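import re
import time
import hmac
import base64
import hashlib
import sqlite3
import secrets
import contextlib

import requests
from urllib.parse import parse_qs, quote
from werkzeug.security import generate_password_hash, check_password_hash
from flask import Flask, render_template, request, redirect, flash, url_for, jsonify, g, session
from flask_login import LoginManager, UserMixin, current_user, login_user, logout_user, login_required

from common import *

app = Flask(__name__)
# The secret key signs the session cookie, and the CSRF token (see the bottom
# of this file) lives inside that session, so the key must be stable across
# workers and restarts in production. Without a configured key we fall back
# to a random per-process value: sessions and CSRF tokens then break on every
# restart, which is fine for development only.
app.secret_key = base64.b64decode(cf['frontend'].get('secret_key', '')) or \
    secrets.token_bytes(32)  # development fallback; sessions/CSRF won't persist.
login = LoginManager(app)
login.login_view = 'login_form'

# Identifier alphabets. Everything matched here ends up either in a SQL
# parameter or (via fetch_xml / get_video_info / the Invidious fallback link)
# in a URL we build, so only the URL-safe base64 alphabet is accepted.
_VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")       # YouTube video ids are 11 chars
_CHANNEL_ID_RE = re.compile(r"UC[A-Za-z0-9_-]{22}")   # same pattern the subscribe form uses
_PLAYLIST_ID_RE = re.compile(r"[A-Za-z0-9_-]{10,}")   # lengths vary by playlist type
_SUBREDDIT_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
_REDDIT_URL_RE = re.compile(
    r'^https?://(?:www.|m.)?(?:youtube.com/watch\?(?:.*&)?v=|youtu.be/|youtube.com/embed/)([-_0-9A-Za-z]+)')

# Hashed once at start-up; used to spend comparable time on logins for
# unknown usernames so response timing does not reveal which names exist.
_DUMMY_PASSWORD_HASH = generate_password_hash(secrets.token_hex(16))


@contextlib.contextmanager
def _db_cursor():
    """Yield a cursor on the app database; commit on success, always close.

    `with sqlite3.connect(...) as conn` only commits/rolls back, it does not
    close the connection, so the previous code leaked a connection per request
    until garbage collection.
    """
    conn = sqlite3.connect(cf['global']['database'])
    try:
        with conn:
            yield conn.cursor()
    finally:
        conn.close()


def _int_arg(name, default=0):
    """Return query argument *name* as a non-negative int, or *default*.

    A non-numeric value used to raise ValueError (a 500), and a negative
    value would have been pasted into a SQL OFFSET / upstream request.
    """
    try:
        value = int(request.args.get(name, default))
    except (TypeError, ValueError):
        return default
    return value if value >= 0 else default


def _user_token():
    """Token identifying the current user in the database; 'guest' when anonymous."""
    return 'guest' if current_user.is_anonymous else current_user.token


@app.route('/')
def index():
    """Redirect the front page to the subscription feed."""
    return redirect(url_for('feed'), code=302)


@app.route('/feed/subscriptions')  # disabled for guest user: @login_required
def feed():
    """Render one page (36 rows) of the current user's subscription feed.

    Hidden videos are filtered out, pinned ones sorted first. Guests see the
    feed of the pseudo-user 'guest'.
    """
    token = _user_token()
    page = _int_arg('page', 0)
    with _db_cursor() as c:
        c.execute("""
            SELECT videos.id, channel_id, name, title, published, flags.display
            FROM videos
            JOIN channels ON videos.channel_id = channels.id
            LEFT JOIN flags ON (videos.id = flags.video_id) AND (flags.user = ?)
            WHERE channel_id IN (SELECT channel_id FROM subscriptions WHERE user = ?)
            AND flags.display IS NOT 'hidden'
            ORDER BY (display = 'pinned') DESC, crawled DESC
            LIMIT 36 OFFSET 36*?""", (token, token, page))
        rows = [{
            'video_id': video_id,
            'channel_id': channel_id,
            'author': author,
            'title': title,
            'published': published,
            'pinned': display == 'pinned',
        } for (video_id, channel_id, author, title, published, display) in c.fetchall()]
    return render_template('index.html.j2', rows=rows, page=page)


@app.route('/watch')
def watch():
    """Resolve a video id to a playable URL and render/redirect/serialize it.

    `show=raw` redirects straight to the stream (or to Invidious on error),
    `show=json` returns the extracted metadata, anything else renders the
    watch page. Error classification comes from get_video_info().
    """
    if 'v' not in request.args:
        return "missing video id", 400

    plaintextheaders = {
        'content-type': 'text/plain',
        # NOTE(review): the Link target between '<' and '>' appears to have
        # been stripped from this copy of the file; confirm against upstream.
        'Link': "; rel=stylesheet;",
    }
    video_id = request.args.get('v')
    sts, algo = get_cipher()
    video_url, metadata, error, errdetails = get_video_info(video_id, sts, algo)

    extra = {'geolocked': 'local=1', 'livestream': 'raw=0'}.get(error, '')
    # quote() keeps a crafted id from smuggling extra query parameters into
    # the Invidious fallback link and the Refresh header built from it.
    invidious_url = f"https://invidio.us/watch?v={quote(video_id, safe='')}&{extra}&raw=1"
    errmsg = {
        'malformed': "Video ID is invalid.",
        'geolocked': "This video is geolocked.",
        'livestream': "Livestreams not yet supported.",
        'exhausted': errdetails or "Couldn't extract video URLs.",
        'player': errdetails,
    }.get(error)

    show = request.args.get("show")
    if show == "raw":
        if error:
            msg = errmsg if error == 'player' else f"{error.upper()}: {errmsg}"
            return f"{msg}\n\nRedirecting to Invidious.", 502, {
                'Refresh': f'2; URL={invidious_url}',
                **plaintextheaders}
        return redirect(video_url, code=307)
    if show == "json":
        if error and not metadata:
            return {'error': True, error: errmsg}, 400  # TODO: better (test _CpR4o81XQc)
        return jsonify(metadata)
    if error and not metadata:
        # e.g. malformed, private/deleted video, ...
        return errmsg, 400  # TODO: nicer
    return render_template('watch.html.j2',
                           video_id=video_id,
                           video_url=video_url,
                           video_error=error,
                           errdetails=errmsg,
                           invidious_url=invidious_url,
                           **prepare_metadata(metadata))


@app.route('/channel/<channel_id>')
def channel(channel_id):
    """Render the RSS feed of a channel as a video list."""
    # fullmatch: the previous match() accepted any trailing garbage after a
    # valid-looking id, which then went into the upstream feed request.
    if not _CHANNEL_ID_RE.fullmatch(channel_id):
        return "bad channel id", 400  # todo
    xmlfeed = fetch_xml("channel_id", channel_id)
    if not xmlfeed:
        return "not found or something", 404  # XXX
    title, author, videos = parse_xml(xmlfeed)
    return render_template('xmlfeed.html.j2', title=author, rows=videos)


@app.route('/playlist')
def playlist():
    """Render the RSS feed of a playlist (`?list=`) as a video list."""
    playlist_id = request.args.get('list')
    # The id presumably ends up in a URL built by fetch_xml, so restrict it
    # to the id alphabet instead of passing arbitrary text upstream.
    if not playlist_id or not _PLAYLIST_ID_RE.fullmatch(playlist_id):
        return "bad list id", 400  # todo
    xmlfeed = fetch_xml("playlist_id", playlist_id)
    if not xmlfeed:
        return "not found or something", 404  # XXX
    title, author, videos = parse_xml(xmlfeed)
    return render_template('xmlfeed.html.j2', title=f"{title} by {author}", rows=videos)


@app.route('/manage/subscriptions')  # disabled for guest user: @login_required
def subscription_manager():
    """List the current user's subscriptions, stale websub leases first."""
    token = _user_token()
    with _db_cursor() as c:
        c.execute("""
            SELECT subscriptions.channel_id, name, (subscribed_until < datetime('now')) AS obsolete
            FROM subscriptions
            LEFT JOIN channels ON channels.id = subscriptions.channel_id
            LEFT JOIN websub ON channels.id = websub.channel_id
            WHERE user = ?
            AND subscriptions.type IN ('channel', 'playlist')
            ORDER BY obsolete=0, name COLLATE NOCASE ASC""", (token,))
        # NOTE: the third column is the boolean `obsolete`, but the template
        # key has always been 'subscribed_until'; kept for compatibility.
        rows = [{
            'channel_id': channel_id,
            'author': author or channel_id,
            'subscribed_until': subscribed_until,
        } for (channel_id, author, subscribed_until) in c.fetchall()]
    return render_template('subscription_manager.html.j2', rows=rows)


@app.route('/feed/subscriptions', methods=['POST'])
@login_required
def feed_post():
    """Pin, unpin or hide a video in the user's feed.

    The first form field names the action (the CSRF field has already been
    stripped by verify_csrf_protection) and carries the video id.
    """
    token = current_user.token
    # iter() rather than .keys(): dict views are not iterators, so the old
    # next(request.form.keys()) depends on Werkzeug's generator-based keys().
    action = next(iter(request.form), None)
    if action in ('pin', 'unpin', 'hide'):
        video_id = request.form.get(action)
        if not video_id or not _VIDEO_ID_RE.fullmatch(video_id):
            flash("invalid video id", "error")
            return redirect(request.url, code=303)
        display = {
            'pin': 'pinned',
            'unpin': None,
            'hide': 'hidden',
        }[action]
        with _db_cursor() as c:
            c.execute("""
                INSERT OR REPLACE INTO flags (user, video_id, display)
                VALUES (?, ?, ?)
            """, (token, video_id, display))
    else:
        flash("unsupported action", "error")
    return redirect(request.url, code=303)


@app.route('/manage/subscriptions', methods=['POST'])
@login_required
def manage_subscriptions():
    """Subscribe to a channel (bare id or URL containing one) or unsubscribe."""
    token = current_user.token
    if 'subscribe' in request.form:
        target = request.form.get("subscribe") or ''  # an empty field used to raise TypeError
        match = re.search(r"(UC[A-Za-z0-9_-]{22})", target)
        if not match:
            if re.search(r"((?:PL|LL|EC|UU|FL|UL|OL)[A-Za-z0-9_-]{10,})", target):
                # NOTE: PL-playlists are 32chars, others differ in length.
                flash("playlists not (yet?) supported.", "error")
            else:
                flash("not a valid/subscribable URI", "error")
            return redirect(request.url, code=303)
        channel_id = match.group(1)
        with _db_cursor() as c:
            c.execute("""
                INSERT OR IGNORE INTO subscriptions (user, channel_id)
                VALUES (?, ?)
            """, (token, channel_id))
        # TODO: sql-error-handling, asynchronically calling update-subs.pl
    elif 'unsubscribe' in request.form:
        channel_id = request.form.get("unsubscribe")
        with _db_cursor() as c:
            c.execute("""
                DELETE FROM subscriptions
                WHERE user = ? AND channel_id = ?
            """, (token, channel_id))
        # TODO: sql-error-handling, report success
    else:
        flash("unsupported action", "error")
    return redirect(request.url, code=303)


@app.route('/r/')
def reddit_index():
    return ""


@app.route('/r/<subreddit>')
def reddit(subreddit="videos"):
    """List the YouTube links posted to a subreddit, upvoted ones first."""
    # The name is interpolated into the upstream URL path, so only accept
    # the subreddit alphabet.
    if not _SUBREDDIT_RE.fullmatch(subreddit):
        return "bad subreddit name", 400
    count = _int_arg('count', 0)
    before = request.args.get('before')
    after = request.args.get('after')
    # requests encodes the values, so a crafted pagination cursor cannot add
    # extra parameters to the upstream request (the old code pasted them raw).
    params = {k: v for k, v in (('count', count), ('before', before), ('after', after)) if v}
    try:
        r = requests.get(f"https://old.reddit.com/r/{subreddit}.json", params=params,
                         headers={'User-Agent': 'Mozilla/5.0'}, timeout=10)
        data = r.json() if r.ok else None
    except (requests.RequestException, ValueError):  # ValueError: non-JSON body
        data = None
    if not data or 'data' not in data:
        # Deliberately not echoing the upstream body: the old version returned
        # it as text/html, i.e. reflected third-party content into our origin.
        return "error retrieving reddit data", 502, {'content-type': 'text/plain'}

    children = data['data']['children']
    good = [e for e in children if e['data']['score'] > 1]
    bad = [e for e in children if e['data']['score'] <= 1]
    videos = []
    for entry in good + bad:
        e = entry['data']
        if e['domain'] not in ['youtube.com', 'youtu.be', 'invidio.us']:
            continue
        match = _REDDIT_URL_RE.match(e['url'])
        if not match:  # e.g. a channel or playlist link on an allowed domain (used to be a 500)
            continue
        videos.append({
            'video_id': match.group(1),
            'title': e['title'],
            'url': e['permalink'],
            'n_comments': e['num_comments'],
            'n_karma': e['score'],
        })
    before = data['data']['before']
    after = data['data']['after']
    return render_template('reddit.html.j2', subreddit=subreddit, rows=videos,
                           before=before, after=after, count=count)


@app.route('/login')
def login_form():
    """Render the login page."""
    return render_template('login.html.j2')


@app.route('/login', methods=['POST'])
def do_login():
    """Handle the login form: `action` is one of login / register / logout."""
    action = request.form.get('action')
    if action == 'login':
        name = request.form.get('user')
        password = request.form.get('password') or ''  # None used to crash the hash check
        user = User.from_name(name) if name else None
        if user is None:
            # Spend about as long as a real check so the response time does
            # not reveal whether the username exists.
            check_password_hash(_DUMMY_PASSWORD_HASH, password)
        elif user.check_password(password):
            login_user(user, remember=bool(request.form.get('remember')))
            return redirect(url_for('index'))
        flash('wrong username and/or password', 'error')
    elif action == 'register':
        flash("open registration currently closed. ask girst on irc://chat.freenode.net/#invidious if you want an account.", 'info')
    elif action == 'logout':
        logout_user()
        return redirect(url_for('index'))
    else:
        flash('unsupported action', 'error')
    return redirect(url_for('login_form'))


_CIPHER_TTL = 1 * 60 * 60  # reload cipher from database every 1 hour
_cipher_cache = {'value': None, 'updated': 0.0}


def get_cipher():
    """Return the (sts, algorithm) row of the cipher table, refreshed hourly.

    The cache is module-level on purpose: the previous version stored it on
    flask.g, which is torn down at the end of every request, so the row was
    re-read from SQLite on each call and the TTL never applied.
    """
    now = time.time()
    if _cipher_cache['value'] is None or now - _cipher_cache['updated'] > _CIPHER_TTL:
        with _db_cursor() as c:
            c.execute("SELECT sts, algorithm FROM cipher")
            _cipher_cache['value'] = c.fetchone()
        _cipher_cache['updated'] = now
    return _cipher_cache['value']


class User(UserMixin):
    """A row of the `users` table.

    The per-user `token` is what flask-login stores in the session (get_id),
    so rotating a token in the database logs that user out everywhere.
    """

    def __init__(self, id, name, passwd, token):
        self.id = id
        self.name = name
        self.passwd = passwd  # werkzeug password hash, never the plaintext
        self.token = token

    def get_id(self):
        return self.token

    def set_password(self, passwd):
        self.passwd = generate_password_hash(passwd)
        # ^TODO: store changes to database

    def check_password(self, passwd):
        return check_password_hash(self.passwd, passwd)

    @classmethod
    def _load(cls, column, value):
        """Fetch one user by *column* ('id', 'name' or 'token'); None if absent."""
        # The column name comes from the three constructors below, never from
        # request data; the looked-up value is still a bound parameter.
        assert column in ('id', 'name', 'token')
        with _db_cursor() as c:
            c.execute(f"SELECT id, name, password, token FROM users WHERE {column} = ?", (value,))
            row = c.fetchone()
        if row is None:
            return None
        return cls(*row)

    @classmethod
    def from_id(cls, id):
        return cls._load('id', id)

    @classmethod
    def from_name(cls, name):
        return cls._load('name', name)

    @classmethod
    def from_token(cls, token):
        return cls._load('token', token)


@login.user_loader
def load_user(token):
    # in the future tokens will be invalidable by users. -> https://flask-login.readthedocs.io/en/latest/#alternative-tokens
    return User.from_token(token)


@login.request_loader
def querytoken_auth(request):
    """Authenticate API-style requests carrying `?token=`.

    Caveat: a credential in the query string lands in access logs, browser
    history and Referer headers; treat these tokens as rotatable.
    """
    if request.args.get('token'):
        return User.from_token(request.args.get('token'))
    return None


# CSRF protection: outgoing HTML responses get a hidden `csrf` input injected
# into every form, and every POST must carry it back. The token is a random
# per-session value kept in the signed session cookie. (It used to be an HMAC
# of the client IP, which is the same for everyone behind one NAT or reverse
# proxy - i.e. no protection at all in the deployment the TODO describes.)
# TODO:
# - don't use regex for injecting
# - inject a http header into all responses (that could be used by apis)
# - allow csrf token to be passed in http header, json, ...
# - a decorator on routes to opt out of verification or output munging
_CSRF_FIELD = 'csrf'
# match form tags with any number of attributes and any type of quotes
_FORM_TAG_RE = re.compile(rb'''(<[Ff][Oo][Rr][Mm](\s+[a-zA-Z0-9-]+(=(\w*|'[^']*'|"[^"]*"))?)*>)''')


def _csrf_token():
    """Return this session's CSRF token, minting one on first use."""
    token = session.get(_CSRF_FIELD)
    if not token:
        token = secrets.token_urlsafe(32)
        session[_CSRF_FIELD] = token
    return token


@app.after_request
def add_csrf_protection(response):
    """Append a hidden csrf input right after every <form ...> tag in HTML responses."""
    if response.mimetype != "text/html" or response.direct_passthrough:
        return response
    # token_urlsafe() output is [A-Za-z0-9_-], so it needs no HTML escaping.
    token = _csrf_token().encode('ascii')
    hidden = rb'<input type="hidden" name="csrf" value="' + token + rb'">'
    response.set_data(_FORM_TAG_RE.sub(rb'\g<1>' + hidden, response.get_data()))
    return response


@app.before_request
def verify_csrf_protection():
    """Reject POSTs whose csrf field does not match the session token; strip it otherwise."""
    if request.method != "POST":
        return None
    submitted = (request.form.get(_CSRF_FIELD) or '').encode('utf-8')
    expected = (session.get(_CSRF_FIELD) or '').encode('utf-8')
    # compare_digest: a plain != leaks the first mismatching position via timing.
    if not expected or not hmac.compare_digest(submitted, expected):
        return "CSRF validation failed!", 400
    request.form = request.form.copy()  # make it mutable
    request.form.poplist(_CSRF_FIELD)  # remove our csrf again so handlers see only their own fields
    return None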
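@app.template_filter('format_date')
def format_date(s):
    """Jinja filter: render an ISO-8601 date(time) string as e.g. "3 May".

    Accepts "YYYY-MM-DD", optionally followed by a time separated from the
    date by either a space or 'T'. Input that does not parse is returned
    unchanged instead of aborting the whole page render (the previous
    version raised ValueError / IndexError into the template).
    """
    months = '_ Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split()
    try:
        date_part = s.split('T')[0].split(' ')[0]
        _year, month, day = (int(n) for n in date_part.split('-'))
        return f"{day} {months[month]}"
    except (AttributeError, ValueError, IndexError):
        return s


if __name__ == '__main__':
    # debug=True enables the Werkzeug interactive debugger, which is remote
    # code execution for anyone who can reach the port. Development only;
    # never bind this entry point to a network-reachable address.
    app.run(debug=True)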