Commit graph

40 commits

Author SHA1 Message Date
SergeantPanda
c3fb9c0073 security: Fixed missing network_access_allowed checks in the VOD proxy. stream_vod, head_vod, stream_xc_movie, and stream_xc_episode were not checking the STREAMS network policy, unlike the equivalent TS proxy endpoints. 2026-04-10 11:09:27 -05:00
SergeantPanda
fa9a7868ff security: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()]. 2026-04-10 10:47:50 -05:00
SergeantPanda
dcefc6541c chore(cleanup): - Removed dead VODConnectionManager class (apps/proxy/vod_proxy/connection_manager.py) and its associated helpers, which had been superseded by MultiWorkerVODConnectionManager. All active code already used the multi-worker implementation. Removed the unused VODConnectionManager import from vod_proxy/views.py, the unscheduled cleanup_vod_connections task from apps/proxy/tasks.py, and the unscheduled cleanup_vod_persistent_connections task from core/tasks.py.
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
- Removed dead VOD URL routes: `VODPlaylistView` (playlist generation), `VODPositionView` (position tracking), and the class-based `VODStatsView` (replaced by the existing function-based `vod_stats` view).
- Removed dead `updateVODPosition()` API method from `frontend/src/api.js`, which called the now-removed position tracking endpoint.
2026-04-09 19:59:50 -05:00
None
763f42cfff fix: pass TLS parameters to all external connection points in modular mode
- Add setup_pg_ssl_env() to export libpq PGSSL* env vars; all child psql/pg_dump/pg_isready commands inherit TLS automatically

- Move TLS client key permission fix before external PG connections (was running after, defeating the fix)

- Enhance key fix to trigger on ownership mismatch (root-owned 0600 key unreadable by app user)

- Extract key fix to shared script (docker/init/00-fix-pg-ssl-key.sh) sourced by both entrypoints

- Default POSTGRES_PASSWORD to empty in modular mode (cert-only auth sends no spurious password)

- Propagate TLS OPTIONS to backup pg_dump/pg_restore subprocess calls via _get_pg_env()

- Pass SSL kwargs to dropdb management command's psycopg2.connect()

- Add REDIS_SSL_PARAMS to VOD proxy Redis connections missed in original TLS PR

- Add 8-scenario TLS integration test suite (PG mTLS, Redis TLS, verify-full, key fix, Celery, regression)

- Add 6 unit tests for _get_pg_env() and dropdb TLS parameter passing
2026-03-30 20:19:27 -05:00
SergeantPanda
086cc74959 Bug Fix: M3U profile URL rewriting now uses the regex module instead of re across all URL transform code paths (url_utils.transform_url, core/views.py, vod_proxy/_transform_url, tasks.get_transformed_credentials, and the WebSocket live-preview handler in consumers.py). The regex module natively accepts JavaScript/PCRE-style named capture groups ((?<name>...)) without any conversion, eliminating the root cause of patterns that matched in the frontend live preview but failed on the backend with a re.error. As a further improvement, regex also supports variable-length lookbehind assertions (e.g. (?<=a+)), which re rejects with an error; patterns using these will now work correctly on the backend as well. Replace-pattern JS tokens are still normalised before calling regex.sub: $<name>\g<name> and $1/$2/… → \1/\2/… (Python replacement syntax). Also fixed a bug in the WebSocket preview handler where a pattern error was incorrectly returning the search pattern string as the preview output instead of the original URL. (Fixes #1005)
Some checks failed
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Has been cancelled
2026-03-29 17:55:08 -05:00
SergeantPanda
38f5156ca6 Enhancement: Show username in VOD cards. 2026-03-28 16:46:06 -05:00
SergeantPanda
aa6fb033d3 fix: update user stream limit checks to include media_id and rename user_limits_settings key 2026-03-26 20:02:54 -05:00
dekzter
a19be96ced fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00
dekzter
6f4665e6eb merged in dev 2026-02-26 08:20:20 -05:00
None
e217960500 feat: Add Redis authentication support for modular deployment
Add support for authentication when connecting to external Redis instances in modular deployment mode. This enables secure Redis deployments using either password-only authentication (Redis <6) or
username + password authentication (Redis 6+ ACL).

Changes:
- Add REDIS_PASSWORD and REDIS_USER environment variables
- Implement URL encoding for special characters in passwords
- Update all Redis connection points to support auth
- Add comprehensive documentation and examples to docker-compose.yml
- Maintains full backward compatibility (empty defaults = no auth)

All authentication mechanisms have been fully tested including pasword-only authentication, Redis 6+ ACL authentication with username + password, volume-mounted configuration files, and special character handling.

Existing deployments are not effected, authentication support is entirely opt-in using docker-compose.

Also, acknowledging the fact that the docker-compose file for modular deployments has been getting out of hand with auth support, the docker-compose.yml file was re-formatted for better visibility in configuration. This seemed like a better way to go than mandating a .env file.
2026-02-03 21:42:06 -06:00
SergeantPanda
de31826137 refactor: externalize Redis and Celery configuration via environment variables
Replace hardcoded localhost:6379 values throughout codebase with environment-based configuration. Add REDIS_PORT support and allow REDIS_URL override for external Redis services. Configure Celery broker/result backend to use Redis settings with environment variable overrides.

Closes #762
2025-12-18 16:54:59 -06:00
SergeantPanda
2558ea0b0b Enhancement: Add VOD client stop functionality to Stats page 2025-12-17 16:54:10 -06:00
dekzter
50e9075bb5 initial run of a binary and encoded redis client - no more encoding / decoding data into redis, huge PITA (still some outstanding spots I need to patch) 2025-10-25 08:15:39 -04:00
SergeantPanda
7bb4df78c8 Enhancement: Update M3U profile retrieval to include current connection counts and session handling during vod session start. 2025-09-26 09:18:42 -05:00
SergeantPanda
d961d4cad1 Bug fix: VOD will now select the correct M3U profile while starting.Fixes #461 2025-09-26 09:18:22 -05:00
SergeantPanda
b45c6eda38 Better content-type detection 2025-09-07 18:25:39 -05:00
SergeantPanda
adf960753c Changed user-agent for head request to use m3u account 2025-09-07 15:17:19 -05:00
SergeantPanda
c239f0300f Better progress tracking for clients that start a new session on every seek instead of reusing existing session. 2025-09-06 15:36:14 -05:00
SergeantPanda
4ca6bf763e Add position calculation 2025-09-06 10:16:54 -05:00
SergeantPanda
6b9d42fec1 Refactor VODStatsView to use correct field names for content type and M3U profile ID, and update user agent handling 2025-09-05 20:34:43 -05:00
SergeantPanda
18b8462a5f Refactor user-agent handling to use 'client_user_agent' for consistency across VOD connection management 2025-09-05 20:15:11 -05:00
SergeantPanda
1080b1fb94 Refactor stats and vod proxy 2025-09-05 19:30:13 -05:00
SergeantPanda
3590265836 Show all available options for VODs and their corresponding quality. 2025-08-21 15:04:47 -05:00
SergeantPanda
a4df1f1fb8 Allow specifying which account to play from. 2025-08-21 13:14:16 -05:00
SergeantPanda
24f876d09f Add priority for providers so VOD's can be auto selected based on the priority. 2025-08-20 17:38:21 -05:00
SergeantPanda
97b82e5520 Use redis to track provider connections to work with multi-worker uwsgi. 2025-08-19 17:35:51 -05:00
SergeantPanda
fa19525ab9 Remove url from movie table and save custom_properties for series. 2025-08-19 11:25:56 -05:00
SergeantPanda
54404339c2 Fix batch processing using simpler method for duplicate detection. 2025-08-19 10:01:37 -05:00
SergeantPanda
3e16614eab Store full content-length if using head request to initalize. 2025-08-12 17:32:07 -05:00
SergeantPanda
5eeb51585d Support HEAD requests, keep connection alive. 2025-08-12 15:27:39 -05:00
SergeantPanda
be51be7872 Switched to connection tracking by url instead of parameter and 301 redirect instead of 302. 2025-08-12 14:48:35 -05:00
SergeantPanda
6addcebaf5 Fix duplicate connection counting in redis. 2025-08-12 10:59:40 -05:00
SergeantPanda
07966424f8 Fix seeking not working. 2025-08-12 08:29:26 -05:00
SergeantPanda
345247df11 Fix vod streaming. 2025-08-08 08:35:59 -05:00
SergeantPanda
a332678cfb Remove URL from episode relation table. 2025-08-08 08:06:28 -05:00
SergeantPanda
0e388968c4 Convert to relation tables to support multiple providers for each vod. 2025-08-07 12:31:05 -05:00
SergeantPanda
44a2cf518c Track active connections the same way as ts_proxy 2025-08-05 21:35:04 -05:00
SergeantPanda
d18817acb0 Track VOD connections in Redis. 2025-08-05 21:24:41 -05:00
SergeantPanda
0585fc1dfe Separate Movies, Series and Episodes into their own tables 2025-08-02 13:32:44 -05:00
SergeantPanda
84aa631196 Initial backend commit for vod 2025-08-02 10:42:36 -05:00