Need to implement a token validator which can be run in Openresty to validate that a HMAC token provided as part of the URL is valid.
The tokens are minted by the script created in VID-11
and are a SHA256 HMAC generated based upon a string comprised of the following
To be considered valid:
- The token must not have expired (i.e. os.time()
- The HMAC should validate (i.e. we can regenerate the same string using the secret)
Variables used to supply the token in a request (as per VID-10
) are t
(token) and e
(expiry) in the querystring.
Once the basic functionality is in place, want to look at improving so that a token can be used for segments too (currently we can only force protection for master manifests, otherwise playback would fail). That'll likely involve using dirname
on the path when minting a token, and then adjusting the validator to push the token into a cookie (or similar). That can be dealt with properly later - the prime concern currently being to ensure VID-11
tokens can be used - but should be kept in mind.