From 04171af3e34ed5a09b4497d0713067ddc1885b4c Mon Sep 17 00:00:00 2001
From: Zoe Roux
Date: Sun, 2 Nov 2025 18:37:07 +0100
Subject: [PATCH] Require `core.play` to play videos in gocoder
---
 transcoder/main.go | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/transcoder/main.go b/transcoder/main.go
index 84de3650..4601c10a 100644
--- a/transcoder/main.go
+++ b/transcoder/main.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "slices"
 _ "github.com/zoriya/kyoo/transcoder/docs"
@@ -37,6 +38,35 @@ func ErrorHandler(err error, c echo.Context) {
 }{Errors: []string{message}})
 }
+func RequireCorePlayPermission(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ user := c.Get("user")
+ if user == nil {
+ return echo.NewHTTPError(http.StatusForbidden, "missing jwt")
+ }
+ token, ok := user.(*jwt.Token)
+ if !ok {
+ return echo.NewHTTPError(http.StatusForbidden, "invalid jwt")
+ }
+ claims, ok := token.Claims.(jwt.MapClaims)
+ if !ok {
+ return echo.NewHTTPError(http.StatusForbidden, "invalid jwt claims")
+ }
+ permissions, ok := claims["permissions"]
+ if !ok {
+ return echo.NewHTTPError(http.StatusForbidden, "missing permissions claim")
+ }
+ perms, ok := permissions.([]any)
+ if !ok {
+ return echo.NewHTTPError(http.StatusForbidden, "permissions claim is not an array")
+ }
+ if !slices.Contains(perms, "core.play") {
+ return echo.NewHTTPError(http.StatusForbidden, "missing core.play permission")
+ }
+ return next(c)
+ }
+}
+
 // @title gocoder - Kyoo's transcoder
 // @version 1.0
 // @description Real time transcoder.
@@ -103,7 +133,7 @@ func main() {
 return nil, fmt.Errorf("unable to find key %q", kid)
 }
- var pubkey interface{}
+ var pubkey any
 if err := jwk.Export(key, &pubkey); err != nil {
 return nil, fmt.Errorf("Unable to get the public key. Error: %s", err.Error())
 }
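Review bot: RequireCorePlayPermission is exported but has no doc comment, and the trust assumption it depends on is not written down: it takes the token from `c.Get("user")` and reads its claims without verifying anything itself, so it is only sound when mounted after the middleware that validates the signature. I would add `// RequireCorePlayPermission rejects requests whose already-verified JWT lacks "core.play" in its "permissions" claim; it must run after the JWT middleware that stores the token under "user".` Every failure path returns 403, so the check fails closed, though the "missing jwt" case could arguably be `http.StatusUnauthorized` since no identity was presented. The claim and permission names are string literals here; named constants would keep them in step with whatever issues the token.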
@@ -111,6 +141,8 @@ func main() {
 return pubkey, nil
 },
 }))
+
+ g.Use(RequireCorePlayPermission)
 }
 api.RegisterStreamHandlers(g, transcoder)
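Review bot: `g.Use(RequireCorePlayPermission)` is added inside the block that closes on the following line, so the permission check is installed only on the same path that installs the JWT middleware. The condition guarding that block is outside the hunk, but if it can be false, the routes set up by `api.RegisterStreamHandlers(g, transcoder)` would be served with neither authentication nor the `core.play` check. If that is intended for deployments without auth, a comment on the other path such as `// auth disabled: stream routes are served without a permission check` would make it explicit; otherwise consider refusing to start. main's body starts and ends outside the hunk.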