Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api/playback: Stop returning assets from other users on playback info #1717

Merged
merged 7 commits into from
May 9, 2023
Merged

api/playback: Stop returning assets from other users on playback info #1717

merged 7 commits into from
May 9, 2023

Conversation

victorges
Copy link
Member

@victorges victorges commented May 5, 2023
edited

What does this pull request do? Explain your changes. (required)
This is to stop returning assets from other users on the playback info endpoint.
This is a breaking change so we're doing it with a cut-off date logic instead
of breaking existing assets that might be used cross-user today.

Specific updates (required)

  • Add cut-off date to search for cross-user assets
  • Allow lvpr.tv to access any asset to continue to have CID support for embeddable player
  • Add a log when we return old assets to a different user, to evaluate fixing this

How did you test each of these updates (required)
yarn test with the new tests

Does this pull request close any open issues?
Fixes API-45

Checklist

  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.

@victorges victorges requested a review from a team as a code owner May 5, 2023 18:53
@linear
Copy link

linear bot commented May 5, 2023

API-45 Update playback info API to only return assets from same account

@vercel
Copy link

vercel bot commented May 5, 2023
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
livepeer-studio ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 9, 2023 3:49pm

@victorges victorges force-pushed the vg/fix/cross-playback-info branch from 8eceb1f to 29815fa Compare May 6, 2023 13:48
@victorges victorges force-pushed the vg/fix/cross-playback-info branch from 29815fa to 79ec27f Compare May 6, 2023 21:45
@victorges victorges force-pushed the vg/fix/cross-playback-info branch from 79ec27f to 4d14f0e Compare May 6, 2023 21:48
@victorges victorges force-pushed the vg/fix/cross-playback-info branch from 4d14f0e to c8c0baf Compare May 6, 2023 23:04
@victorges victorges force-pushed the vg/fix/cross-playback-info branch from c8c0baf to e27c834 Compare May 7, 2023 00:43
gioelecerati
gioelecerati reviewed May 8, 2023
View reviewed changes
packages/api/src/controllers/playback.ts
@@ -184,7 +213,10 @@ app.get("/:id", async (req, res) => {
const ingest = ingests[0].base;

let { id } = req.params;
const info = await getPlaybackInfo(req, ingest, id);
const isEmbeddablePlayer = embeddablePlayerOrigin.test(
req.headers["origin"] ?? ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be spoofed on applications outside of the browser to do a cross user query on CIDs, but we probably don't mind

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it's more about billing the right user than protecting any kind of sensitive info.

gioelecerati
gioelecerati approved these changes May 8, 2023
View reviewed changes
Copy link
Member

@gioelecerati gioelecerati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@victorges victorges force-pushed the vg/fix/cross-playback-info branch from e27c834 to 532f526 Compare May 8, 2023 15:22
@codecov
Copy link

codecov bot commented May 8, 2023
edited

Codecov Report

Merging #1717 (532f526) into vg/feat/viewership-auth (d38012a) will increase coverage by 0.03187%.
The diff coverage is 100.00000%.

Impacted file tree graph

@@                        Coverage Diff                        @@
##           vg/feat/viewership-auth       #1717         +/-   ##
=================================================================
+ Coverage                 53.86283%   53.89470%   +0.03187%     
=================================================================
  Files                           75          75                 
  Lines                         5074        5071          -3     
  Branches                      1017        1019          +2     
=================================================================
  Hits                          2733        2733                 
+ Misses                        1999        1998          -1     
+ Partials                       342         340          -2
Impacted Files Coverage Δ
packages/api/src/controllers/playback.ts 87.69231% <100.00000%> (+1.97802%) ⬆️
packages/api/src/store/asset-table.ts 92.85714% <100.00000%> (+0.35714%) ⬆️
packages/api/src/test-helpers.ts 80.85106% <100.00000%> (ø)

... and 1 file with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d38012a...532f526. Read the comment docs.

Impacted Files Coverage Δ
packages/api/src/controllers/playback.ts 87.69231% <100.00000%> (+1.97802%) ⬆️
packages/api/src/store/asset-table.ts 92.85714% <100.00000%> (+0.35714%) ⬆️
packages/api/src/test-helpers.ts 80.85106% <100.00000%> (ø)

... and 1 file with indirect coverage changes

Base automatically changed from vg/feat/viewership-auth to master May 9, 2023 15:46
@victorges victorges force-pushed the vg/fix/cross-playback-info branch from 532f526 to 942682d Compare May 9, 2023 15:47
@victorges victorges merged commit a56dca7 into master May 9, 2023
6 of 7 checks passed
@victorges victorges deleted the vg/fix/cross-playback-info branch May 9, 2023 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gioelecerati gioelecerati gioelecerati approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@victorges @gioelecerati