# "Invidious" (which is an alternative front-end to YouTube)
# Copyright (C) 2019 Omar Roth
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

require "digest/md5"
require "file_utils"
require "kemal"
require "athena-negotiation"
require "openssl/hmac"
require "option_parser"
require "pg"
require "sqlite3"
require "xml"
require "yaml"
require "compress/zip"
require "protodec/utils"
require "./invidious/helpers/*"
require "./invidious/*"
require "./invidious/channels/*"
require "./invidious/routes/**"
require "./invidious/jobs/**"

# Process-wide configuration, loaded once at startup (see Config in ./invidious/*).
CONFIG = Config.load

# Key used to sign CSRF form tokens (generate_response / validate_request in the
# route handlers below) and handed to SubscribeToFeedsJob for PubSubHubbub
# callbacks. When `hmac_key` is not set in the config a fresh random key is
# generated on every start, so every outstanding token is invalidated by a
# restart and separate instances sharing one database will not accept each
# other's tokens. Set `hmac_key` explicitly for any production deployment.
HMAC_KEY = CONFIG.hmac_key || Random::Secure.hex(32)

# Shared PostgreSQL connection (pool) for the whole process.
PG_DB = DB.open CONFIG.database_url

ARCHIVE_URL     = URI.parse("https://archive.org")
LOGIN_URL       = URI.parse("https://accounts.google.com")
PUBSUB_URL      = URI.parse("https://pubsubhubbub.appspot.com")
REDDIT_URL      = URI.parse("https://www.reddit.com")
TEXTCAPTCHA_URL = URI.parse("https://textcaptcha.com")
YT_URL          = URI.parse("https://www.youtube.com")
HOST_URL        = make_host_url(Kemal.config)

# Alphabet of the URL-safe base64 variant (no padding). Presumably used by the
# helpers to validate/generate ids and tokens — confirm against callers.
CHARS_SAFE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Known video ids; assumed to be used by the decrypt-function/health checks — verify.
TEST_IDS = {"AgbeGFYluEA", "BaW_jenozKc", "a9LDPn-MO4I", "ddFvjfvPnqk", "iqKdEhx-dD4"}

MAX_ITEMS_PER_PAGE = 1500

# Header allow/deny lists. Not consumed in this file; presumably applied by the
# proxy routes generated via the define_*_routes macros below: only the
# whitelisted request headers are forwarded upstream and the blacklisted
# upstream response headers are stripped before they reach the client — confirm.
REQUEST_HEADERS_WHITELIST  = {"accept", "accept-encoding", "cache-control", "content-length", "if-none-match", "range"}
RESPONSE_HEADERS_BLACKLIST = {"access-control-allow-origin", "alt-svc", "server"}
HTTP_CHUNK_SIZE            = 10485760 # ~10MB
# Build metadata. The `{{ }}` macro blocks run these shell commands at COMPILE
# time on the build machine and bake the results into the binary; git is not
# needed at runtime.
CURRENT_BRANCH  = {{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}
CURRENT_COMMIT  = {{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}
CURRENT_VERSION = {{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}

# This is used to determine the `?v=` on the end of file URLs (for cache busting). We
# only need to expire modified assets, so we can use this to find the last commit that changes
# any assets
ASSET_COMMIT = {{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}

# Exposed through `--version` and handed to StatisticsRefreshJob.
SOFTWARE = {
  "name"    => "invidious",
  "version" => "#{CURRENT_VERSION}-#{CURRENT_COMMIT}",
  "branch"  => "#{CURRENT_BRANCH}",
}

# Outbound connection pool for every request this process makes to YouTube.
YT_POOL = YoutubeConnectionPool.new(YT_URL, capacity: CONFIG.pool_size, timeout: 2.0, use_quic: CONFIG.use_quic)

# CLI
# Command-line flags override the corresponding CONFIG values before anything
# below reads them.
Kemal.config.extra_options do |parser|
  parser.banner = "Usage: invidious [arguments]"

  parser.on("-c THREADS", "--channel-threads=THREADS", "Number of threads for refreshing channels (default: #{CONFIG.channel_threads})") do |number|
    begin
      # String#to_i raises ArgumentError on non-numeric input; that is what the
      # rescue below catches. NOTE(review): `exit` here returns status 0 even
      # though this is an argument error.
      CONFIG.channel_threads = number.to_i
    rescue ex
      puts "THREADS must be integer"
      exit
    end
  end

  parser.on("-f THREADS", "--feed-threads=THREADS", "Number of threads for refreshing feeds (default: #{CONFIG.feed_threads})") do |number|
    begin
      CONFIG.feed_threads = number.to_i
    rescue ex
      puts "THREADS must be integer"
      exit
    end
  end

  parser.on("-o OUTPUT", "--output=OUTPUT", "Redirect output (default: #{CONFIG.output})") do |output|
    CONFIG.output = output
  end

  # LogLevel.parse raises on an unknown level name (uncaught here).
  parser.on("-l LEVEL", "--log-level=LEVEL", "Log level, one of #{LogLevel.values} (default: #{CONFIG.log_level})") do |log_level|
    CONFIG.log_level = LogLevel.parse(log_level)
  end

  parser.on("-v", "--version", "Print version") do
    puts SOFTWARE.to_pretty_json
    exit
  end
end

Kemal::CLI.new ARGV

# Log destination: STDOUT, or a file opened in append mode (its directory is
# created first). The comparison is case-insensitive.
if CONFIG.output.upcase != "STDOUT"
  FileUtils.mkdir_p(File.dirname(CONFIG.output))
end
OUTPUT = CONFIG.output.upcase == "STDOUT" ? STDOUT : File.open(CONFIG.output, mode: "a")
LOGGER = Invidious::LogHandler.new(OUTPUT, CONFIG.log_level)

# Check table integrity
# Optional startup sanity check that the schema matches the model structs.
if CONFIG.check_tables
  check_enum(PG_DB, "privacy", PlaylistPrivacy)

  check_table(PG_DB, "channels", InvidiousChannel)
  check_table(PG_DB, "channel_videos", ChannelVideo)
  check_table(PG_DB, "playlists", InvidiousPlaylist)
  check_table(PG_DB, "playlist_videos", PlaylistVideo)
  check_table(PG_DB, "nonces", Nonce)
  check_table(PG_DB, "session_ids", SessionId)
  check_table(PG_DB, "users", User)
  check_table(PG_DB, "videos", Video)

  if CONFIG.cache_annotations
    check_table(PG_DB, "annotations", Annotation)
  end
end

# Resolve player dependencies. This is done at compile time.
#
# Running the script by itself would show some colorful feedback while this doesn't.
# Perhaps we should just move the script to runtime in order to get that feedback?
{% puts "\nChecking player dependencies...\n" %}
{% if flag?(:minified_player_dependencies) %}
  {% run("../scripts/fetch-player-dependencies.cr", "--minified") %}
{% else %}
  {% run("../scripts/fetch-player-dependencies.cr") %}
{% end %}
{% puts "Done!\n" %}

# Start jobs
# Background jobs are registered here and started together further down
# (Invidious::Jobs.start_all), each gated on its config switch.
if CONFIG.channel_threads > 0
  Invidious::Jobs.register Invidious::Jobs::RefreshChannelsJob.new(PG_DB)
end

if CONFIG.feed_threads > 0
  Invidious::Jobs.register Invidious::Jobs::RefreshFeedsJob.new(PG_DB)
end

# Signature-decipher function fetched from YouTube's player; the job keeps it
# fresh when polling is enabled.
DECRYPT_FUNCTION = DecryptFunction.new(CONFIG.decrypt_polling)
if CONFIG.decrypt_polling
  Invidious::Jobs.register Invidious::Jobs::UpdateDecryptFunctionJob.new
end

if CONFIG.statistics_enabled
  Invidious::Jobs.register Invidious::Jobs::StatisticsRefreshJob.new(PG_DB, SOFTWARE)
end

# `use_pubsub_feeds` may be a Bool or an Int32 (a positive count enables it).
# The job receives HMAC_KEY to sign/verify PubSubHubbub callback tokens.
if (CONFIG.use_pubsub_feeds.is_a?(Bool) && CONFIG.use_pubsub_feeds.as(Bool)) || (CONFIG.use_pubsub_feeds.is_a?(Int32) && CONFIG.use_pubsub_feeds.as(Int32) > 0)
  Invidious::Jobs.register Invidious::Jobs::SubscribeToFeedsJob.new(PG_DB, HMAC_KEY)
end

if CONFIG.popular_enabled
  Invidious::Jobs.register Invidious::Jobs::PullPopularVideosJob.new(PG_DB)
end

if CONFIG.captcha_key
Invidious::Jobs.register Invidious::Jobs::BypassCaptchaJob.new
end

# Channel carrying PostgreSQL LISTEN/NOTIFY events from the NotificationJob's
# dedicated connection (it opens its own using database_url) to subscribers.
connection_channel = Channel({Bool, Channel(PQ::Notification)}).new(32)
Invidious::Jobs.register Invidious::Jobs::NotificationJob.new(connection_channel, CONFIG.database_url)

Invidious::Jobs.start_all

# Latest result of PullPopularVideosJob (a shared, job-maintained value).
def popular_videos
  Invidious::Jobs::PullPopularVideosJob::POPULAR_VIDEOS.get
end

# Runs before every route: resolves the effective Preferences, sets the
# security headers, resolves the session (SID cookie) into "user"/"sid"/
# "csrf_token" env entries, and records a sanitised "current_page" for
# templates. Media/proxy paths short-circuit before the session lookup.
before_all do |env|
  preferences = Preferences.from_json("{}")

  # Preferences come from the PREFS cookie (client-controlled JSON). Any parse
  # error falls back to defaults rather than failing the request.
  begin
    if prefs_cookie = env.request.cookies["PREFS"]?
      preferences = Preferences.from_json(URI.decode_www_form(prefs_cookie.value))
    else
      # No cookie: pick the locale from Accept-Language among the known LOCALES.
      if language_header = env.request.headers["Accept-Language"]?
        if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
          preferences.locale = language.header
        end
      end
    end
  rescue
    preferences = Preferences.from_json("{}")
  end

  env.set "preferences", preferences

  # NOTE(review): "1; mode=block" is the legacy opt-in for the browser XSS
  # auditor, which current browsers no longer ship; the usual recommendation
  # today is "0" (rely on the CSP below). Left unchanged here.
  env.response.headers["X-XSS-Protection"] = "1; mode=block"
  env.response.headers["X-Content-Type-Options"] = "nosniff"

  # Allow media resources to be loaded from google servers
  # TODO: check if *.youtube.com can be removed
  # Only widened when the instance does not proxy media itself ("local"
  # disabled server-side or off in the user's preferences).
  if CONFIG.disabled?("local") || !preferences.local
    extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
  else
    extra_media_csp = ""
  end

  # Only allow the pages at /embed/* to be embedded
  # Everything else gets frame-ancestors 'none' (clickjacking protection).
  if env.request.resource.starts_with?("/embed")
    frame_ancestors = "'self' http: https:"
  else
    frame_ancestors = "'none'"
  end

  # TODO: Remove style-src's 'unsafe-inline', requires to remove all
  # inline styles (<style>, style=" [..] ")
  env.response.headers["Content-Security-Policy"] = {
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "font-src 'self' data:",
    "connect-src 'self'",
    "manifest-src 'self'",
    "media-src 'self' blob:" + extra_media_csp,
    "child-src 'self' blob:",
    "frame-src 'self'",
    "frame-ancestors " + frame_ancestors,
  }.join("; ")

  env.response.headers["Referrer-Policy"] = "same-origin"

  # Ask the chrom*-based browsers to disable FLoC
  # See: https://blog.runcloud.io/google-floc/
  env.response.headers["Permissions-Policy"] = "interest-cohort=()"

  # HSTS only when the instance actually serves (or enforces) HTTPS, so a
  # plain-HTTP dev instance never poisons the browser's HSTS cache.
  if (Kemal.config.ssl || CONFIG.https_only) && CONFIG.hsts
    env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
  end

  # Media/proxy endpoints get the headers above but skip the per-request
  # session lookup (no DB round-trip per thumbnail or video chunk).
  next if {
            "/sb/",
            "/vi/",
            "/s_p/",
            "/yts/",
            "/ggpht/",
            "/api/manifest/",
            "/videoplayback",
            "/latest_version",
          }.any? { |r| env.request.resource.starts_with? r }

  if env.request.cookies.has_key? "SID"
    sid = env.request.cookies["SID"].value

    # API access tokens (prefixed "v1:") must not be usable as a browser session.
    if sid.starts_with? "v1:"
      raise "Cannot use token as SID"
    end

    # Invidious users only have SID
    if !env.request.cookies.has_key? "SSID"
      # Local account: SID is looked up in session_ids (parameterised query).
      if email = PG_DB.query_one?("SELECT email FROM session_ids WHERE id = $1", sid, as: String)
        user = PG_DB.query_one("SELECT * FROM users WHERE email = $1", email, as: User)
        # HMAC-signed CSRF token bound to this session and valid for one week;
        # the ":"-prefixed names are presumably the form routes it is accepted
        # on (see generate_response / validate_request) — confirm.
        csrf_token = generate_response(sid, {
          ":authorize_token",
          ":playlist_ajax",
          ":signout",
          ":subscription_ajax",
          ":token_ajax",
          ":watch_ajax",
        }, HMAC_KEY, PG_DB, 1.week)

        # A logged-in user's stored preferences override the PREFS cookie.
        preferences = user.preferences
        env.set "preferences", preferences

        env.set "sid", sid
        env.set "csrf_token", csrf_token
        env.set "user", user
      end
    else
      # Google-account session (SID + SSID): the browser's cookies are forwarded
      # to get_user to resolve/refresh the account.
      headers = HTTP::Headers.new
      headers["Cookie"] = env.request.headers["Cookie"]

      begin
        user, sid = get_user(sid, headers, PG_DB, false)
        csrf_token = generate_response(sid, {
          ":authorize_token",
          ":playlist_ajax",
          ":signout",
          ":subscription_ajax",
          ":token_ajax",
          ":watch_ajax",
        }, HMAC_KEY, PG_DB, 1.week)

        preferences = user.preferences
        env.set "preferences", preferences

        env.set "sid", sid
        env.set "csrf_token", csrf_token
        env.set "user", user
      rescue ex
        # Best effort: a failed lookup leaves the request anonymous.
      end
    end
  end

  # Per-request overrides from the query string. `hl` is only ever used as a
  # key into LOCALES, so an unknown value simply yields no locale.
  dark_mode = convert_theme(env.params.query["dark_mode"]?) || preferences.dark_mode.to_s
  thin_mode = env.params.query["thin_mode"]? || preferences.thin_mode.to_s
  thin_mode = thin_mode == "true"
  locale = env.params.query["hl"]? || preferences.locale

  preferences.dark_mode = dark_mode
  preferences.thin_mode = thin_mode
  preferences.locale = locale
  env.set "preferences", preferences

  # "current_page" is the path+query used for post-login redirects. A `referer`
  # query value is passed through get_referer so the stored page never carries
  # an off-site redirect target.
  current_page = env.request.path
  if env.request.query
    query = HTTP::Params.parse(env.request.query.not_nil!)

    if query["referer"]?
      query["referer"] = get_referer(env, "/")
    end

    current_page += "?#{query}"
  end

  env.set "current_page", URI.encode_www_form(current_page)
end

Invidious::Routing.get "/", Invidious::Routes::Misc, :home
Invidious::Routing.get "/privacy", Invidious::Routes::Misc, :privacy
Invidious::Routing.get "/licenses", Invidious::Routes::Misc, :licenses

Invidious::Routing.get "/channel/:ucid", Invidious::Routes::Channels, :home
Invidious::Routing.get "/channel/:ucid/home", Invidious::Routes::Channels, :home
Invidious::Routing.get "/channel/:ucid/videos", Invidious::Routes::Channels, :videos
Invidious::Routing.get "/channel/:ucid/playlists", Invidious::Routes::Channels, :playlists
Invidious::Routing.get "/channel/:ucid/community", Invidious::Routes::Channels, :community
Invidious::Routing.get "/channel/:ucid/about", Invidious::Routes::Channels, :about

["", "/videos", "/playlists", "/community", "/about"].each do |path|
  # /c/LinusTechTips
  Invidious::Routing.get "/c/:user#{path}", Invidious::Routes::Channels, :brand_redirect
  # /user/linustechtips | Not always the same as /c/
  Invidious::Routing.get "/user/:user#{path}", Invidious::Routes::Channels, :brand_redirect
  # /attribution_link?a=anything&u=/channel/UCZYTClx2T1of7BRZ86-8fow
  Invidious::Routing.get "/attribution_link#{path}", Invidious::Routes::Channels, :brand_redirect
  # /profile?user=linustechtips
  Invidious::Routing.get "/profile/#{path}", Invidious::Routes::Channels, :profile
end

Invidious::Routing.get "/watch", Invidious::Routes::Watch, :handle
Invidious::Routing.get "/watch/:id", Invidious::Routes::Watch, :redirect
Invidious::Routing.get "/shorts/:id", Invidious::Routes::Watch, :redirect
Invidious::Routing.get "/w/:id", Invidious::Routes::Watch, :redirect
Invidious::Routing.get "/v/:id", Invidious::Routes::Watch, :redirect
Invidious::Routing.get "/e/:id", Invidious::Routes::Watch, :redirect
Invidious::Routing.get "/redirect", Invidious::Routes::Misc, :cross_instance_redirect

Invidious::Routing.get "/embed/",
Invidious::Routes::Embed, :redirect
Invidious::Routing.get "/embed/:id", Invidious::Routes::Embed, :show

# Playlists. The GET pages render confirmation forms; the state-changing
# actions are POST-only (and validate the CSRF token in their handlers).
Invidious::Routing.get "/create_playlist", Invidious::Routes::Playlists, :new
Invidious::Routing.post "/create_playlist", Invidious::Routes::Playlists, :create
Invidious::Routing.get "/subscribe_playlist", Invidious::Routes::Playlists, :subscribe
Invidious::Routing.get "/delete_playlist", Invidious::Routes::Playlists, :delete_page
Invidious::Routing.post "/delete_playlist", Invidious::Routes::Playlists, :delete
Invidious::Routing.get "/edit_playlist", Invidious::Routes::Playlists, :edit
Invidious::Routing.post "/edit_playlist", Invidious::Routes::Playlists, :update
Invidious::Routing.get "/add_playlist_items", Invidious::Routes::Playlists, :add_playlist_items_page
Invidious::Routing.post "/playlist_ajax", Invidious::Routes::Playlists, :playlist_ajax
Invidious::Routing.get "/playlist", Invidious::Routes::Playlists, :show
Invidious::Routing.get "/mix", Invidious::Routes::Playlists, :mix

# Search
Invidious::Routing.get "/opensearch.xml", Invidious::Routes::Search, :opensearch
Invidious::Routing.get "/results", Invidious::Routes::Search, :results
Invidious::Routing.get "/search", Invidious::Routes::Search, :search

# Authentication and preferences
Invidious::Routing.get "/login", Invidious::Routes::Login, :login_page
Invidious::Routing.post "/login", Invidious::Routes::Login, :login
Invidious::Routing.post "/signout", Invidious::Routes::Login, :signout

Invidious::Routing.get "/preferences", Invidious::Routes::PreferencesRoute, :show
Invidious::Routing.post "/preferences", Invidious::Routes::PreferencesRoute, :update
Invidious::Routing.get "/toggle_theme", Invidious::Routes::PreferencesRoute, :toggle_theme

# Feeds
Invidious::Routing.get "/view_all_playlists", Invidious::Routes::Feeds, :view_all_playlists_redirect
Invidious::Routing.get "/feed/playlists", Invidious::Routes::Feeds, :playlists
Invidious::Routing.get "/feed/popular", Invidious::Routes::Feeds, :popular
Invidious::Routing.get "/feed/trending",
Invidious::Routes::Feeds, :trending
Invidious::Routing.get "/feed/subscriptions", Invidious::Routes::Feeds, :subscriptions
Invidious::Routing.get "/feed/history", Invidious::Routes::Feeds, :history

# RSS Feeds
Invidious::Routing.get "/feed/channel/:ucid", Invidious::Routes::Feeds, :rss_channel
Invidious::Routing.get "/feed/private", Invidious::Routes::Feeds, :rss_private
Invidious::Routing.get "/feed/playlist/:plid", Invidious::Routes::Feeds, :rss_playlist
Invidious::Routing.get "/feeds/videos.xml", Invidious::Routes::Feeds, :rss_videos

# Support push notifications via PubSubHubbub
Invidious::Routing.get "/feed/webhook/:token", Invidious::Routes::Feeds, :push_notifications_get
Invidious::Routing.post "/feed/webhook/:token", Invidious::Routes::Feeds, :push_notifications_post

# API routes (macro)
define_v1_api_routes()

# Video playback (macros)
define_api_manifest_routes()
define_video_playback_routes()

# Users

# Marks a video as watched/unwatched for the logged-in user.
# Query: id (required), action_mark_watched | action_mark_unwatched, redirect
# ("true" by default: redirect back to the referer, otherwise answer JSON).
# Body: csrf_token, checked by validate_request against HMAC_KEY and the
# session before anything is written.
post "/watch_ajax" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env, "/feed/subscriptions")

  redirect = env.params.query["redirect"]?
  redirect ||= "true"
  redirect = redirect == "true"

  if !user
    if redirect
      next env.redirect referer
    else
      next error_json(403, "No such user")
    end
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?

  # A missing id is answered with a bare 400 (no body) before CSRF validation.
  id = env.params.query["id"]?
  if !id
    env.response.status_code = 400
    next
  end

  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    if redirect
      next error_template(400, ex)
    else
      next error_json(400, ex)
    end
  end

  if env.params.query["action_mark_watched"]?
    action = "action_mark_watched"
  elsif env.params.query["action_mark_unwatched"]?
    action = "action_mark_unwatched"
  else
    next env.redirect referer
  end

  # `id` is stored as given (parameterised, so no SQL risk); its format is not
  # validated here.
  case action
  when "action_mark_watched"
    if !user.watched.includes? id
      PG_DB.exec("UPDATE users SET watched = array_append(watched, $1) WHERE email = $2", id, user.email)
    end
  when "action_mark_unwatched"
    PG_DB.exec("UPDATE users SET watched = array_remove(watched, $1) WHERE email = $2", id, user.email)
  else
    next error_json(400, "Unsupported action #{action}")
  end

  if redirect
    env.redirect referer
  else
    env.response.content_type = "application/json"
    "{}"
  end
end

# /modify_notifications
# will "ding" all subscriptions.
# /modify_notifications?receive_all_updates=false&receive_no_updates=false
# will "unding" all subscriptions.
#
# Only does anything for Google-account users (no local password): it replays
# the browser's Google cookies to YouTube and updates the notification
# preference of every subscribed channel.
# NOTE(review): this is a GET with side effects and, unlike the POST handlers
# in this file, does not call validate_request — a cross-site link can trigger
# it for a logged-in Google user. Consider making it POST + CSRF-checked.
get "/modify_notifications" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env, "/")

  redirect = env.params.query["redirect"]?
  redirect ||= "false"
  redirect = redirect == "true"

  if !user
    if redirect
      next env.redirect referer
    else
      next error_json(403, "No such user")
    end
  end

  user = user.as(User)

  if !user.password
    channel_req = {} of String => String

    channel_req["receive_all_updates"] = env.params.query["receive_all_updates"]? || "true"
    channel_req["receive_no_updates"] = env.params.query["receive_no_updates"]? || ""
    channel_req["receive_post_updates"] = env.params.query["receive_post_updates"]? || "true"

    # Only literal "true"/"false" values are forwarded upstream.
    channel_req.reject! { |k, v| v != "true" && v != "false" }

    headers = HTTP::Headers.new
    headers["Cookie"] = env.request.headers["Cookie"]

    html = YT_POOL.client &.get("/subscription_manager?disable_polymer=1", headers)

    # Merge the session cookies YouTube set on that response into the cookie
    # jar used for the follow-up POSTs.
    cookies = HTTP::Cookies.from_client_headers(headers)
    html.cookies.each do |cookie|
      if {"VISITOR_INFO1_LIVE", "YSC", "SIDCC"}.includes? cookie.name
        if cookies[cookie.name]?
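cookies[cookie.name] = cookie
        else
          cookies << cookie
        end
      end
    end
    headers = cookies.add_request_headers(headers)

    # Named group restored: the lookup below reads match["session_token"].
    # Without the page's XSRF token YouTube rejects the preference updates, so
    # bail out to the referer.
    if match = html.body.match(/'XSRF_TOKEN': "(?<session_token>[^"]+)"/)
      session_token = match["session_token"]
    else
      next env.redirect referer
    end

    headers["content-type"] = "application/x-www-form-urlencoded"
    channel_req["session_token"] = session_token

    subs = XML.parse_html(html.body)
    subs.xpath_nodes(%q(//a[@class="subscription-title yt-uix-sessionlink"]/@href)).each do |channel|
      # lchop removes the literal "/channel/" prefix. The previous lstrip
      # stripped any leading run of the characters '/', 'c', 'h', 'a', 'n',
      # 'e', 'l' instead, which only worked because ids start with "UC".
      channel_id = channel.content.lchop("/channel/")
      channel_req["channel_id"] = channel_id

      YT_POOL.client &.post("/subscription_ajax?action_update_subscription_preferences=1", headers, form: channel_req)
    end
  end

  if redirect
    env.redirect referer
  else
    env.response.content_type = "application/json"
    "{}"
  end
end

# Subscribes the logged-in user to / unsubscribes them from a channel.
# Query: c (channel id), action_create_subscription_to_channel=1 or
# action_remove_subscriptions=1, redirect ("true" by default).
# Body: csrf_token, validated before any change.
post "/subscription_ajax" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env, "/")

  redirect = env.params.query["redirect"]?
  redirect ||= "true"
  redirect = redirect == "true"

  if !user
    if redirect
      next env.redirect referer
    else
      next error_json(403, "No such user")
    end
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?

  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    if redirect
      next error_template(400, ex)
    else
      next error_json(400, ex)
    end
  end

  if env.params.query["action_create_subscription_to_channel"]?.try &.to_i?.try &.== 1
    action = "action_create_subscription_to_channel"
  elsif env.params.query["action_remove_subscriptions"]?.try &.to_i?.try &.== 1
    action = "action_remove_subscriptions"
  else
    next env.redirect referer
  end

  # Untrusted: whatever the client sent (empty string if absent). It is stored
  # verbatim below, so anything that later uses users.subscriptions must treat
  # the ids as untrusted strings.
  channel_id = env.params.query["c"]?
  channel_id ||= ""

  if !user.password
    # Sync subscriptions with YouTube
    subscribe_ajax(channel_id, action, env.request.headers)
  end

  email = user.email

  case action
  when "action_create_subscription_to_channel"
    if !user.subscriptions.includes? channel_id
      # get_channel presumably resolves the channel (and raises for a bogus
      # id) before it is persisted; if it does not, add an explicit
      # UC[a-zA-Z0-9_-]{22} check here — confirm against its definition.
      get_channel(channel_id, PG_DB, false, false)
      PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = array_append(subscriptions, $1) WHERE email = $2", channel_id, email)
    end
  when "action_remove_subscriptions"
    PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = array_remove(subscriptions, $1) WHERE email = $2", channel_id, email)
  else
    next error_json(400, "Unsupported action #{action}")
  end

  if redirect
    env.redirect referer
  else
    env.response.content_type = "application/json"
    "{}"
  end
end

# Subscription manager page, doubling as the account export endpoint.
# Query: action_takeout=1 exports instead of rendering; format selects
# "json" (subscriptions, watch history, preferences, playlists), "newpipe"
# (OPML with youtube.com feed URLs) or anything else (OPML with this
# instance's feed URLs). Exports are served as attachments.
get "/subscription_manager" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)

  if !user.password
    # Refresh account
    headers = HTTP::Headers.new
    headers["Cookie"] = env.request.headers["Cookie"]

    user, sid = get_user(sid, headers, PG_DB)
  end

  action_takeout = env.params.query["action_takeout"]?.try &.to_i?
  action_takeout ||= 0
  action_takeout = action_takeout == 1

  format = env.params.query["format"]?
  format ||= "rss"

  # Bind the id list as a single array parameter. The previous code built a
  # `VALUES ('id'),('id')` list by string interpolation; the ids come from
  # user-controlled input (/subscription_ajax?c= above and the importers in
  # /data_control below), so that was an SQL-injection path. Binding handles
  # the empty list as well (ANY of an empty array matches nothing).
  subscriptions = PG_DB.query_all("SELECT * FROM channels WHERE id = ANY($1)", user.subscriptions, as: InvidiousChannel)
  subscriptions.sort_by! { |channel| channel.author.downcase }

  if action_takeout
    if format == "json"
      env.response.content_type = "application/json"
      env.response.headers["content-disposition"] = "attachment"
      playlists = PG_DB.query_all("SELECT * FROM playlists WHERE author = $1 AND id LIKE 'IV%' ORDER BY created", user.email, as: InvidiousPlaylist)

      next JSON.build do |json|
        json.object do
          json.field "subscriptions", user.subscriptions
          json.field "watch_history", user.watched
          json.field "preferences", user.preferences
          json.field "playlists" do
            json.array do
              playlists.each do |playlist|
                json.object do
                  json.field "title", playlist.title
                  json.field "description", html_to_content(playlist.description_html)
                  json.field "privacy", playlist.privacy.to_s
                  json.field "videos" do
                    json.array do
                      # Capped at 500 videos per playlist; the importer below
                      # enforces the same limit.
                      PG_DB.query_all("SELECT id FROM playlist_videos WHERE plid = $1 ORDER BY array_position($2, index) LIMIT 500", playlist.id, playlist.index, as: String).each do |video_id|
                        json.string video_id
                      end
                    end
                  end
                end
              end
            end
          end
        end
      end
    else
      env.response.content_type = "application/xml"
      env.response.headers["content-disposition"] = "attachment"
      # XML.build escapes attribute values, so channel titles cannot break the
      # document.
      export = XML.build do |xml|
        xml.element("opml", version: "1.1") do
          xml.element("body") do
            if format == "newpipe"
              title = "YouTube Subscriptions"
            else
              title = "Invidious Subscriptions"
            end

            xml.element("outline", text: title, title: title) do
              subscriptions.each do |channel|
                if format == "newpipe"
                  xmlUrl = "https://www.youtube.com/feeds/videos.xml?channel_id=#{channel.id}"
                else
                  xmlUrl = "#{HOST_URL}/feed/channel/#{channel.id}"
                end

                xml.element("outline", text: channel.author, title: channel.author, "type": "rss", xmlUrl: xmlUrl)
              end
            end
          end
        end
      end

      # NOTE(review): this literal looks extraction-damaged in the copy under
      # review (something between `%(` and `\n` — presumably the XML
      # declaration — is missing); confirm against upstream.
      next export.gsub(%(\n), "")
    end
  end

  templated "subscription_manager"
end

# Import page (form only; the work happens in the POST handler below).
get "/data_control" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)

  templated "data_control"
end

# Imports subscriptions / history / preferences / playlists from an uploaded
# file. Multipart parts are dispatched on their field name: import_invidious
# (JSON export from this app), import_youtube, import_newpipe_subscriptions
# (NewPipe JSON) and import_newpipe (NewPipe zip containing newpipe.db).
# Everything in the upload is untrusted; every write below is parameterised.
# An anonymous request is silently redirected. No CSRF token is checked on
# this POST (unlike the other state-changing handlers) — worth confirming
# whether that is intentional.
post "/data_control" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  referer = get_referer(env)

  if user
    user = user.as(User)

    # TODO: Find a way to prevent browser timeout

    HTTP::FormData.parse(env.request) do |part|
      # Whole part is read into memory; there is no size limit here.
      body = part.body.gets_to_end
      next if body.empty?

      # TODO: Unify into single import based on content-type
      case part.name
      when "import_invidious"
        body = JSON.parse(body)

        if body["subscriptions"]?
          user.subscriptions += body["subscriptions"].as_a.map { |a| a.as_s }
          user.subscriptions.uniq!

          user.subscriptions = get_batch_channels(user.subscriptions, PG_DB, false, false)

          PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = $1 WHERE email = $2", user.subscriptions, user.email)
        end

        if body["watch_history"]?
          user.watched += body["watch_history"].as_a.map { |a| a.as_s }
          user.watched.uniq!
          PG_DB.exec("UPDATE users SET watched = $1 WHERE email = $2", user.watched, user.email)
        end

        if body["preferences"]?
          user.preferences = Preferences.from_json(body["preferences"].to_json)
          PG_DB.exec("UPDATE users SET preferences = $1 WHERE email = $2", user.preferences.to_json, user.email)
        end

        if playlists = body["playlists"]?.try &.as_a?
          playlists.each do |item|
            # Angle brackets are stripped from titles; entries missing any of
            # title/description/privacy (or with an unknown privacy) are skipped.
            title = item["title"]?.try &.as_s?.try &.delete("<>")
            description = item["description"]?.try &.as_s?.try &.delete("\r")
            privacy = item["privacy"]?.try &.as_s?.try { |privacy| PlaylistPrivacy.parse? privacy }

            next if !title
            next if !description
            next if !privacy

            playlist = create_playlist(PG_DB, title, privacy, user)
            PG_DB.exec("UPDATE playlists SET description = $1 WHERE id = $2", description, playlist.id)

            item["videos"]?.try &.as_a?.try &.each_with_index do |video_id, idx|
              # idx is zero-based, so the 501st entry has idx == 500. The previous
              # `idx > 500` let 501 videos through, one more than the export
              # above (LIMIT 500) and than the message promises.
              raise InfoException.new("Playlist cannot have more than 500 videos") if idx >= 500

              video_id = video_id.try &.as_s?
              next if !video_id

              # Unknown/unavailable videos are skipped rather than aborting
              # the whole import.
              begin
                video = get_video(video_id, PG_DB)
              rescue ex
                next
              end

              playlist_video = PlaylistVideo.new({
                title:          video.title,
                id:             video.id,
                author:         video.author,
                ucid:           video.ucid,
                length_seconds: video.length_seconds,
                published:      video.published,
                plid:           playlist.id,
                live_now:       video.live_now,
                index:          Random::Secure.rand(0_i64..Int64::MAX),
              })

              # arg_array presumably yields "$1, $2, ..." placeholders (the
              # values travel as bound args) — confirm against the helper.
              video_array = playlist_video.to_a
              args = arg_array(video_array)

              PG_DB.exec("INSERT INTO playlist_videos VALUES (#{args})", args: video_array)
              PG_DB.exec("UPDATE playlists SET index = array_append(index, $1), video_count = cardinality(index) + 1, updated = $2 WHERE id = $3", playlist_video.index, Time.utc, playlist.id)
            end
          end
        end
      when "import_youtube"
        # NOTE(review): this branch is extraction-damaged in the copy under
        # review — the format detection and the scan that yields `md` are
        # missing, and what is left does not parse. Restore it from upstream
        # before relying on it; it is left as found rather than guessed at.
        if body[0..4] == "[a-zA-Z0-9_-]{24})"/).map do |md|
          md["channel_id"]
        end

        user.subscriptions.uniq!

        user.subscriptions = get_batch_channels(user.subscriptions, PG_DB, false, false)

        PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = $1 WHERE email = $2", user.subscriptions, user.email)
      when "import_newpipe_subscriptions"
        body = JSON.parse(body)
        # Named groups restored: the lookups read match["channel"] / match["user"].
        user.subscriptions += body["subscriptions"].as_a.compact_map do |channel|
          if match = channel["url"].as_s.match(/\/channel\/(?<channel>UC[a-zA-Z0-9_-]{22})/)
            next match["channel"]
          elsif match = channel["url"].as_s.match(/\/user\/(?<user>.+)/)
            # Legacy /user/ URLs are resolved to a channel id through YouTube's
            # canonical link. `user` is unconstrained (`.+`) and is only ever
            # interpolated into a path on the fixed YT_POOL host.
            response = YT_POOL.client &.get("/user/#{match["user"]}?disable_polymer=1&hl=en&gl=US")
            html = XML.parse_html(response.body)
            ucid = html.xpath_node(%q(//link[@rel="canonical"])).try &.["href"].split("/")[-1]
            next ucid if ucid
          end

          nil
        end
        user.subscriptions.uniq!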
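user.subscriptions = get_batch_channels(user.subscriptions, PG_DB, false, false)

        PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = $1 WHERE email = $2", user.subscriptions, user.email)
      when "import_newpipe"
        # NewPipe export: a zip whose newpipe.db (SQLite) holds the history and
        # subscriptions. The archive and the database inside it are untrusted
        # input; both are fully read into memory with no size limit.
        Compress::Zip::Reader.open(IO::Memory.new(body)) do |file|
          file.each_entry do |entry|
            if entry.filename == "newpipe.db"
              tempfile = File.tempfile(".db")
              db = nil
              # Cleanup is now in `ensure`: previously a failing query (e.g. an
              # upload without the expected tables) left the SQLite handle open
              # and the uploaded file behind in the temp directory.
              begin
                File.write(tempfile.path, entry.io.gets_to_end)
                db = DB.open("sqlite3://" + tempfile.path)

                user.watched += db.query_all("SELECT url FROM streams", as: String).map { |url| url.lchop("https://www.youtube.com/watch?v=") }
                user.watched.uniq!

                PG_DB.exec("UPDATE users SET watched = $1 WHERE email = $2", user.watched, user.email)

                user.subscriptions += db.query_all("SELECT url FROM subscriptions", as: String).map { |url| url.lchop("https://www.youtube.com/channel/") }
                user.subscriptions.uniq!

                user.subscriptions = get_batch_channels(user.subscriptions, PG_DB, false, false)

                PG_DB.exec("UPDATE users SET feed_needs_update = true, subscriptions = $1 WHERE email = $2", user.subscriptions, user.email)
              ensure
                db.try &.close
                tempfile.close
                tempfile.delete
              end
            end
          end
        end
      else
        nil # Ignore
      end
    end
  end

  env.redirect referer
end

# Change-password form. Issues a CSRF token scoped to ":change_password".
get "/change_password" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)

  templated "change_password"
end

# Changes the local account password. Body: csrf_token, password (current),
# new_password[N] (two or more identical copies).
post "/change_password" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?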
# We don't store passwords for Google accounts
  if !user.password
    next error_template(400, "Cannot change password for Google accounts")
  end

  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    next error_template(400, ex)
  end

  # Re-authentication: the current password is required (and verified below)
  # before the new one is accepted. NOTE(review): 401 vs 400 is used
  # inconsistently for validation failures in this handler.
  password = env.params.body["password"]?
  if !password
    next error_template(401, "Password is a required field")
  end

  # All new_password[N] fields must be present at least twice and identical.
  new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v }

  if new_passwords.size <= 1 || new_passwords.uniq.size != 1
    next error_template(400, "New passwords must match")
  end

  new_password = new_passwords.uniq[0]
  if new_password.empty?
    next error_template(401, "Password cannot be empty")
  end

  # 55 bytes is the limit enforced at creation; presumably the maximum the
  # bcrypt implementation in use accepts — confirm. The current password is
  # truncated to the same length for verification so that it matches what
  # was hashed.
  if new_password.bytesize > 55
    next error_template(400, "Password cannot be longer than 55 characters")
  end

  if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
    next error_template(401, "Incorrect password")
  end

  # NOTE(review): other sessions for this account are not revoked after a
  # password change (session_ids is only touched by /delete_account and
  # /token_ajax). Consider deleting the user's other session_ids rows here.
  new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10)
  PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email)

  env.redirect referer
end

# Delete-account confirmation form (CSRF token scoped to ":delete_account").
get "/delete_account" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB)

  templated "delete_account"
end

# Deletes the logged-in account, all of its sessions/tokens and its
# subscriptions view, then expires every cookie the browser sent.
post "/delete_account" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?
begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    next error_template(400, ex)
  end

  # The per-user materialized view is named from a digest of the e-mail, so
  # the interpolation is safe provided sha256 returns a hex string (assumed —
  # confirm against the helper). The three statements are not in a
  # transaction: a failing DROP leaves the user rows already deleted.
  view_name = "subscriptions_#{sha256(user.email)}"
  PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
  PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
  PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")

  # Expire every cookie the client sent (SID, PREFS, ...).
  env.request.cookies.each do |cookie|
    cookie.expires = Time.utc(1990, 1, 1)
    env.response.cookies << cookie
  end

  env.redirect referer
end

# Clear-history confirmation form (CSRF token scoped to ":clear_watch_history").
get "/clear_watch_history" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  csrf_token = generate_response(sid, {":clear_watch_history"}, HMAC_KEY, PG_DB)

  templated "clear_watch_history"
end

# Empties the user's watched array after CSRF validation.
post "/clear_watch_history" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?

  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    next error_template(400, ex)
  end

  PG_DB.exec("UPDATE users SET watched = '{}' WHERE email = $1", user.email)
  env.redirect referer
end

# Token authorization page: shows the requested scopes, callback URL and
# expiry (all from the query string, all client-controlled) for the user to
# confirm; the token itself is only issued by the POST handler below.
get "/authorize_token" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = user.as(User)
  sid = sid.as(String)
  csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, PG_DB)

  scopes = env.params.query["scopes"]?.try &.split(",")
  scopes ||= [] of String

  # Parsed only for display; URI.parse raises on a malformed value (uncaught).
  callback_url = env.params.query["callback_url"]?
  if callback_url
    callback_url = URI.parse(callback_url)
  end

  expire = env.params.query["expire"]?.try &.to_i?
# (end of GET "/authorize_token": render the form)
  templated "authorize_token"
end

# Issues an access token for the signed-in user. With a `callbackUrl` the token
# is delivered by redirect as a `token` query parameter; otherwise it is shown
# in the page.
post "/authorize_token" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  if !user
    next env.redirect referer
  end

  user = env.get("user").as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?

  # CSRF check guards the issuance itself.
  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    next error_template(400, ex)
  end

  # Every `scopes[N]` form field, in body order.
  scopes = env.params.body.select { |k, v| k.match(/^scopes\[\d+\]$/) }.map { |k, v| v }
  callback_url = env.params.body["callbackUrl"]?
  expire = env.params.body["expire"]?.try &.to_i?

  access_token = generate_token(user.email, scopes, expire, HMAC_KEY, PG_DB)

  if callback_url
    # NOTE(review): the callback URL is taken verbatim from the form and is not
    # checked against any allow-list, so the freshly minted token is sent to
    # whatever URL the (CSRF-protected) form named — confirm this is the
    # intended trust model for third-party clients.
    access_token = URI.encode_www_form(access_token)
    url = URI.parse(callback_url)

    if url.query
      query = HTTP::Params.parse(url.query.not_nil!)
    else
      query = HTTP::Params.new
    end

    # NOTE(review): the token was form-encoded above and HTTP::Params#to_s
    # encodes values again, so the callback presumably receives it
    # double-encoded — verify what consumers expect.
    query["token"] = access_token
    url.query = query.to_s

    env.redirect url.to_s
  else
    # No callback: show the token in the page. The template is rendered without
    # a CSRF token, presumably so the displayed form cannot be resubmitted.
    csrf_token = ""
    env.set "access_token", access_token
    templated "authorize_token"
  end
end

# Lists the user's session ids (tokens), newest first.
get "/token_manager" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env, "/subscription_manager")

  if !user
    next env.redirect referer
  end

  user = user.as(User)

  # `tokens` is presumably read by the ECR view rendered by `templated`.
  tokens = PG_DB.query_all("SELECT id, issued FROM session_ids WHERE email = $1 ORDER BY issued DESC", user.email, as: {session: String, issued: Time})

  templated "token_manager"
end

# Token management actions. `?redirect=true` (the default) answers with HTML
# redirects; anything else answers with JSON. The body continues on the next
# line of this chunk.
post "/token_ajax" do |env|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?

  user = env.get? "user"
  sid = env.get? "sid"
  referer = get_referer(env)

  redirect = env.params.query["redirect"]?
  redirect ||= "true"
  redirect = redirect == "true"

  if !user
    if redirect
      next env.redirect referer
    else
      next error_json(403, "No such user")
    end
  end

  user = user.as(User)
  sid = sid.as(String)
  token = env.params.body["csrf_token"]?
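# (continuation of POST "/token_ajax": CSRF check, then the requested action)
  begin
    validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
  rescue ex
    if redirect
      next error_template(400, ex)
    else
      next error_json(400, ex)
    end
  end

  # Only one action exists today; it is selected by the presence of the
  # `action_revoke_token` query key.
  # NOTE(review): this branch ignores the `redirect` flag and always redirects,
  # unlike the other error paths in this handler.
  if env.params.query["action_revoke_token"]?
    action = "action_revoke_token"
  else
    next env.redirect referer
  end

  session = env.params.query["session"]?
  session ||= ""

  case action
  when .starts_with? "action_revoke_token"
    # Scoped to the caller's e-mail, so a user can only revoke their own sessions.
    PG_DB.exec("DELETE FROM session_ids * WHERE id = $1 AND email = $2", session, user.email)
  else
    next error_json(400, "Unsupported action #{action}")
  end

  if redirect
    env.redirect referer
  else
    env.response.content_type = "application/json"
    "{}"
  end
end

# Channels

# Redirects a channel's "live" URL to its current live stream, or to the
# channel page when no stream is found. Registered for the three channel URL
# forms.
{"/channel/:ucid/live", "/user/:user/live", "/c/:user/live"}.each do |route|
  get route do |env|
    locale = LOCALES[env.get("preferences").as(Preferences).locale]?

    # Appears to be a bug in routing, having several routes configured
    # as `/a/:a`, `/b/:a`, `/c/:a` results in 404
    value = env.request.resource.split("/")[2]
    body = ""
    # Try each upstream URL form; the last 200 response wins.
    {"channel", "user", "c"}.each do |type|
      response = YT_POOL.client &.get("/#{type}/#{value}/live?disable_polymer=1")
      if response.status_code == 200
        body = response.body
      end
    end

    # The capture group must be named `id` because it is read as `["id"]` below.
    video_id = body.match(/'VIDEO_ID': "(?<id>[a-zA-Z0-9_-]{11})"/).try &.["id"]?
    if video_id
      # Re-attach the caller's query string. HTTP::Params#to_s URL-encodes
      # keys and values, whereas the former manual "k=v" join re-emitted the
      # decoded values verbatim into the redirect target.
      params = env.params.query.to_s

      url = "/watch?v=#{video_id}"
      if !params.empty?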
# (end of the channel "live" redirect handler begun on the previous line)
        url += "&#{params}"
      end

      env.redirect url
    else
      env.redirect "/channel/#{value}"
    end
  end
end

# Authenticated endpoints

# The notification APIs can't be extracted yet
# due to the requirement of the `connection_channel`
# used by the `NotificationJob`
# `topics` is a comma-separated list, de-duplicated and capped at 1000 entries.
get "/api/v1/auth/notifications" do |env|
  env.response.content_type = "text/event-stream"

  topics = env.params.query["topics"]?.try &.split(",").uniq.first(1000)
  topics ||= [] of String

  create_notification_stream(env, topics, connection_channel)
end

# Same as the GET form, with `topics` taken from the request body.
post "/api/v1/auth/notifications" do |env|
  env.response.content_type = "text/event-stream"

  topics = env.params.body["topics"]?.try &.split(",").uniq.first(1000)
  topics ||= [] of String

  create_notification_stream(env, topics, connection_channel)
end

# Image proxy for yt3.ggpht.com. Only REQUEST_HEADERS_WHITELIST headers are
# forwarded upstream and RESPONSE_HEADERS_BLACKLIST headers are dropped from
# the reply. The request's query string is not forwarded (only `path` is used).
get "/ggpht/*" do |env|
  url = env.request.path.lchop("/ggpht")

  headers = HTTP::Headers{":authority" => "yt3.ggpht.com"}
  REQUEST_HEADERS_WHITELIST.each do |header|
    if env.request.headers[header]?
      headers[header] = env.request.headers[header]
    end
  end

  begin
    YT_POOL.client &.get(url, headers) do |response|
      env.response.status_code = response.status_code
      response.headers.each do |key, value|
        if !RESPONSE_HEADERS_BLACKLIST.includes?(key.downcase)
          env.response.headers[key] = value
        end
      end

      env.response.headers["Access-Control-Allow-Origin"] = "*"

      # Non-2xx upstream: no body is streamed, so the chunked encoding header
      # copied above must not leak into the reply.
      if response.status_code >= 300
        env.response.headers.delete("Transfer-Encoding")
        break
      end

      proxy_file(response, env)
    end
  rescue ex
    # NOTE(review): any upstream failure is swallowed; the client gets whatever
    # status/headers were already set (or the framework default if none were).
  end
end

# CORS preflight for the storyboard proxy below.
options "/sb/:authority/:id/:storyboard/:index" do |env|
  env.response.headers["Access-Control-Allow-Origin"] = "*"
  env.response.headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
  env.response.headers["Access-Control-Allow-Headers"] = "Content-Type, Range"
end

# Storyboard proxy. `authority` comes straight from the request path and becomes
# the `:authority` pseudo-header on the pooled YouTube connection.
# NOTE(review): the value is not validated; restricting it to the expected
# ytimg host prefixes would keep clients from steering the pseudo-header.
get "/sb/:authority/:id/:storyboard/:index" do |env|
  authority = env.params.url["authority"]
  id = env.params.url["id"]
  storyboard = env.params.url["storyboard"]
  index = env.params.url["index"]

  # Query string re-encoded via HTTP::Params#to_s.
  url = "/sb/#{id}/#{storyboard}/#{index}?#{env.params.query}"

  headers = HTTP::Headers.new
  headers[":authority"] = "#{authority}.ytimg.com"
  REQUEST_HEADERS_WHITELIST.each do |header|
    if env.request.headers[header]?
      headers[header] = env.request.headers[header]
    end
  end

  begin
    YT_POOL.client &.get(url, headers) do |response|
      env.response.status_code = response.status_code
      response.headers.each do |key, value|
        if !RESPONSE_HEADERS_BLACKLIST.includes?(key.downcase)
          env.response.headers[key] = value
        end
      end

      env.response.headers["Connection"] = "close"
      env.response.headers["Access-Control-Allow-Origin"] = "*"

      if response.status_code >= 300
        env.response.headers.delete("Transfer-Encoding")
        break
      end

      proxy_file(response, env)
    end
  rescue ex
    # Upstream failures are swallowed, as in the other proxies.
  end
end

# Proxy for i9.ytimg.com. The full request resource (path + query) is replayed
# upstream; 404s are passed through with their body.
get "/s_p/:id/:name" do |env|
  id = env.params.url["id"]
  name = env.params.url["name"]

  url = env.request.resource

  headers = HTTP::Headers{":authority" => "i9.ytimg.com"}
  REQUEST_HEADERS_WHITELIST.each do |header|
    if env.request.headers[header]?
      headers[header] = env.request.headers[header]
    end
  end

  begin
    YT_POOL.client &.get(url, headers) do |response|
      env.response.status_code = response.status_code
      response.headers.each do |key, value|
        if !RESPONSE_HEADERS_BLACKLIST.includes?(key.downcase)
          env.response.headers[key] = value
        end
      end

      env.response.headers["Access-Control-Allow-Origin"] = "*"

      if response.status_code >= 300 && response.status_code != 404
        env.response.headers.delete("Transfer-Encoding")
        break
      end

      proxy_file(response, env)
    end
  rescue ex
    # Upstream failures are swallowed, as in the other proxies.
  end
end

# Proxy for YouTube's own static images; no `:authority` override, so the
# request goes to the pool's default host. The body continues on the next
# line of this chunk.
get "/yts/img/:name" do |env|
  headers = HTTP::Headers.new
  REQUEST_HEADERS_WHITELIST.each do |header|
    if env.request.headers[header]?
# (continuation of GET "/yts/img/:name": forward whitelisted request headers,
# then stream the upstream response)
      headers[header] = env.request.headers[header]
    end
  end

  begin
    YT_POOL.client &.get(env.request.resource, headers) do |response|
      env.response.status_code = response.status_code
      response.headers.each do |key, value|
        if !RESPONSE_HEADERS_BLACKLIST.includes?(key.downcase)
          env.response.headers[key] = value
        end
      end

      env.response.headers["Access-Control-Allow-Origin"] = "*"

      if response.status_code >= 300 && response.status_code != 404
        env.response.headers.delete("Transfer-Encoding")
        break
      end

      proxy_file(response, env)
    end
  rescue ex
    # Upstream failures are swallowed, as in the other proxies.
  end
end

# Thumbnail proxy for i.ytimg.com. A request for `maxres.jpg` is resolved to
# the first candidate from build_thumbnails(id) that answers a HEAD with 200.
get "/vi/:id/:name" do |env|
  id = env.params.url["id"]
  name = env.params.url["name"]

  headers = HTTP::Headers{":authority" => "i.ytimg.com"}

  if name == "maxres.jpg"
    build_thumbnails(id).each do |thumb|
      if YT_POOL.client &.head("/vi/#{id}/#{thumb[:url]}.jpg", headers).status_code == 200
        name = thumb[:url] + ".jpg"
        break
      end
    end
  end
  # Route parameters cannot contain "/", which bounds what `id`/`name` can add here.
  url = "/vi/#{id}/#{name}"

  REQUEST_HEADERS_WHITELIST.each do |header|
    if env.request.headers[header]?
      headers[header] = env.request.headers[header]
    end
  end

  begin
    YT_POOL.client &.get(url, headers) do |response|
      env.response.status_code = response.status_code
      response.headers.each do |key, value|
        if !RESPONSE_HEADERS_BLACKLIST.includes?(key.downcase)
          env.response.headers[key] = value
        end
      end

      env.response.headers["Access-Control-Allow-Origin"] = "*"

      if response.status_code >= 300 && response.status_code != 404
        env.response.headers.delete("Transfer-Encoding")
        break
      end

      proxy_file(response, env)
    end
  rescue ex
    # Upstream failures are swallowed, as in the other proxies.
  end
end

# Fetches the Google captcha resource through the YouTube pool with the
# accounts.google.com authority pseudo-header and returns its body verbatim.
# Note that the upstream Content-Type is read with `[]`, which raises (→ 500)
# when the header is absent.
get "/Captcha" do |env|
  headers = HTTP::Headers{":authority" => "accounts.google.com"}
  response = YT_POOL.client &.get(env.request.resource, headers)
  env.response.headers["Content-Type"] = response.headers["Content-Type"]
  response.body
end

# Undocumented, creates anonymous playlist with specified 'video_ids', max 50 videos
# Only the path+query of the upstream Location header is followed, so the
# redirect stays on this instance. The body continues on the next line.
get "/watch_videos" do |env|
  response = YT_POOL.client &.get(env.request.resource)
  if url = response.headers["Location"]?
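# (end of GET "/watch_videos": follow the upstream redirect locally, else
# mirror its status code)
    url = URI.parse(url).request_target
    next env.redirect url
  end

  env.response.status_code = response.status_code
end

# Fallback for unknown paths: a single path segment is tried as a YouTube
# branding URL (→ channel redirect) and then as an 11-character video id
# (→ /watch redirect). Everything else goes to "/".
error 404 do |env|
  # The capture group must be named `id` because it is read as `md["id"]` below.
  if md = env.request.path.match(/^\/(?<id>([a-zA-Z0-9_-]{11})|(\w+))$/)
    item = md["id"]

    # Check if item is branding URL e.g. https://youtube.com/gaming
    # (any matching segment, including arbitrary `\w+` paths, triggers an
    # upstream request here)
    response = YT_POOL.client &.get("/#{item}")

    # Only the path+query of the upstream Location is followed, on the same pool.
    if response.status_code == 301
      response = YT_POOL.client &.get(URI.parse(response.headers["Location"]).request_target)
    end

    if response.body.empty?
      env.response.headers["Location"] = "/"
      halt env, status_code: 302
    end

    html = XML.parse_html(response.body)

    # Last path segment of the canonical link is assumed to be a channel id.
    # NOTE(review): the value originates from upstream HTML and is placed in
    # the Location header without format validation — confirm the canonical
    # link is always a /channel/ URL here.
    ucid = html.xpath_node(%q(//link[@rel="canonical"])).try &.["href"].split("/")[-1]
    if ucid
      env.response.headers["Location"] = "/channel/#{ucid}"
      halt env, status_code: 302
    end

    # Re-attach the caller's query string. HTTP::Params#to_s URL-encodes keys
    # and values, whereas the former manual "k=v" join re-emitted the decoded
    # values verbatim into the Location header.
    params = env.params.query.to_s

    url = "/watch?v=#{item}"
    if !params.empty?
      url += "&#{params}"
    end

    # Check if item is video ID
    if item.match(/^[a-zA-Z0-9_-]{11}$/) && YT_POOL.client &.head("/watch?v=#{item}").status_code != 404
      env.response.headers["Location"] = url
      halt env, status_code: 302
    end
  end

  env.response.headers["Location"] = "/"
  halt env, status_code: 302
end

# Unhandled exceptions render the localized 500 page with the exception.
error 500 do |env, ex|
  locale = LOCALES[env.get("preferences").as(Preferences).locale]?
  error_template(500, ex)
end

# Static assets are cacheable for ~1 month (2629800 s); URLs carry a
# cache-busting `?v=` so stale copies are not a concern (see ASSET_COMMIT).
static_headers do |response, filepath, filestat|
  response.headers.add("Cache-Control", "max-age=2629800")
end

public_folder "assets"

# Handler chain: compression, API, auth, then X-Frame-Options (DenyFrame).
Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new
add_handler APIHandler.new
add_handler AuthHandler.new
add_handler DenyFrame.new
add_context_storage_type(Array(String))
add_context_storage_type(Preferences)
add_context_storage_type(User)

# CLI flags win over the config file; the Kemal defaults ("0.0.0.0", 3000) mean
# "not given on the command line", so CONFIG supplies the value in that case.
Kemal.config.logger = LOGGER
Kemal.config.host_binding = Kemal.config.host_binding != "0.0.0.0" ? Kemal.config.host_binding : CONFIG.host_binding
Kemal.config.port = Kemal.config.port != 3000 ? Kemal.config.port : CONFIG.port
Kemal.config.app_name = "Invidious"
Kemal.run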