##########################################################################################
VID-13: Issue and validate tokens against containing directory not specific file
##########################################################################################

Issue Type: Improvement
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2019-04-18 18:10:13)

Project: Videos.bentasker.co.uk (VID)
Reported By: btasker
Assigned To: btasker

Components:
- Authentication

Targeted for fix in version:
- v0.14

Time Estimate: 0 minutes
Time Logged: 0 minutes
-----------------------------------------------------------------------------------------

Issue Description
==================

Need to adjust the token minter so that it runs a LUA equivalent of `dirname` against the value of `vidpath` when minting a token. Need to do the same to the validator.

The aim being that when a request is received for a token for `foo/bar.m3u8` it should also be considered valid for anything else in that directory (like `foo/segment1.ts`)

The validator will also need adjusting to push a token (once it's been authenticated) into a cookie so that it'll be supplied alongside segment requests. The name of that cookie should be derived from the playback path so that playback will still work if there are multiple players embedded on the same page.
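
Added example, not part of the original issue or the project's code: a Python sketch (the project's minter and validator are Lua) of the directory-scoped minting, validation and cookie naming described above. The HMAC-SHA256 construction, the secret, the expiry field, the path normalisation and the `vidtok_` cookie prefix are all assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath

SECRET = b"constructed-demo-secret"  # assumption: shared by minter and validator


def token_scope(path):
    """dirname equivalent: the directory containing the requested file."""
    # Normalise first (assumption) so "/foo/./x.ts" and "/foo/x.ts" agree.
    return posixpath.dirname(posixpath.normpath("/" + path.lstrip("/")))


def mint(vidpath, expires):
    """Hashed token bound to the containing directory and an expiry time."""
    msg = "{}|{}".format(token_scope(vidpath), expires).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def validate(uri, token, expires, now):
    """True if the token was minted for the directory that holds uri."""
    if now >= expires:
        return False
    return hmac.compare_digest(mint(uri, expires), token)


def cookie_name(uri):
    """Name derived from the playback directory, one cookie per player."""
    return "vidtok_" + hashlib.sha256(token_scope(uri).encode()).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample paths and timestamps.
    tok = mint("foo/bar.m3u8", expires=2000)
    for uri in ("/foo/segment1.ts", "/foo/bar/foo.ts", "/other/segment1.ts"):
        print(uri, validate(uri, tok, 2000, now=1000), cookie_name(uri))
```

Because the hash covers only the immediate parent directory, a token minted for `foo/bar.m3u8` validates for `foo/segment1.ts` but not for anything in a subdirectory of `foo`.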
-----------------------------------------------------------------------------------------

Issue Relations
================

- relates to VID-12: Token Checker
- relates to VID-11: Token Minter

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2019-04-18 16:33:45 btasker
-----------------------------------------------------------------------------------------
As described in VID-12

-- BEGIN QUOTE --
So, in order to allow token enforcement against segments and submanifests, I think the best way is to make a few (relatively small) changes

- The VID-11 token minter should run the equivalent of dirname on vidpath so that the token is minted against the container directory
- The validator should do the same with uri
- Once a token has been successfully validated from the query string, it should be pushed to the client in a cookie
-- To avoid breaking multi-player support, the cookie name should be derived from the path (so that multiple playback urls have distinct cookie names)

The token auth won't recurse down through directories (i.e. if the token is issued for /foo/foo.m3u8 it can be used for /foo/foo.ts but not /foo/bar/foo.ts), but the only way around that would be to either walk down the tree of uri in the validator, or to use a packed rather than a hashed token.

As this will require changes to be made to both the VID-11 code and this code, I'll raise a new issue to cover the changes so that comments don't need to be duplicated between.

That'll be VID-13
-- END QUOTE --

-----------------------------------------------------------------------------------------
2019-04-18 16:43:45 git
-----------------------------------------------------------------------------------------
-- BEGIN QUOTE --
Repo: videos.bentasker.co.uk
Host:Rimmer

commit 8853869ef458bbb260f4d6f1fc884437b24b9db1
Author: B Tasker