19 files changed, 132 insertions, 86 deletions
diff --git a/server/controllers/api/videos/token.ts b/server/controllers/api/videos/token.ts
index 009b6dfb6..22387c3e8 100644
--- a/server/controllers/api/videos/token.ts
+++ b/server/controllers/api/videos/token.ts
@@ -22,7 +22,7 @@ export {
 function generateToken (req: express.Request, res: express.Response) {
  const video = res.locals.onlyVideo
-  const { token, expires } = VideoTokensManager.Instance.create(video.uuid)
+  const { token, expires } = VideoTokensManager.Instance.create({ videoUUID: video.uuid, user: res.locals.oauth.token.User })
  return res.json({
    files: {
diff --git a/server/controllers/feeds.ts b/server/controllers/feeds.ts
index 772fe734d..ef810a842 100644
--- a/server/controllers/feeds.ts
+++ b/server/controllers/feeds.ts
@@ -285,8 +285,8 @@ function addVideosToFeed (feed: Feed, videos: VideoModel[]) {
      content: toSafeHtml(video.description),
      author: [
        {
-          name: video.VideoChannel.Account.getDisplayName(),
+          name: video.VideoChannel.getDisplayName(),
-          link: video.VideoChannel.Account.Actor.url
+          link: video.VideoChannel.Actor.url
        }
      ],
      date: video.publishedAt,
diff --git a/server/controllers/tracker.ts b/server/controllers/tracker.ts
index 19a8b2bc9..0ef98c35e 100644
--- a/server/controllers/tracker.ts
+++ b/server/controllers/tracker.ts
@@ -1,17 +1,22 @@
 import { Server as TrackerServer } from 'bittorrent-tracker'
 import express from 'express'
 import { createServer } from 'http'
+import LRUCache from 'lru-cache'
 import proxyAddr from 'proxy-addr'
 import { WebSocketServer } from 'ws'
-import { Redis } from '@server/lib/redis'
 import { logger } from '../helpers/logger'
 import { CONFIG } from '../initializers/config'
-import { TRACKER_RATE_LIMITS } from '../initializers/constants'
+import { LRU_CACHE, TRACKER_RATE_LIMITS } from '../initializers/constants'
 import { VideoFileModel } from '../models/video/video-file'
 import { VideoStreamingPlaylistModel } from '../models/video/video-streaming-playlist'
 const trackerRouter = express.Router()
+const blockedIPs = new LRUCache<string, boolean>({
+  max: LRU_CACHE.TRACKER_IPS.MAX_SIZE,
+  ttl: TRACKER_RATE_LIMITS.BLOCK_IP_LIFETIME
+})
 let peersIps = {}
 let peersIpInfoHash = {}
 runPeersChecker()
@@ -55,8 +60,7 @@ const trackerServer = new TrackerServer({
      // Close socket connection and block IP for a few time
      if (params.type === 'ws') {
-        Redis.Instance.setTrackerBlockIP(ip)
+        blockedIPs.set(ip, true)
-          .catch(err => logger.error('Cannot set tracker block ip.', { err }))
        // setTimeout to wait filter response
        setTimeout(() => params.socket.close(), 0)
@@ -102,20 +106,16 @@ function createWebsocketTrackerServer (app: express.Application) {
    if (request.url === '/tracker/socket') {
      const ip = proxyAddr(request, CONFIG.TRUST_PROXY)
-      Redis.Instance.doesTrackerBlockIPExist(ip)
+      if (blockedIPs.has(ip)) {
-        .then(result => {
+        logger.debug('Blocking IP %s from tracker.', ip)
-          if (result === true) {
-            logger.debug('Blocking IP %s from tracker.', ip)
-            socket.write('HTTP/1.1 403 Forbidden\r\n\r\n')
+        socket.write('HTTP/1.1 403 Forbidden\r\n\r\n')
-            socket.destroy()
+        socket.destroy()
-            return
+        return
-          }
+      }
-          // FIXME: typings
+      // FIXME: typings
-          return wss.handleUpgrade(request, socket as any, head, ws => wss.emit('connection', ws, request))
+      return wss.handleUpgrade(request, socket as any, head, ws => wss.emit('connection', ws, request))
-        })
-        .catch(err => logger.error('Cannot check if tracker block ip exists.', { err }))
    }
    // Don't destroy socket, we have Socket.IO too
diff --git a/server/helpers/custom-validators/misc.ts b/server/helpers/custom-validators/misc.ts
index 3dc5504e3..b3ab3ac64 100644
--- a/server/helpers/custom-validators/misc.ts
+++ b/server/helpers/custom-validators/misc.ts
@@ -103,7 +103,13 @@ function checkMimetypeRegex (fileMimeType: string, mimeTypeRegex: string) {
 // ---------------------------------------------------------------------------
 function toCompleteUUID (value: string) {
-  if (isShortUUID(value)) return shortToUUID(value)
+  if (isShortUUID(value)) {
+    try {
+      return shortToUUID(value)
+    } catch {
+      return null
+    }
+  }
  return value
 }
diff --git a/server/helpers/youtube-dl/youtube-dl-cli.ts b/server/helpers/youtube-dl/youtube-dl-cli.ts
index a2f630953..765038cea 100644
--- a/server/helpers/youtube-dl/youtube-dl-cli.ts
+++ b/server/helpers/youtube-dl/youtube-dl-cli.ts
@@ -6,6 +6,7 @@ import { VideoResolution } from '@shared/models'
 import { logger, loggerTagsFactory } from '../logger'
 import { getProxy, isProxyEnabled } from '../proxy'
 import { isBinaryResponse, peertubeGot } from '../requests'
+import { OptionsOfBufferResponseBody } from 'got/dist/source'
 const lTags = loggerTagsFactory('youtube-dl')
@@ -28,7 +29,16 @@ export class YoutubeDLCLI {
    logger.info('Updating youtubeDL binary from %s.', url, lTags())
-    const gotOptions = { context: { bodyKBLimit: 20_000 }, responseType: 'buffer' as 'buffer' }
+    const gotOptions: OptionsOfBufferResponseBody = {
+      context: { bodyKBLimit: 20_000 },
+      responseType: 'buffer' as 'buffer'
+    }
+    if (process.env.YOUTUBE_DL_DOWNLOAD_BEARER_TOKEN) {
+      gotOptions.headers = {
+        authorization: 'Bearer ' + process.env.YOUTUBE_DL_DOWNLOAD_BEARER_TOKEN
+      }
+    }
    try {
      let gotResult = await peertubeGot(url, gotOptions)
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 0e56f0c9f..ec5045078 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -781,6 +781,9 @@ const LRU_CACHE = {
  VIDEO_TOKENS: {
    MAX_SIZE: 100_000,
    TTL: parseDurationToMs('8 hours')
+  },
+  TRACKER_IPS: {
+    MAX_SIZE: 100_000
  }
 }
@@ -884,7 +887,7 @@ const TRACKER_RATE_LIMITS = {
  INTERVAL: 60000 * 5, // 5 minutes
  ANNOUNCES_PER_IP_PER_INFOHASH: 15, // maximum announces per torrent in the interval
  ANNOUNCES_PER_IP: 30, // maximum announces for all our torrents in the interval
-  BLOCK_IP_LIFETIME: 60000 * 3 // 3 minutes
+  BLOCK_IP_LIFETIME: parseDurationToMs('3 minutes')
 }
 const P2P_MEDIA_LOADER_PEER_VERSION = 2
diff --git a/server/lib/plugins/plugin-helpers-builder.ts b/server/lib/plugins/plugin-helpers-builder.ts
index 7b1def6e3..e75c0b994 100644
--- a/server/lib/plugins/plugin-helpers-builder.ts
+++ b/server/lib/plugins/plugin-helpers-builder.ts
@@ -245,7 +245,7 @@ function buildUserHelpers () {
    },
    getAuthUser: (res: express.Response) => {
-      const user = res.locals.oauth?.token?.User
+      const user = res.locals.oauth?.token?.User || res.locals.videoFileToken?.user
      if (!user) return undefined
      return UserModel.loadByIdFull(user.id)
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index c0e9aece7..451ddd0b6 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -8,7 +8,6 @@ import {
  AP_CLEANER,
  CONTACT_FORM_LIFETIME,
  RESUMABLE_UPLOAD_SESSION_LIFETIME,
-  TRACKER_RATE_LIMITS,
  TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME,
  USER_EMAIL_VERIFY_LIFETIME,
  USER_PASSWORD_CREATE_LIFETIME,
@@ -157,16 +156,6 @@ class Redis {
    return this.exists(this.generateIPViewKey(ip, videoUUID))
  }
-  /* ************ Tracker IP block ************ */
-  setTrackerBlockIP (ip: string) {
-    return this.setValue(this.generateTrackerBlockIPKey(ip), '1', TRACKER_RATE_LIMITS.BLOCK_IP_LIFETIME)
-  }
-  async doesTrackerBlockIPExist (ip: string) {
-    return this.exists(this.generateTrackerBlockIPKey(ip))
-  }
  /* ************ Video views stats ************ */
  addVideoViewStats (videoId: number) {
@@ -365,10 +354,6 @@ class Redis {
    return `views-${videoUUID}-${ip}`
  }
-  private generateTrackerBlockIPKey (ip: string) {
-    return `tracker-block-ip-${ip}`
-  }
  private generateContactFormKey (ip: string) {
    return 'contact-form-' + ip
  }
diff --git a/server/lib/sync-channel.ts b/server/lib/sync-channel.ts
index 10167ee38..3a805a943 100644
--- a/server/lib/sync-channel.ts
+++ b/server/lib/sync-channel.ts
@@ -76,7 +76,7 @@ export async function synchronizeChannel (options: {
    await JobQueue.Instance.createJobWithChildren(parent, children)
  } catch (err) {
-    logger.error(`Failed to import channel ${channel.name}`, { err })
+    logger.error(`Failed to import ${externalChannelUrl} in channel ${channel.name}`, { err })
    channelSync.state = VideoChannelSyncState.FAILED
    await channelSync.save()
  }
diff --git a/server/lib/video-tokens-manager.ts b/server/lib/video-tokens-manager.ts
index c43085d16..17aa29cdd 100644
--- a/server/lib/video-tokens-manager.ts
+++ b/server/lib/video-tokens-manager.ts
@@ -1,5 +1,7 @@
 import LRUCache from 'lru-cache'
 import { LRU_CACHE } from '@server/initializers/constants'
+import { MUserAccountUrl } from '@server/types/models'
+import { pick } from '@shared/core-utils'
 import { buildUUID } from '@shared/extra-utils'
 // ---------------------------------------------------------------------------
@@ -10,19 +12,22 @@ class VideoTokensManager {
  private static instance: VideoTokensManager
-  private readonly lruCache = new LRUCache<string, string>({
+  private readonly lruCache = new LRUCache<string, { videoUUID: string, user: MUserAccountUrl }>({
    max: LRU_CACHE.VIDEO_TOKENS.MAX_SIZE,
    ttl: LRU_CACHE.VIDEO_TOKENS.TTL
  })
  private constructor () {}
-  create (videoUUID: string) {
+  create (options: {
+    user: MUserAccountUrl
+    videoUUID: string
+  }) {
    const token = buildUUID()
    const expires = new Date(new Date().getTime() + LRU_CACHE.VIDEO_TOKENS.TTL)
-    this.lruCache.set(token, videoUUID)
+    this.lruCache.set(token, pick(options, [ 'user', 'videoUUID' ]))
    return { token, expires }
  }
@@ -34,7 +39,16 @@ class VideoTokensManager {
    const value = this.lruCache.get(options.token)
    if (!value) return false
-    return value === options.videoUUID
+    return value.videoUUID === options.videoUUID
+  }
+  getUserFromToken (options: {
+    token: string
+  }) {
+    const value = this.lruCache.get(options.token)
+    if (!value) return undefined
+    return value.user
  }
  static get Instance () {
diff --git a/server/middlewares/validators/shared/videos.ts b/server/middlewares/validators/shared/videos.ts
index ebbfc0a0a..0033a32ff 100644
--- a/server/middlewares/validators/shared/videos.ts
+++ b/server/middlewares/validators/shared/videos.ts
@@ -180,18 +180,16 @@ async function checkCanAccessVideoStaticFiles (options: {
    return checkCanSeeVideo(options)
  }
-  if (!video.hasPrivateStaticPath()) return true
  const videoFileToken = req.query.videoFileToken
-  if (!videoFileToken) {
+  if (videoFileToken && VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
-    res.sendStatus(HttpStatusCode.FORBIDDEN_403)
+    const user = VideoTokensManager.Instance.getUserFromToken({ token: videoFileToken })
-    return false
-  }
-  if (VideoTokensManager.Instance.hasToken({ token: videoFileToken, videoUUID: video.uuid })) {
+    res.locals.videoFileToken = { user }
    return true
  }
+  if (!video.hasPrivateStaticPath()) return true
  res.sendStatus(HttpStatusCode.FORBIDDEN_403)
  return false
 }
diff --git a/server/tests/api/check-params/redundancy.ts b/server/tests/api/check-params/redundancy.ts
index 908407b9a..73dfd489d 100644
--- a/server/tests/api/check-params/redundancy.ts
+++ b/server/tests/api/check-params/redundancy.ts
@@ -24,7 +24,7 @@ describe('Test server redundancy API validators', function () {
  // ---------------------------------------------------------------
  before(async function () {
-    this.timeout(80000)
+    this.timeout(160000)
    servers = await createMultipleServers(2)
diff --git a/server/tests/api/notifications/moderation-notifications.ts b/server/tests/api/notifications/moderation-notifications.ts
index b127a7a31..c7b9b5fb0 100644
--- a/server/tests/api/notifications/moderation-notifications.ts
+++ b/server/tests/api/notifications/moderation-notifications.ts
@@ -34,7 +34,7 @@ describe('Test moderation notifications', function () {
  let emails: object[] = []
  before(async function () {
-    this.timeout(120000)
+    this.timeout(50000)
    const res = await prepareNotificationsTest(3)
    emails = res.emails
@@ -60,7 +60,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should not send a notification to moderators on local abuse reported by an admin', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const name = 'video for abuse ' + buildUUID()
      const video = await servers[0].videos.upload({ token: userToken1, attributes: { name } })
@@ -72,7 +72,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on local video abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const name = 'video for abuse ' + buildUUID()
      const video = await servers[0].videos.upload({ token: userToken1, attributes: { name } })
@@ -84,7 +84,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on remote video abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const name = 'video for abuse ' + buildUUID()
      const video = await servers[0].videos.upload({ token: userToken1, attributes: { name } })
@@ -99,7 +99,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on local comment abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const name = 'video for abuse ' + buildUUID()
      const video = await servers[0].videos.upload({ token: userToken1, attributes: { name } })
@@ -118,7 +118,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on remote comment abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const name = 'video for abuse ' + buildUUID()
      const video = await servers[0].videos.upload({ token: userToken1, attributes: { name } })
@@ -140,7 +140,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on local account abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const username = 'user' + new Date().getTime()
      const { account } = await servers[0].users.create({ username, password: 'donald' })
@@ -153,7 +153,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a notification to moderators on remote account abuse', async function () {
-      this.timeout(20000)
+      this.timeout(50000)
      const username = 'user' + new Date().getTime()
      const tmpToken = await servers[0].users.generateUserAndToken(username)
@@ -512,10 +512,14 @@ describe('Test moderation notifications', function () {
    })
    it('Should not send video publish notification if auto-blacklisted', async function () {
+      this.timeout(120000)
      await checkVideoIsPublished({ ...userBaseParams, videoName, shortUUID, checkType: 'absence' })
    })
    it('Should not send a local user subscription notification if auto-blacklisted', async function () {
+      this.timeout(120000)
      await checkNewVideoFromSubscription({ ...adminBaseParamsServer1, videoName, shortUUID, checkType: 'absence' })
    })
@@ -524,7 +528,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should send video published and unblacklist after video unblacklisted', async function () {
-      this.timeout(40000)
+      this.timeout(120000)
      await servers[0].blacklist.remove({ videoId: uuid })
@@ -537,10 +541,14 @@ describe('Test moderation notifications', function () {
    })
    it('Should send a local user subscription notification after removed from blacklist', async function () {
+      this.timeout(120000)
      await checkNewVideoFromSubscription({ ...adminBaseParamsServer1, videoName, shortUUID, checkType: 'presence' })
    })
    it('Should send a remote user subscription notification after removed from blacklist', async function () {
+      this.timeout(120000)
      await checkNewVideoFromSubscription({ ...adminBaseParamsServer2, videoName, shortUUID, checkType: 'presence' })
    })
@@ -576,7 +584,7 @@ describe('Test moderation notifications', function () {
    })
    it('Should not send publish/subscription notifications after scheduled update if video still auto-blacklisted', async function () {
-      this.timeout(40000)
+      this.timeout(120000)
      // In 2 seconds
      const updateAt = new Date(new Date().getTime() + 2000)
diff --git a/server/tests/api/object-storage/video-static-file-privacy.ts b/server/tests/api/object-storage/video-static-file-privacy.ts
index 71ad35a43..869d437d5 100644
--- a/server/tests/api/object-storage/video-static-file-privacy.ts
+++ b/server/tests/api/object-storage/video-static-file-privacy.ts
@@ -120,7 +120,7 @@ describe('Object storage for video static file privacy', function () {
    // ---------------------------------------------------------------------------
    it('Should upload a private video and have appropriate object storage ACL', async function () {
-      this.timeout(60000)
+      this.timeout(120000)
      {
        const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.PRIVATE })
@@ -138,7 +138,7 @@ describe('Object storage for video static file privacy', function () {
    })
    it('Should upload a public video and have appropriate object storage ACL', async function () {
-      this.timeout(60000)
+      this.timeout(120000)
      const { uuid } = await server.videos.quickUpload({ name: 'video', privacy: VideoPrivacy.UNLISTED })
      await waitJobs([ server ])
diff --git a/server/tests/api/videos/video-channel-syncs.ts b/server/tests/api/videos/video-channel-syncs.ts
index 91291524d..dd483f95e 100644
--- a/server/tests/api/videos/video-channel-syncs.ts
+++ b/server/tests/api/videos/video-channel-syncs.ts
@@ -307,6 +307,7 @@ describe('Test channel synchronizations', function () {
    })
  }
-  runSuite('youtube-dl')
+  // FIXME: suite is broken with youtube-dl
+  // runSuite('youtube-dl')
  runSuite('yt-dlp')
 })
diff --git a/server/tests/feeds/feeds.ts b/server/tests/feeds/feeds.ts
index 906dab1a3..7345f728a 100644
--- a/server/tests/feeds/feeds.ts
+++ b/server/tests/feeds/feeds.ts
@@ -189,7 +189,7 @@ describe('Test syndication feeds', () => {
        const jsonObj = JSON.parse(json)
        expect(jsonObj.items.length).to.be.equal(1)
        expect(jsonObj.items[0].title).to.equal('my super name for server 1')
-        expect(jsonObj.items[0].author.name).to.equal('root')
+        expect(jsonObj.items[0].author.name).to.equal('Main root channel')
      }
      {
@@ -197,7 +197,7 @@ describe('Test syndication feeds', () => {
        const jsonObj = JSON.parse(json)
        expect(jsonObj.items.length).to.be.equal(1)
        expect(jsonObj.items[0].title).to.equal('user video')
-        expect(jsonObj.items[0].author.name).to.equal('john')
+        expect(jsonObj.items[0].author.name).to.equal('Main john channel')
      }
      for (const server of servers) {
@@ -223,7 +223,7 @@ describe('Test syndication feeds', () => {
        const jsonObj = JSON.parse(json)
        expect(jsonObj.items.length).to.be.equal(1)
        expect(jsonObj.items[0].title).to.equal('my super name for server 1')
-        expect(jsonObj.items[0].author.name).to.equal('root')
+        expect(jsonObj.items[0].author.name).to.equal('Main root channel')
      }
      {
@@ -231,7 +231,7 @@ describe('Test syndication feeds', () => {
        const jsonObj = JSON.parse(json)
        expect(jsonObj.items.length).to.be.equal(1)
        expect(jsonObj.items[0].title).to.equal('user video')
-        expect(jsonObj.items[0].author.name).to.equal('john')
+        expect(jsonObj.items[0].author.name).to.equal('Main john channel')
      }
      for (const server of servers) {
diff --git a/server/tests/fixtures/peertube-plugin-test/main.js b/server/tests/fixtures/peertube-plugin-test/main.js
index 19dccf26e..19ba9f278 100644
--- a/server/tests/fixtures/peertube-plugin-test/main.js
+++ b/server/tests/fixtures/peertube-plugin-test/main.js
@@ -250,7 +250,10 @@ async function register ({ registerHook, registerSetting, settingsManager, stora
  registerHook({
    target: 'filter:api.download.video.allowed.result',
-    handler: (result, params) => {
+    handler: async (result, params) => {
+      const loggedInUser = await peertubeHelpers.user.getAuthUser(params.res)
+      if (loggedInUser) return { allowed: true }
      if (params && !params.streamingPlaylist && params.video.name.includes('bad file')) {
        return { allowed: false, errorMessage: 'Cao Cao' }
      }
diff --git a/server/tests/plugins/filter-hooks.ts b/server/tests/plugins/filter-hooks.ts
index 083fd43ca..6724b3bf8 100644
--- a/server/tests/plugins/filter-hooks.ts
+++ b/server/tests/plugins/filter-hooks.ts
@@ -430,6 +430,7 @@ describe('Test plugin filter hooks', function () {
  describe('Download hooks', function () {
    const downloadVideos: VideoDetails[] = []
+    let downloadVideo2Token: string
    before(async function () {
      this.timeout(120000)
@@ -459,6 +460,8 @@ describe('Test plugin filter hooks', function () {
      for (const uuid of uuids) {
        downloadVideos.push(await servers[0].videos.get({ id: uuid }))
      }
+      downloadVideo2Token = await servers[0].videoToken.getVideoFileToken({ videoId: downloadVideos[2].uuid })
    })
    it('Should run filter:api.download.torrent.allowed.result', async function () {
@@ -471,32 +474,42 @@ describe('Test plugin filter hooks', function () {
    it('Should run filter:api.download.video.allowed.result', async function () {
      {
-        const res = await makeRawRequest({ url: downloadVideos[1].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        const refused = downloadVideos[1].files[0].fileDownloadUrl
+        const allowed = [
+          downloadVideos[0].files[0].fileDownloadUrl,
+          downloadVideos[2].files[0].fileDownloadUrl
+        ]
+        const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
        expect(res.body.error).to.equal('Cao Cao')
-        await makeRawRequest({ url: downloadVideos[0].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 })
+        for (const url of allowed) {
-        await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 })
+          await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
+          await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
+        }
      }
      {
-        const res = await makeRawRequest({
+        const refused = downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl
-          url: downloadVideos[2].streamingPlaylists[0].files[0].fileDownloadUrl,
-          expectedStatus: HttpStatusCode.FORBIDDEN_403
-        })
-        expect(res.body.error).to.equal('Sun Jian')
+        const allowed = [
+          downloadVideos[2].files[0].fileDownloadUrl,
+          downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl,
+          downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl
+        ]
-        await makeRawRequest({ url: downloadVideos[2].files[0].fileDownloadUrl, expectedStatus: HttpStatusCode.OK_200 })
+        // Only streaming playlist is refuse
+        const res = await makeRawRequest({ url: refused, expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+        expect(res.body.error).to.equal('Sun Jian')
-        await makeRawRequest({
+        // But not we there is a user in res
-          url: downloadVideos[0].streamingPlaylists[0].files[0].fileDownloadUrl,
+        await makeRawRequest({ url: refused, token: servers[0].accessToken, expectedStatus: HttpStatusCode.OK_200 })
-          expectedStatus: HttpStatusCode.OK_200
+        await makeRawRequest({ url: refused, query: { videoFileToken: downloadVideo2Token }, expectedStatus: HttpStatusCode.OK_200 })
-        })
-        await makeRawRequest({
+        // Other files work
-          url: downloadVideos[1].streamingPlaylists[0].files[0].fileDownloadUrl,
+        for (const url of allowed) {
-          expectedStatus: HttpStatusCode.OK_200
+          await makeRawRequest({ url, expectedStatus: HttpStatusCode.OK_200 })
-        })
+        }
      }
    })
  })
diff --git a/server/types/express.d.ts b/server/types/express.d.ts
index 3738ffc47..99244d2a0 100644
--- a/server/types/express.d.ts
+++ b/server/types/express.d.ts
@@ -10,6 +10,7 @@ import {
  MChannelBannerAccountDefault,
  MChannelSyncChannel,
  MStreamingPlaylist,
+  MUserAccountUrl,
  MVideoChangeOwnershipFull,
  MVideoFile,
  MVideoFormattableDetails,
@@ -187,6 +188,10 @@ declare module 'express' {
        actor: MActorAccountChannelId
      }
+      videoFileToken?: {
+        user: MUserAccountUrl
+      }
      authenticated?: boolean
      registeredPlugin?: RegisteredPlugin