git.gir.st - subscriptionfeed.git/blob - app/frontend.py
9 from urllib
.parse
import parse_qs
10 from flask
import Flask
, render_template
, request
, redirect
, flash
, url_for
, jsonify
, g
# XXX: generate and hard-code, or cookies and csrf-validation will fail!
# The key is drawn fresh on every process start, so anything signed with it
# (Flask's session cookie, which flash() relies on, and the HMAC-based csrf
# value computed elsewhere in this file) stops validating after a restart
# and, when several worker processes each import this module, differs
# between them. A persistent key is better loaded from configuration that
# is kept out of version control than committed to the source tree.
app.secret_key = secrets.token_bytes(16)

# Note: currently expiring after 10 minutes. googlevideo-urls are valid for
# 5h59m, but this makes reddit very stale and premiere videos won't start.
# Only responses with status code 200 are stored.
requests_cache.install_cache(
    backend='memory',
    expire_after=10 * 60,
    allowable_codes=(200,),
)
19 # Note: this should only be required for the 'memory' backed cache.
20 from threading
import Timer
22 requests_cache
.remove_expired_responses()
23 t
= Timer(sec
, purge_cache
, args
=(sec
,))
30 return redirect(url_for('feed'), code
=302)
32 @app.route('/feed/subscriptions')
34 token
= request
.args
.get('token', 'guest')
35 page
= int(request
.args
.get('page', 0))
36 with sqlite3
.connect(cf
['global']['database']) as conn
:
39 SELECT videos.id, channel_id, name, title, published, flags.display
41 JOIN channels ON videos.channel_id = channels.id
42 LEFT JOIN flags ON (videos.id = flags.video_id) AND (flags.user = ?)
44 (SELECT channel_id FROM subscriptions WHERE user = ?)
45 AND flags.display IS NOT 'hidden'
46 ORDER BY (display = 'pinned') DESC, crawled DESC
48 OFFSET 36*?""", (token
, token
, page
))
51 'channel_id': channel_id
,
54 'published': published
,
55 'pinned': display
== 'pinned',
56 } for (video_id
, channel_id
, author
, title
, published
, display
) in c
.fetchall()]
57 return render_template('index.html.j2', rows
=rows
, page
=page
)
61 if not 'v' in request
.args
:
62 return "missing video id", 400
64 plaintextheader
= {'content-type': 'text/plain',"Link": "<data:text/css,body%7Bcolor:%23eee;background:%23333%7D>; rel=stylesheet;"}
66 video_id
= request
.args
.get('v')
67 (sts
, algo
) = get_cipher()
68 (video_url
, metadata
, error_type
, error
) = get_video_info(video_id
, sts
, algo
)
69 if error_type
in ['initial', 'player']:
70 return error
, 400, plaintextheader
72 show
= request
.args
.get("show")
75 extra
= {'geolocked':'local=1', 'livestream':'raw=0'}.get(error
,'')
76 # if error==exhausted, metadata.playabilityStatus.reason may contain additional information.
77 return f
"{error.upper()}: Redirecting to Invidious.", 502, {'Refresh': f
'2; URL=https://invidio.us/watch?v={video_id}&{extra}&raw=1', **plaintextheader
}
78 return redirect(video_url
, code
=307)
80 return jsonify(metadata
)
81 else: # todo: handle geolocked, livesteam and the case when we have an exhausted error with no metadata returned
82 return render_template('watch.html.j2', video_id
=video_id
, video_url
=video_url
, **prepare_metadata(metadata
))
84 @app.route('/channel/<channel_id>')
85 def channel(channel_id
):
86 if not re
.match(r
"(UC[A-Za-z0-9_-]{22})", channel_id
):
87 return "bad channel id", 400 # todo
89 xmlfeed
= fetch_xml("channel_id", channel_id
)
91 return "not found or something", 404 # XXX
92 (title
, author
, _
, videos
) = parse_xml(xmlfeed
)
93 return render_template('xmlfeed.html.j2', title
=author
, rows
=videos
)
95 @app.route('/playlist')
97 playlist_id
= request
.args
.get('list')
99 return "bad list id", 400 # todo
101 xmlfeed
= fetch_xml("playlist_id", playlist_id
)
103 return "not found or something", 404 # XXX
104 (title
, author
, _
, videos
) = parse_xml(xmlfeed
)
105 return render_template('xmlfeed.html.j2', title
=f
"{title} by {author}", rows
=videos
)
107 @app.route('/subscription_manager')
108 def subscription_manager():
109 token
= request
.args
.get('token', 'guest')
110 with sqlite3
.connect(cf
['global']['database']) as conn
:
111 #with conn.cursor() as c:
114 SELECT subscriptions.channel_id, name,
115 (subscribed_until < datetime('now')) AS obsolete
117 left JOIN channels ON channels.id = subscriptions.channel_id
118 left JOIN websub ON channels.id = websub.channel_id
120 ORDER BY obsolete=0, name COLLATE NOCASE ASC""", (token
,))
122 'channel_id': channel_id
,
123 'author': author
or channel_id
,
124 'subscribed_until': subscribed_until
125 } for (channel_id
, author
, subscribed_until
) in c
.fetchall()]
126 return render_template('subscription_manager.html.j2', rows
=rows
)
128 @app.route('/feed/subscriptions', methods
=['POST'])
130 token
= request
.args
.get('token', 'guest')
131 if token
== 'guest': return "guest user is read-only", 403
132 action
= next(iter(k
for k
in request
.form
.keys() if k
!= 'csrf'), None)
133 if action
in ['pin', 'unpin', 'hide']:
134 video_id
= request
.form
.get(action
)
140 with sqlite3
.connect(cf
['global']['database']) as conn
:
141 #with conn.cursor() as c:
144 INSERT OR REPLACE INTO flags (user, video_id, display)
146 """, (token
, video_id
, display
))
148 flash(("error","unsupported action"))
149 return redirect(request
.url
, code
=303)
151 @app.route('/subscription_manager', methods
=['POST'])
152 def manage_subscriptions():
153 token
= request
.args
.get('token', 'guest')
154 if token
== 'guest': return "guest user is read-only", 403
155 if 'subscribe' in request
.form
:
156 channel_id
= request
.form
.get("subscribe")
157 match
= re
.match(r
"(UC[A-Za-z0-9_-]{22})", channel_id
)
159 channel_id
= match
.group(1)
161 match
= re
.match(r
"((?:PL|LL|EC|UU|FL|UL|OL)[A-Za-z0-9_-]{10,})", channel_id
)
162 if match
: # NOTE: PL-playlists are 32chars, others differ in length.
163 flash(("error","playlists not (yet?) supported."))
164 return redirect(request
.url
, code
=303) # TODO: dedup redirection
166 flash(("error","not a valid/subscribable URI"))
167 return redirect(request
.url
, code
=303) # TODO: dedup redirection
168 with sqlite3
.connect(cf
['global']['database']) as conn
:
169 #with conn.cursor() as c:
172 INSERT OR IGNORE INTO subscriptions (user, channel_id)
174 """, (token
, channel_id
))
175 # TODO: sql-error-handling, asynchronically calling update-subs.pl
177 elif 'unsubscribe' in request
.form
:
178 with sqlite3
.connect(cf
['global']['database']) as conn
:
179 #with conn.cursor() as c:
182 DELETE FROM subscriptions
183 WHERE user = ? AND channel_id = ?
184 """, (token
, channel_id
))
185 # TODO: sql-error-handling, report success
188 flash(("error","unsupported action"))
190 return redirect(request
.url
, code
=303)
195 @app.route('/r/<subreddit>')
196 def reddit(subreddit
="videos"):
197 count
= int(request
.args
.get('count', 0))
198 before
= request
.args
.get('before')
199 after
= request
.args
.get('after')
200 query
= '&'.join([f
"{k}={v}" for k
,v
in [('count',count
), ('before',before
), ('after',after
)] if v
])
201 r
= requests
.get(f
"https://old.reddit.com/r/{subreddit}.json?{query}", headers
={'User-Agent':'Mozilla/5.0'})
202 if not r
.ok
or not 'data' in r
.json():
203 return r
.text
+"error retrieving reddit data", 502
205 good
= [e
for e
in r
.json()['data']['children'] if e
['data']['score'] > 1]
206 bad
= [e
for e
in r
.json()['data']['children'] if e
['data']['score'] <=1]
208 for entry
in (good
+bad
):
210 if e
['domain'] not in ['youtube.com', 'youtu.be', 'invidio.us']:
212 video_id
= re
.match(r
'^https?://(?:www.|m.)?(?:youtube.com/watch\?(?:.*&)?v=|youtu.be/|youtube.com/embed/)([-_0-9A-Za-z]+)', e
['url']).group(1)
213 if not video_id
: continue
215 'video_id': video_id
,
217 'url': e
['permalink'],
218 'n_comments': e
['num_comments'],
219 'n_karma': e
['score'],
221 before
= r
.json()['data']['before']
222 after
= r
.json()['data']['after']
223 return render_template('reddit.html.j2', subreddit
=subreddit
, rows
=videos
, before
=before
, after
=after
, count
=count
)
226 # reload cipher from database every 1 hour
227 if 'cipher' not in g
or time
.time() - g
.get('cipher_updated', 0) > 1 * 60 * 60:
228 with sqlite3
.connect(cf
['global']['database']) as conn
:
230 c
.execute("SELECT sts, algorithm FROM cipher")
231 g
.cipher
= c
.fetchone()
232 g
.cipher_updated
= time
.time()
236 #@app.teardown_appcontext
238 # db = g.pop('db', None)
243 # Magic CSRF protection: This modifies outgoing HTML responses and injects a csrf token into all forms.
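244 # All POST requests are then checked for the valid token. The token is an HMAC of the client address keyed with app.secret_key, so it is bound to the address, not to a session or user.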
246 # - don't use regex for injecting
247 # - inject a http header into all responses (that could be used by apis)
248 # - allow csrf token to be passed in http header, json, ...
249 # - a decorator on routes to opt out of verification or output munging
251 def add_csrf_protection(response
):
252 if response
.mimetype
== "text/html":
253 token
= hmac
.new(app
.secret_key
, request
.remote_addr
.encode('ascii'), hashlib
.sha256
).hexdigest() # TODO: will fail behind reverse proxy (remote_addr always localhost)
254 response
.set_data( re
.sub(
255 rb
'''(<[Ff][Oo][Rr][Mm](\s+[a-zA-Z0-9-]+(=(\w*|'[^']*'|"[^"]*"))?)*>)''', # match form tags with any number of attributes and any type of quotes
256 rb
'\1<input type="hidden" name="csrf" value="'+token
.encode('ascii')+rb
'">', # hackily append a hidden input with our csrf protection value
257 response
.get_data()))
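def verify_csrf_protection():
    """Reject POST requests whose form does not carry the expected csrf value.

    The expected value is HMAC-SHA256 over the client address, keyed with
    ``app.secret_key``. On a POST with a missing or wrong ``csrf`` form field
    the function returns a ``(body, 400)`` tuple; otherwise it returns None
    after replacing ``request.form`` with a mutable copy.

    NOTE(review): how this function is registered with the app (presumably
    as a before-request hook) is not visible in this listing -- confirm.

    NOTE(review): because the value depends only on the secret key and the
    client address, every client that shares an address (same NAT, or all
    clients when a reverse proxy makes remote_addr constant) is handed the
    same value, and it does not expire while key and address stay the same.
    Binding it to a per-session secret would remove that coupling.
    """
    # TODO: will fail behind reverse proxy (remote_addr always localhost)
    expected = hmac.new(
        app.secret_key,
        request.remote_addr.encode('ascii'),
        hashlib.sha256,
    ).hexdigest()
    if request.method == "POST":
        # A missing field becomes '' so it is rejected like any wrong value.
        submitted = request.form.get('csrf', '')
        # Compare in constant time; both sides are bytes because
        # compare_digest() refuses str arguments containing non-ASCII text.
        if not hmac.compare_digest(submitted.encode('utf-8'), expected.encode('ascii')):
            return "CSRF validation failed!", 400
    request.form = request.form.copy()  # make it mutable
    # request.form.pop('csrf') # XXX: breaks all requests?!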
267 @app.template_filter('format_date')
269 (y
,m
,d
) = (int(n
) for n
in s
.split('T')[0].split(' ')[0].split('-')) # iso-dates can seperate date from time with space or 'T'
270 M
= '_ Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split()
273 if __name__
== '__main__':