move flask secret_key to config.ini
import base64
import hashlib
import hmac
import re
import secrets
import sqlite3
import time
from urllib.parse import parse_qs, urlencode

import requests
from flask import Flask, render_template, request, redirect, flash, url_for, jsonify, g

from common import *
13
app = Flask(__name__)
# app.secret_key is the HMAC key for the CSRF tokens minted further down (and
# signs the Flask session that flash() relies on).  A key from config.ini is
# stable across restarts and worker processes; the random fallback is private
# to this one process, so tokens issued by another process or before a restart
# will not verify.
# NOTE(review): Flask enables Jinja autoescaping only for template names ending
# in .html/.htm/.xml/.xhtml/.svg; the '*.html.j2' templates rendered in this
# file therefore need '{% autoescape true %}' (or an app-level setting) to
# escape titles, error details and other untrusted strings — confirm in the
# templates.
app.secret_key = (
    base64.b64decode(cf['frontend']['secret_key'])
    if 'secret_key' in cf['frontend']
    else secrets.token_bytes(16)
)
19
@app.route('/')
def index():
    """Send the site root to the subscription feed with a temporary (302) redirect."""
    feed_url = url_for('feed')
    return redirect(feed_url, 302)
23
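@app.route('/feed/subscriptions')
def feed():
    """Render one page (36 videos) of a user's subscription feed.

    Query parameters:
        token: user identifier, default 'guest'.  NOTE(review): this token is
            the only thing tying a request to a user and it travels in the
            query string, so it shows up in server logs and Referer headers.
        page: zero-based page number.  A non-integer value now yields a 400
            instead of an unhandled ValueError (500).

    Hidden videos are excluded, pinned ones sort first, the rest by crawl
    time.  All user input reaches SQLite only through bound parameters.
    """
    token = request.args.get('token', 'guest')
    try:
        page = int(request.args.get('page', 0))
    except ValueError:
        return "bad page number", 400
    conn = sqlite3.connect(cf['global']['database'])
    try:
        c = conn.execute("""
            SELECT videos.id, channel_id, name, title, published, flags.display
            FROM videos
            JOIN channels ON videos.channel_id = channels.id
            LEFT JOIN flags ON (videos.id = flags.video_id) AND (flags.user = ?)
            WHERE channel_id IN
                (SELECT channel_id FROM subscriptions WHERE user = ?)
            AND flags.display IS NOT 'hidden'
            ORDER BY (display = 'pinned') DESC, crawled DESC
            LIMIT 36
            OFFSET 36*?""", (token, token, page))
        rows = [{
            'video_id': video_id,
            'channel_id': channel_id,
            'author': author,
            'title': title,
            'published': published,
            'pinned': display == 'pinned',
        } for (video_id, channel_id, author, title, published, display) in c.fetchall()]
    finally:
        # sqlite3's connection context manager only commits/rolls back; it
        # never closes, so close explicitly.
        conn.close()
    return render_template('index.html.j2', rows=rows, page=page)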
50
@app.route('/watch')
def watch():
    """Resolve a video id to a stream URL plus metadata and present it.

    The 'show' query parameter picks the representation: 'raw' redirects
    straight to the stream URL (on error: a plain-text notice that refreshes
    to Invidious), 'json' returns the metadata as JSON, anything else renders
    the watch page.  The redirect target comes from get_video_info(), not
    from the request.
    """
    if 'v' not in request.args:
        return "missing video id", 400

    # NOTE(review): the id is not validated here; it is forwarded as-is into
    # the Invidious URL and the Refresh header below.  Any format check
    # happens in get_video_info() ('malformed'), if at all.
    video_id = request.args.get('v')
    sts, algo = get_cipher()
    video_url, metadata, error, errdetails = get_video_info(video_id, sts, algo)

    plain_headers = {
        'content-type': 'text/plain',
        'Link': "<data:text/css,body%7Bcolor:%23eee;background:%23333%7D>; rel=stylesheet;"
    }
    invidious_extra = {'geolocked':'local=1', 'livestream':'raw=0'}.get(error,'')
    invidious_url = f"https://invidio.us/watch?v={video_id}&{invidious_extra}&raw=1"
    # Translate the extractor's error code into a message (None when no error).
    errdetails = {
        'malformed': "Video ID is invalid.",
        'geolocked': "This video is geolocked.",
        'livestream': "Livestreams not yet supported.",
        'exhausted': errdetails or "Couldn't extract video URLs.",
        'player': errdetails,
    }.get(error)

    show = request.args.get("show")
    if show == "raw":
        if not error:
            return redirect(video_url, code=307)
        if error == 'player':
            msg = errdetails
        else:
            msg = f"{error.upper()}: {errdetails}"
        headers = {'Refresh': f'2; URL={invidious_url}', **plain_headers}
        return f"{msg}\n\nRedirecting to Invidious.", 502, headers
    if show == "json":
        if error and not metadata:
            # The error code itself is the dict key (not a fixed 'message' key).
            return {'error': True, error: errdetails}, 400 # TODO: better (test _CpR4o81XQc)
        return jsonify(metadata)
    if error and not metadata: # e.g. malformed, private/deleted video, ...
        return errdetails,400 # TODO: nicer
    return render_template('watch.html.j2',
        video_id=video_id, video_url=video_url,
        video_error=error, errdetails=errdetails, invidious_url=invidious_url,
        **prepare_metadata(metadata))
94
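@app.route('/channel/<channel_id>')
def channel(channel_id):
    """Render the latest videos of one channel from its public XML feed.

    channel_id must start with a YouTube channel id ('UC' + 22 url-safe
    characters).  Only the matched id is used — mirroring the normalisation in
    manage_subscriptions() — so trailing junk is dropped instead of being
    forwarded to fetch_xml().
    """
    match = re.match(r"(UC[A-Za-z0-9_-]{22})", channel_id)
    if not match:
        return "bad channel id", 400 # todo
    channel_id = match.group(1)

    xmlfeed = fetch_xml("channel_id", channel_id)
    if not xmlfeed:
        return "not found or something", 404 # XXX
    title, author, videos = parse_xml(xmlfeed)
    return render_template('xmlfeed.html.j2', title=author, rows=videos)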
105
@app.route('/playlist')
def playlist():
    """Render a playlist's videos from its public XML feed.

    The playlist id comes from the 'list' query parameter; a missing or empty
    id is a 400.  NOTE(review): unlike channel(), the id is handed to
    fetch_xml() without any format check — confirm that is intended.
    """
    playlist_id = request.args.get('list')
    if not playlist_id:
        return "bad list id", 400 # todo

    xmlfeed = fetch_xml("playlist_id", playlist_id)
    if xmlfeed:
        title, author, videos = parse_xml(xmlfeed)
        heading = f"{title} by {author}"
        return render_template('xmlfeed.html.j2', title=heading, rows=videos)
    return "not found or something", 404 # XXX
117
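@app.route('/subscription_manager')
def subscription_manager():
    """Render the channels the user (query parameter 'token', default 'guest') follows.

    Each row has the channel id, its name (falling back to the id when no
    channel row exists) and a third value under the key 'subscribed_until'.
    NOTE(review): that value is the computed `obsolete` flag (0/1/NULL from
    comparing websub.subscribed_until with now), not the raw timestamp the key
    name suggests — presumably the template uses it as a boolean; confirm.
    Expired leases sort first.
    """
    token = request.args.get('token', 'guest')
    conn = sqlite3.connect(cf['global']['database'])
    try:
        c = conn.execute("""
            SELECT subscriptions.channel_id, name,
                (subscribed_until < datetime('now')) AS obsolete
            FROM subscriptions
            left JOIN channels ON channels.id = subscriptions.channel_id
            left JOIN websub ON channels.id = websub.channel_id
            WHERE user = ?
            ORDER BY obsolete=0, name COLLATE NOCASE ASC""", (token,))
        rows = [{
            'channel_id': channel_id,
            'author': author or channel_id,
            'subscribed_until': subscribed_until
        } for (channel_id, author, subscribed_until) in c.fetchall()]
    finally:
        # sqlite3's context manager does not close the connection; do it here.
        conn.close()
    return render_template('subscription_manager.html.j2', rows=rows)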
138
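@app.route('/feed/subscriptions', methods=['POST'])
def feed_post():
    """Pin, unpin or hide one video in the user's feed.

    The form carries a single field named after the action ('pin', 'unpin',
    'hide') whose value is the video id; the first form key is taken as the
    action, which works because verify_csrf_protection() has already stripped
    the 'csrf' field.  Guests are refused with 403.  Always answers with a 303
    back to the feed.
    """
    token = request.args.get('token', 'guest')
    if token == 'guest':
        return "guest user is read-only", 403
    action = next(request.form.keys(), None)
    if action in ['pin', 'unpin', 'hide']:
        video_id = request.form.get(action)
        # 'unpin' stores NULL, which feed() treats as neither pinned nor hidden.
        display = {
            'pin': 'pinned',
            'unpin': None,
            'hide': 'hidden',
        }[action]
        conn = sqlite3.connect(cf['global']['database'])
        try:
            with conn: # commit on success, roll back on error
                conn.execute("""
                    INSERT OR REPLACE INTO flags (user, video_id, display)
                    VALUES (?, ?, ?)
                """, (token, video_id, display))
        finally:
            conn.close() # the context manager above never closes
    else:
        flash(("error","unsupported action"))
    return redirect(request.url, code=303)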
161
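@app.route('/subscription_manager', methods=['POST'])
def manage_subscriptions():
    """Subscribe to or unsubscribe from a channel for the user given by 'token'.

    Form fields: 'subscribe' (value: a channel id, or a string containing one)
    or 'unsubscribe' (value: the channel id).  Channel ids are normalised to
    the matched 'UC...' id; playlist ids are recognised and refused with a
    flash message, as is anything else.  Guests get a 403.  Always redirects
    back with 303.

    Fix: the unsubscribe branch previously never assigned channel_id and
    raised UnboundLocalError on every unsubscribe.  It now reads the id from
    the 'unsubscribe' field — this assumes the template's unsubscribe input
    carries the channel id as its value, mirroring 'subscribe'; confirm in
    subscription_manager.html.j2.
    """
    token = request.args.get('token', 'guest')
    if token == 'guest':
        return "guest user is read-only", 403
    if 'subscribe' in request.form:
        channel_id = request.form.get("subscribe")
        match = re.match(r"(UC[A-Za-z0-9_-]{22})", channel_id)
        if match:
            channel_id = match.group(1)
        else:
            match = re.match(r"((?:PL|LL|EC|UU|FL|UL|OL)[A-Za-z0-9_-]{10,})", channel_id)
            if match: # NOTE: PL-playlists are 32chars, others differ in length.
                flash(("error","playlists not (yet?) supported."))
            else:
                flash(("error","not a valid/subscribable URI"))
            return redirect(request.url, code=303)
        conn = sqlite3.connect(cf['global']['database'])
        try:
            with conn: # commit on success, roll back on error
                conn.execute("""
                    INSERT OR IGNORE INTO subscriptions (user, channel_id)
                    VALUES (?, ?)
                """, (token, channel_id))
        finally:
            conn.close() # the context manager above never closes
        # TODO: sql-error-handling, asynchronically calling update-subs.pl

    elif 'unsubscribe' in request.form:
        channel_id = request.form.get("unsubscribe")
        conn = sqlite3.connect(cf['global']['database'])
        try:
            with conn:
                conn.execute("""
                    DELETE FROM subscriptions
                    WHERE user = ? AND channel_id = ?
                """, (token, channel_id))
        finally:
            conn.close()
        # TODO: sql-error-handling, report success

    else:
        flash(("error","unsupported action"))

    return redirect(request.url, code=303)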
202
@app.route('/r/')
def reddit_index():
    """Placeholder for /r/ without a subreddit: an empty 200 response."""
    empty_body = ""
    return empty_body
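@app.route('/r/<subreddit>')
def reddit(subreddit="videos"):
    """List the YouTube videos posted to a subreddit via old.reddit.com's JSON listing.

    'count', 'before' and 'after' are reddit's paging parameters and are
    forwarded, url-encoded, when non-empty; a non-integer 'count' is a 400.
    Posts with score > 1 are listed before the rest.  Posts whose link is on a
    YouTube domain but is not a watch/short/embed URL (channels, playlists,
    invidio.us links) are skipped instead of crashing on a None match.  An
    upstream failure or non-JSON body is reported as 502 with reddit's
    response text prepended.
    """
    # The subreddit name is interpolated into the upstream path; restrict it
    # to reddit's own character set rather than forwarding arbitrary input.
    if not re.fullmatch(r'[A-Za-z0-9_]+', subreddit):
        return "bad subreddit name", 400
    try:
        count = int(request.args.get('count', 0))
    except ValueError:
        return "bad count", 400
    before = request.args.get('before')
    after = request.args.get('after')
    # urlencode() escapes '&' and '=' in the cursors, so a client cannot
    # smuggle extra query parameters into the upstream request.
    query = urlencode({k: v for k, v in [('count',count), ('before',before), ('after',after)] if v})
    r = requests.get(f"https://old.reddit.com/r/{subreddit}.json?{query}", headers={'User-Agent':'Mozilla/5.0'})
    try:
        listing = r.json()
    except ValueError: # body was not JSON (error page, rate limit, ...)
        listing = {}
    if not r.ok or 'data' not in listing:
        return r.text+"error retrieving reddit data", 502

    children = listing['data']['children']
    good = [e for e in children if e['data']['score'] > 1]
    bad = [e for e in children if e['data']['score'] <=1]
    videos = []
    for entry in good + bad:
        e = entry['data']
        if e['domain'] not in ['youtube.com', 'youtu.be', 'invidio.us']:
            continue
        match = re.match(r'^https?://(?:www.|m.)?(?:youtube.com/watch\?(?:.*&amp;)?v=|youtu.be/|youtube.com/embed/)([-_0-9A-Za-z]+)', e['url'])
        if not match: # not a video link (channel, playlist, invidio.us, ...)
            continue
        videos.append({
            'video_id': match.group(1),
            'title': e['title'],
            'url': e['permalink'],
            'n_comments': e['num_comments'],
            'n_karma': e['score'],
        })
    before = listing['data']['before']
    after = listing['data']['after']
    return render_template('reddit.html.j2', subreddit=subreddit, rows=videos, before=before, after=after, count=count)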
235
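def get_cipher():
    """Return the (sts, algorithm) row of the cipher table, cached on flask.g.

    The row is (re)read when g has no 'cipher' yet or the cached copy is
    older than one hour.  NOTE(review): flask.g is scoped to one application
    context, i.e. normally a single request, so in practice the row is
    re-read on every request; a module-level cache would be needed for the
    hourly refresh to have an effect.  Returns None when the table is empty
    (callers unpack the result and would then fail).
    """
    stale = time.time() - g.get('cipher_updated', 0) > 1 * 60 * 60
    if 'cipher' not in g or stale:
        conn = sqlite3.connect(cf['global']['database'])
        try:
            g.cipher = conn.execute("SELECT sts, algorithm FROM cipher").fetchone()
            g.cipher_updated = time.time()
        finally:
            # sqlite3's context manager does not close; close explicitly.
            conn.close()
    return g.cipher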
246
247 #@app.teardown_appcontext
248 #def teardown_db():
249 # db = g.pop('db', None)
250 #
251 # if db is not None:
252 # db.close()
253
254 # Magic CSRF protection: This modifies outgoing HTML responses and injects a csrf token into all forms.
255 # All POST requests are then checked for the valid token.
256 # TODO:
257 # - don't use regex for injecting
258 # - inject a http header into all responses (that could be used by apis)
259 # - allow csrf token to be passed in http header, json, ...
260 # - a decorator on routes to opt out of verification or output munging
@app.after_request
def add_csrf_protection(response):
    """Inject a hidden 'csrf' input into every <form> of an HTML response.

    The token is an HMAC-SHA256 of the client address keyed with
    app.secret_key, so it is deterministic per (key, address) and is checked
    again by verify_csrf_protection().  NOTE(review): clients sharing an
    address (NAT, proxy) therefore share one token, and every HTML page
    served to that address carries it; it is not bound to a session.
    """
    if response.mimetype != "text/html":
        return response
    token = hmac.new(app.secret_key, request.remote_addr.encode('ascii'), hashlib.sha256).hexdigest() # TODO: will fail behind reverse proxy (remote_addr always localhost)
    form_tag = rb'''(<[Ff][Oo][Rr][Mm](\s+[a-zA-Z0-9-]+(=(\w*|'[^']*'|"[^"]*"))?)*>)''' # match form tags with any number of attributes and any type of quotes
    hidden_input = rb'\1<input type="hidden" name="csrf" value="'+token.encode('ascii')+rb'">' # hackily append a hidden input with our csrf protection value
    body = response.get_data()
    response.set_data(re.sub(form_tag, hidden_input, body))
    return response
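@app.before_request
def verify_csrf_protection():
    """Reject POST requests whose 'csrf' form field does not match the expected token.

    The expected value is recomputed exactly as add_csrf_protection() mints it
    (HMAC-SHA256 of remote_addr under app.secret_key).  The comparison uses
    hmac.compare_digest so the token does not leak through response timing; a
    missing field compares as empty and fails.  On success the 'csrf' field is
    removed from request.form so handlers that inspect the first form key
    (feed_post) do not see it.
    """
    token = hmac.new(app.secret_key, request.remote_addr.encode('ascii'), hashlib.sha256).hexdigest() # TODO: will fail behind reverse proxy (remote_addr always localhost)
    if request.method == "POST":
        submitted = request.form.get('csrf', '')
        # Compare as bytes: compare_digest rejects non-ASCII str input.
        if not hmac.compare_digest(submitted.encode('utf-8'), token.encode('ascii')):
            return "CSRF validation failed!", 400
    request.form = request.form.copy() # make it mutable
    request.form.poplist('csrf') # remove our csrf again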
277
@app.template_filter('format_date')
def format_date(s):
    """Template filter: render an ISO date(-time) string as e.g. '5 Mar'.

    The date part may be separated from the time by 'T' or a space; only the
    month and day are used.  Raises ValueError if the date part does not
    split into exactly three integers.
    """
    date_part = s.split('T')[0].split(' ')[0]
    _year, month, day = map(int, date_part.split('-'))
    # Index 0 is a dummy so that month numbers 1..12 index directly.
    month_names = ('_', 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec')
    return f"{day} {month_names[month]}"
283
if __name__ == '__main__':
    # Development entry point only: debug=True turns on the Werkzeug reloader
    # and the interactive debugger, which must not be reachable by untrusted
    # clients.  Production deployments should serve `app` through a WSGI server.
    app.run(debug=True)