Force Login Plugin

Hi there @Chocobozzz & @JohnLivingston ,

I am developing a plugin to restrict all the content for unauthorized users, including the various pages and public, private and internal videos, so that only authorized users will be able to use PeerTube as usual. In order to verify authorization, the access_token from LocalStorage (Browser) is used. And to redirect unauthorized users to the login page I have used the client hook

'action:router:navigation-end'

I have already developed this plugin and tested it in my local environment. It works as expected. So, if I can get more insights regarding this, it will be very helpful.

Have you a public repository where we can see the code?

Of course Sir, here is my code repository: Smile Kisan / peertube-plugin-force-login · GitLab

@Chocobozzz & @JohnLivingston
I have tested the above plugin in my local development environment. For production, I have used the v3.4.0 Docker image of PeerTube, and I would like to test this plugin on my production server before publishing it as an NPM package. Can you please share some info on how I can test this sample plugin on the production server without publishing it?

I’m a bit in a hurry, so short answer:

rsync -az --delete-after /home/john/dev/peertube-plugin-livechat/ your.peertube.server.tld:/tmp/peertube-plugin-livechat/
ssh your.peertube.server.tld 'cd /home/john/PeerTube/ && node ./dist/server/tools/peertube.js plugins uninstall --npm-name peertube-plugin-livechat'
ssh your.peertube.server.tld 'cd /home/john/PeerTube/ && node ./dist/server/tools/peertube.js plugins install --path /tmp/peertube-plugin-livechat/'

Prerequisite: having the PeerTube CLI installed in the folder /home/john/PeerTube of your server (of course, replace «john» by your user name).
And you have to authenticate the CLI on your instance (check the documentation).

@JohnLivingston, I have deployed PeerTube using the Docker image from the official site. Is there any way I can check the local plugin in a PeerTube production release using the Docker image?

I don’t know. I’m not using Docker, and I don’t know how it works.

I just checked your plugin code. You have to be aware that this plugin is not really secure:

  • it does not check that the token is valid. So a user can manually add a random token in local storage to bypass the plugin verification
  • the verification is on the front-end, so it can be bypassed using debugging tools
  • verification happens too late. All API calls will be done, and data will be available in debugging tools.
  • APIs are not protected, so it can still be possible to make API calls to retrieve data and videos
  • videos can be downloaded by guessing their links
  • mobile applications will still be able to browse your instance (because they use only API calls, and not the front-end code)
  • and probably many more

I think a better approach would be to force the setting «privacy» to «internal» for all videos.
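
An added sketch, not part of the thread and not PeerTube or plugin code, contrasting the presence-only client check described in the review with a server-side gate that validates the token before any handler runs. All function names, the token store and the sample tokens are hypothetical and constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not PeerTube or plugin code.

// Client-side style check as described in the thread: it only asks whether
// *something* is stored under access_token, never whether it is valid.
function presenceOnlyCheck(storage) {
  return Boolean(storage.access_token);
}

// Server-side token store (constructed sample data): token -> { user, expiresAt }.
const issuedTokens = new Map([
  ['tok-alice-constructed', { user: 'alice', expiresAt: 2000 }],
  ['tok-bob-constructed', { user: 'bob', expiresAt: 500 }],
]);

// Server-side gate: runs before every handler (pages, API routes, video files),
// so nothing is sent to a caller whose token has not been verified.
// req.path is deliberately ignored: the gate applies to all routes alike.
function gateRequest(req, now) {
  const header = req.headers.authorization || '';
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match) return { status: 401, reason: 'missing token' };
  const entry = issuedTokens.get(match[1]);
  if (!entry) return { status: 401, reason: 'unknown token' };
  if (entry.expiresAt <= now) return { status: 401, reason: 'expired token' };
  return { status: 200, user: entry.user };
}

// Constructed requests, evaluated at time now = 1000.
function demo() {
  const now = 1000;
  const path = '/api/v1/videos';
  const madeUp = 'random-string-in-local-storage';
  const bearer = (t) => ({ path, headers: { authorization: `Bearer ${t}` } });
  return {
    clientAcceptsMadeUp: presenceOnlyCheck({ access_token: madeUp }),
    apiMadeUp: gateRequest(bearer(madeUp), now).status,
    apiAnonymous: gateRequest({ path, headers: {} }, now).status,
    apiExpired: gateRequest(bearer('tok-bob-constructed'), now).status,
    apiValid: gateRequest(bearer('tok-alice-constructed'), now),
  };
}

console.log(demo());
```

The client check accepts the made-up value, while the server-side gate answers 401 for it, for an anonymous API call and for an expired token, which is why the review points at server-enforced controls such as the «internal» privacy setting.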