diff serve-files.js @ 49:1bd17c2e5517 default tip

video.py must sign video urls for serve-files.js to serve them
author drewp@bigasterisk.com
date Fri, 06 Dec 2024 17:13:51 -0800
parents ed16fdbb3996
children
--- a/serve-files.js	Fri Dec 06 14:20:11 2024 -0800
+++ b/serve-files.js	Fri Dec 06 17:13:51 2024 -0800
@@ -1,13 +1,38 @@
 const express = require('express')
-const serveIndex = require('serve-index')
+const decodeSig = async (sig) => {
+    const { decodeSig } = await import('./signature_decode.mjs');
+    return decodeSig(sig);
+};
+const app = express()
 
-const app = express()
+async function checkSig(sig, user, reqPath) {
+    const msg = await decodeSig(sig);
+    if (msg[0] !== user) {
+        throw new Error('user mismatch ' + msg[0] + ' ' + user);
+    }
+    if (msg[1] !== reqPath) {
+        throw new Error('path mismatch');
+    }
+    const now = new Date() / 1000;
+    if (msg[2] < now) {
+        throw new Error('expired');
+    }
+}
+
 
 // e.g. /video/files/video-download/movie1/part1.webm
-
 app.use('/video/files',
+    async (req, res, next) => {
+        try {
+            await checkSig(req.query.sig || '', req.headers['x-pomerium-email'], req.path);
+        } catch (e) {
+            console.error(e);
+            res.status(403).send('403 Forbidden');
+            return;
+        }
+        next();
+    },
     express.static('/data'), // serves file content
-    serveIndex('/data', { 'icons': true }) // serves dir listings
 )
 
-app.listen(8003)
\ No newline at end of file
+app.listen(8003)
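Review bot: The expiry test in checkSig, `if (msg[2] < now)`, fails open when `msg[2]` is missing or not a number, because `undefined < now` and `NaN < now` are both false and the signature is then treated as unexpired. What `decodeSig` returns is not visible in this hunk, so signature_decode.mjs may already guarantee a numeric timestamp, but a local guard is cheap: `if (typeof msg[2] !== 'number' || !(msg[2] >= now)) throw new Error('expired');`. The inputs deserve the same treatment: `req.headers['x-pomerium-email']` is `undefined` when the header is absent, and Express parses a repeated `sig` parameter as an array, so rejecting a non-string `user` or `sig` before calling `decodeSig` keeps both comparisons between known strings. Separately, the 'user mismatch' error writes both email addresses to the log via `console.error(e)`; consider whether that is wanted in this service's logs.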