api/playback: Stop returning assets from other users on playback info #1717
@@ -184,7 +213,10 @@ app.get("/:id", async (req, res) => { | |||
const ingest = ingests[0].base; | |||
|
|||
let { id } = req.params; | |||
const info = await getPlaybackInfo(req, ingest, id); | |||
const isEmbeddablePlayer = embeddablePlayerOrigin.test( | |||
req.headers["origin"] ?? "" |
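Review bot: the `isEmbeddablePlayer` decision at the end of this hunk is keyed off `req.headers["origin"]`, a client-supplied value that any non-browser caller can set to whatever `embeddablePlayerOrigin` accepts, so it must not be relied on as an authorization boundary; the thread says it only affects which user gets billed, and a one-line comment above `const isEmbeddablePlayer = ...` stating that would stop a later reader from treating it as an access check. It is also worth confirming that `embeddablePlayerOrigin` is declared without the `g` (or `y`) flag, since `RegExp.prototype.test` on such a regex keeps `lastIndex` between calls and can return alternating results for identical headers. Minor: `let { id } = req.params;` can be `const` unless `id` is reassigned further down.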
This could be spoofed on applications outside of the browser to do a cross user query on CIDs, but we probably don't mind
Yeah it's more about billing the right user than protecting any kind of sensitive info.
LGTM
Codecov Report
@@                 Coverage Diff                 @@
##    vg/feat/viewership-auth    #1717       +/-   ##
=====================================================
+ Coverage    53.86283%   53.89470%   +0.03187%
=====================================================
  Files              75          75
  Lines            5074        5071          -3
  Branches         1017        1019          +2
=====================================================
  Hits             2733        2733
+ Misses           1999        1998          -1
+ Partials          342         340          -2

... and 1 file with indirect coverage changes
What does this pull request do? Explain your changes. (required)
This is to stop returning assets from other users on the playback info endpoint.
This is a breaking change so we're doing it with a cut-off date logic instead
of breaking existing assets that might be used cross-user today.
Specific updates (required)
How did you test each of these updates (required)
yarn test with the new tests
Does this pull request close any open issues?
Fixes API-45
Checklist