Force Login Plugin

newbedeveloper · September 14, 2021, 11:30am

Hi there @Chocobozzz & @JohnLivingston ,

I am developing a plugin to restrict all the content for unauthorized users including the various pages public, private and internal videos so that only the authorized user will be able to use PeerTube as regular. In order to verify authorization, the access_token from LocalStorage (Browser) is used. And to redirect unauthorized user to the login page i have used the client hook

'action:router:navigation-end'

I have already developed this pluginand tested it in local environment. I works as expected. So, if I can get more insights regarding this, then it will be a lot helpful.

JohnLivingston · September 14, 2021, 12:11pm

Have you a public repository where we can see the code?

newbedeveloper · September 15, 2021, 9:46am

Of course Sir, Here is my code repository. Smile Kisan / peertube-plugin-force-login · GitLab

newbedeveloper · September 14, 2021, 3:42pm

@Chocobozzz & @JohnLivingston
I have tested the above plugin in my local development environment. For the production, I have used the v3.4.0 docker image of PeerTube and I would like to test this plugin in my production server before publishing in NPM package. Can you please share some info how can i test this sample plugin in the production server without publishing it.

JohnLivingston · September 14, 2021, 4:54pm

I’m a bit in a hurry, so short answer:

rsync -az --delete-after /home/john/dev/peertube-plugin-livechat/ your.peertube.server.tld:/tmp/peertube-plugin-livechat/
ssh your.peertube.server.tld 'cd /home/john/PeerTube/ && node ./dist/server/tools/peertube.js plugins uninstall --npm-name peertube-plugin-livechat'
ssh your.peertube.server.tld 'cd /home/john/PeerTube/ && node ./dist/server/tools/peertube.js plugins install --path /tmp/peertube-plugin-livechat/'

pre requisite: having the peertube cli installed in the folder /home/john/Peertube of your server (of course, replace «john» by your user name).
And you have to authenticate the cli on your instance (check the documentation)

newbedeveloper · September 15, 2021, 6:35am

@JohnLivingston , I have deployed the PeerTube using the Docker image from official site. Is there any way i can check the local plugin in peertube production released using Docker image?

JohnLivingston · September 16, 2021, 3:21pm

I don’t know. I’m not using Docker, and I don’t know how it works.

JohnLivingston · September 16, 2021, 3:28pm

I just checked your plugin code. You have to be aware that this plugin is not really secure:

it does not check that the token is valid. So a user can add manually a random token in local storage to bypass the plugin verification
the verification is on front-end, it can be bypassed if using debugging tools
verification happens to late. All API call will be done, and data will be available in debuggin tools.
API are not protected, so it can still be possible to do API call to retrieve data and videos
video can be downloaded by guessing their links
mobile applications will still be able to browser your instance (because they use only API call, and not the front-end code)
and probably many more

I think a better approach would be to force the setting «privacy» to «internal» for all videos.