VID-13: Issue and validate tokens against containing directory not specific file



Issue Information

Issue Type: Improvement
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Videos.bentasker.co.uk (VID)
Resolution: Done (2019-04-18 18:10:13)
Target version: v0.14
Components: Authentication

Created: 2019-04-18 16:32:14

Description
Need to adjust the token minter so that it runs a Lua equivalent of `dirname` against the value of `vidpath` when minting a token.

Need to do the same to the validator.

The aim being that when a request is received for a token for `foo/bar.m3u8` it should also be considered valid for anything else in that directory (like `foo/segment1.ts`).

The validator will also need adjusting to push a token (once it's been authenticated) into a cookie so that it'll be supplied alongside segment requests.

The name of that cookie should be derived from the playback path so that playback will still work if there are multiple players embedded on the same page.


Activity


As described in VID-12
So, in order to allow token enforcement against segments and submanifests, I think the best way is to make a few (relatively small) changes

- The VID-11 token minter should run the equivalent of dirname on vidpath so that the token is minted against the container directory
- The validator should do the same with uri
- Once a token has been successfully validated from the query string, it should be pushed to the client in a cookie
-- To avoid breaking multi-player support, the cookie name should be derived from the path (so that multiple playback urls have distinct cookie names)

The token auth won't recurse down through directories (i.e. if the token is issued for /foo/foo.m3u8 it can be used for /foo/foo.ts but not /foo/bar/foo.ts), but the only way around that would be to either walk down the tree of uri in the validator, or to use a packed rather than a hashed token.

As this will require changes to be made to both the VID-11 code and this code, I'll raise a new issue to cover the changes so that comments don't need to be duplicated between.

That'll be VID-13
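The scheme described above, sketched as an added example (not the project's Lua code from `token_gen.lua` / `token_validate.lua`). The HMAC-SHA256 construction, the expiry field, the path normalisation, the `vidtoken_` cookie prefix and all function names are assumptions made for illustration; the page only states that the token is hashed and bound to the containing directory.

```python
import hashlib
import hmac
import posixpath

SECRET = b"constructed-demo-secret"  # constructed value, not from the project

def scope_dir(path: str) -> str:
    """dirname equivalent; normalise first so '..' cannot widen the scope."""
    clean = posixpath.normpath("/" + path.lstrip("/"))
    return posixpath.dirname(clean)

def mint(vidpath: str, expires: int) -> str:
    """Bind the token to the containing directory plus an expiry (assumed format)."""
    msg = f"{scope_dir(vidpath)}:{expires}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires}:{sig}"

def validate(uri: str, token: str, now: int) -> bool:
    """Recompute the hash over dirname(uri); reject expired or mismatched tokens."""
    try:
        expires_s, sig = token.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    msg = f"{scope_dir(uri)}:{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())

def cookie_name(uri: str) -> str:
    """Per-directory cookie name so two players on one page do not collide."""
    digest = hashlib.sha256(scope_dir(uri).encode()).hexdigest()[:16]
    return "vidtoken_" + digest

def handle(uri, query_token, cookies, now):
    """Accept a token from the query string or the path-derived cookie.
    Returns (allowed, cookies_to_set)."""
    name = cookie_name(uri)
    if query_token and validate(uri, query_token, now):
        return True, {name: query_token}  # push the validated token to the client
    if name in cookies and validate(uri, cookies[name], now):
        return True, {}
    return False, {}
```

Because the hash covers only the immediate parent directory, a token minted for `/foo/foo.m3u8` fails for `/foo/bar/foo.ts`, matching the non-recursion noted in the comment.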
Repo: videos.bentasker.co.uk
Host:Rimmer

commit 8853869ef458bbb260f4d6f1fc884437b24b9db1
Author: B Tasker <github@<Domain Hidden>>
Date: Thu Apr 18 16:41:42 2019 +0100

Commit Message: VID-13 use containing directory name rather than full path in token minting and validation

resources/tokenisation/minter/token_gen.lua | 9 ++++++++-
resources/tokenisation/minter/token_validate.lua | 10 +++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)


Repo: videos.bentasker.co.uk
Host:Rimmer

commit aa4e76262ee4ab1ea2eef9c91e69a2f5db9b3e08
Author: B Tasker <github@<Domain Hidden>>
Date: Thu Apr 18 17:45:50 2019 +0100

Commit Message: VID-13 Push tokens into a cookie, and accept them from there

resources/tokenisation/minter/token_validate.lua | 56 +++++++++++++++++++++-
1 files changed, 54 insertions(+), 2 deletions(-)


Have just done a live test by temporarily enabling token enforcement, and then attempting playback with the test player.

Playback of HLS works just fine.

I'm ready to mark this, and related issues, as complete, though don't want to enable enforcement in production for a reasonable amount of time. Do need to do a release, however, so that there's a version of the embed script that supports acquiring tokens (VID-10) in place well in advance of turning tokens on.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'