npm - @warren-bank/hls-proxy - Versions diffs - 3.5.1 → 3.5.2 - Mend

@warren-bank/hls-proxy 3.5.1 → 3.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +5 -2
package/hls-proxy/acl_pass.js +25 -0
package/hls-proxy/bin/hlsd.js +2 -1
package/hls-proxy/bin/lib/help.js +2 -1
package/hls-proxy/bin/lib/process_argv.js +11 -1
package/hls-proxy/manifest_parser.js +8 -5
package/hls-proxy/proxy.js +22 -14
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -132,7 +132,8 @@ options:
 --cache-storage <adapter>
 --cache-storage-fs-dirpath <dirpath>
 -v <number>
---acl-whitelist <ip_address_list>
+--acl-ip <ip_address_list>
+--acl-pass <password_list>
 --http-proxy <http[s]://[user:pass@]hostname:port>
 --tls-cert <filepath>
 --tls-key <filepath>
@@ -363,8 +364,10 @@ options:
     * show an enhanced technical trace (useful while debugging unexpected behavior)
   * `4`:
     * show the content of .m3u8 files (both before and after URLs are modified)
-* _--acl-whitelist_ restricts proxy server access to clients at IP addresses in whitelist
+* _--acl-ip_ restricts proxy server access to clients at IP addresses in whitelist
   * ex: `"192.168.1.100,192.168.1.101,192.168.1.102"`
+* _--acl-pass_ restricts proxy server access to requests that include a `password` querystring parameter having a value in whitelist
+  * ex: `"1111,2222,3333,4444,5555"`
 * --http-proxy enables all outbound HTTP and HTTPS requests from HLS-Proxy to be tunnelled through an additional external web proxy server
   * SOCKS proxies are not supported
   * ex: `http://myusername:mypassword@myproxy.example.com:1234`

package/hls-proxy/acl_pass.js ADDED Viewed

@@ -0,0 +1,25 @@
+const expressjs = require('./expressjs_utils')
+const {URL}     = require('./url')
+const get_encoded_qs_password = function(req) {
+  const req_url = new URL( expressjs.get_full_req_url(req) )
+  return req_url.searchParams.get('password') || ''
+}
+const is_allowed = function(params, req) {
+  const {acl_pass} = params
+  if (acl_pass && Array.isArray(acl_pass) && acl_pass.length) {
+    const password = decodeURIComponent( get_encoded_qs_password(req) )
+    return (acl_pass.indexOf(password) >= 0)
+  }
+  return true
+}
+module.exports = {
+  get_encoded_qs_password,
+  is_allowed
+}

package/hls-proxy/bin/hlsd.js CHANGED Viewed

@@ -44,7 +44,8 @@ const middleware = require('../proxy')({
   cache_storage:                        argv_vals["--cache-storage"],
   cache_storage_fs_dirpath:             argv_vals["--cache-storage-fs-dirpath"],
   debug_level:                          argv_vals["-v"],
-  acl_whitelist:                        argv_vals["--acl-whitelist"],
+  acl_ip:                               argv_vals["--acl-ip"],
+  acl_pass:                             argv_vals["--acl-pass"],
   http_proxy:                           argv_vals["--http-proxy"],
   manifest_extension:                   argv_vals["--manifest-extension"],
   segment_extension:                    argv_vals["--segment-extension"]

package/hls-proxy/bin/lib/help.js CHANGED Viewed

@@ -27,7 +27,8 @@ options:
 --cache-storage <adapter>
 --cache-storage-fs-dirpath <dirpath>
 -v <number>
---acl-whitelist <ip_address_list>
+--acl-ip <ip_address_list>
+--acl-pass <password_list>
 --http-proxy <http[s]://[user:pass@]hostname:port>
 --tls-cert <filepath>
 --tls-key <filepath>

package/hls-proxy/bin/lib/process_argv.js CHANGED Viewed

@@ -33,7 +33,8 @@ const argv_flags = {
   "--cache-storage-fs-dirpath":             {file: "path-exists"},
   "-v":                                     {num:  "int"},
-  "--acl-whitelist":                        {},
+  "--acl-ip":                               {},
+  "--acl-pass":                             {},
   "--http-proxy":                           {},
   "--tls-cert":                             {file: "path-exists"},
@@ -46,6 +47,7 @@ const argv_flags = {
 const argv_flag_aliases = {
   "--help":                                 ["-h"],
+  "--acl-ip":                               ["--acl-whitelist"],
   "--http-proxy":                           ["--https-proxy", "--proxy"]
 }
@@ -169,6 +171,14 @@ if (typeof argv_vals["--cache-key"] !== 'number')
 if (typeof argv_vals["-v"] !== 'number')
   argv_vals["-v"] = 0
+if (argv_vals["--acl-ip"]) {
+  argv_vals["--acl-ip"] = argv_vals["--acl-ip"].trim().toLowerCase().split(/\s*,\s*/g)
+}
+if (argv_vals["--acl-pass"]) {
+  argv_vals["--acl-pass"] = argv_vals["--acl-pass"].trim().split(/\s*,\s*/g)
+}
 if (argv_vals["--http-proxy"]) {
   const proxy_options = {
     keepAlive:      true,

package/hls-proxy/manifest_parser.js CHANGED Viewed

@@ -112,7 +112,7 @@ const parse_HHMMSS_to_seconds = function(str) {
 //   prefetch_urls: [],
 //   modified_m3u8: ''
 // }
-const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension) {
+const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension, qs_password) {
   const m3u8_lines = m3u8_content.split(regexs.m3u8_line_separator)
   m3u8_content = null
@@ -125,7 +125,7 @@ const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cach
       redirect_embedded_url(embedded_url, hooks, m3u8_url, debug)
       if (validate_embedded_url(embedded_url)) {
         finalize_embedded_url(embedded_url, vod_start_at_ms, debug)
-        encode_embedded_url(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension)
+        encode_embedded_url(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension, qs_password)
         get_prefetch_url(embedded_url, should_prefetch_url, prefetch_urls)
         modify_m3u8_line(embedded_url, m3u8_lines)
       }
@@ -332,7 +332,7 @@ const finalize_embedded_url = function(embedded_url, vod_start_at_ms, debug) {
   }
 }
-const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension) {
+const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension, qs_password) {
   if (embedded_url.unencoded_url) {
     let file_extension = embedded_url.url_type
     if (file_extension) {
@@ -344,6 +344,9 @@ const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, d
     embedded_url.encoded_url = `${redirected_base_url}/${ utils.base64_encode(embedded_url.unencoded_url) }.${file_extension || 'other'}`
+    if (qs_password)
+      embedded_url.encoded_url += `?password=${qs_password}`
     debug(3, 'redirecting (proxied):', embedded_url.encoded_url)
     if (hooks && (hooks instanceof Object) && hooks.redirect_final && (typeof hooks.redirect_final === 'function')) {
@@ -379,7 +382,7 @@ const modify_m3u8_line = function(embedded_url, m3u8_lines) {
   }
 }
-const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_url, referer_url, redirected_base_url) {
+const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_url, referer_url, redirected_base_url, qs_password) {
   const {hooks, cache_segments, max_segments, debug_level, manifest_extension, segment_extension} = params
   const {has_cache, get_time_since_last_access, is_expired, prefetch_segment} = segment_cache
@@ -437,7 +440,7 @@ const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_u
     : null
   {
-    const parsed_manifest = parse_manifest(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension)
+    const parsed_manifest = parse_manifest(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension, qs_password)
     is_vod          = !!parsed_manifest.meta_data.is_vod                  // default: false => hls live stream
     seg_duration_ms = parsed_manifest.meta_data.seg_duration_ms || 10000  // default: 10 seconds in ms
     prefetch_urls   = parsed_manifest.prefetch_urls

package/hls-proxy/proxy.js CHANGED Viewed

@@ -1,16 +1,18 @@
-const request = require('@warren-bank/node-request').request
-const cookies = require('./cookies')
-const parser  = require('./manifest_parser')
-const timers  = require('./timers')
-const utils   = require('./utils')
+const request  = require('@warren-bank/node-request').request
+const acl_pass = require('./acl_pass')
+const cookies  = require('./cookies')
+const parser   = require('./manifest_parser')
+const timers   = require('./timers')
+const utils    = require('./utils')
 const get_middleware = function(params) {
   const {cache_segments} = params
-  let   {acl_whitelist}  = params
+  let   {acl_ip}         = params
   const segment_cache = require('./segment_cache')(params)
   const {get_segment, add_listener} = segment_cache
+  const is_acl_pass_allowed = acl_pass.is_allowed.bind(null, params)
   const debug               = utils.debug.bind(null, params)
   const parse_req_url       = utils.parse_req_url.bind(null, params)
   const get_request_options = utils.get_request_options.bind(null, params)
@@ -19,16 +21,14 @@ const get_middleware = function(params) {
   const middleware = {}
   // Access Control
-  if (acl_whitelist) {
-    acl_whitelist = acl_whitelist.trim().toLowerCase().split(/\s*,\s*/g)
+  if (acl_ip && Array.isArray(acl_ip) && acl_ip.length) {
     middleware.connection = (socket) => {
       if (socket && socket.remoteAddress) {
-        let remoteIP = socket.remoteAddress.toLowerCase().replace(/^::?ffff:/, '')
+        const remote_ip = socket.remoteAddress.toLowerCase().replace(/^::?ffff:/, '')
-        if (acl_whitelist.indexOf(remoteIP) === -1) {
+        if (acl_ip.indexOf(remote_ip) === -1) {
           socket.destroy()
-          debug(2, socket.remoteFamily, 'connection blocked by ACL whitelist:', remoteIP)
+          debug(2, socket.remoteFamily, 'connection blocked by ACL IP whitelist:', remote_ip)
         }
       }
     }
@@ -36,6 +36,13 @@ const get_middleware = function(params) {
   // Create an HTTP tunneling proxy
   middleware.request = async (req, res) => {
+    if (!is_acl_pass_allowed(req)) {
+      res.writeHead(401)
+      res.end()
+      debug(2, 'request blocked by ACL password whitelist:', req.url)
+      return
+    }
     debug(3, 'proxying (raw):', req.url)
     utils.add_CORS_headers(res)
@@ -48,7 +55,8 @@ const get_middleware = function(params) {
       return
     }
-    const is_m3u8 = (url_type === 'm3u8')
+    const qs_password = acl_pass.get_encoded_qs_password(req)
+    const is_m3u8     = (url_type === 'm3u8')
     const send_cache_segment = function(segment, type) {
       if (!type)
@@ -99,7 +107,7 @@ const get_middleware = function(params) {
           : url
         res.writeHead(200, { "content-type": "application/x-mpegURL" })
-        res.end( modify_m3u8_content(response.toString().trim(), m3u8_url, referer_url, redirected_base_url) )
+        res.end( modify_m3u8_content(response.toString().trim(), m3u8_url, referer_url, redirected_base_url, qs_password) )
       }
     })
     .catch((e) => {

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@warren-bank/hls-proxy",
   "description": "Node.js server to proxy HLS video streams",
-  "version":     "3.5.1",
+  "version":     "3.5.2",
   "scripts": {
     "start":     "node hls-proxy/bin/hlsd.js",
     "sudo": "sudo node hls-proxy/bin/hlsd.js"