Don't send auth header to object storage

client/src/app/shared/shared-main/auth/auth-interceptor.service.ts

@@ -1,10 +1,12 @@
-import { Observable, of, throwError as observableThrowError } from 'rxjs'
-import { catchError, switchMap } from 'rxjs/operators'
 import { HTTP_INTERCEPTORS, HttpErrorResponse, HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http'
 import { Injectable, Injector, inject } from '@angular/core'
 import { Router } from '@angular/router'
 import { AuthService } from '@app/core/auth/auth.service'
+import { getBackendUrl } from '@app/helpers'
 import { HttpStatusCode, OAuth2ErrorCode, PeerTubeProblemDocument, ServerErrorCode } from '@peertube/peertube-models'
+import { isSameOrigin } from '@root-helpers/url'
+import { Observable, throwError as observableThrowError, of } from 'rxjs'
+import { catchError, switchMap } from 'rxjs/operators'
 
 @Injectable()
 export class AuthInterceptor implements HttpInterceptor {
@@ -61,7 +63,11 @@ export class AuthInterceptor implements HttpInterceptor {
   private cloneRequestWithAuth (req: HttpRequest<any>) {
     const authHeaderValue = this.authService.getRequestHeaderValue()
 
-    if (authHeaderValue === null) return req
+    const sameOrigin = req.url.startsWith('/') || isSameOrigin(getBackendUrl(), req.url)
+
+    if (authHeaderValue === null || !sameOrigin) {
+      return req
+    }
 
     // Clone the request to add the new header
     return req.clone({ headers: req.headers.set('Authorization', authHeaderValue) })

client/src/root-helpers/url.ts

@@ -18,3 +18,12 @@ export function objectToUrlEncoded (obj: any) {
 
   return str.join('&')
 }
+
+export function isSameOrigin (current: string, target: string) {
+  const currentUrl = new URL(current)
+  const targetUrl = new URL(target)
+
+  if (currentUrl.hostname === 'localhost' && targetUrl.hostname === 'localhost') return true
+
+  return currentUrl.origin === targetUrl.origin
+}

client/src/standalone/player/src/shared/common/utils.ts

@@ -20,12 +20,3 @@ export function getRtcConfig (stunServers: string[]) {
     iceServers: stunServers.map(s => ({ urls: s }))
   }
 }
-
-export function isSameOrigin (current: string, target: string) {
-  const currentUrl = new URL(current)
-  const targetUrl = new URL(target)
-
-  if (currentUrl.hostname === 'localhost' && targetUrl.hostname === 'localhost') return true
-
-  return currentUrl.origin === targetUrl.origin
-}

client/src/standalone/player/src/shared/p2p-media-loader/segment-validator.ts

@@ -1,9 +1,9 @@
-import type { ByteRange } from 'p2p-media-loader-core'
 import { removeQueryParams } from '@peertube/peertube-core-utils'
 import { logger } from '@root-helpers/logger'
+import { isSameOrigin } from '@root-helpers/url'
 import { wait } from '@root-helpers/utils'
 import debug from 'debug'
-import { isSameOrigin } from '../common'
+import type { ByteRange } from 'p2p-media-loader-core'
 
 const debugLogger = debug('peertube:player:segment-validator')
 
@@ -16,14 +16,16 @@ export class SegmentValidator {
 
   private segmentJSONPromise: Promise<SegmentsJSON>
 
-  constructor (private readonly options: {
+  constructor (
+    private readonly options: {
       serverUrl: string
       segmentsSha256Url: string
       authorizationHeader: () => string
       requiresUserAuth: boolean
       requiresPassword: boolean
       videoPassword: () => string
-  }) {
+    }
+  ) {
   }
 
   async validate (url: string, byteRange: ByteRange | undefined, data: ArrayBuffer, retry = 1): Promise<boolean> {
@@ -93,7 +95,7 @@ export class SegmentValidator {
   }
 
   private fetchSha256Segments (): Promise<SegmentsJSON> {
-    let headers: { [ id: string ]: string } = {}
+    let headers: { [id: string]: string } = {}
 
     if (isSameOrigin(this.options.serverUrl, this.options.segmentsSha256Url)) {
       if (this.options.requiresPassword) headers = { 'x-peertube-video-password': this.options.videoPassword() }

client/src/standalone/player/src/shared/player-options-builder/hls-options-builder.ts

@@ -2,12 +2,13 @@ import { getResolutionAndFPSLabel, getResolutionLabel } from '@peertube/peertube
 import { LiveVideoLatencyMode } from '@peertube/peertube-models'
 import { logger } from '@root-helpers/logger'
 import { peertubeLocalStorage } from '@root-helpers/peertube-web-storage'
+import { isSameOrigin } from '@root-helpers/url'
 import debug from 'debug'
 import { Level } from 'hls.js'
 import type { CoreConfig, StreamConfig } from 'p2p-media-loader-core'
 import { getAverageBandwidthInStore } from '../../peertube-player-local-storage'
 import { HLSPluginOptions, P2PMediaLoaderPluginOptions, PeerTubePlayerConstructorOptions, PeerTubePlayerLoadOptions } from '../../types'
-import { getRtcConfig, isSameOrigin } from '../common'
+import { getRtcConfig } from '../common'
 import { RedundancyUrlManager } from '../p2p-media-loader/redundancy-url-manager'
 import { SegmentValidator } from '../p2p-media-loader/segment-validator'
 

client/src/standalone/videos/embed.ts

@@ -60,7 +60,7 @@ export class PeerTubeEmbed {
   constructor (videoWrapperId: string) {
     logger.registerServerSending(getBackendUrl())
 
-    this.http = new AuthHTTP()
+    this.http = new AuthHTTP(getBackendUrl())
 
     this.videoFetcher = new VideoFetcher(this.http)
     this.playlistFetcher = new PlaylistFetcher(this.http)
@@ -220,7 +220,6 @@ export class PeerTubeEmbed {
 
       return this.buildVideoPlayer({ videoResponse, captionsPromise, chaptersPromise, storyboardsPromise, forceAutoplay })
     } catch (err) {
-
       if (await this.handlePasswordError(err)) this.loadVideoAndBuildPlayer({ ...options })
       else this.playerHTML.displayError(err.message, await this.translationsPromise)
     }
@@ -296,9 +295,8 @@ export class PeerTubeEmbed {
     await this.peertubePlayer.load(loadOptions)
 
     if (!this.alreadyInitialized) {
-      this.player = this.peertubePlayer.getPlayer();
-
-      (window as any)['videojsPlayer'] = this.player
+      this.player = this.peertubePlayer.getPlayer()
+      ;(window as any)['videojsPlayer'] = this.player
 
       this.buildCSS()
 
@@ -465,7 +463,7 @@ export class PeerTubeEmbed {
 
 PeerTubeEmbed.main()
   .catch(err => {
-    (window as any).displayIncompatibleBrowser()
+    ;(window as any).displayIncompatibleBrowser()
 
     logger.error('Cannot init embed.', err)
   })

client/src/standalone/videos/shared/auth-http.ts

@@ -1,5 +1,5 @@
 import { HttpStatusCode, OAuth2ErrorCode, OAuth2ErrorCodeType, UserRefreshToken } from '@peertube/peertube-models'
-import { OAuthUserTokens, objectToUrlEncoded } from '../../../root-helpers'
+import { isSameOrigin, OAuthUserTokens, objectToUrlEncoded } from '../../../root-helpers'
 import { peertubeLocalStorage } from '../../../root-helpers/peertube-web-storage'
 
 export class AuthHTTP {
@@ -12,7 +12,7 @@ export class AuthHTTP {
 
   private headers = new Headers()
 
-  constructor () {
+  constructor (private readonly serverUrl: string) {
     this.userOAuthTokens = OAuthUserTokens.getUserTokens(peertubeLocalStorage)
 
     if (this.userOAuthTokens) this.setHeadersFromTokens()
@@ -21,9 +21,11 @@ export class AuthHTTP {
   fetch (url: string, { optionalAuth, method }: { optionalAuth: boolean, method?: string }, videoPassword?: string) {
     let refreshFetchOptions: { headers?: Headers } = {}
 
+    if (isSameOrigin(this.serverUrl, url)) {
       if (videoPassword) this.headers.set('x-peertube-video-password', videoPassword)
 
       if (videoPassword || optionalAuth) refreshFetchOptions = { headers: this.headers }
+    }
 
     return this.refreshFetch(url.toString(), { ...refreshFetchOptions, method })
   }
@@ -91,11 +93,13 @@ export class AuthHTTP {
             OAuthUserTokens.flushLocalStorage(peertubeLocalStorage)
 
             this.removeTokensFromHeaders()
-          }).then(() => fetch(url, {
+          }).then(() =>
+            fetch(url, {
               ...options,
 
               headers: this.headers
-          }))
+            })
+          )
       })
   }