacedByReplayOnAllServers(servers, videoUUIDNonPermanent)
+        await waitJobs(servers)
 
-        await checkFiles(files)
-      }
+        await checkFilesExist(servers, videoUUIDNonPermanent, 5)
+      })
+
+      it('Should have cleaned up live files from object storage', async function () {
+        await checkFilesCleanup(servers[0], videoUUIDNonPermanent, resolutions)
+      })
     })
 
-    it('Should create a live and save the replay of permanent live on object storage', async function () {
-      this.timeout(240000)
+    describe('Permanent replay', function () {
+      let videoUUIDPermanent: string
+
+      before(async function () {
+        videoUUIDPermanent = await createLive(servers[0], true)
+      })
+
+      it('Should create a live and publish it on object storage', async function () {
+        this.timeout(240000)
+
+        const ffmpegCommand = await servers[0].live.sendRTMPStreamInVideo({ videoId: videoUUIDPermanent })
+        await waitUntilLivePublishedOnAllServers(servers, videoUUIDPermanent)
+
+        await testVideoResolutions({
+          originServer: servers[0],
+          servers,
+          liveVideoId: videoUUIDPermanent,
+          resolutions,
+          transcoded: true,
+          objectStorage: true
+        })
+
+        await stopFfmpeg(ffmpegCommand)
+      })
+
+      it('Should have saved the replay on object storage', async function () {
+        this.timeout(220000)
 
-      const { videoLiveDetails } = await streamAndEnd(servers, videoUUIDPermanent)
+        await waitUntilLiveWaitingOnAllServers(servers, videoUUIDPermanent)
+        await waitJobs(servers)
 
-      const replay = await findExternalSavedVideo(servers[0], videoLiveDetails)
+        const videoLiveDetails = await servers[0].videos.get({ id: videoUUIDPermanent })
+        const replay = await findExternalSavedVideo(servers[0], videoLiveDetails)
 
-      for (const server of servers) {
-        const files = await getFiles(server, replay.uuid)
-        expect(files).to.have.lengthOf(5)
+        await checkFilesExist(servers, replay.uuid, 5)
+      })
 
-        await checkFiles(files)
-      }
+      it('Should have cleaned up live files from object storage', async function () {
+        await checkFilesCleanup(servers[0], videoUUIDPermanent, resolutions)
+      })
     })
   })
 
diff --git a/server/tests/api/redundancy/redundancy.ts b/server/tests/api/redundancy/redundancy.ts
index 5abed358f..f349a7a76 100644
--- a/server/tests/api/redundancy/redundancy.ts
+++ b/server/tests/api/redundancy/redundancy.ts
@@ -5,7 +5,7 @@ import { readdir } from 'fs-extra'
 import magnetUtil from 'magnet-uri'
 import { basename, join } from 'path'
 import { checkSegmentHash, checkVideoFilesWereRemoved, saveVideoInServers } from '@server/tests/shared'
-import { root, wait } from '@shared/core-utils'
+import { wait } from '@shared/core-utils'
 import {
   HttpStatusCode,
   VideoDetails,
@@ -159,12 +159,12 @@ async function check2Webseeds (videoUUID?: string) {
   const { webtorrentFilenames } = await ensureSameFilenames(videoUUID)
 
   const directories = [
-    'test' + servers[0].internalServerNumber + '/redundancy',
-    'test' + servers[1].internalServerNumber + '/videos'
+    servers[0].getDirectoryPath('redundancy'),
+    servers[1].getDirectoryPath('videos')
   ]
 
   for (const directory of directories) {
-    const files = await readdir(join(root(), directory))
+    const files = await readdir(directory)
     expect(files).to.have.length.at.least(4)
 
     // Ensure we files exist on disk
@@ -214,12 +214,12 @@ async function check1PlaylistRedundancies (videoUUID?: string) {
   const { hlsFilenames } = await ensureSameFilenames(videoUUID)
 
   const directories = [
-    'test' + servers[0].internalServerNumber + '/redundancy/hls',
-    'test' + servers[1].internalServerNumber + '/streaming-playlists/hls'
+    servers[0].getDirectoryPath('redundancy/hls'),
+    servers[1].getDirectoryPath('streaming-playlists/hls')
   ]
 
   for (const directory of directories) {
-    const files = await readdir(join(root(), directory, videoUUID))
+    const files = await readdir(join(directory, videoUUID))
     expect(files).to.have.length.at.least(4)
 
     // Ensure we files exist on disk
diff --git a/server/tests/api/users/index.ts b/server/tests/api/users/index.ts
index c65152c6f..643f1a531 100644
--- a/server/tests/api/users/index.ts
+++ b/server/tests/api/users/index.ts
@@ -1,3 +1,4 @@
+import './two-factor'
 import './user-subscriptions'
 import './user-videos'
 import './users'
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts
new file mode 100644
index 000000000..0dcab9e17
--- /dev/null
+++ b/server/tests/api/users/two-factor.ts
@@ -0,0 +1,200 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { expect } from 'chai'
+import { expectStartWith } from '@server/tests/shared'
+import { HttpStatusCode } from '@shared/models'
+import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers, TwoFactorCommand } from '@shared/server-commands'
+
+async function login (options: {
+  server: PeerTubeServer
+  username: string
+  password: string
+  otpToken?: string
+  expectedStatus?: HttpStatusCode
+}) {
+  const { server, username, password, otpToken, expectedStatus } = options
+
+  const user = { username, password }
+  const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
+
+  return { res, token }
+}
+
+describe('Test users', function () {
+  let server: PeerTubeServer
+  let otpSecret: string
+  let requestToken: string
+
+  const userUsername = 'user1'
+  let userId: number
+  let userPassword: string
+  let userToken: string
+
+  before(async function () {
+    this.timeout(30000)
+
+    server = await createSingleServer(1)
+
+    await setAccessTokensToServers([ server ])
+    const res = await server.users.generate(userUsername)
+    userId = res.userId
+    userPassword = res.password
+    userToken = res.token
+  })
+
+  it('Should not add the header on login if two factor is not enabled', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should request two factor and get the secret and uri', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
+
+    expect(otpRequest.requestToken).to.exist
+
+    expect(otpRequest.secret).to.exist
+    expect(otpRequest.secret).to.have.lengthOf(32)
+
+    expect(otpRequest.uri).to.exist
+    expectStartWith(otpRequest.uri, 'otpauth://')
+    expect(otpRequest.uri).to.include(otpRequest.secret)
+
+    requestToken = otpRequest.requestToken
+    otpSecret = otpRequest.secret
+  })
+
+  it('Should not have two factor confirmed yet', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  it('Should confirm two factor', async function () {
+    await server.twoFactor.confirmRequest({
+      userId,
+      token: userToken,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
+      requestToken
+    })
+  })
+
+  it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
+    const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should add the header on login if two factor is enabled and password is correct', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+    })
+
+    expect(res.header['x-peertube-otp']).to.exist
+    expect(token).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should not login with correct password and incorrect otp secret', async function () {
+    const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
+
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: otp.generate(),
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should not login with correct password and incorrect otp code', async function () {
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: userPassword,
+      otpToken: '123456',
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should not login with incorrect password and correct otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+
+    const { res, token } = await login({
+      server,
+      username: userUsername,
+      password: 'fake',
+      otpToken,
+      expectedStatus: HttpStatusCode.BAD_REQUEST_400
+    })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.not.exist
+  })
+
+  it('Should correctly login with correct password and otp code', async function () {
+    const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
+
+    const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
+
+    expect(res.header['x-peertube-otp']).to.not.exist
+    expect(token).to.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should have two factor enabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+
+  it('Should disable two factor and be able to login without otp token', async function () {
+    await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
+
+    const { res, token } = await login({ server, username: userUsername, password: userPassword })
+    expect(res.header['x-peertube-otp']).to.not.exist
+
+    await server.users.getMyInfo({ token })
+  })
+
+  it('Should have two factor disabled when getting my info', async function () {
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  it('Should enable two factor auth without password from an admin', async function () {
+    const { otpRequest } = await server.twoFactor.request({ userId })
+
+    await server.twoFactor.confirmRequest({
+      userId,
+      otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
+      requestToken: otpRequest.requestToken
+    })
+
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.true
+  })
+
+  it('Should disable two factor auth without password from an admin', async function () {
+    await server.twoFactor.disable({ userId })
+
+    const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+    expect(twoFactorEnabled).to.be.false
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/api/users/users-multiple-servers.ts b/server/tests/api/users/users-multiple-servers.ts
index 62d668d1e..188e6f137 100644
--- a/server/tests/api/users/users-multiple-servers.ts
+++ b/server/tests/api/users/users-multiple-servers.ts
@@ -197,7 +197,7 @@ describe('Test users with multiple servers', function () {
   it('Should not have actor files', async () => {
     for (const server of servers) {
       for (const userAvatarFilename of userAvatarFilenames) {
-        await checkActorFilesWereRemoved(userAvatarFilename, server.internalServerNumber)
+        await checkActorFilesWereRemoved(userAvatarFilename, server)
       }
     }
   })
diff --git a/server/tests/api/videos/multiple-servers.ts b/server/tests/api/videos/multiple-servers.ts
index d47807a79..2ad749fd4 100644
--- a/server/tests/api/videos/multiple-servers.ts
+++ b/server/tests/api/videos/multiple-servers.ts
@@ -156,7 +156,7 @@ describe('Test multiple servers', function () {
     })
 
     it('Should upload the video on server 2 and propagate on each server', async function () {
-      this.timeout(100000)
+      this.timeout(240000)
 
       const user = {
         username: 'user1',
diff --git a/server/tests/api/videos/video-files.ts b/server/tests/api/videos/video-files.ts
index 10277b9cf..c0b886aad 100644
--- a/server/tests/api/videos/video-files.ts
+++ b/server/tests/api/videos/video-files.ts
@@ -33,7 +33,7 @@ describe('Test videos files', function () {
     let validId2: string
 
     before(async function () {
-      this.timeout(120_000)
+      this.timeout(360_000)
 
       {
         const { uuid } = await servers[0].videos.quickUpload({ name: 'video 1' })
diff --git a/server/tests/api/videos/video-playlists.ts b/server/tests/api/videos/video-playlists.ts
index 47b8c7b1e..9d223de48 100644
--- a/server/tests/api/videos/video-playlists.ts
+++ b/server/tests/api/videos/video-playlists.ts
@@ -70,7 +70,7 @@ describe('Test video playlists', function () {
   let commands: PlaylistsCommand[]
 
   before(async function () {
-    this.timeout(120000)
+    this.timeout(240000)
 
     servers = await createMultipleServers(3)
 
@@ -1049,7 +1049,7 @@ describe('Test video playlists', function () {
       this.timeout(30000)
 
       for (const server of servers) {
-        await checkPlaylistFilesWereRemoved(playlistServer1UUID, server.internalServerNumber)
+        await checkPlaylistFilesWereRemoved(playlistServer1UUID, server)
       }
     })
 
diff --git a/server/tests/api/videos/video-privacy.ts b/server/tests/api/videos/video-privacy.ts
index b18c71c94..92f5dab3c 100644
--- a/server/tests/api/videos/video-privacy.ts
+++ b/server/tests/api/videos/video-privacy.ts
@@ -45,7 +45,7 @@ describe('Test video privacy', function () {
   describe('Private and internal videos', function () {
 
     it('Should upload a private and internal videos on server 1', async function () {
-      this.timeout(10000)
+      this.timeout(50000)
 
       for (const privacy of [ VideoPrivacy.PRIVATE, VideoPrivacy.INTERNAL ]) {
         const attributes = { privacy }
diff --git a/server/tests/api/videos/videos-common-filters.ts b/server/tests/api/videos/videos-common-filters.ts
index e7fc15e42..b176d90ab 100644
--- a/server/tests/api/videos/videos-common-filters.ts
+++ b/server/tests/api/videos/videos-common-filters.ts
@@ -232,7 +232,7 @@ describe('Test videos filter', function () {
     })
 
     it('Should display only remote videos', async function () {
-      this.timeout(40000)
+      this.timeout(120000)
 
       await servers[1].videos.upload({ attributes: { name: 'remote video' } })
 
diff --git a/server/tests/external-plugins/akismet.ts b/server/tests/external-plugins/akismet.ts
new file mode 100644
index 000000000..974bf0011
--- /dev/null
+++ b/server/tests/external-plugins/akismet.ts
@@ -0,0 +1,160 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { expect } from 'chai'
+import { HttpStatusCode } from '@shared/models'
+import {
+  cleanupTests,
+  createMultipleServers,
+  doubleFollow,
+  PeerTubeServer,
+  setAccessTokensToServers,
+  waitJobs
+} from '@shared/server-commands'
+
+describe('Official plugin Akismet', function () {
+  let servers: PeerTubeServer[]
+  let videoUUID: string
+
+  before(async function () {
+    this.timeout(30000)
+
+    servers = await createMultipleServers(2)
+    await setAccessTokensToServers(servers)
+
+    await servers[0].plugins.install({
+      npmName: 'peertube-plugin-akismet'
+    })
+
+    if (!process.env.AKISMET_KEY) throw new Error('Missing AKISMET_KEY from env')
+
+    await servers[0].plugins.updateSettings({
+      npmName: 'peertube-plugin-akismet',
+      settings: {
+        'akismet-api-key': process.env.AKISMET_KEY
+      }
+    })
+
+    await doubleFollow(servers[0], servers[1])
+  })
+
+  describe('Local threads/replies', function () {
+
+    before(async function () {
+      const { uuid } = await servers[0].videos.quickUpload({ name: 'video 1' })
+      videoUUID = uuid
+    })
+
+    it('Should not detect a thread as spam', async function () {
+      await servers[0].comments.createThread({ videoId: videoUUID, text: 'comment' })
+    })
+
+    it('Should not detect a reply as spam', async function () {
+      await servers[0].comments.addReplyToLastThread({ text: 'reply' })
+    })
+
+    it('Should detect a thread as spam', async function () {
+      await servers[0].comments.createThread({
+        videoId: videoUUID,
+        text: 'akismet-guaranteed-spam',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+
+    it('Should detect a thread as spam', async function () {
+      await servers[0].comments.createThread({ videoId: videoUUID, text: 'comment' })
+      await servers[0].comments.addReplyToLastThread({ text: 'akismet-guaranteed-spam', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
+  })
+
+  describe('Remote threads/replies', function () {
+
+    before(async function () {
+      this.timeout(60000)
+
+      const { uuid } = await servers[0].videos.quickUpload({ name: 'video 1' })
+      videoUUID = uuid
+
+      await waitJobs(servers)
+    })
+
+    it('Should not detect a thread as spam', async function () {
+      this.timeout(30000)
+
+      await servers[1].comments.createThread({ videoId: videoUUID, text: 'remote comment 1' })
+      await waitJobs(servers)
+
+      const { data } = await servers[0].comments.listThreads({ videoId: videoUUID })
+      expect(data).to.have.lengthOf(1)
+    })
+
+    it('Should not detect a reply as spam', async function () {
+      this.timeout(30000)
+
+      await servers[1].comments.addReplyToLastThread({ text: 'I agree with you' })
+      await waitJobs(servers)
+
+      const { data } = await servers[0].comments.listThreads({ videoId: videoUUID })
+      expect(data).to.have.lengthOf(1)
+
+      const tree = await servers[0].comments.getThread({ videoId: videoUUID, threadId: data[0].id })
+      expect(tree.children).to.have.lengthOf(1)
+    })
+
+    it('Should detect a thread as spam', async function () {
+      this.timeout(30000)
+
+      await servers[1].comments.createThread({ videoId: videoUUID, text: 'akismet-guaranteed-spam' })
+      await waitJobs(servers)
+
+      const { data } = await servers[0].comments.listThreads({ videoId: videoUUID })
+      expect(data).to.have.lengthOf(1)
+    })
+
+    it('Should detect a thread as spam', async function () {
+      this.timeout(30000)
+
+      await servers[1].comments.addReplyToLastThread({ text: 'akismet-guaranteed-spam' })
+      await waitJobs(servers)
+
+      const { data } = await servers[0].comments.listThreads({ videoId: videoUUID })
+      expect(data).to.have.lengthOf(1)
+
+      const thread = data[0]
+      const tree = await servers[0].comments.getThread({ videoId: videoUUID, threadId: thread.id })
+      expect(tree.children).to.have.lengthOf(1)
+    })
+  })
+
+  describe('Signup', function () {
+
+    before(async function () {
+      await servers[0].config.updateExistingSubConfig({
+        newConfig: {
+          signup: {
+            enabled: true
+          }
+        }
+      })
+    })
+
+    it('Should allow signup', async function () {
+      await servers[0].users.register({
+        username: 'user1',
+        displayName: 'user 1'
+      })
+    })
+
+    it('Should detect a signup as SPAM', async function () {
+      await servers[0].users.register({
+        username: 'user2',
+        displayName: 'user 2',
+        email: 'akismet-guaranteed-spam@example.com',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+    })
+  })
+
+  after(async function () {
+    await cleanupTests(servers)
+  })
+})
diff --git a/server/tests/external-plugins/auth-ldap.ts b/server/tests/external-plugins/auth-ldap.ts
index d7f155d2a..6f6a574a0 100644
--- a/server/tests/external-plugins/auth-ldap.ts
+++ b/server/tests/external-plugins/auth-ldap.ts
@@ -94,6 +94,14 @@ describe('Official plugin auth-ldap', function () {
     await server.login.login({ user: { username: 'fry@planetexpress.com', password: 'fry' } })
   })
 
+  it('Should not be able to ask password reset', async function () {
+    await server.users.askResetPassword({ email: 'fry@planetexpress.com', expectedStatus: HttpStatusCode.CONFLICT_409 })
+  })
+
+  it('Should not be able to ask email verification', async function () {
+    await server.users.askSendVerifyEmail({ email: 'fry@planetexpress.com', expectedStatus: HttpStatusCode.CONFLICT_409 })
+  })
+
   it('Should not login if the plugin is uninstalled', async function () {
     await server.plugins.uninstall({ npmName: 'peertube-plugin-auth-ldap' })
 
diff --git a/server/tests/external-plugins/index.ts b/server/tests/external-plugins/index.ts
index 31d818b51..815bbf1da 100644
--- a/server/tests/external-plugins/index.ts
+++ b/server/tests/external-plugins/index.ts
@@ -1,3 +1,4 @@
+import './akismet'
 import './auth-ldap'
 import './auto-block-videos'
 import './auto-mute'
diff --git a/server/tests/fixtures/peertube-plugin-test-four/main.js b/server/tests/fixtures/peertube-plugin-test-four/main.js
index 5194e3e02..3e848c49e 100644
--- a/server/tests/fixtures/peertube-plugin-test-four/main.js
+++ b/server/tests/fixtures/peertube-plugin-test-four/main.js
@@ -128,6 +128,22 @@ async function register ({
 
       return res.json(result)
     })
+
+    router.post('/send-notification', async (req, res) => {
+      peertubeHelpers.socket.sendNotification(req.body.userId, {
+        type: 1,
+        userId: req.body.userId
+      })
+
+      return res.sendStatus(201)
+    })
+
+    router.post('/send-video-live-new-state/:uuid', async (req, res) => {
+      const video = await peertubeHelpers.videos.loadByIdOrUUID(req.params.uuid)
+      peertubeHelpers.socket.sendVideoLiveNewState(video)
+
+      return res.sendStatus(201)
+    })
   }
 
 }
diff --git a/server/tests/fixtures/peertube-plugin-test-websocket/main.js b/server/tests/fixtures/peertube-plugin-test-websocket/main.js
new file mode 100644
index 000000000..3fde76cfe
--- /dev/null
+++ b/server/tests/fixtures/peertube-plugin-test-websocket/main.js
@@ -0,0 +1,36 @@
+const WebSocketServer = require('ws').WebSocketServer
+
+async function register ({
+  registerWebSocketRoute
+}) {
+  const wss = new WebSocketServer({ noServer: true })
+
+  wss.on('connection', function connection(ws) {
+    ws.on('message', function message(data) {
+      if (data.toString() === 'ping') {
+        ws.send('pong')
+      }
+    })
+  })
+
+  registerWebSocketRoute({
+    route: '/toto',
+
+    handler: (request, socket, head) => {
+      wss.handleUpgrade(request, socket, head, ws => {
+        wss.emit('connection', ws, request)
+      })
+    }
+  })
+}
+
+async function unregister () {
+  return
+}
+
+module.exports = {
+  register,
+  unregister
+}
+
+// ###########################################################################
diff --git a/server/tests/fixtures/peertube-plugin-test-websocket/package.json b/server/tests/fixtures/peertube-plugin-test-websocket/package.json
new file mode 100644
index 000000000..89c8baa04
--- /dev/null
+++ b/server/tests/fixtures/peertube-plugin-test-websocket/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "peertube-plugin-test-websocket",
+  "version": "0.0.1",
+  "description": "Plugin test websocket",
+  "engine": {
+    "peertube": ">=1.3.0"
+  },
+  "keywords": [
+    "peertube",
+    "plugin"
+  ],
+  "homepage": "https://github.com/Chocobozzz/PeerTube",
+  "author": "Chocobozzz",
+  "bugs": "https://github.com/Chocobozzz/PeerTube/issues",
+  "library": "./main.js",
+  "staticDirs": {},
+  "css": [],
+  "clientScripts": [],
+  "translations": {}
+}
diff --git a/server/tests/fixtures/peertube-plugin-test/main.js b/server/tests/fixtures/peertube-plugin-test/main.js
index 813482a27..19dccf26e 100644
--- a/server/tests/fixtures/peertube-plugin-test/main.js
+++ b/server/tests/fixtures/peertube-plugin-test/main.js
@@ -178,6 +178,8 @@ async function register ({ registerHook, registerSetting, settingsManager, stora
     }
   })
 
+  // ---------------------------------------------------------------------------
+
   registerHook({
     target: 'filter:api.video-thread.create.accept.result',
     handler: ({ accepted }, { commentBody }) => checkCommentBadWord(accepted, commentBody)
@@ -189,6 +191,13 @@ async function register ({ registerHook, registerSetting, settingsManager, stora
   })
 
   registerHook({
+    target: 'filter:activity-pub.remote-video-comment.create.accept.result',
+    handler: ({ accepted }, { comment }) => checkCommentBadWord(accepted, comment)
+  })
+
+  // ---------------------------------------------------------------------------
+
+  registerHook({
     target: 'filter:api.video-threads.list.params',
     handler: obj => addToCount(obj)
   })
diff --git a/server/tests/helpers/crypto.ts b/server/tests/helpers/crypto.ts
new file mode 100644
index 000000000..b508c715b
--- /dev/null
+++ b/server/tests/helpers/crypto.ts
@@ -0,0 +1,33 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import { expect } from 'chai'
+import { decrypt, encrypt } from '@server/helpers/peertube-crypto'
+
+describe('Encrypt/Descrypt', function () {
+
+  it('Should encrypt and decrypt the string', async function () {
+    const secret = 'my_secret'
+    const str = 'my super string'
+
+    const encrypted = await encrypt(str, secret)
+    const decrypted = await decrypt(encrypted, secret)
+
+    expect(str).to.equal(decrypted)
+  })
+
+  it('Should not decrypt without the same secret', async function () {
+    const str = 'my super string'
+
+    const encrypted = await encrypt(str, 'my_secret')
+
+    let error = false
+
+    try {
+      await decrypt(encrypted, 'my_sicret')
+    } catch (err) {
+      error = true
+    }
+
+    expect(error).to.be.true
+  })
+})
diff --git a/server/tests/helpers/index.ts b/server/tests/helpers/index.ts
index 951208842..1f0e3098a 100644
--- a/server/tests/helpers/index.ts
+++ b/server/tests/helpers/index.ts
@@ -1,6 +1,7 @@
-import './image'
+import './comment-model'
 import './core-utils'
+import './crypto'
 import './dns'
-import './comment-model'
+import './image'
 import './markdown'
 import './request'
diff --git a/server/tests/misc-endpoints.ts b/server/tests/misc-endpoints.ts
index 663ac044a..d2072342e 100644
--- a/server/tests/misc-endpoints.ts
+++ b/server/tests/misc-endpoints.ts
@@ -1,18 +1,24 @@
 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
 
 import { expect } from 'chai'
-import { cleanupTests, createSingleServer, makeGetRequest, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'
+import { writeJson } from 'fs-extra'
+import { join } from 'path'
 import { HttpStatusCode, VideoPrivacy } from '@shared/models'
+import { cleanupTests, createSingleServer, makeGetRequest, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'
 import { expectLogDoesNotContain } from './shared'
 
 describe('Test misc endpoints', function () {
   let server: PeerTubeServer
+  let wellKnownPath: string
 
   before(async function () {
     this.timeout(120000)
 
     server = await createSingleServer(1)
+
     await setAccessTokensToServers([ server ])
+
+    wellKnownPath = server.getDirectoryPath('well-known')
   })
 
   describe('Test a well known endpoints', function () {
@@ -93,6 +99,28 @@ describe('Test misc endpoints', function () {
       expect(remoteInteract).to.exist
       expect(remoteInteract.template).to.equal(server.url + '/remote-interaction?uri={uri}')
     })
+
+    it('Should return 404 for non-existing files in /.well-known', async function () {
+      await makeGetRequest({
+        url: server.url,
+        path: '/.well-known/non-existing-file',
+        expectedStatus: HttpStatusCode.NOT_FOUND_404
+      })
+    })
+
+    it('Should return custom file from /.well-known', async function () {
+      const filename = 'existing-file.json'
+
+      await writeJson(join(wellKnownPath, filename), { iThink: 'therefore I am' })
+
+      const { body } = await makeGetRequest({
+        url: server.url,
+        path: '/.well-known/' + filename,
+        expectedStatus: HttpStatusCode.OK_200
+      })
+
+      expect(body.iThink).to.equal('therefore I am')
+    })
   })
 
   describe('Test classic static endpoints', function () {
diff --git a/server/tests/plugins/filter-hooks.ts b/server/tests/plugins/filter-hooks.ts
index 026c7e856..ae4b3cf5f 100644
--- a/server/tests/plugins/filter-hooks.ts
+++ b/server/tests/plugins/filter-hooks.ts
@@ -64,232 +64,289 @@ describe('Test plugin filter hooks', function () {
     })
   })
 
-  it('Should run filter:api.videos.list.params', async function () {
-    const { data } = await servers[0].videos.list({ start: 0, count: 2 })
+  describe('Videos', function () {
 
-    // 2 plugins do +1 to the count parameter
-    expect(data).to.have.lengthOf(4)
-  })
+    it('Should run filter:api.videos.list.params', async function () {
+      const { data } = await servers[0].videos.list({ start: 0, count: 2 })
 
-  it('Should run filter:api.videos.list.result', async function () {
-    const { total } = await servers[0].videos.list({ start: 0, count: 0 })
+      // 2 plugins do +1 to the count parameter
+      expect(data).to.have.lengthOf(4)
+    })
 
-    // Plugin do +1 to the total result
-    expect(total).to.equal(11)
-  })
+    it('Should run filter:api.videos.list.result', async function () {
+      const { total } = await servers[0].videos.list({ start: 0, count: 0 })
 
-  it('Should run filter:api.video-playlist.videos.list.params', async function () {
-    const { data } = await servers[0].playlists.listVideos({
-      count: 2,
-      playlistId: videoPlaylistUUID
+      // Plugin do +1 to the total result
+      expect(total).to.equal(11)
     })
 
-    // 1 plugin do +1 to the count parameter
-    expect(data).to.have.lengthOf(3)
-  })
+    it('Should run filter:api.video-playlist.videos.list.params', async function () {
+      const { data } = await servers[0].playlists.listVideos({
+        count: 2,
+        playlistId: videoPlaylistUUID
+      })
 
-  it('Should run filter:api.video-playlist.videos.list.result', async function () {
-    const { total } = await servers[0].playlists.listVideos({
-      count: 0,
-      playlistId: videoPlaylistUUID
+      // 1 plugin do +1 to the count parameter
+      expect(data).to.have.lengthOf(3)
     })
 
-    // Plugin do +1 to the total result
-    expect(total).to.equal(11)
-  })
+    it('Should run filter:api.video-playlist.videos.list.result', async function () {
+      const { total } = await servers[0].playlists.listVideos({
+        count: 0,
+        playlistId: videoPlaylistUUID
+      })
 
-  it('Should run filter:api.accounts.videos.list.params', async function () {
-    const { data } = await servers[0].videos.listByAccount({ handle: 'root', start: 0, count: 2 })
+      // Plugin do +1 to the total result
+      expect(total).to.equal(11)
+    })
 
-    // 1 plugin do +1 to the count parameter
-    expect(data).to.have.lengthOf(3)
-  })
+    it('Should run filter:api.accounts.videos.list.params', async function () {
+      const { data } = await servers[0].videos.listByAccount({ handle: 'root', start: 0, count: 2 })
 
-  it('Should run filter:api.accounts.videos.list.result', async function () {
-    const { total } = await servers[0].videos.listByAccount({ handle: 'root', start: 0, count: 2 })
+      // 1 plugin do +1 to the count parameter
+      expect(data).to.have.lengthOf(3)
+    })
 
-    // Plugin do +2 to the total result
-    expect(total).to.equal(12)
-  })
+    it('Should run filter:api.accounts.videos.list.result', async function () {
+      const { total } = await servers[0].videos.listByAccount({ handle: 'root', start: 0, count: 2 })
 
-  it('Should run filter:api.video-channels.videos.list.params', async function () {
-    const { data } = await servers[0].videos.listByChannel({ handle: 'root_channel', start: 0, count: 2 })
+      // Plugin do +2 to the total result
+      expect(total).to.equal(12)
+    })
 
-    // 1 plugin do +3 to the count parameter
-    expect(data).to.have.lengthOf(5)
-  })
+    it('Should run filter:api.video-channels.videos.list.params', async function () {
+      const { data } = await servers[0].videos.listByChannel({ handle: 'root_channel', start: 0, count: 2 })
 
-  it('Should run filter:api.video-channels.videos.list.result', async function () {
-    const { total } = await servers[0].videos.listByChannel({ handle: 'root_channel', start: 0, count: 2 })
+      // 1 plugin do +3 to the count parameter
+      expect(data).to.have.lengthOf(5)
+    })
 
-    // Plugin do +3 to the total result
-    expect(total).to.equal(13)
-  })
+    it('Should run filter:api.video-channels.videos.list.result', async function () {
+      const { total } = await servers[0].videos.listByChannel({ handle: 'root_channel', start: 0, count: 2 })
 
-  it('Should run filter:api.user.me.videos.list.params', async function () {
-    const { data } = await servers[0].videos.listMyVideos({ start: 0, count: 2 })
+      // Plugin do +3 to the total result
+      expect(total).to.equal(13)
+    })
 
-    // 1 plugin do +4 to the count parameter
-    expect(data).to.have.lengthOf(6)
-  })
+    it('Should run filter:api.user.me.videos.list.params', async function () {
+      const { data } = await servers[0].videos.listMyVideos({ start: 0, count: 2 })
 
-  it('Should run filter:api.user.me.videos.list.result', async function () {
-    const { total } = await servers[0].videos.listMyVideos({ start: 0, count: 2 })
+      // 1 plugin do +4 to the count parameter
+      expect(data).to.have.lengthOf(6)
+    })
 
-    // Plugin do +4 to the total result
-    expect(total).to.equal(14)
-  })
+    it('Should run filter:api.user.me.videos.list.result', async function () {
+      const { total } = await servers[0].videos.listMyVideos({ start: 0, count: 2 })
 
-  it('Should run filter:api.video.get.result', async function () {
-    const video = await servers[0].videos.get({ id: videoUUID })
-    expect(video.name).to.contain('<3')
-  })
+      // Plugin do +4 to the total result
+      expect(total).to.equal(14)
+    })
 
-  it('Should run filter:api.video.upload.accept.result', async function () {
-    await servers[0].videos.upload({ attributes: { name: 'video with bad word' }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    it('Should run filter:api.video.get.result', async function () {
+      const video = await servers[0].videos.get({ id: videoUUID })
+      expect(video.name).to.contain('<3')
+    })
   })
 
-  it('Should run filter:api.live-video.create.accept.result', async function () {
-    const attributes = {
-      name: 'video with bad word',
-      privacy: VideoPrivacy.PUBLIC,
-      channelId: servers[0].store.channel.id
-    }
+  describe('Video/live/import accept', function () {
 
-    await servers[0].live.create({ fields: attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
-  })
-
-  it('Should run filter:api.video.pre-import-url.accept.result', async function () {
-    const attributes = {
-      name: 'normal title',
-      privacy: VideoPrivacy.PUBLIC,
-      channelId: servers[0].store.channel.id,
-      targetUrl: FIXTURE_URLS.goodVideo + 'bad'
-    }
-    await servers[0].imports.importVideo({ attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
-  })
+    it('Should run filter:api.video.upload.accept.result', async function () {
+      await servers[0].videos.upload({ attributes: { name: 'video with bad word' }, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
 
-  it('Should run filter:api.video.pre-import-torrent.accept.result', async function () {
-    const attributes = {
-      name: 'bad torrent',
-      privacy: VideoPrivacy.PUBLIC,
-      channelId: servers[0].store.channel.id,
-      torrentfile: 'video-720p.torrent' as any
-    }
-    await servers[0].imports.importVideo({ attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
-  })
+    it('Should run filter:api.live-video.create.accept.result', async function () {
+      const attributes = {
+        name: 'video with bad word',
+        privacy: VideoPrivacy.PUBLIC,
+        channelId: servers[0].store.channel.id
+      }
 
-  it('Should run filter:api.video.post-import-url.accept.result', async function () {
-    this.timeout(60000)
+      await servers[0].live.create({ fields: attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
 
-    let videoImportId: number
+    it('Should run filter:api.video.pre-import-url.accept.result', async function () {
+      const attributes = {
+        name: 'normal title',
+        privacy: VideoPrivacy.PUBLIC,
+        channelId: servers[0].store.channel.id,
+        targetUrl: FIXTURE_URLS.goodVideo + 'bad'
+      }
+      await servers[0].imports.importVideo({ attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
 
-    {
+    it('Should run filter:api.video.pre-import-torrent.accept.result', async function () {
       const attributes = {
-        name: 'title with bad word',
+        name: 'bad torrent',
         privacy: VideoPrivacy.PUBLIC,
         channelId: servers[0].store.channel.id,
-        targetUrl: FIXTURE_URLS.goodVideo
+        torrentfile: 'video-720p.torrent' as any
       }
-      const body = await servers[0].imports.importVideo({ attributes })
-      videoImportId = body.id
-    }
+      await servers[0].imports.importVideo({ attributes, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+    })
 
-    await waitJobs(servers)
+    it('Should run filter:api.video.post-import-url.accept.result', async function () {
+      this.timeout(60000)
 
-    {
-      const body = await servers[0].imports.getMyVideoImports()
-      const videoImports = body.data
+      let videoImportId: number
 
-      const videoImport = videoImports.find(i => i.id === videoImportId)
+      {
+        const attributes = {
+          name: 'title with bad word',
+          privacy: VideoPrivacy.PUBLIC,
+          channelId: servers[0].store.channel.id,
+          targetUrl: FIXTURE_URLS.goodVideo
+        }
+        const body = await servers[0].imports.importVideo({ attributes })
+        videoImportId = body.id
+      }
 
-      expect(videoImport.state.id).to.equal(VideoImportState.REJECTED)
-      expect(videoImport.state.label).to.equal('Rejected')
-    }
-  })
+      await waitJobs(servers)
 
-  it('Should run filter:api.video.post-import-torrent.accept.result', async function () {
-    this.timeout(60000)
+      {
+        const body = await servers[0].imports.getMyVideoImports()
+        const videoImports = body.data
 
-    let videoImportId: number
+        const videoImport = videoImports.find(i => i.id === videoImportId)
 
-    {
-      const attributes = {
-        name: 'title with bad word',
-        privacy: VideoPrivacy.PUBLIC,
-        channelId: servers[0].store.channel.id,
-        torrentfile: 'video-720p.torrent' as any
+        expect(videoImport.state.id).to.equal(VideoImportState.REJECTED)
+        expect(videoImport.state.label).to.equal('Rejected')
       }
-      const body = await servers[0].imports.importVideo({ attributes })
-      videoImportId = body.id
-    }
+    })
 
-    await waitJobs(servers)
+    it('Should run filter:api.video.post-import-torrent.accept.result', async function () {
+      this.timeout(60000)
 
-    {
-      const { data: videoImports } = await servers[0].imports.getMyVideoImports()
+      let videoImportId: number
 
-      const videoImport = videoImports.find(i => i.id === videoImportId)
+      {
+        const attributes = {
+          name: 'title with bad word',
+          privacy: VideoPrivacy.PUBLIC,
+          channelId: servers[0].store.channel.id,
+          torrentfile: 'video-720p.torrent' as any
+        }
+        const body = await servers[0].imports.importVideo({ attributes })
+        videoImportId = body.id
+      }
 
-      expect(videoImport.state.id).to.equal(VideoImportState.REJECTED)
-      expect(videoImport.state.label).to.equal('Rejected')
-    }
-  })
+      await waitJobs(servers)
+
+      {
+        const { data: videoImports } = await servers[0].imports.getMyVideoImports()
+
+        const videoImport = videoImports.find(i => i.id === videoImportId)
 
-  it('Should run filter:api.video-thread.create.accept.result', async function () {
-    await servers[0].comments.createThread({
-      videoId: videoUUID,
-      text: 'comment with bad word',
-      expectedStatus: HttpStatusCode.FORBIDDEN_403
+        expect(videoImport.state.id).to.equal(VideoImportState.REJECTED)
+        expect(videoImport.state.label).to.equal('Rejected')
+      }
     })
   })
 
-  it('Should run filter:api.video-comment-reply.create.accept.result', async function () {
-    const created = await servers[0].comments.createThread({ videoId: videoUUID, text: 'thread' })
-    threadId = created.id
+  describe('Video comments accept', function () {
 
-    await servers[0].comments.addReply({
-      videoId: videoUUID,
-      toCommentId: threadId,
-      text: 'comment with bad word',
-      expectedStatus: HttpStatusCode.FORBIDDEN_403
+    it('Should run filter:api.video-thread.create.accept.result', async function () {
+      await servers[0].comments.createThread({
+        videoId: videoUUID,
+        text: 'comment with bad word',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
     })
-    await servers[0].comments.addReply({
-      videoId: videoUUID,
-      toCommentId: threadId,
-      text: 'comment with good word',
-      expectedStatus: HttpStatusCode.OK_200
+
+    it('Should run filter:api.video-comment-reply.create.accept.result', async function () {
+      const created = await servers[0].comments.createThread({ videoId: videoUUID, text: 'thread' })
+      threadId = created.id
+
+      await servers[0].comments.addReply({
+        videoId: videoUUID,
+        toCommentId: threadId,
+        text: 'comment with bad word',
+        expectedStatus: HttpStatusCode.FORBIDDEN_403
+      })
+      await servers[0].comments.addReply({
+        videoId: videoUUID,
+        toCommentId: threadId,
+        text: 'comment with good word',
+        expectedStatus: HttpStatusCode.OK_200
+      })
     })
-  })
 
-  it('Should run filter:api.video-threads.list.params', async function () {
-    const { data } = await servers[0].comments.listThreads({ videoId: videoUUID, start: 0, count: 0 })
+    it('Should run filter:activity-pub.remote-video-comment.create.accept.result on a thread creation', async function () {
+      this.timeout(30000)
 
-    // our plugin do +1 to the count parameter
-    expect(data).to.have.lengthOf(1)
-  })
+      await servers[1].comments.createThread({ videoId: videoUUID, text: 'comment with bad word' })
 
-  it('Should run filter:api.video-threads.list.result', async function () {
-    const { total } = await servers[0].comments.listThreads({ videoId: videoUUID, start: 0, count: 0 })
+      await waitJobs(servers)
 
-    // Plugin do +1 to the total result
-    expect(total).to.equal(2)
-  })
+      {
+        const thread = await servers[0].comments.listThreads({ videoId: videoUUID })
+        expect(thread.data).to.have.lengthOf(1)
+        expect(thread.data[0].text).to.not.include(' bad ')
+      }
+
+      {
+        const thread = await servers[1].comments.listThreads({ videoId: videoUUID })
+        expect(thread.data).to.have.lengthOf(2)
+      }
+    })
 
-  it('Should run filter:api.video-thread-comments.list.params')
+    it('Should run filter:activity-pub.remote-video-comment.create.accept.result on a reply creation', async function () {
+      this.timeout(30000)
 
-  it('Should run filter:api.video-thread-comments.list.result', async function () {
-    const thread = await servers[0].comments.getThread({ videoId: videoUUID, threadId })
+      const { data } = await servers[1].comments.listThreads({ videoId: videoUUID })
+      const threadIdServer2 = data.find(t => t.text === 'thread').id
 
-    expect(thread.comment.text.endsWith(' <3')).to.be.true
+      await servers[1].comments.addReply({
+        videoId: videoUUID,
+        toCommentId: threadIdServer2,
+        text: 'comment with bad word'
+      })
+
+      await waitJobs(servers)
+
+      {
+        const tree = await servers[0].comments.getThread({ videoId: videoUUID, threadId })
+        expect(tree.children).to.have.lengthOf(1)
+        expect(tree.children[0].comment.text).to.not.include(' bad ')
+      }
+
+      {
+        const tree = await servers[1].comments.getThread({ videoId: videoUUID, threadId: threadIdServer2 })
+        expect(tree.children).to.have.lengthOf(2)
+      }
+    })
   })
 
-  it('Should run filter:api.overviews.videos.list.{params,result}', async function () {
-    await servers[0].overviews.getVideos({ page: 1 })
+  describe('Video comments', function () {
+
+    it('Should run filter:api.video-threads.list.params', async function () {
+      const { data } = await servers[0].comments.listThreads({ videoId: videoUUID, start: 0, count: 0 })
+
+      // our plugin do +1 to the count parameter
+      expect(data).to.have.lengthOf(1)
+    })
 
-    // 3 because we get 3 samples per page
-    await servers[0].servers.waitUntilLog('Run hook filter:api.overviews.videos.list.params', 3)
-    await servers[0].servers.waitUntilLog('Run hook filter:api.overviews.videos.list.result', 3)
+    it('Should run filter:api.video-threads.list.result', async function () {
+      const { total } = await servers[0].comments.listThreads({ videoId: videoUUID, start: 0, count: 0 })
+
+      // Plugin do +1 to the total result
+      expect(total).to.equal(2)
+    })
+
+    it('Should run filter:api.video-thread-comments.list.params')
+
+    it('Should run filter:api.video-thread-comments.list.result', async function () {
+      const thread = await servers[0].comments.getThread({ videoId: videoUUID, threadId })
+
+      expect(thread.comment.text.endsWith(' <3')).to.be.true
+    })
+
+    it('Should run filter:api.overviews.videos.list.{params,result}', async function () {
+      await servers[0].overviews.getVideos({ page: 1 })
+
+      // 3 because we get 3 samples per page
+      await servers[0].servers.waitUntilLog('Run hook filter:api.overviews.videos.list.params', 3)
+      await servers[0].servers.waitUntilLog('Run hook filter:api.overviews.videos.list.result', 3)
+    })
   })
 
   describe('filter:video.auto-blacklist.result', function () {
diff --git a/server/tests/plugins/index.ts b/server/tests/plugins/index.ts
index 4534120fd..210af7236 100644
--- a/server/tests/plugins/index.ts
+++ b/server/tests/plugins/index.ts
@@ -8,5 +8,6 @@ import './plugin-router'
 import './plugin-storage'
 import './plugin-transcoding'
 import './plugin-unloading'
+import './plugin-websocket'
 import './translations'
 import './video-constants'
diff --git a/server/tests/plugins/plugin-helpers.ts b/server/tests/plugins/plugin-helpers.ts
index 955d7ddfd..31c18350a 100644
--- a/server/tests/plugins/plugin-helpers.ts
+++ b/server/tests/plugins/plugin-helpers.ts
@@ -83,6 +83,33 @@ describe('Test plugin helpers', function () {
     })
   })
 
+  describe('Socket', function () {
+
+    it('Should sendNotification without any exceptions', async () => {
+      const user = await servers[0].users.create({ username: 'notis_redding', password: 'secret1234?' })
+      await makePostBodyRequest({
+        url: servers[0].url,
+        path: '/plugins/test-four/router/send-notification',
+        fields: {
+          userId: user.id
+        },
+        expectedStatus: HttpStatusCode.CREATED_201
+      })
+    })
+
+    it('Should sendVideoLiveNewState without any exceptions', async () => {
+      const res = await servers[0].videos.quickUpload({ name: 'video server 1' })
+
+      await makePostBodyRequest({
+        url: servers[0].url,
+        path: '/plugins/test-four/router/send-video-live-new-state/' + res.uuid,
+        expectedStatus: HttpStatusCode.CREATED_201
+      })
+
+      await servers[0].videos.remove({ id: res.uuid })
+    })
+  })
+
   describe('Plugin', function () {
 
     it('Should get the base static route', async function () {
diff --git a/server/tests/plugins/plugin-websocket.ts b/server/tests/plugins/plugin-websocket.ts
new file mode 100644
index 000000000..adaa28b1d
--- /dev/null
+++ b/server/tests/plugins/plugin-websocket.ts
@@ -0,0 +1,70 @@
+/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
+
+import WebSocket from 'ws'
+import { cleanupTests, createSingleServer, PeerTubeServer, PluginsCommand, setAccessTokensToServers } from '@shared/server-commands'
+
+function buildWebSocket (server: PeerTubeServer, path: string) {
+  return new WebSocket('ws://' + server.host + path)
+}
+
+function expectErrorOrTimeout (server: PeerTubeServer, path: string, expectedTimeout: number) {
+  return new Promise<void>((res, rej) => {
+    const ws = buildWebSocket(server, path)
+    ws.on('error', () => res())
+
+    const timeout = setTimeout(() => res(), expectedTimeout)
+
+    ws.on('open', () => {
+      clearTimeout(timeout)
+
+      return rej(new Error('Connect did not timeout'))
+    })
+  })
+}
+
+describe('Test plugin websocket', function () {
+  let server: PeerTubeServer
+  const basePaths = [
+    '/plugins/test-websocket/ws/',
+    '/plugins/test-websocket/0.0.1/ws/'
+  ]
+
+  before(async function () {
+    this.timeout(30000)
+
+    server = await createSingleServer(1)
+    await setAccessTokensToServers([ server ])
+
+    await server.plugins.install({ path: PluginsCommand.getPluginTestPath('-websocket') })
+  })
+
+  it('Should not connect to the websocket without the appropriate path', async function () {
+    const paths = [
+      '/plugins/unknown/ws/',
+      '/plugins/unknown/0.0.1/ws/'
+    ]
+
+    for (const path of paths) {
+      await expectErrorOrTimeout(server, path, 1000)
+    }
+  })
+
+  it('Should not connect to the websocket without the appropriate sub path', async function () {
+    for (const path of basePaths) {
+      await expectErrorOrTimeout(server, path + '/unknown', 1000)
+    }
+  })
+
+  it('Should connect to the websocket and receive pong', function (done) {
+    const ws = buildWebSocket(server, basePaths[0])
+
+    ws.on('open', () => ws.send('ping'))
+    ws.on('message', data => {
+      if (data.toString() === 'pong') return done()
+    })
+  })
+
+  after(async function () {
+    await cleanupTests([ server ])
+  })
+})
diff --git a/server/tests/shared/actors.ts b/server/tests/shared/actors.ts
index f8f4a5137..41fd72e89 100644
--- a/server/tests/shared/actors.ts
+++ b/server/tests/shared/actors.ts
@@ -2,8 +2,6 @@
 
 import { expect } from 'chai'
 import { pathExists, readdir } from 'fs-extra'
-import { join } from 'path'
-import { root } from '@shared/core-utils'
 import { Account, VideoChannel } from '@shared/models'
 import { PeerTubeServer } from '@shared/server-commands'
 
@@ -31,11 +29,9 @@ async function expectAccountFollows (options: {
   return expectActorFollow({ ...options, data })
 }
 
-async function checkActorFilesWereRemoved (filename: string, serverNumber: number) {
-  const testDirectory = 'test' + serverNumber
-
+async function checkActorFilesWereRemoved (filename: string, server: PeerTubeServer) {
   for (const directory of [ 'avatars' ]) {
-    const directoryPath = join(root(), testDirectory, directory)
+    const directoryPath = server.getDirectoryPath(directory)
 
     const directoryExists = await pathExists(directoryPath)
     expect(directoryExists).to.be.true
diff --git a/server/tests/shared/directories.ts b/server/tests/shared/directories.ts
index c7065a767..90d534a06 100644
--- a/server/tests/shared/directories.ts
+++ b/server/tests/shared/directories.ts
@@ -2,22 +2,18 @@
 
 import { expect } from 'chai'
 import { pathExists, readdir } from 'fs-extra'
-import { join } from 'path'
-import { root } from '@shared/core-utils'
 import { PeerTubeServer } from '@shared/server-commands'
 
 async function checkTmpIsEmpty (server: PeerTubeServer) {
   await checkDirectoryIsEmpty(server, 'tmp', [ 'plugins-global.css', 'hls', 'resumable-uploads' ])
 
-  if (await pathExists(join('test' + server.internalServerNumber, 'tmp', 'hls'))) {
+  if (await pathExists(server.getDirectoryPath('tmp/hls'))) {
     await checkDirectoryIsEmpty(server, 'tmp/hls')
   }
 }
 
 async function checkDirectoryIsEmpty (server: PeerTubeServer, directory: string, exceptions: string[] = []) {
-  const testDirectory = 'test' + server.internalServerNumber
-
-  const directoryPath = join(root(), testDirectory, directory)
+  const directoryPath = server.getDirectoryPath(directory)
 
   const directoryExists = await pathExists(directoryPath)
   expect(directoryExists).to.be.true
diff --git a/server/tests/shared/live.ts b/server/tests/shared/live.ts
index 4bd4786fc..f165832fe 100644
--- a/server/tests/shared/live.ts
+++ b/server/tests/shared/live.ts
@@ -3,39 +3,95 @@
 import { expect } from 'chai'
 import { pathExists, readdir } from 'fs-extra'
 import { join } from 'path'
-import { LiveVideo } from '@shared/models'
-import { PeerTubeServer } from '@shared/server-commands'
+import { wait } from '@shared/core-utils'
+import { LiveVideo, VideoStreamingPlaylistType } from '@shared/models'
+import { ObjectStorageCommand, PeerTubeServer } from '@shared/server-commands'
+import { checkLiveSegmentHash, checkResolutionsInMasterPlaylist } from './streaming-playlists'
 
 async function checkLiveCleanup (server: PeerTubeServer, videoUUID: string, savedResolutions: number[] = []) {
-  let live: LiveVideo
-
-  try {
-    live = await server.live.get({ videoId: videoUUID })
-  } catch {}
-
   const basePath = server.servers.buildDirectory('streaming-playlists')
   const hlsPath = join(basePath, 'hls', videoUUID)
 
   if (savedResolutions.length === 0) {
+    return checkUnsavedLiveCleanup(server, videoUUID, hlsPath)
+  }
+
+  return checkSavedLiveCleanup(hlsPath, savedResolutions)
+}
+
+// ---------------------------------------------------------------------------
 
-    if (live?.permanentLive) {
-      expect(await pathExists(hlsPath)).to.be.true
+async function testVideoResolutions (options: {
+  originServer: PeerTubeServer
+  servers: PeerTubeServer[]
+  liveVideoId: string
+  resolutions: number[]
+  transcoded: boolean
+  objectStorage: boolean
+}) {
+  const { originServer, servers, liveVideoId, resolutions, transcoded, objectStorage } = options
 
-      const hlsFiles = await readdir(hlsPath)
-      expect(hlsFiles).to.have.lengthOf(1) // Only replays directory
+  for (const server of servers) {
+    const { data } = await server.videos.list()
+    expect(data.find(v => v.uuid === liveVideoId)).to.exist
 
-      const replayDir = join(hlsPath, 'replay')
-      expect(await pathExists(replayDir)).to.be.true
+    const video = await server.videos.get({ id: liveVideoId })
+    expect(video.streamingPlaylists).to.have.lengthOf(1)
 
-      const replayFiles = await readdir(join(hlsPath, 'replay'))
-      expect(replayFiles).to.have.lengthOf(0)
-    } else {
-      expect(await pathExists(hlsPath)).to.be.false
+    const hlsPlaylist = video.streamingPlaylists.find(s => s.type === VideoStreamingPlaylistType.HLS)
+    expect(hlsPlaylist).to.exist
+    expect(hlsPlaylist.files).to.have.lengthOf(0) // Only fragmented mp4 files are displayed
+
+    await checkResolutionsInMasterPlaylist({ server, playlistUrl: hlsPlaylist.playlistUrl, resolutions, transcoded })
+
+    if (objectStorage) {
+      expect(hlsPlaylist.playlistUrl).to.contain(ObjectStorageCommand.getPlaylistBaseUrl())
     }
 
-    return
+    for (let i = 0; i < resolutions.length; i++) {
+      const segmentNum = 3
+      const segmentName = `${i}-00000${segmentNum}.ts`
+      await originServer.live.waitUntilSegmentGeneration({ videoUUID: video.uuid, playlistNumber: i, segment: segmentNum })
+
+      const baseUrl = objectStorage
+        ? ObjectStorageCommand.getPlaylistBaseUrl() + 'hls'
+        : originServer.url + '/static/streaming-playlists/hls'
+
+      if (objectStorage) {
+        await originServer.live.waitUntilSegmentUpload({ playlistNumber: i, segment: segmentNum })
+        await wait(1000)
+
+        expect(hlsPlaylist.segmentsSha256Url).to.contain(ObjectStorageCommand.getPlaylistBaseUrl())
+      }
+
+      const subPlaylist = await originServer.streamingPlaylists.get({
+        url: `${baseUrl}/${video.uuid}/${i}.m3u8`,
+        withRetry: objectStorage // With object storage, the request may fail because of inconsistent data in S3
+      })
+
+      expect(subPlaylist).to.contain(segmentName)
+
+      await checkLiveSegmentHash({
+        server,
+        baseUrlSegment: baseUrl,
+        videoUUID: video.uuid,
+        segmentName,
+        hlsPlaylist
+      })
+    }
   }
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+  checkLiveCleanup,
+  testVideoResolutions
+}
 
+// ---------------------------------------------------------------------------
+
+async function checkSavedLiveCleanup (hlsPath: string, savedResolutions: number[] = []) {
   const files = await readdir(hlsPath)
 
   // fragmented file and playlist per resolution + master playlist + segments sha256 json file
@@ -56,6 +112,27 @@ async function checkLiveCleanup (server: PeerTubeServer, videoUUID: string, save
   expect(shaFile).to.exist
 }
 
-export {
-  checkLiveCleanup
+async function checkUnsavedLiveCleanup (server: PeerTubeServer, videoUUID: string, hlsPath: string) {
+  let live: LiveVideo
+
+  try {
+    live = await server.live.get({ videoId: videoUUID })
+  } catch {}
+
+  if (live?.permanentLive) {
+    expect(await pathExists(hlsPath)).to.be.true
+
+    const hlsFiles = await readdir(hlsPath)
+    expect(hlsFiles).to.have.lengthOf(1) // Only replays directory
+
+    const replayDir = join(hlsPath, 'replay')
+    expect(await pathExists(replayDir)).to.be.true
+
+    const replayFiles = await readdir(join(hlsPath, 'replay'))
+    expect(replayFiles).to.have.lengthOf(0)
+
+    return
+  }
+
+  expect(await pathExists(hlsPath)).to.be.false
 }
diff --git a/server/tests/shared/playlists.ts b/server/tests/shared/playlists.ts
index fdd541d20..8db303fd8 100644
--- a/server/tests/shared/playlists.ts
+++ b/server/tests/shared/playlists.ts
@@ -1,17 +1,14 @@
 import { expect } from 'chai'
 import { readdir } from 'fs-extra'
-import { join } from 'path'
-import { root } from '@shared/core-utils'
+import { PeerTubeServer } from '@shared/server-commands'
 
 async function checkPlaylistFilesWereRemoved (
   playlistUUID: string,
-  internalServerNumber: number,
+  server: PeerTubeServer,
   directories = [ 'thumbnails' ]
 ) {
-  const testDirectory = 'test' + internalServerNumber
-
   for (const directory of directories) {
-    const directoryPath = join(root(), testDirectory, directory)
+    const directoryPath = server.getDirectoryPath(directory)
 
     const files = await readdir(directoryPath)
     for (const file of files) {
diff --git a/server/tests/shared/streaming-playlists.ts b/server/tests/shared/streaming-playlists.ts
index 4d82b3654..eff34944b 100644
--- a/server/tests/shared/streaming-playlists.ts
+++ b/server/tests/shared/streaming-playlists.ts
@@ -26,7 +26,7 @@ async function checkSegmentHash (options: {
   const offset = parseInt(matches[2], 10)
   const range = `${offset}-${offset + length - 1}`
 
-  const segmentBody = await command.getSegment({
+  const segmentBody = await command.getFragmentedSegment({
     url: `${baseUrlSegment}/${videoName}`,
     expectedStatus: HttpStatusCode.PARTIAL_CONTENT_206,
     range: `bytes=${range}`
@@ -46,7 +46,7 @@ async function checkLiveSegmentHash (options: {
   const { server, baseUrlSegment, videoUUID, segmentName, hlsPlaylist } = options
   const command = server.streamingPlaylists
 
-  const segmentBody = await command.getSegment({ url: `${baseUrlSegment}/${videoUUID}/${segmentName}` })
+  const segmentBody = await command.getFragmentedSegment({ url: `${baseUrlSegment}/${videoUUID}/${segmentName}` })
   const shaBody = await command.getSegmentSha256({ url: hlsPlaylist.segmentsSha256Url })
 
   expect(sha256(segmentBody)).to.equal(shaBody[segmentName])
@@ -56,15 +56,16 @@ async function checkResolutionsInMasterPlaylist (options: {
   server: PeerTubeServer
   playlistUrl: string
   resolutions: number[]
+  transcoded?: boolean // default true
 }) {
-  const { server, playlistUrl, resolutions } = options
+  const { server, playlistUrl, resolutions, transcoded = true } = options
 
   const masterPlaylist = await server.streamingPlaylists.get({ url: playlistUrl })
 
   for (const resolution of resolutions) {
-    const reg = new RegExp(
-      '#EXT-X-STREAM-INF:BANDWIDTH=\\d+,RESOLUTION=\\d+x' + resolution + ',(FRAME-RATE=\\d+,)?CODECS="avc1.64001f,mp4a.40.2"'
-    )
+    const reg = transcoded
+      ? new RegExp('#EXT-X-STREAM-INF:BANDWIDTH=\\d+,RESOLUTION=\\d+x' + resolution + ',(FRAME-RATE=\\d+,)?CODECS="avc1.64001f,mp4a.40.2"')
+      : new RegExp('#EXT-X-STREAM-INF:BANDWIDTH=\\d+,RESOLUTION=\\d+x' + resolution + '')
 
     expect(masterPlaylist).to.match(reg)
   }
diff --git a/server/types/plugins/index.ts b/server/types/plugins/index.ts
index de30ff2ab..bf9c35d49 100644
--- a/server/types/plugins/index.ts
+++ b/server/types/plugins/index.ts
@@ -1,3 +1,4 @@
 export * from './plugin-library.model'
 export * from './register-server-auth.model'
 export * from './register-server-option.model'
+export * from './register-server-websocket-route.model'
diff --git a/server/types/plugins/register-server-option.model.ts b/server/types/plugins/register-server-option.model.ts
index fb4f12a4c..1e2bd830e 100644
--- a/server/types/plugins/register-server-option.model.ts
+++ b/server/types/plugins/register-server-option.model.ts
@@ -1,4 +1,5 @@
 import { Response, Router } from 'express'
+import { Server } from 'http'
 import { Logger } from 'winston'
 import { ActorModel } from '@server/models/actor/actor'
 import {
@@ -16,12 +17,13 @@ import {
   ThumbnailType,
   VideoBlacklistCreate
 } from '@shared/models'
-import { MUserDefault, MVideoThumbnail } from '../models'
+import { MUserDefault, MVideo, MVideoThumbnail, UserNotificationModelForApi } from '../models'
 import {
   RegisterServerAuthExternalOptions,
   RegisterServerAuthExternalResult,
   RegisterServerAuthPassOptions
 } from './register-server-auth.model'
+import { RegisterServerWebSocketRouteOptions } from './register-server-websocket-route.model'
 
 export type PeerTubeHelpers = {
   logger: Logger
@@ -83,15 +85,25 @@ export type PeerTubeHelpers = {
   }
 
   server: {
+    // PeerTube >= 5.0
+    getHTTPServer: () => Server
+
     getServerActor: () => Promise<ActorModel>
   }
 
+  socket: {
+    sendNotification: (userId: number, notification: UserNotificationModelForApi) => void
+    sendVideoLiveNewState: (video: MVideo) => void
+  }
+
   plugin: {
     // PeerTube >= 3.2
     getBaseStaticRoute: () => string
 
     // PeerTube >= 3.2
     getBaseRouterRoute: () => string
+    // PeerTube >= 5.0
+    getBaseWebSocketRoute: () => string
 
     // PeerTube >= 3.2
     getDataDirectoryPath: () => string
@@ -135,5 +147,12 @@ export type RegisterServerOptions = {
   //  * /plugins/:pluginName/router/...
   getRouter(): Router
 
+  // PeerTube >= 5.0
+  // Register WebSocket route
+  // Base routes of the WebSocket router are
+  //  * /plugins/:pluginName/:pluginVersion/ws/...
+  //  * /plugins/:pluginName/ws/...
+  registerWebSocketRoute: (options: RegisterServerWebSocketRouteOptions) => void
+
   peertubeHelpers: PeerTubeHelpers
 }
diff --git a/server/types/plugins/register-server-websocket-route.model.ts b/server/types/plugins/register-server-websocket-route.model.ts
new file mode 100644
index 000000000..edf64f66b
--- /dev/null
+++ b/server/types/plugins/register-server-websocket-route.model.ts
@@ -0,0 +1,8 @@
+import { IncomingMessage } from 'http'
+import { Duplex } from 'stream'
+
+export type RegisterServerWebSocketRouteOptions = {
+  route: string
+
+  handler: (request: IncomingMessage, socket: Duplex, head: Buffer) => any
+}