Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 8e1ed10ba5 | |||
| 8f63f20fdf | |||
| 2b0aaf3a5d |
@@ -28,14 +28,15 @@
|
||||
## ✨ Features
|
||||
|
||||
- **Public stream list** - Live and archive tabs, password-protected streams, custom site branding, bilingual UI (Chinese / English) with per-language site description
|
||||
- **Player** - HLS, FLV, MPEG-DASH playback via ArtPlayer; AES-128 key override and DASH ClearKey support
|
||||
- **Admin panel** - Add, edit, reorder, enable/disable streams; manage sources; drag-and-drop ordering
|
||||
- **Player** - HLS, FLV, MPEG-DASH playback via ArtPlayer; AES-128 key override and DASH ClearKey support; Widevine and FairPlay DRM playback via Shaka Player (multi-DRM configs per source, Android Telegram WebView detection)
|
||||
- **Admin panel** - Add, edit, reorder, enable/disable streams; manage sources with per-source labels and proxy mode selection
|
||||
- **Viewer analytics** - Session tracking, unique visitors, peak concurrent viewers, average watch duration, device / browser / OS / geography breakdown, real-time dashboard, CSV export
|
||||
- **Telegram notifications** - Per-stream push messages on stream start and stop
|
||||
- **Stream push** - Local file browser with per-file and per-folder RTMP push management; multi-file folder push with independent stream keys; inline push status and detail modal; remote RTMP push config for external encoders; hidden HLS route proxy (`/h/<slug>`) so real stream keys are never exposed publicly
|
||||
- **VOD / file serving** - Signed `/video/` URLs with HTTP Range support (seek-capable); publish any local video file or folder as an archive stream directly from the file browser
|
||||
- **HLS proxy** - Signed `/proxy/hls/` routes for cross-origin HLS playback
|
||||
- **HLS proxy modes** - Per-source direct, full proxy, or manifest-only proxy modes for balancing source URL exposure, CORS compatibility, and server bandwidth
|
||||
- **API key auth** - Generate per-key tokens in the admin panel for programmatic access to all admin and analytics endpoints
|
||||
- **Mobile responsive** - Admin panel sidebar, source editor, file browser rows, and push directory sidebar all collapse gracefully on narrow screens
|
||||
|
||||
<div align="right">
|
||||
|
||||
@@ -142,7 +143,7 @@ Set these environment variables in `docker-compose.yml`:
|
||||
|
||||
| Variable | Default | Required | Description |
|
||||
|---|---|---|---|
|
||||
| `SECRET_KEY` | `change-this-secret` | **Yes** | HMAC signing key for sessions and stream routes |
|
||||
| `SECRET_KEY` | `REPLACE_ME` | **Yes** | HMAC signing key for sessions and stream routes. Generate with `openssl rand -hex 32` |
|
||||
| `DATABASE_URL` | see compose file | **Yes** | PostgreSQL connection string |
|
||||
| `POSTGRES_PASSWORD` | see compose file | **Yes** | PostgreSQL password |
|
||||
| `TZ` | `UTC` | No | Container timezone, e.g. `Asia/Shanghai` |
|
||||
@@ -182,6 +183,17 @@ volumes:
|
||||
- /your/media/path:/app/media/external
|
||||
```
|
||||
|
||||
**HLS proxy modes**
|
||||
|
||||
Each stream source can choose how external HLS URLs are exposed to viewers:
|
||||
|
||||
| Mode | Behavior | Bandwidth impact |
|
||||
|---|---|---|
|
||||
| `Auto` | Backward-compatible default; external HLS uses the full proxy | StreamHall carries manifest and segment traffic |
|
||||
| `Direct` | Player uses the source URL directly | Viewer traffic goes to the source server |
|
||||
| `Full proxy` | Manifest, segments, maps, and keys are routed through `/proxy/hls/` | StreamHall carries all HLS media traffic |
|
||||
| `Manifest only` | Only the playlist uses StreamHall; segment/key/map URLs are absolute source URLs | Low StreamHall bandwidth; final media URLs remain visible in browser network tools |
|
||||
|
||||
<div align="right">
|
||||
|
||||
[![][back-to-top]](#readme-top)
|
||||
@@ -234,7 +246,7 @@ The hidden public HLS URL (`/h/<slug>/...`) routes through nginx on port `8889`,
|
||||
### Authentication
|
||||
|
||||
- **Browser session** - cookie set by `POST /api?action=login`
|
||||
- **API key** - send `Authorization: Bearer <token>` header, or append `?api_key=<token>` to any admin endpoint. Keys are managed in the admin panel under **Site Settings → API Keys**.
|
||||
- **API key** - send `Authorization: Bearer <token>` header. Keys are managed in the admin panel under **Site Settings → API Keys**.
|
||||
|
||||
### Public Endpoints
|
||||
|
||||
@@ -280,7 +292,7 @@ The hidden public HLS URL (`/h/<slug>/...`) routes through nginx on port `8889`,
|
||||
| `GET` | `/api?action=stats_geo` | Country-level visitor counts |
|
||||
| `GET` | `/api?action=stats_stream_detail&id=<id>` | Single-stream detail |
|
||||
| `GET` | `/api?action=stats_sessions_page&id=<id>` | Paginated session list |
|
||||
| `GET` | `/api?action=stats_export_csv` | Export sessions as CSV |
|
||||
| `GET` | `/api?action=stats_export_csv&range=<range>` | Export sessions as CSV (`range`: `today`, `7d`, `30d` (default), `all`) |
|
||||
|
||||
<div align="right">
|
||||
|
||||
|
||||
+18
-6
@@ -28,14 +28,15 @@
|
||||
## ✨ 功能特性
|
||||
|
||||
- **公开直播列表** - 直播 / 存档双 Tab,支持密码保护、自定义站点品牌,内置中英双语界面(含分语言站点简介)
|
||||
- **播放器** - 基于 ArtPlayer,支持 HLS、FLV、MPEG-DASH 播放;支持 AES-128 密钥覆盖及 DASH ClearKey
|
||||
- **管理后台** - 直播的增删改查、启用/禁用、拖拽排序;多播放源管理
|
||||
- **播放器** - 基于 ArtPlayer,支持 HLS、FLV、MPEG-DASH 播放;支持 AES-128 密钥覆盖及 DASH ClearKey;通过 Shaka Player 支持 Widevine 和 FairPlay DRM 播放(每路播放源可独立配置多 DRM 方案,内置 Android Telegram WebView 检测)
|
||||
- **管理后台** - 直播的增删改查、启用/禁用、拖拽排序;多播放源管理,支持逐字段标签和代理模式选择
|
||||
- **观看统计** - 会话追踪、独立访客数、峰值并发、平均时长、设备 / 浏览器 / 操作系统 / 地理分布实时看板,支持 CSV 导出
|
||||
- **Telegram 推送** - 可按直播单独配置,开播 / 关播自动发送通知
|
||||
- **推流配置** - 内置文件浏览器,支持单文件和文件夹 RTMP 推流管理;文件夹可同时向多个推流码批量推送独立任务;推流状态内联显示于文件行,详情弹窗提供实时时长、复制地址和停止操作;同时支持远端编码器 RTMP 推流配置;隐藏 HLS 路由代理(`/h/<slug>`),真实推流码不出现在公开地址中
|
||||
- **VOD 点播 / 视频服务** - 带 HMAC 签名的 `/video/` URL,支持 HTTP Range 请求(可 seek);文件浏览器中可直接将视频文件或文件夹发布为归档直播
|
||||
- **HLS 代理** - 带签名验证的 `/proxy/hls/` 路由,解决跨域 HLS 播放问题
|
||||
- **HLS 代理模式** - 每个播放源可选择直连、完整代理或仅代理 Manifest,在源地址暴露、跨域兼容和服务器带宽之间自行取舍
|
||||
- **API 密钥鉴权** - 在后台生成 Token,可通过 API 密钥对所有管理及统计接口进行程序化访问
|
||||
- **移动端适配** - 管理后台侧边栏、视角编辑器、文件浏览器行、推流目录侧边栏均可在窄屏设备上自适应折叠
|
||||
|
||||
<div align="right">
|
||||
|
||||
@@ -142,7 +143,7 @@ python server.py
|
||||
|
||||
| 变量 | 默认值 | 是否必填 | 说明 |
|
||||
|---|---|---|---|
|
||||
| `SECRET_KEY` | `change-this-secret` | **必填** | 会话与推流路由的 HMAC 签名密钥 |
|
||||
| `SECRET_KEY` | `REPLACE_ME` | **必填** | 会话与推流路由的 HMAC 签名密钥。可用 `openssl rand -hex 32` 生成 |
|
||||
| `DATABASE_URL` | 见 compose 文件 | **必填** | PostgreSQL 连接字符串 |
|
||||
| `POSTGRES_PASSWORD` | 见 compose 文件 | **必填** | PostgreSQL 数据库密码 |
|
||||
| `TZ` | `UTC` | 否 | 容器时区,如 `Asia/Shanghai` |
|
||||
@@ -182,6 +183,17 @@ volumes:
|
||||
- /your/media/path:/app/media/external
|
||||
```
|
||||
|
||||
**HLS 代理模式**
|
||||
|
||||
每个播放源都可以选择外部 HLS 链接如何暴露给观众:
|
||||
|
||||
| 模式 | 行为 | 带宽影响 |
|
||||
|---|---|---|
|
||||
| `自动` | 向后兼容默认行为;外部 HLS 使用完整代理 | StreamHall 承担 manifest 和分片流量 |
|
||||
| `直连` | 播放器直接使用源站 URL | 观众流量走源服务器 |
|
||||
| `完整代理` | manifest、分片、map、key 都通过 `/proxy/hls/` | StreamHall 承担全部 HLS 媒体流量 |
|
||||
| `仅 Manifest` | 只有播放列表经过 StreamHall;分片、key、map 改写为源站绝对地址 | StreamHall 带宽较低;最终媒体 URL 仍会出现在浏览器网络请求中 |
|
||||
|
||||
<div align="right">
|
||||
|
||||
[![][back-to-top]](#readme-top)
|
||||
@@ -234,7 +246,7 @@ RTMP 服务器: rtmp://HOST:1935/live
|
||||
### 鉴权方式
|
||||
|
||||
- **浏览器会话** - 通过 `POST /api?action=login` 登录后设置的 Cookie
|
||||
- **API 密钥** - 在请求头携带 `Authorization: Bearer <token>`,或在 URL 追加 `?api_key=<token>`。密钥在后台**网站设置 → API 密钥**处管理。
|
||||
- **API 密钥** - 在请求头携带 `Authorization: Bearer <token>`。密钥在后台**网站设置 → API 密钥**处管理。
|
||||
|
||||
### 公开接口
|
||||
|
||||
@@ -280,7 +292,7 @@ RTMP 服务器: rtmp://HOST:1935/live
|
||||
| `GET` | `/api?action=stats_geo` | 地理分布(国家级) |
|
||||
| `GET` | `/api?action=stats_stream_detail&id=<id>` | 单场直播详情 |
|
||||
| `GET` | `/api?action=stats_sessions_page&id=<id>` | 分页会话列表 |
|
||||
| `GET` | `/api?action=stats_export_csv` | 导出会话 CSV |
|
||||
| `GET` | `/api?action=stats_export_csv&range=<range>` | 导出会话 CSV(`range`:`today`、`7d`、`30d`(默认)、`all`) |
|
||||
|
||||
<div align="right">
|
||||
|
||||
|
||||
+4
-3
@@ -10,8 +10,9 @@ services:
|
||||
ports:
|
||||
- "8085:8080"
|
||||
environment:
|
||||
SECRET_KEY: "change-this-secret"
|
||||
DATABASE_URL: "postgresql://streamhall:streamhall_pg_password@postgres:5432/streamhall"
|
||||
# Generate with: openssl rand -hex 32
|
||||
SECRET_KEY: "REPLACE_ME"
|
||||
DATABASE_URL: "postgresql://streamhall:REPLACE_DB_PASSWORD@postgres:5432/streamhall"
|
||||
TZ: "UTC"
|
||||
RTMP_HOST: "srs"
|
||||
# Comma-separated list of video directories (optional label:path format)
|
||||
@@ -29,7 +30,7 @@ services:
|
||||
environment:
|
||||
POSTGRES_DB: "streamhall"
|
||||
POSTGRES_USER: "streamhall"
|
||||
POSTGRES_PASSWORD: "streamhall_pg_password"
|
||||
POSTGRES_PASSWORD: "REPLACE_DB_PASSWORD"
|
||||
TZ: "UTC"
|
||||
volumes:
|
||||
- ./postgres-data:/var/lib/postgresql/data
|
||||
|
||||
+647
-60
File diff suppressed because it is too large
Load Diff
+365
-42
@@ -368,6 +368,189 @@
|
||||
const contentId = getFairPlayContentId(initData);
|
||||
return shaka.util.FairPlayUtils.initDataTransform(initData, contentId, drmInfo.serverCertificate);
|
||||
}
|
||||
function fairPlayStringToUtf16Buffer(text) {
|
||||
const buffer = new ArrayBuffer(text.length * 2);
|
||||
const view = new Uint16Array(buffer);
|
||||
for (let i = 0; i < text.length; i++) view[i] = text.charCodeAt(i);
|
||||
return new Uint8Array(buffer);
|
||||
}
|
||||
|
||||
function concatFairPlayInitData(initData, contentId, certificate) {
|
||||
const init = new Uint8Array(initData);
|
||||
const id = fairPlayStringToUtf16Buffer(contentId);
|
||||
const cert = new Uint8Array(certificate);
|
||||
const result = new Uint8Array(init.byteLength + 4 + id.byteLength + 4 + cert.byteLength);
|
||||
const view = new DataView(result.buffer);
|
||||
let offset = 0;
|
||||
result.set(init, offset);
|
||||
offset += init.byteLength;
|
||||
view.setUint32(offset, id.byteLength, true);
|
||||
offset += 4;
|
||||
result.set(id, offset);
|
||||
offset += id.byteLength;
|
||||
view.setUint32(offset, cert.byteLength, true);
|
||||
offset += 4;
|
||||
result.set(cert, offset);
|
||||
return result;
|
||||
}
|
||||
|
||||
function getLegacyFairPlayContentId(initData) {
|
||||
const text = shaka.util.StringUtils.fromBytesAutoDetect(initData);
|
||||
const raw = shaka.util.FairPlayUtils.defaultGetContentId(text) || text.replace(/^skd:\/\//i, '');
|
||||
const query = raw.includes('?') ? raw.split('?').pop() : raw;
|
||||
const params = new URLSearchParams(query.replace(/^.*?assetId=/, 'assetId='));
|
||||
return params.get('assetId') || raw;
|
||||
}
|
||||
|
||||
function transformLegacyFairPlayInitData(initData, certificate) {
|
||||
const contentId = getLegacyFairPlayContentId(initData);
|
||||
return concatFairPlayInitData(initData, contentId, certificate);
|
||||
}
|
||||
function normalizeFairPlayLicenseResponse(buffer, contentType = '') {
|
||||
const data = new Uint8Array(buffer);
|
||||
const type = String(contentType || '').toLowerCase();
|
||||
const looksTextWrapped = type.includes('json') || type.includes('xml') || type.includes('text');
|
||||
if (!looksTextWrapped || !window.shaka?.util?.FairPlayUtils || !window.shaka?.net?.NetworkingEngine) {
|
||||
return data;
|
||||
}
|
||||
try {
|
||||
const response = { data, headers: { 'content-type': contentType } };
|
||||
shaka.util.FairPlayUtils.commonFairPlayResponse(shaka.net.NetworkingEngine.RequestType.LICENSE, response);
|
||||
return response.data;
|
||||
} catch (error) {
|
||||
console.warn('Native FairPlay response unwrap skipped:', error);
|
||||
return data;
|
||||
}
|
||||
}
|
||||
|
||||
function setupNativeFairPlayHls(video, url, drm, art, options = {}) {
|
||||
if (!window.WebKitMediaKeys || !WebKitMediaKeys.isTypeSupported('com.apple.fps.1_0', 'video/mp4')) {
|
||||
return null;
|
||||
}
|
||||
const licenseUrl = String(drm?.licenseUrl || '').trim();
|
||||
const certificateUrl = String(drm?.certificateUrl || '').trim();
|
||||
const headers = parseHeaderConfig(drm?.licenseHeaders || '');
|
||||
const keySystem = 'com.apple.fps.1_0';
|
||||
const sessions = [];
|
||||
const disposers = [];
|
||||
let disposed = false;
|
||||
let loaded = false;
|
||||
const showNativeError = (stage, error) => {
|
||||
const detail = error?.message || error?.name || error?.type || error?.code || String(error || 'unknown');
|
||||
console.error(`Native FairPlay Error [${stage}]:`, error);
|
||||
art.notice.show = `${t('drm_playback_error')} (${stage}: ${detail})`;
|
||||
};
|
||||
const certificatePromise = fetch(certificateUrl, { cache: 'force-cache' }).then(response => {
|
||||
if (!response.ok) throw new Error(`HTTP ${response.status}`);
|
||||
return response.arrayBuffer();
|
||||
}).then(buffer => {
|
||||
console.info('Native FairPlay certificate loaded:', certificateUrl, buffer.byteLength);
|
||||
return new Uint8Array(buffer);
|
||||
}).catch(error => {
|
||||
showNativeError('certificate', error);
|
||||
throw error;
|
||||
});
|
||||
const clearWaiting = () => {
|
||||
loaded = true;
|
||||
};
|
||||
const handleNeedKey = event => {
|
||||
console.info('Native FairPlay needkey:', event);
|
||||
certificatePromise.then(certificate => {
|
||||
if (disposed) return;
|
||||
try {
|
||||
const initData = event.initData || event.webkitInitData;
|
||||
if (!initData || !initData.byteLength) throw new Error('missing initData');
|
||||
const transformed = transformLegacyFairPlayInitData(initData, certificate);
|
||||
console.info('Native FairPlay initData:', shaka.util.StringUtils.fromBytesAutoDetect(initData), 'contentId=', getLegacyFairPlayContentId(initData), initData.byteLength, transformed.byteLength);
|
||||
let session = null;
|
||||
try {
|
||||
session = video.webkitKeys.createSession('video/mp4', transformed);
|
||||
} catch (error) {
|
||||
showNativeError('create-session', error);
|
||||
return;
|
||||
}
|
||||
if (!session) {
|
||||
showNativeError('create-session', new Error('empty session'));
|
||||
return;
|
||||
}
|
||||
sessions.push(session);
|
||||
const handleMessage = messageEvent => {
|
||||
const message = messageEvent.message || messageEvent.webkitMessage;
|
||||
if (!message || !message.byteLength) {
|
||||
showNativeError('license-message', new Error('missing SPC message'));
|
||||
return;
|
||||
}
|
||||
const licenseEndpoint = options.licenseProxyUrl || licenseUrl;
|
||||
console.info('Native FairPlay license request:', licenseEndpoint, message.byteLength);
|
||||
const requestHeaders = options.licenseProxyUrl
|
||||
? { 'Content-Type': 'application/octet-stream', 'X-StreamHall-Viewer-Token': options.viewerToken || '' }
|
||||
: { 'Content-Type': 'application/octet-stream', ...headers };
|
||||
fetch(licenseEndpoint, {
|
||||
method: 'POST',
|
||||
headers: requestHeaders,
|
||||
body: message
|
||||
}).then(async response => {
|
||||
const contentType = response.headers.get('content-type') || '';
|
||||
console.info('Native FairPlay license status:', response.status, contentType);
|
||||
const buffer = await response.arrayBuffer();
|
||||
if (!response.ok) {
|
||||
const text = new TextDecoder().decode(buffer.slice(0, 2048));
|
||||
console.warn('Native FairPlay license error body:', text);
|
||||
throw `HTTP ${response.status}: ${text}`;
|
||||
}
|
||||
return { buffer, contentType };
|
||||
}).then(({ buffer, contentType }) => {
|
||||
if (disposed) return;
|
||||
console.info('Native FairPlay license response:', buffer.byteLength);
|
||||
session.update(normalizeFairPlayLicenseResponse(buffer, contentType));
|
||||
}).catch(error => showNativeError('license', error));
|
||||
};
|
||||
const handleKeyError = errorEvent => {
|
||||
const code = session.error ? `${session.error.code || ''} ${session.error.systemCode || ''}`.trim() : '';
|
||||
showNativeError('key-session', code ? new Error(code) : errorEvent);
|
||||
};
|
||||
session.addEventListener('webkitkeymessage', handleMessage);
|
||||
session.addEventListener('webkitkeyerror', handleKeyError);
|
||||
disposers.push(() => {
|
||||
session.removeEventListener('webkitkeymessage', handleMessage);
|
||||
session.removeEventListener('webkitkeyerror', handleKeyError);
|
||||
});
|
||||
} catch (error) {
|
||||
showNativeError('needkey', error);
|
||||
}
|
||||
}).catch(error => showNativeError('certificate', error));
|
||||
};
|
||||
const handleVideoError = () => showNativeError('media', video.error || new Error('Native FairPlay media error'));
|
||||
try {
|
||||
video.webkitSetMediaKeys(new WebKitMediaKeys(keySystem));
|
||||
} catch (error) {
|
||||
showNativeError('mediakeys', error);
|
||||
return null;
|
||||
}
|
||||
video.addEventListener('webkitneedkey', handleNeedKey);
|
||||
video.addEventListener('loadeddata', clearWaiting);
|
||||
video.addEventListener('playing', clearWaiting);
|
||||
video.addEventListener('error', handleVideoError);
|
||||
disposers.push(() => {
|
||||
video.removeEventListener('webkitneedkey', handleNeedKey);
|
||||
video.removeEventListener('loadeddata', clearWaiting);
|
||||
video.removeEventListener('playing', clearWaiting);
|
||||
video.removeEventListener('error', handleVideoError);
|
||||
});
|
||||
const timeout = window.setTimeout(() => {
|
||||
if (!disposed && !loaded && video.readyState < 2) {
|
||||
art.notice.show = `${t('drm_playback_error')} (native FairPlay timeout)`;
|
||||
}
|
||||
}, 15000);
|
||||
video.src = url;
|
||||
video.load();
|
||||
return () => {
|
||||
disposed = true;
|
||||
window.clearTimeout(timeout);
|
||||
disposers.splice(0).forEach(dispose => dispose());
|
||||
try { video.removeAttribute('src'); video.load(); } catch (e) {}
|
||||
};
|
||||
}
|
||||
|
||||
function getDrmConfigs(link) {
|
||||
const configs = Array.isArray(link?.drmConfigs) ? link.drmConfigs : Array.isArray(link?.drm_configs) ? link.drm_configs : [];
|
||||
@@ -376,7 +559,10 @@
|
||||
licenseUrl: String(config?.licenseUrl || config?.license_url || '').trim(),
|
||||
certificateUrl: String(config?.certificateUrl || config?.certificate_url || '').trim(),
|
||||
licenseHeaders: String(config?.licenseHeaders || config?.license_headers || '').trim(),
|
||||
pssh: String(config?.pssh || '').trim()
|
||||
pssh: String(config?.pssh || '').trim(),
|
||||
playbackUrl: String(config?.playbackUrl || config?.playback_url || '').trim(),
|
||||
playbackType: String(config?.playbackType || config?.playback_type || '').trim().toLowerCase(),
|
||||
playback_url: String(config?.playback_url || '').trim()
|
||||
})).filter(config => (config.drmType === 'widevine' || config.drmType === 'fairplay') && config.licenseUrl);
|
||||
if (normalized.length) return normalized;
|
||||
const legacyType = String(link?.drmType || link?.drm_type || '').toLowerCase();
|
||||
@@ -387,22 +573,47 @@
|
||||
licenseUrl: legacyLicense,
|
||||
certificateUrl: String(link?.certificateUrl || link?.certificate_url || '').trim(),
|
||||
licenseHeaders: String(link?.licenseHeaders || link?.license_headers || '').trim(),
|
||||
pssh: String(link?.pssh || '').trim()
|
||||
pssh: String(link?.pssh || '').trim(),
|
||||
playbackUrl: String(link?.playbackUrl || link?.playback_url || '').trim(),
|
||||
playbackType: String(link?.playbackType || link?.playback_type || '').trim().toLowerCase(),
|
||||
playback_url: String(link?.playback_url || '').trim()
|
||||
}];
|
||||
}
|
||||
return [];
|
||||
}
|
||||
|
||||
function browserPrefersFairPlay() {
|
||||
function isAppleWebKitFairPlayCapable() {
|
||||
const ua = navigator.userAgent || '';
|
||||
const isSafari = /Safari/i.test(ua) && !/(Chrome|Chromium|CriOS|FxiOS|Edg|OPR|OPiOS)/i.test(ua);
|
||||
return !!window.WebKitMediaKeys || isSafari;
|
||||
const isiOSWebKit = /iPad|iPhone|iPod/i.test(ua) || (navigator.platform === 'MacIntel' && navigator.maxTouchPoints > 1);
|
||||
const isDesktopSafari = /Safari/i.test(ua) && !/(Chrome|Chromium|CriOS|FxiOS|Edg|OPR|OPiOS)/i.test(ua);
|
||||
return !!window.WebKitMediaKeys || isiOSWebKit || isDesktopSafari;
|
||||
}
|
||||
|
||||
function browserPrefersFairPlay() {
|
||||
return isAppleWebKitFairPlayCapable();
|
||||
}
|
||||
|
||||
function isAndroidRestrictedWebView() {
|
||||
const ua = navigator.userAgent || '';
|
||||
if (!/Android/i.test(ua)) return false;
|
||||
return /Telegram/i.test(ua) || /; wv\)/i.test(ua) || /\bwv\b/i.test(ua);
|
||||
return /Telegram/i.test(ua);
|
||||
}
|
||||
|
||||
async function canUseWidevineKeySystem() {
|
||||
if (!navigator.requestMediaKeySystemAccess) return false;
|
||||
try {
|
||||
await navigator.requestMediaKeySystemAccess('com.widevine.alpha', [{
|
||||
initDataTypes: ['cenc'],
|
||||
audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"' }],
|
||||
videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
|
||||
distinctiveIdentifier: 'optional',
|
||||
persistentState: 'optional',
|
||||
sessionTypes: ['temporary']
|
||||
}]);
|
||||
return true;
|
||||
} catch (error) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function selectDrmConfig(link) {
|
||||
@@ -426,9 +637,45 @@
|
||||
return !!selectDrmConfig(link);
|
||||
}
|
||||
|
||||
function safeDestroyHls(art) {
|
||||
try {
|
||||
const hls = art?.hls;
|
||||
if (hls) hls.destroy();
|
||||
} catch (error) {
|
||||
if (!String(error?.message || error).includes('Cannot find instance of HLS')) {
|
||||
console.warn('HLS cleanup skipped:', error);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function linkHasDrmConfigs(link) {
|
||||
return getDrmConfigs(link).length > 0;
|
||||
}
|
||||
function drmConfigMatchScore(config, selected) {
|
||||
if (!selected || config.drmType !== selected.drmType) return -1;
|
||||
let score = 1;
|
||||
const fields = ['licenseUrl', 'certificateUrl', 'playbackUrl', 'playbackType', 'pssh', 'licenseHeaders'];
|
||||
for (const field of fields) {
|
||||
const left = String(config[field] || '').trim();
|
||||
const right = String(selected[field] || '').trim();
|
||||
if (left && right && left !== right) return -1;
|
||||
if (left === right) score += 1;
|
||||
}
|
||||
return score;
|
||||
}
|
||||
function getDrmConfigIndex(link, selected) {
|
||||
const configs = getDrmConfigs(link);
|
||||
let bestIndex = -1;
|
||||
let bestScore = -1;
|
||||
configs.forEach((config, index) => {
|
||||
const score = drmConfigMatchScore(config, selected);
|
||||
if (score > bestScore) {
|
||||
bestScore = score;
|
||||
bestIndex = index;
|
||||
}
|
||||
});
|
||||
return bestIndex;
|
||||
}
|
||||
|
||||
function formatShakaError(error) {
|
||||
if (!error) return t('drm_playback_error');
|
||||
@@ -464,22 +711,36 @@
|
||||
function installShakaQualityControl(art, player) {
|
||||
const update = () => {
|
||||
const tracks = player.getVariantTracks()
|
||||
.filter(track => track.videoId !== null && track.videoId !== undefined)
|
||||
.filter(track => track.videoId !== null && track.videoId !== undefined && (track.height || track.bandwidth))
|
||||
.sort((a, b) => (b.height || 0) - (a.height || 0) || (b.bandwidth || 0) - (a.bandwidth || 0));
|
||||
const unique = [];
|
||||
const seen = new Set();
|
||||
const byVideoTrack = new Map();
|
||||
tracks.forEach(track => {
|
||||
const key = `${track.height || 0}-${Math.round((track.bandwidth || 0) / 1000)}`;
|
||||
if (seen.has(key)) return;
|
||||
seen.add(key);
|
||||
unique.push(track);
|
||||
const key = track.videoId != null ? `video-${track.videoId}` : `${track.width || 0}x${track.height || 0}-${track.codecs || ''}-${Math.round((track.bandwidth || 0) / 250000)}`;
|
||||
const current = byVideoTrack.get(key);
|
||||
if (!current || track.active || (!current.active && (track.bandwidth || 0) > (current.bandwidth || 0))) {
|
||||
byVideoTrack.set(key, track);
|
||||
}
|
||||
});
|
||||
const unique = Array.from(byVideoTrack.values())
|
||||
.sort((a, b) => (b.height || 0) - (a.height || 0) || (b.bandwidth || 0) - (a.bandwidth || 0));
|
||||
if (!unique.length) return;
|
||||
const active = unique.find(track => track.active) || tracks.find(track => track.active);
|
||||
const autoLabel = 'Auto';
|
||||
const selectedLabel = active?.height ? `${active.height}P` : autoLabel;
|
||||
const heightCounts = unique.reduce((acc, track) => {
|
||||
const key = track.height || 0;
|
||||
acc.set(key, (acc.get(key) || 0) + 1);
|
||||
return acc;
|
||||
}, new Map());
|
||||
const qualityLabel = track => {
|
||||
if (!track) return autoLabel;
|
||||
const kbps = Math.round((track.videoBandwidth || track.bandwidth || 0) / 1000);
|
||||
if (!track.height) return `${kbps}K`;
|
||||
if ((heightCounts.get(track.height) || 0) <= 1) return `${track.height}P`;
|
||||
return kbps >= 1000 ? `${track.height}P (${(kbps / 1000).toFixed(1)}M)` : `${track.height}P (${kbps}K)`;
|
||||
};
|
||||
const selectedLabel = active ? qualityLabel(active) : autoLabel;
|
||||
const selector = unique.map(track => ({
|
||||
html: track.height ? `${track.height}P` : `${Math.round((track.bandwidth || 0) / 1000)}K`,
|
||||
html: qualityLabel(track),
|
||||
value: track.id,
|
||||
default: !!track.active
|
||||
}));
|
||||
@@ -526,6 +787,15 @@
|
||||
}
|
||||
|
||||
function getLinkType(link) {
|
||||
if (linkUsesShakaDrm(link)) return 'm3u8';
|
||||
const selectedDrm = selectDrmConfig(link);
|
||||
if (selectedDrm?.playbackUrl) {
|
||||
if (selectedDrm.playbackType) return selectedDrm.playbackType;
|
||||
const drmPath = selectedDrm.playbackUrl.split('?')[0].toLowerCase();
|
||||
if (drmPath.endsWith('.mpd')) return 'dash';
|
||||
if (drmPath.endsWith('.m3u8')) return 'm3u8';
|
||||
if (drmPath.endsWith('.flv')) return 'flv';
|
||||
}
|
||||
if (link.type) return link.type;
|
||||
const path = (link.url || '').split('?')[0].toLowerCase();
|
||||
if (path.endsWith('.mpd')) return 'dash';
|
||||
@@ -535,6 +805,8 @@
|
||||
}
|
||||
|
||||
function getPlaybackUrl(link) {
|
||||
const selectedDrm = selectDrmConfig(link);
|
||||
if (selectedDrm?.playbackUrl) return selectedDrm.playback_url || selectedDrm.playbackUrl;
|
||||
return link.playback_url || link.url;
|
||||
}
|
||||
|
||||
@@ -555,6 +827,7 @@
|
||||
let viewerHeartbeatTimer = null;
|
||||
let viewerSessionId = '';
|
||||
let viewerVisitorId = localStorage.getItem('streamhall_visitor_id') || '';
|
||||
let viewerToken = '';
|
||||
let playerInstance = null;
|
||||
let playbackMisses = 0;
|
||||
if (!viewerVisitorId) {
|
||||
@@ -632,6 +905,7 @@
|
||||
const data = await postViewerEvent('viewer_start', {
|
||||
id: streamId,
|
||||
visitorId: viewerVisitorId,
|
||||
viewerToken,
|
||||
referer: document.referrer || '',
|
||||
state: viewerState()
|
||||
});
|
||||
@@ -739,6 +1013,7 @@
|
||||
els.pwdModal.classList.remove('hidden');
|
||||
document.getElementById('pwd-in').focus();
|
||||
} else {
|
||||
viewerToken = data.viewerToken || '';
|
||||
startViewerStats();
|
||||
waitForLiveAndStart(data);
|
||||
}
|
||||
@@ -754,6 +1029,7 @@
|
||||
applyPlayerTitle(data);
|
||||
applySiteIcon(data.siteIconUrl || '');
|
||||
els.pwdModal.classList.add('hidden');
|
||||
viewerToken = data.viewerToken || '';
|
||||
startViewerStats();
|
||||
waitForLiveAndStart(data, pwd);
|
||||
} catch (err) {
|
||||
@@ -793,7 +1069,7 @@
|
||||
return;
|
||||
}
|
||||
|
||||
const activeLinks = [...links];
|
||||
const activeLinks = links.map((link, index) => ({ ...link, _sourceIndex: index }));
|
||||
const preferredIndex = activeLinks.findIndex(link => link.url === preferredUrl || getPlaybackUrl(link) === preferredUrl);
|
||||
if (preferredIndex > 0) {
|
||||
activeLinks.unshift(activeLinks.splice(preferredIndex, 1)[0]);
|
||||
@@ -806,6 +1082,12 @@
|
||||
type: getLinkType(l)
|
||||
}));
|
||||
const initialLink = activeLinks[0] || null;
|
||||
const initialUsesDrm = linkUsesShakaDrm(initialLink);
|
||||
const hlsControlPlugins = initialUsesDrm ? [] : [
|
||||
artplayerPluginHlsControl({
|
||||
quality: { control: true, setting: true, getName: (l) => l.height + 'P', title: t('quality') }
|
||||
})
|
||||
];
|
||||
|
||||
playerInstance = new Artplayer({
|
||||
container: '.artplayer-app',
|
||||
@@ -814,7 +1096,7 @@
|
||||
quality: quality,
|
||||
title: data.eventName,
|
||||
autoplay: true,
|
||||
isLive: linkUsesShakaDrm(initialLink),
|
||||
isLive: data.streamLabel === 'LIVE' && !initialUsesDrm,
|
||||
volume: 0.5,
|
||||
autoSize: true,
|
||||
fullscreen: true,
|
||||
@@ -840,35 +1122,76 @@
|
||||
return;
|
||||
}
|
||||
if (linkUsesShakaDrm(currentLink)) {
|
||||
if (art.hls) art.hls.destroy();
|
||||
if (window.shaka?.polyfill) shaka.polyfill.installAll();
|
||||
if (!window.shaka || !shaka.Player || !shaka.Player.isBrowserSupported()) {
|
||||
art.notice.show = t('drm_unavailable');
|
||||
return;
|
||||
}
|
||||
const selectedDrm = selectDrmConfig(currentLink);
|
||||
if (selectedDrm?.drmType === 'widevine' && isAndroidRestrictedWebView()) {
|
||||
art.notice.show = t('drm_android_webview_unsupported');
|
||||
return;
|
||||
}
|
||||
const fairplay = selectedDrm?.drmType === 'fairplay';
|
||||
const certificateUrl = String(selectedDrm?.certificateUrl || '').trim();
|
||||
const licenseUrl = String(selectedDrm?.licenseUrl || '').trim();
|
||||
if (!licenseUrl) {
|
||||
art.notice.show = t('drm_license_missing');
|
||||
return;
|
||||
}
|
||||
if (fairplay && !certificateUrl) {
|
||||
art.notice.show = t('drm_certificate_missing');
|
||||
return;
|
||||
}
|
||||
|
||||
if (selectedDrm?.drmType === 'widevine' && isAndroidRestrictedWebView()) {
|
||||
canUseWidevineKeySystem().then(supported => {
|
||||
if (!supported) art.notice.show = t('drm_android_webview_unsupported');
|
||||
});
|
||||
}
|
||||
if (art.nativeFairPlayCleanup) {
|
||||
art.nativeFairPlayCleanup();
|
||||
art.nativeFairPlayCleanup = null;
|
||||
}
|
||||
safeDestroyHls(art);
|
||||
const linkIndex = Number.isInteger(currentLink?._sourceIndex) ? currentLink._sourceIndex : activeLinks.indexOf(currentLink);
|
||||
const drmIndex = getDrmConfigIndex(currentLink, selectedDrm);
|
||||
if (fairplay && isAppleWebKitFairPlayCapable() && window.WebKitMediaKeys) {
|
||||
if (art.shaka) {
|
||||
art.shaka.destroy().catch(() => {});
|
||||
art.shaka = null;
|
||||
}
|
||||
if (art.streamhallDurationGuard) art.streamhallDurationGuard();
|
||||
art.streamhallDurationGuard = installLiveDurationGuard(art);
|
||||
const licenseProxyUrl = linkIndex >= 0 && drmIndex >= 0
|
||||
? `/api?action=fairplay_license&id=${encodeURIComponent(streamId)}&link=${encodeURIComponent(linkIndex)}&drm=${encodeURIComponent(drmIndex)}`
|
||||
: '';
|
||||
const cleanup = setupNativeFairPlayHls(video, url, selectedDrm, art, { licenseProxyUrl, viewerToken });
|
||||
if (!cleanup) {
|
||||
art.notice.show = t('drm_unavailable');
|
||||
return;
|
||||
}
|
||||
art.nativeFairPlayCleanup = cleanup;
|
||||
art.on('destroy', () => {
|
||||
if (art.streamhallDurationGuard) art.streamhallDurationGuard();
|
||||
if (art.nativeFairPlayCleanup) {
|
||||
art.nativeFairPlayCleanup();
|
||||
art.nativeFairPlayCleanup = null;
|
||||
}
|
||||
});
|
||||
return;
|
||||
}
|
||||
if (window.shaka?.polyfill) shaka.polyfill.installAll();
|
||||
if (!window.shaka || !shaka.Player || !shaka.Player.isBrowserSupported()) {
|
||||
art.notice.show = t('drm_unavailable');
|
||||
return;
|
||||
}
|
||||
if (art.shaka) art.shaka.destroy().catch(() => {});
|
||||
if (art.streamhallDurationGuard) art.streamhallDurationGuard();
|
||||
art.streamhallDurationGuard = installLiveDurationGuard(art);
|
||||
const player = new shaka.Player();
|
||||
const headers = parseHeaderConfig(selectedDrm?.licenseHeaders || '');
|
||||
const fairplay = selectedDrm?.drmType === 'fairplay';
|
||||
const keySystem = fairplay ? 'com.apple.fps' : 'com.widevine.alpha';
|
||||
const fairplayLegacyKeySystem = 'com.apple.fps.1_0';
|
||||
const certificateUrl = String(selectedDrm?.certificateUrl || '').trim();
|
||||
const servers = { [keySystem]: licenseUrl };
|
||||
const widevineProxyUrl = !fairplay && linkIndex >= 0 && drmIndex >= 0
|
||||
? `/api?action=widevine_license&id=${encodeURIComponent(streamId)}&link=${encodeURIComponent(linkIndex)}&drm=${encodeURIComponent(drmIndex)}&vt=${encodeURIComponent(viewerToken || '')}`
|
||||
: '';
|
||||
const shakaLicenseUrl = widevineProxyUrl || licenseUrl;
|
||||
const servers = { [keySystem]: shakaLicenseUrl };
|
||||
const advanced = {};
|
||||
if (fairplay) {
|
||||
servers[fairplayLegacyKeySystem] = licenseUrl;
|
||||
servers[fairplayLegacyKeySystem] = shakaLicenseUrl;
|
||||
advanced[keySystem] = {
|
||||
serverCertificateUri: certificateUrl,
|
||||
audioRobustness: '',
|
||||
@@ -892,22 +1215,22 @@
|
||||
servers,
|
||||
advanced
|
||||
};
|
||||
if (fairplay && !certificateUrl) {
|
||||
art.notice.show = t('drm_certificate_missing');
|
||||
return;
|
||||
}
|
||||
|
||||
player.configure({
|
||||
drm: {
|
||||
...drmConfig,
|
||||
...(fairplay ? { initDataTransform: transformFairPlayInitData } : {})
|
||||
},
|
||||
...(fairplay ? { streaming: { useNativeHlsForFairPlay: false } } : {})
|
||||
...(fairplay ? { streaming: { useNativeHlsForFairPlay: isAppleWebKitFairPlayCapable() } } : {})
|
||||
});
|
||||
player.getNetworkingEngine().registerRequestFilter((type, request) => {
|
||||
if (type !== shaka.net.NetworkingEngine.RequestType.LICENSE) return;
|
||||
if (fairplay) {
|
||||
request.headers['Content-Type'] = request.headers['Content-Type'] || 'application/octet-stream';
|
||||
}
|
||||
if (widevineProxyUrl) {
|
||||
request.headers['X-StreamHall-Viewer-Token'] = viewerToken || '';
|
||||
}
|
||||
if (Object.keys(headers).length) {
|
||||
Object.assign(request.headers, headers);
|
||||
}
|
||||
@@ -935,6 +1258,10 @@
|
||||
return;
|
||||
}
|
||||
if (Hls.isSupported()) {
|
||||
if (art.nativeFairPlayCleanup) {
|
||||
art.nativeFairPlayCleanup();
|
||||
art.nativeFairPlayCleanup = null;
|
||||
}
|
||||
if (art.shaka) {
|
||||
art.shaka.destroy().catch(() => {});
|
||||
art.shaka = null;
|
||||
@@ -943,7 +1270,7 @@
|
||||
art.streamhallDurationGuard();
|
||||
art.streamhallDurationGuard = null;
|
||||
}
|
||||
if (art.hls) art.hls.destroy();
|
||||
safeDestroyHls(art);
|
||||
const keyOverride = currentLink ? parseHlsKeyOverride(currentLink.key) : null;
|
||||
|
||||
class CustomLoader extends Hls.DefaultConfig.loader {
|
||||
@@ -1002,11 +1329,7 @@
|
||||
art.on('destroy', () => dash.destroy());
|
||||
}
|
||||
},
|
||||
plugins: [
|
||||
artplayerPluginHlsControl({
|
||||
quality: { control: true, setting: true, getName: (l) => l.height + 'P', title: t('quality') }
|
||||
})
|
||||
]
|
||||
plugins: hlsControlPlugins
|
||||
});
|
||||
startPlaybackMonitor(data, password);
|
||||
}
|
||||
|
||||
+2
-1
@@ -1,8 +1,9 @@
|
||||
/*
|
||||
@license
|
||||
Shaka Player
|
||||
Shaka Player v4.10.6
|
||||
Copyright 2016 Google LLC
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
Source: https://github.com/shaka-project/shaka-player/releases/tag/v4.10.6
|
||||
*/
|
||||
(function(){var innerGlobal=typeof window!="undefined"?window:global;var exportTo={};(function(window,global,module){/*
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@ import csv
|
||||
import hashlib
|
||||
import hmac
|
||||
import io
|
||||
import ipaddress
|
||||
import json
|
||||
import mimetypes
|
||||
import os
|
||||
@@ -17,13 +18,14 @@ import tempfile
|
||||
import threading
|
||||
import time
|
||||
import uuid
|
||||
import xml.etree.ElementTree as ET
|
||||
from http import HTTPStatus
|
||||
from http.cookies import SimpleCookie
|
||||
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
|
||||
from pathlib import Path
|
||||
from urllib.error import HTTPError, URLError
|
||||
from urllib.parse import parse_qs, quote, urlencode, urljoin, urlparse
|
||||
from urllib.request import Request, urlopen
|
||||
from urllib.request import HTTPRedirectHandler, Request, build_opener, urlopen
|
||||
|
||||
try:
|
||||
import psycopg
|
||||
@@ -90,6 +92,8 @@ VIDEO_EXTS = frozenset({".mp4", ".mkv", ".avi", ".flv", ".ts", ".mov", ".wmv", "
|
||||
active_pushes: dict[str, dict] = {}
|
||||
_pushes_lock = threading.Lock()
|
||||
HLS_PROXY_PREFIX = "/proxy/hls"
|
||||
HLS_MANIFEST_PROXY_PREFIX = "/proxy/hls-manifest"
|
||||
VIEWER_TOKEN_TTL = 300 # seconds
|
||||
HLS_URI_RE = re.compile(r'URI="([^"]+)"') # matches URI="..." attributes in HLS tag lines (e.g. EXT-X-KEY)
|
||||
|
||||
DEFAULT_SITE_SETTINGS = {
|
||||
@@ -421,14 +425,59 @@ def decode_proxy_target(value: str) -> str:
|
||||
return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")
|
||||
|
||||
|
||||
def hls_proxy_host_token(host: str) -> str:
|
||||
return sign(f"hls-proxy-host:{host.lower()}")
|
||||
def hls_proxy_url_token(url: str) -> str:
|
||||
return sign(f"hls-proxy-url:{url}")
|
||||
|
||||
|
||||
def make_viewer_token(stream_id: int) -> str:
|
||||
expiry = now() + VIEWER_TOKEN_TTL
|
||||
payload = f"{stream_id}:{expiry}"
|
||||
encoded = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
|
||||
return f"{encoded}.{sign(f'viewer-token:{payload}')}"
|
||||
|
||||
|
||||
def verify_viewer_token(token: str, stream_id: int) -> bool:
|
||||
if not token or "." not in token:
|
||||
return False
|
||||
encoded, sig = token.rsplit(".", 1)
|
||||
try:
|
||||
padded = encoded + "=" * (-len(encoded) % 4)
|
||||
payload = base64.urlsafe_b64decode(padded.encode()).decode()
|
||||
tid_str, expiry_str = payload.split(":", 1)
|
||||
except Exception:
|
||||
return False
|
||||
if int(tid_str) != stream_id:
|
||||
return False
|
||||
if now() > int(expiry_str):
|
||||
return False
|
||||
return hmac.compare_digest(sig, sign(f"viewer-token:{payload}"))
|
||||
|
||||
|
||||
def hls_proxy_path(url: str) -> str:
|
||||
host = urlparse(url).netloc
|
||||
encoded = encode_proxy_target(url)
|
||||
return f"{HLS_PROXY_PREFIX}/{hls_proxy_host_token(host)}/{encoded}"
|
||||
return f"{HLS_PROXY_PREFIX}/{hls_proxy_url_token(url)}/{encoded}"
|
||||
|
||||
|
||||
def hls_manifest_proxy_path(url: str) -> str:
|
||||
encoded = encode_proxy_target(url)
|
||||
return f"{HLS_MANIFEST_PROXY_PREFIX}/{hls_proxy_url_token(url)}/{encoded}"
|
||||
|
||||
|
||||
def normalize_proxy_mode(value: object) -> str:
|
||||
mode = str(value or "").strip().lower()
|
||||
return mode if mode in ("auto", "direct", "full", "manifest") else "auto"
|
||||
|
||||
|
||||
def playback_url_for_mode(url: str, link: dict[str, object], proxy_mode: str) -> str:
|
||||
parsed = urlparse(url)
|
||||
if not (is_hls_link(link) and parsed.scheme in ("http", "https")):
|
||||
return url
|
||||
mode = normalize_proxy_mode(proxy_mode)
|
||||
if mode == "direct":
|
||||
return url
|
||||
if mode == "manifest":
|
||||
return hls_manifest_proxy_path(url)
|
||||
return hls_proxy_path(url)
|
||||
|
||||
|
||||
PLAYABLE_VIDEO_EXTS = frozenset({".mp4", ".mkv", ".mov", ".webm", ".m4v"})
|
||||
@@ -473,9 +522,24 @@ def add_playback_urls(links: list[dict[str, object]]) -> list[dict[str, object]]
|
||||
for link in links:
|
||||
item = dict(link)
|
||||
raw_url = str(item.get("url") or "")
|
||||
parsed = urlparse(raw_url)
|
||||
if is_hls_link(item) and parsed.scheme in ("http", "https"):
|
||||
item["playback_url"] = hls_proxy_path(raw_url)
|
||||
proxy_mode = normalize_proxy_mode(item.get("proxyMode", item.get("proxy_mode", "")))
|
||||
item["proxyMode"] = proxy_mode
|
||||
if raw_url:
|
||||
item["playback_url"] = playback_url_for_mode(raw_url, item, proxy_mode)
|
||||
drm_configs = item.get("drmConfigs", [])
|
||||
if isinstance(drm_configs, list):
|
||||
prepared_configs: list[dict[str, object]] = []
|
||||
for config in drm_configs:
|
||||
if not isinstance(config, dict):
|
||||
continue
|
||||
config_item = dict(config)
|
||||
drm_playback_url = str(config_item.get("playbackUrl") or "")
|
||||
drm_playback_type = str(config_item.get("playbackType") or "")
|
||||
if drm_playback_url:
|
||||
probe_item = {"url": drm_playback_url, "type": drm_playback_type}
|
||||
config_item["playback_url"] = playback_url_for_mode(drm_playback_url, probe_item, proxy_mode)
|
||||
prepared_configs.append(config_item)
|
||||
item["drmConfigs"] = prepared_configs
|
||||
prepared.append(item)
|
||||
return prepared
|
||||
|
||||
@@ -514,6 +578,27 @@ def admin_session_not_before() -> int:
|
||||
return 0
|
||||
|
||||
|
||||
def parse_header_config(text: object) -> dict[str, str]:
|
||||
raw = str(text or "").strip()
|
||||
if not raw:
|
||||
return {}
|
||||
try:
|
||||
parsed = json.loads(raw)
|
||||
if isinstance(parsed, dict):
|
||||
return {str(k): str(v) for k, v in parsed.items() if k and v is not None}
|
||||
except json.JSONDecodeError:
|
||||
pass
|
||||
headers: dict[str, str] = {}
|
||||
for line in raw.splitlines():
|
||||
if ":" not in line:
|
||||
continue
|
||||
key, value = line.split(":", 1)
|
||||
key = key.strip()
|
||||
value = value.strip()
|
||||
if key and value:
|
||||
headers[key] = value
|
||||
return headers
|
||||
|
||||
def normalize_drm_configs(item: dict[str, object]) -> list[dict[str, str]]:
|
||||
raw_configs = item.get("drmConfigs", item.get("drm_configs", []))
|
||||
configs = raw_configs if isinstance(raw_configs, list) else []
|
||||
@@ -528,6 +613,9 @@ def normalize_drm_configs(item: dict[str, object]) -> list[dict[str, str]]:
|
||||
license_url = str(config.get("licenseUrl", config.get("license_url", ""))).strip()
|
||||
if not license_url:
|
||||
continue
|
||||
playback_type = str(config.get("playbackType", config.get("playback_type", ""))).strip().lower()
|
||||
if playback_type not in ("", "m3u8", "flv", "dash"):
|
||||
playback_type = ""
|
||||
normalized.append(
|
||||
{
|
||||
"drmType": drm_type,
|
||||
@@ -535,12 +623,17 @@ def normalize_drm_configs(item: dict[str, object]) -> list[dict[str, str]]:
|
||||
"certificateUrl": str(config.get("certificateUrl", config.get("certificate_url", ""))).strip(),
|
||||
"licenseHeaders": str(config.get("licenseHeaders", config.get("license_headers", ""))).strip(),
|
||||
"pssh": str(config.get("pssh", "")).strip(),
|
||||
"playbackUrl": str(config.get("playbackUrl", config.get("playback_url", ""))).strip(),
|
||||
"playbackType": playback_type,
|
||||
}
|
||||
)
|
||||
|
||||
legacy_type = str(item.get("drmType", item.get("drm_type", ""))).strip().lower()
|
||||
legacy_license = str(item.get("licenseUrl", item.get("license_url", ""))).strip()
|
||||
if legacy_type in ("widevine", "fairplay") and legacy_license:
|
||||
legacy_playback_type = str(item.get("playbackType", item.get("playback_type", ""))).strip().lower()
|
||||
if legacy_playback_type not in ("", "m3u8", "flv", "dash"):
|
||||
legacy_playback_type = ""
|
||||
has_legacy = any(config["drmType"] == legacy_type for config in normalized)
|
||||
if not has_legacy:
|
||||
normalized.append(
|
||||
@@ -550,6 +643,8 @@ def normalize_drm_configs(item: dict[str, object]) -> list[dict[str, str]]:
|
||||
"certificateUrl": str(item.get("certificateUrl", item.get("certificate_url", ""))).strip(),
|
||||
"licenseHeaders": str(item.get("licenseHeaders", item.get("license_headers", ""))).strip(),
|
||||
"pssh": str(item.get("pssh", "")).strip(),
|
||||
"playbackUrl": str(item.get("playbackUrl", item.get("playback_url", ""))).strip(),
|
||||
"playbackType": legacy_playback_type,
|
||||
}
|
||||
)
|
||||
return normalized
|
||||
@@ -568,6 +663,7 @@ def normalize_links(raw: object) -> list[dict[str, object]]:
|
||||
link_type = str(item.get("type", "")).strip().lower()
|
||||
if link_type not in ("", "m3u8", "flv", "dash"):
|
||||
link_type = ""
|
||||
proxy_mode = normalize_proxy_mode(item.get("proxyMode", item.get("proxy_mode", "")))
|
||||
drm_configs = normalize_drm_configs(item)
|
||||
first_drm = drm_configs[0] if drm_configs else {}
|
||||
normalized.append(
|
||||
@@ -575,6 +671,7 @@ def normalize_links(raw: object) -> list[dict[str, object]]:
|
||||
"name": name,
|
||||
"type": link_type,
|
||||
"url": url,
|
||||
"proxyMode": proxy_mode,
|
||||
"key": str(item.get("key", "")).strip(),
|
||||
"clearkey": str(item.get("clearkey", "")).strip(),
|
||||
"drmConfigs": drm_configs,
|
||||
@@ -583,6 +680,8 @@ def normalize_links(raw: object) -> list[dict[str, object]]:
|
||||
"certificateUrl": str(first_drm.get("certificateUrl", "")),
|
||||
"licenseHeaders": str(first_drm.get("licenseHeaders", "")),
|
||||
"pssh": str(first_drm.get("pssh", "")),
|
||||
"playbackUrl": str(first_drm.get("playbackUrl", "")),
|
||||
"playbackType": str(first_drm.get("playbackType", "")),
|
||||
}
|
||||
)
|
||||
return normalized
|
||||
@@ -712,6 +811,285 @@ def hls_manifest_drm_types(text: str) -> set[str]:
|
||||
return types
|
||||
|
||||
|
||||
def hls_first_variant_url(text: str, base_url: str) -> str | None:
|
||||
lines = text.splitlines()
|
||||
for i, line in enumerate(lines):
|
||||
if line.strip().startswith("#EXT-X-STREAM-INF"):
|
||||
for j in range(i + 1, len(lines)):
|
||||
candidate = lines[j].strip()
|
||||
if candidate and not candidate.startswith("#"):
|
||||
return urljoin(base_url, candidate)
|
||||
return None
|
||||
|
||||
|
||||
def dash_manifest_drm_types(text: str) -> set[str]:
|
||||
lower = text.lower()
|
||||
types: set[str] = set()
|
||||
if "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" in lower or "com.widevine" in lower:
|
||||
types.add("widevine")
|
||||
return types
|
||||
|
||||
|
||||
class NoRedirectHandler(HTTPRedirectHandler):
|
||||
def redirect_request(self, req, fp, code, msg, headers, newurl):
|
||||
return None
|
||||
|
||||
|
||||
_NO_REDIRECT_OPENER = build_opener(NoRedirectHandler)
|
||||
|
||||
|
||||
def reject_private_http_url(url: str) -> None:
|
||||
parsed = urlparse(url)
|
||||
if parsed.scheme not in ("http", "https") or not parsed.hostname:
|
||||
raise AppError("invalid_request", "invalid manifest url")
|
||||
hostname = parsed.hostname.strip().lower().rstrip(".")
|
||||
if hostname in {"localhost", "ip6-localhost", "ip6-loopback"}:
|
||||
raise AppError("invalid_request", "private manifest host is not allowed")
|
||||
try:
|
||||
candidates = [ipaddress.ip_address(hostname.strip("[]"))]
|
||||
except ValueError:
|
||||
try:
|
||||
infos = socket.getaddrinfo(hostname, parsed.port or (443 if parsed.scheme == "https" else 80), type=socket.SOCK_STREAM)
|
||||
except socket.gaierror as exc:
|
||||
raise AppError("upstream_request_failed", f"DNS lookup failed: {hostname}") from exc
|
||||
candidates = []
|
||||
for info in infos:
|
||||
sockaddr = info[4]
|
||||
if not sockaddr:
|
||||
continue
|
||||
try:
|
||||
candidates.append(ipaddress.ip_address(sockaddr[0]))
|
||||
except ValueError:
|
||||
continue
|
||||
if not candidates:
|
||||
raise AppError("upstream_request_failed", f"DNS lookup returned no usable address: {hostname}")
|
||||
for address in candidates:
|
||||
if (
|
||||
address.is_private
|
||||
or address.is_loopback
|
||||
or address.is_link_local
|
||||
or address.is_multicast
|
||||
or address.is_reserved
|
||||
or address.is_unspecified
|
||||
):
|
||||
raise AppError("invalid_request", f"private manifest address is not allowed: {address}")
|
||||
|
||||
|
||||
def fetch_manifest_text(url: str, *, limit: int = 512 * 1024) -> tuple[str, int | None, str]:
|
||||
headers = {
|
||||
"User-Agent": "StreamHall/1.0",
|
||||
"Accept": "application/dash+xml, application/vnd.apple.mpegurl, application/x-mpegURL, text/plain;q=0.8, */*;q=0.6",
|
||||
}
|
||||
current_url = url
|
||||
for _ in range(4):
|
||||
reject_private_http_url(current_url)
|
||||
request = Request(current_url, headers=headers)
|
||||
try:
|
||||
with _NO_REDIRECT_OPENER.open(request, timeout=STREAM_PROBE_TIMEOUT) as resp:
|
||||
final_url = resp.geturl() or current_url
|
||||
reject_private_http_url(final_url)
|
||||
status_code = int(getattr(resp, "status", resp.getcode()) or 0)
|
||||
content_type = resp.headers.get("Content-Type", "")
|
||||
data = resp.read(limit)
|
||||
return decode_probe_text(data), status_code, content_type
|
||||
except HTTPError as exc:
|
||||
if exc.code in (301, 302, 303, 307, 308):
|
||||
location = exc.headers.get("Location", "").strip()
|
||||
if not location:
|
||||
raise
|
||||
current_url = urljoin(current_url, location)
|
||||
continue
|
||||
raise
|
||||
raise AppError("upstream_request_failed", "too many manifest redirects")
|
||||
|
||||
|
||||
def hls_attribute_value(line: str, name: str) -> str:
|
||||
match = re.search(rf'(?:^|,){re.escape(name)}=("([^"]*)"|[^,]*)', line, re.IGNORECASE)
|
||||
if not match:
|
||||
return ""
|
||||
value = match.group(2) if match.group(2) is not None else match.group(1)
|
||||
return value.strip().strip('"')
|
||||
|
||||
|
||||
def first_url_matching(text: str, pattern: str) -> str:
|
||||
match = re.search(pattern, text, re.IGNORECASE)
|
||||
return match.group(0) if match else ""
|
||||
|
||||
|
||||
def brightcove_account_from_url(url: str) -> str:
|
||||
parsed = urlparse(url)
|
||||
patterns = (
|
||||
r"/manifest/v1/hls/v\d+/fairplay/(\d+)/",
|
||||
r"/manifest/v1/dash/[^/]+/[^/]+/(\d+)/",
|
||||
r"/license/v1/[^/]+/[^/]+/(\d+)(?:/|$)",
|
||||
r"/license/v1/fairplay_app_cert/(\d+)(?:/|$)",
|
||||
)
|
||||
for pattern in patterns:
|
||||
match = re.search(pattern, parsed.path)
|
||||
if match:
|
||||
return match.group(1)
|
||||
return ""
|
||||
|
||||
|
||||
def discover_dash_drm(url: str, text: str) -> list[dict[str, str]]:
|
||||
discovered: list[dict[str, str]] = []
|
||||
try:
|
||||
root = ET.fromstring(text)
|
||||
except ET.ParseError:
|
||||
return discovered
|
||||
|
||||
def local_name(tag: str) -> str:
|
||||
return tag.rsplit("}", 1)[-1].lower()
|
||||
|
||||
content_nodes = [node for node in root.iter() if local_name(node.tag) == "contentprotection"]
|
||||
for node in content_nodes:
|
||||
scheme = str(node.attrib.get("schemeIdUri", "")).lower()
|
||||
if "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" not in scheme and "widevine" not in scheme:
|
||||
continue
|
||||
license_url = ""
|
||||
for key, value in node.attrib.items():
|
||||
if key.rsplit("}", 1)[-1] == "licenseAcquisitionUrl":
|
||||
license_url = str(value).strip()
|
||||
break
|
||||
if not license_url:
|
||||
license_url = first_url_matching(ET.tostring(node, encoding="unicode"), r"https?://[^\s\"'<>]+/license/v1/cenc/widevine/[^\s\"'<>]+")
|
||||
pssh = ""
|
||||
for child in node.iter():
|
||||
if local_name(child.tag) == "pssh" and child.text:
|
||||
pssh = child.text.strip()
|
||||
break
|
||||
discovered.append(
|
||||
{
|
||||
"drmType": "widevine",
|
||||
"licenseUrl": license_url,
|
||||
"certificateUrl": "",
|
||||
"pssh": pssh,
|
||||
"playbackUrl": url,
|
||||
"playbackType": "dash",
|
||||
}
|
||||
)
|
||||
return [item for item in discovered if item.get("licenseUrl")]
|
||||
|
||||
|
||||
def discover_hls_drm(url: str, text: str, *, include_variants: bool = True) -> list[dict[str, str]]:
|
||||
discovered: list[dict[str, str]] = []
|
||||
seen: set[tuple[str, str, str]] = set()
|
||||
|
||||
def add_item(item: dict[str, str]) -> None:
|
||||
key = (item.get("drmType", ""), item.get("licenseUrl", ""), item.get("certificateUrl", ""))
|
||||
if key in seen:
|
||||
return
|
||||
seen.add(key)
|
||||
discovered.append(item)
|
||||
|
||||
cert_url = first_url_matching(text, r"https?://[^\s\"'<>]+/license/v1/fairplay_app_cert/[^\s\"'<>]+")
|
||||
account_id = brightcove_account_from_url(url)
|
||||
if not cert_url and account_id and "fairplay" in urlparse(url).path.lower():
|
||||
cert_url = f"https://manifest.prod.boltdns.net/license/v1/fairplay_app_cert/{account_id}"
|
||||
|
||||
direct_license = first_url_matching(text, r"https?://[^\s\"'<>]+/license/v1/fairplay/[^\s\"'<>]+")
|
||||
if direct_license or cert_url:
|
||||
add_item(
|
||||
{
|
||||
"drmType": "fairplay",
|
||||
"licenseUrl": direct_license,
|
||||
"certificateUrl": cert_url,
|
||||
"pssh": "",
|
||||
"playbackUrl": url,
|
||||
"playbackType": "m3u8",
|
||||
"partial": not bool(direct_license),
|
||||
}
|
||||
)
|
||||
|
||||
for line in text.splitlines():
|
||||
line = line.strip()
|
||||
if not line.upper().startswith("#EXT-X-KEY"):
|
||||
continue
|
||||
keyformat = hls_attribute_value(line, "KEYFORMAT").lower()
|
||||
uri = hls_attribute_value(line, "URI")
|
||||
if "com.apple.streamingkeydelivery" in keyformat or uri.lower().startswith("skd://"):
|
||||
license_url = uri if uri.lower().startswith(("http://", "https://")) else direct_license
|
||||
add_item(
|
||||
{
|
||||
"drmType": "fairplay",
|
||||
"licenseUrl": license_url,
|
||||
"certificateUrl": cert_url,
|
||||
"pssh": "",
|
||||
"playbackUrl": url,
|
||||
"playbackType": "m3u8",
|
||||
"partial": not bool(license_url),
|
||||
}
|
||||
)
|
||||
|
||||
if include_variants:
|
||||
for variant_url in hls_variant_urls(text, url)[:5]:
|
||||
try:
|
||||
variant_text, _, _ = fetch_manifest_text(variant_url)
|
||||
except Exception:
|
||||
continue
|
||||
for item in discover_hls_drm(url, variant_text, include_variants=False):
|
||||
add_item(item)
|
||||
|
||||
return [item for item in discovered if item.get("licenseUrl") or item.get("certificateUrl")]
|
||||
|
||||
|
||||
def hls_variant_urls(text: str, base_url: str) -> list[str]:
|
||||
urls: list[str] = []
|
||||
lines = text.splitlines()
|
||||
for i, line in enumerate(lines):
|
||||
if line.strip().startswith("#EXT-X-STREAM-INF"):
|
||||
for j in range(i + 1, len(lines)):
|
||||
candidate = lines[j].strip()
|
||||
if candidate and not candidate.startswith("#"):
|
||||
urls.append(urljoin(base_url, candidate))
|
||||
break
|
||||
return urls
|
||||
|
||||
|
||||
def discover_drm_from_url(raw_url: object, type_hint: object = "") -> dict[str, object]:
|
||||
url = str(raw_url or "").strip()
|
||||
parsed = urlparse(url)
|
||||
if parsed.scheme not in ("http", "https") or not parsed.netloc:
|
||||
raise AppError("invalid_request", "invalid playback url")
|
||||
|
||||
hint = str(type_hint or "").strip().lower()
|
||||
path = parsed.path.lower()
|
||||
is_hls = hint == "m3u8" or path.endswith(".m3u8")
|
||||
is_dash = hint == "dash" or path.endswith(".mpd")
|
||||
try:
|
||||
text, status_code, content_type = fetch_manifest_text(url)
|
||||
except HTTPError as exc:
|
||||
raise AppError("upstream_http_error", f"HTTP {exc.code}") from exc
|
||||
except (TimeoutError, URLError, OSError) as exc:
|
||||
raise AppError("upstream_request_failed", str(exc)) from exc
|
||||
|
||||
lowered_type = content_type.lower()
|
||||
if not is_hls and ("mpegurl" in lowered_type or "m3u8" in lowered_type or text.lstrip().startswith("#EXTM3U")):
|
||||
is_hls = True
|
||||
if not is_dash and ("dash+xml" in lowered_type or "<MPD" in text[:2048]):
|
||||
is_dash = True
|
||||
|
||||
discovered: list[dict[str, str]] = []
|
||||
if is_dash:
|
||||
discovered.extend(discover_dash_drm(url, text))
|
||||
if is_hls:
|
||||
discovered.extend(discover_hls_drm(url, text))
|
||||
|
||||
unsupported: list[str] = []
|
||||
lower = text.lower()
|
||||
if "9a04f079-9840-4286-ab92-e65be0885f95" in lower or "/playready/" in lower:
|
||||
unsupported.append("playready")
|
||||
|
||||
return {
|
||||
"url": url,
|
||||
"type": "dash" if is_dash else ("m3u8" if is_hls else ""),
|
||||
"status_code": status_code,
|
||||
"content_type": content_type,
|
||||
"drmConfigs": discovered,
|
||||
"unsupported": sorted(set(unsupported)),
|
||||
}
|
||||
|
||||
|
||||
def drm_config_types(configs: object) -> set[str]:
|
||||
normalized: set[str] = set()
|
||||
if not isinstance(configs, list):
|
||||
@@ -813,11 +1191,24 @@ def probe_stream_url(
|
||||
for marker in ("#EXTINF", "#EXT-X-STREAM-INF", "#EXT-X-MEDIA-SEQUENCE", "#EXT-X-PART")
|
||||
)
|
||||
drm_types = hls_manifest_drm_types(text)
|
||||
if "#EXT-X-STREAM-INF" in text:
|
||||
variant_url = hls_first_variant_url(text, url)
|
||||
if variant_url:
|
||||
try:
|
||||
with urlopen(Request(variant_url, headers=headers), timeout=STREAM_PROBE_TIMEOUT) as vresp:
|
||||
vdata = vresp.read(65536)
|
||||
drm_types |= hls_manifest_drm_types(decode_probe_text(vdata))
|
||||
except Exception:
|
||||
pass
|
||||
configured_types = drm_config_types(drm_configs)
|
||||
return stream_probe_drm_response(has_playlist and has_live_media, status_code, drm_types, configured_types)
|
||||
|
||||
if is_dash or "dash+xml" in content_type:
|
||||
return stream_probe_response(b"<MPD" in data[:2048], status_code)
|
||||
text = decode_probe_text(data)
|
||||
valid = "<MPD" in text[:2048]
|
||||
drm_types = dash_manifest_drm_types(text)
|
||||
configured_types = drm_config_types(drm_configs)
|
||||
return stream_probe_drm_response(valid, status_code, drm_types, configured_types)
|
||||
|
||||
if is_flv or "flv" in content_type:
|
||||
return stream_probe_response(data.startswith(b"FLV") or len(data) > 0, status_code)
|
||||
@@ -916,8 +1307,6 @@ def verify_admin_password(password: str) -> bool:
|
||||
|
||||
|
||||
def client_ip_hash(headers: object) -> str:
|
||||
# Hash the client IP with HMAC-SHA256 so unique visitors can be counted
|
||||
# without storing the raw IP address in the database.
|
||||
raw = headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For") or headers.get("X-Real-IP") or ""
|
||||
ip = str(raw).split(",", 1)[0].strip()
|
||||
if not ip:
|
||||
@@ -1066,9 +1455,11 @@ def player_data(row: dict[str, object], settings: dict[str, str] | None = None)
|
||||
site = settings or site_settings()
|
||||
return {
|
||||
"eventName": row["event_name"],
|
||||
"streamLabel": normalize_stream_label(row["stream_label"]),
|
||||
"siteTitle": site["site_title"],
|
||||
"siteIconUrl": site.get("site_icon_url", ""),
|
||||
"links": add_playback_urls(normalize_links(links)),
|
||||
"viewerToken": make_viewer_token(int(row["id"])),
|
||||
}
|
||||
|
||||
|
||||
@@ -1268,6 +1659,28 @@ def rewrite_external_hls_manifest(manifest: str, base_url: str) -> str:
|
||||
return "\n".join(rewritten) + ("\n" if manifest.endswith("\n") else "")
|
||||
|
||||
|
||||
def rewrite_external_hls_manifest_direct(manifest: str, base_url: str) -> str:
|
||||
# Manifest-only proxy: expose the manifest through StreamHall, but rewrite
|
||||
# relative media/key/map URLs to absolute upstream URLs so segment traffic
|
||||
# goes directly from the viewer to the source server.
|
||||
def absolute_uri(value: str) -> str:
|
||||
if not value or value.startswith(("data:", "skd:")):
|
||||
return value
|
||||
return urljoin(base_url, value)
|
||||
|
||||
rewritten: list[str] = []
|
||||
for line in manifest.splitlines():
|
||||
text = line.strip()
|
||||
if not text:
|
||||
rewritten.append(line)
|
||||
continue
|
||||
if text.startswith("#"):
|
||||
rewritten.append(HLS_URI_RE.sub(lambda match: f'URI="{absolute_uri(match.group(1))}"', line))
|
||||
continue
|
||||
rewritten.append(absolute_uri(text))
|
||||
return "\n".join(rewritten) + ("\n" if manifest.endswith("\n") else "")
|
||||
|
||||
|
||||
def monitor_streams_loop() -> None:
|
||||
while True:
|
||||
try:
|
||||
@@ -1294,6 +1707,9 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
if parsed.path.startswith("/h/"):
|
||||
self.proxy_obs_route(parsed.path, parsed.query, send_body=True)
|
||||
return
|
||||
if parsed.path.startswith(f"{HLS_MANIFEST_PROXY_PREFIX}/"):
|
||||
self.proxy_hls_manifest_route(parsed.path, send_body=True)
|
||||
return
|
||||
if parsed.path.startswith(f"{HLS_PROXY_PREFIX}/"):
|
||||
self.proxy_hls_route(parsed.path, send_body=True)
|
||||
return
|
||||
@@ -1310,6 +1726,9 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
if parsed.path.startswith("/h/"):
|
||||
self.proxy_obs_route(parsed.path, parsed.query, send_body=False)
|
||||
return
|
||||
if parsed.path.startswith(f"{HLS_MANIFEST_PROXY_PREFIX}/"):
|
||||
self.proxy_hls_manifest_route(parsed.path, send_body=False)
|
||||
return
|
||||
if parsed.path.startswith(f"{HLS_PROXY_PREFIX}/"):
|
||||
self.proxy_hls_route(parsed.path, send_body=False)
|
||||
return
|
||||
@@ -1333,13 +1752,10 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
return self._verify_api_key()
|
||||
|
||||
def _verify_api_key(self) -> bool:
|
||||
token = None
|
||||
auth = self.headers.get("Authorization", "")
|
||||
if auth.startswith("Bearer "):
|
||||
if not auth.startswith("Bearer "):
|
||||
return False
|
||||
token = auth[7:].strip()
|
||||
if not token:
|
||||
qs = parse_qs(urlparse(self.path).query)
|
||||
token = qs.get("api_key", [""])[0]
|
||||
if not token:
|
||||
return False
|
||||
token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
|
||||
@@ -1406,6 +1822,10 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
self.api_verify_password()
|
||||
elif action == "check_player_stream":
|
||||
self.api_check_player_stream()
|
||||
elif action == "fairplay_license":
|
||||
self.api_fairplay_license(parse_qs(parsed.query))
|
||||
elif action == "widevine_license":
|
||||
self.api_widevine_license(parse_qs(parsed.query))
|
||||
elif action == "viewer_start":
|
||||
self.api_viewer_start()
|
||||
elif action == "viewer_heartbeat":
|
||||
@@ -1460,6 +1880,9 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
elif action == "check_stream_url":
|
||||
self.require_admin()
|
||||
self.api_check_stream_url()
|
||||
elif action == "discover_drm":
|
||||
self.require_admin()
|
||||
self.api_discover_drm()
|
||||
elif action == "check_stream":
|
||||
self.require_admin()
|
||||
self.api_check_stream()
|
||||
@@ -1644,8 +2067,184 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
raise AppError("auth_incorrect_password")
|
||||
self.send_json({"status": "success", "data": self.check_stream_row(row)})
|
||||
|
||||
def api_fairplay_license(self, query: dict[str, list[str]]) -> None:
|
||||
stream_ref = query.get("id", [""])[0]
|
||||
viewer_token = self.headers.get("X-StreamHall-Viewer-Token", "").strip()
|
||||
try:
|
||||
link_index = int(query.get("link", ["-1"])[0])
|
||||
drm_index = int(query.get("drm", ["-1"])[0])
|
||||
variant_index = int(query.get("variant", ["-1"])[0])
|
||||
except ValueError:
|
||||
raise AppError("invalid_request")
|
||||
if link_index < 0 or drm_index < 0:
|
||||
raise AppError("invalid_request")
|
||||
length = int(self.headers.get("Content-Length", "0") or "0")
|
||||
if length <= 0 or length > 1024 * 1024:
|
||||
raise AppError("invalid_request")
|
||||
spc_body = self.rfile.read(length)
|
||||
with db() as conn:
|
||||
row = find_stream(conn, stream_ref)
|
||||
if not row or int(row["is_enabled"] or 0) != 1:
|
||||
raise AppError("stream_not_found_or_disabled")
|
||||
if not verify_viewer_token(viewer_token, int(row["id"])):
|
||||
raise AppError("auth_required")
|
||||
try:
|
||||
links = normalize_links(json.loads(row["links_json"] or "[]"))
|
||||
except json.JSONDecodeError:
|
||||
links = []
|
||||
if link_index >= len(links):
|
||||
raise AppError("invalid_request")
|
||||
link_for_drm = links[link_index]
|
||||
variants = link_for_drm.get("variants", [])
|
||||
if variant_index >= 0:
|
||||
if not isinstance(variants, list) or variant_index >= len(variants):
|
||||
raise AppError("invalid_request")
|
||||
variant = variants[variant_index]
|
||||
if not isinstance(variant, dict):
|
||||
raise AppError("invalid_request")
|
||||
link_for_drm = variant
|
||||
drm_configs = link_for_drm.get("drmConfigs", [])
|
||||
if not isinstance(drm_configs, list) or drm_index >= len(drm_configs):
|
||||
raise AppError("invalid_request")
|
||||
drm_config = drm_configs[drm_index]
|
||||
if not isinstance(drm_config, dict):
|
||||
raise AppError("invalid_request")
|
||||
if str(drm_config.get("drmType", "")).lower() != "fairplay":
|
||||
raise AppError("invalid_request")
|
||||
license_url = str(drm_config.get("licenseUrl", "")).strip()
|
||||
parsed = urlparse(license_url)
|
||||
if parsed.scheme not in ("http", "https"):
|
||||
raise AppError("invalid_request")
|
||||
request_headers = {
|
||||
"User-Agent": self.headers.get("User-Agent", "StreamHall/1.0"),
|
||||
"Content-Type": "application/json",
|
||||
"Accept": "application/octet-stream, application/json;q=0.9, */*;q=0.8",
|
||||
**parse_header_config(drm_config.get("licenseHeaders", "")),
|
||||
}
|
||||
upstream_payload: dict[str, str] = {
|
||||
"server_playback_context": base64.b64encode(spc_body).decode("ascii")
|
||||
}
|
||||
upstream_body = json.dumps(upstream_payload).encode("utf-8")
|
||||
try:
|
||||
req = Request(license_url, data=upstream_body, headers=request_headers, method="POST")
|
||||
with urlopen(req, timeout=20) as resp:
|
||||
content = resp.read(2 * 1024 * 1024)
|
||||
content_type = resp.headers.get("Content-Type") or "application/octet-stream"
|
||||
self.send_response(HTTPStatus.OK)
|
||||
self.send_header("Content-Type", content_type)
|
||||
self.send_header("Content-Length", str(len(content)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.send_header("X-Content-Type-Options", "nosniff")
|
||||
self.end_headers()
|
||||
self.wfile.write(content)
|
||||
except HTTPError as exc:
|
||||
error_body = exc.read(4096) if hasattr(exc, "read") else b""
|
||||
status = HTTPStatus(exc.code) if exc.code in HTTPStatus._value2member_map_ else HTTPStatus.BAD_GATEWAY
|
||||
body = error_body or f"upstream HTTP {exc.code}".encode("utf-8")
|
||||
self.send_response(status)
|
||||
self.send_header("Content-Type", exc.headers.get("Content-Type") or "text/plain; charset=utf-8")
|
||||
self.send_header("Content-Length", str(len(body)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.send_header("X-StreamHall-Upstream-Status", str(exc.code))
|
||||
self.end_headers()
|
||||
self.wfile.write(body)
|
||||
except (URLError, TimeoutError, OSError) as exc:
|
||||
body = f"upstream request failed: {exc}".encode("utf-8")
|
||||
self.send_response(HTTPStatus.BAD_GATEWAY)
|
||||
self.send_header("Content-Type", "text/plain; charset=utf-8")
|
||||
self.send_header("Content-Length", str(len(body)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.end_headers()
|
||||
self.wfile.write(body)
|
||||
|
||||
def api_widevine_license(self, query: dict[str, list[str]]) -> None:
|
||||
stream_ref = query.get("id", [""])[0]
|
||||
viewer_token = (self.headers.get("X-StreamHall-Viewer-Token", "") or query.get("vt", [""])[0]).strip()
|
||||
try:
|
||||
link_index = int(query.get("link", ["-1"])[0])
|
||||
drm_index = int(query.get("drm", ["-1"])[0])
|
||||
except ValueError:
|
||||
raise AppError("invalid_request", "invalid link or drm index")
|
||||
if link_index < 0 or drm_index < 0:
|
||||
raise AppError("invalid_request", "missing link or drm index")
|
||||
length = int(self.headers.get("Content-Length", "0") or "0")
|
||||
if length <= 0 or length > 1024 * 1024:
|
||||
raise AppError("invalid_request", f"invalid challenge length: {length}")
|
||||
challenge_body = self.rfile.read(length)
|
||||
with db() as conn:
|
||||
row = find_stream(conn, stream_ref)
|
||||
if not row or int(row["is_enabled"] or 0) != 1:
|
||||
raise AppError("stream_not_found_or_disabled")
|
||||
if not verify_viewer_token(viewer_token, int(row["id"])):
|
||||
raise AppError("auth_required", "missing or invalid viewer token")
|
||||
try:
|
||||
links = normalize_links(json.loads(row["links_json"] or "[]"))
|
||||
except json.JSONDecodeError:
|
||||
links = []
|
||||
if link_index >= len(links):
|
||||
raise AppError("invalid_request", f"link index out of range: {link_index}/{len(links)}")
|
||||
drm_configs = links[link_index].get("drmConfigs", [])
|
||||
if not isinstance(drm_configs, list) or drm_index >= len(drm_configs):
|
||||
raise AppError("invalid_request", f"drm index out of range: {drm_index}")
|
||||
drm_config = drm_configs[drm_index]
|
||||
if not isinstance(drm_config, dict):
|
||||
raise AppError("invalid_request", "invalid drm config")
|
||||
if str(drm_config.get("drmType", "")).lower() != "widevine":
|
||||
raise AppError("invalid_request", f"selected drm is not widevine: {drm_config.get('drmType', '')}")
|
||||
license_url = str(drm_config.get("licenseUrl", "")).strip()
|
||||
parsed = urlparse(license_url)
|
||||
if parsed.scheme not in ("http", "https"):
|
||||
raise AppError("invalid_request", "invalid widevine license url")
|
||||
request_headers = {
|
||||
"User-Agent": self.headers.get("User-Agent", "StreamHall/1.0"),
|
||||
"Content-Type": self.headers.get("Content-Type", "application/octet-stream"),
|
||||
"Accept": "application/octet-stream, application/json;q=0.9, */*;q=0.8",
|
||||
**parse_header_config(drm_config.get("licenseHeaders", "")),
|
||||
}
|
||||
for blocked in ("host", "content-length", "connection", "origin", "referer", "cookie"):
|
||||
request_headers.pop(blocked, None)
|
||||
request_headers.pop(blocked.title(), None)
|
||||
try:
|
||||
req = Request(license_url, data=challenge_body, headers=request_headers, method="POST")
|
||||
with urlopen(req, timeout=20) as resp:
|
||||
content = resp.read(2 * 1024 * 1024)
|
||||
content_type = resp.headers.get("Content-Type") or "application/octet-stream"
|
||||
self.send_response(HTTPStatus.OK)
|
||||
self.send_header("Content-Type", content_type)
|
||||
self.send_header("Content-Length", str(len(content)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.send_header("X-Content-Type-Options", "nosniff")
|
||||
self.end_headers()
|
||||
self.wfile.write(content)
|
||||
except HTTPError as exc:
|
||||
error_body = exc.read(4096) if hasattr(exc, "read") else b""
|
||||
status = HTTPStatus(exc.code) if exc.code in HTTPStatus._value2member_map_ else HTTPStatus.BAD_GATEWAY
|
||||
body = error_body or f"upstream HTTP {exc.code}".encode("utf-8")
|
||||
self.send_response(status)
|
||||
self.send_header("Content-Type", exc.headers.get("Content-Type") or "text/plain; charset=utf-8")
|
||||
self.send_header("Content-Length", str(len(body)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.send_header("X-StreamHall-Upstream-Status", str(exc.code))
|
||||
self.end_headers()
|
||||
self.wfile.write(body)
|
||||
except (URLError, TimeoutError, OSError) as exc:
|
||||
body = f"upstream request failed: {exc}".encode("utf-8")
|
||||
self.send_response(HTTPStatus.BAD_GATEWAY)
|
||||
self.send_header("Content-Type", "text/plain; charset=utf-8")
|
||||
self.send_header("Content-Length", str(len(body)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.end_headers()
|
||||
self.wfile.write(body)
|
||||
|
||||
def api_viewer_start(self) -> None:
|
||||
body = self.read_json()
|
||||
viewer_token = str(body.get("viewerToken", "")).strip()
|
||||
visitor_id = str(body.get("visitorId", "")).strip()[:120] or secrets.token_urlsafe(18)
|
||||
stream_ref = body.get("id", "")
|
||||
referer = str(body.get("referer", self.headers.get("Referer", ""))).strip()[:500]
|
||||
@@ -1653,6 +2252,8 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
row = find_stream(conn, stream_ref)
|
||||
if not row or int(row["is_enabled"] or 0) != 1:
|
||||
raise AppError("stream_not_found_or_disabled")
|
||||
if not verify_viewer_token(viewer_token, int(row["id"])):
|
||||
raise AppError("auth_required")
|
||||
session_id = secrets.token_urlsafe(18)
|
||||
timestamp = now()
|
||||
conn.execute(
|
||||
@@ -1980,6 +2581,11 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
result = probe_stream_url(body.get("url", ""), body.get("type", ""), body.get("drmConfigs", body.get("drm_configs", [])))
|
||||
self.send_json({"status": "success", "data": result})
|
||||
|
||||
def api_discover_drm(self) -> None:
|
||||
body = self.read_json()
|
||||
result = discover_drm_from_url(body.get("url", ""), body.get("type", ""))
|
||||
self.send_json({"status": "success", "data": result})
|
||||
|
||||
def api_check_stream(self) -> None:
|
||||
body = self.read_json()
|
||||
stream_id = int(body.get("id", 0) or 0)
|
||||
@@ -2164,7 +2770,26 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
}})
|
||||
|
||||
def api_stats_export_csv(self) -> None:
|
||||
qs = parse_qs(urlparse(self.path).query)
|
||||
range_param = qs.get("range", ["30d"])[0]
|
||||
since_map = {"today": 86400, "7d": 7 * 86400, "30d": 30 * 86400}
|
||||
since = now() - since_map[range_param] if range_param in since_map else 0
|
||||
with db() as conn:
|
||||
if since:
|
||||
rows = conn.execute(
|
||||
"""
|
||||
SELECT vs.session_id, vs.visitor_id, s.event_name,
|
||||
vs.device_type, vs.referer,
|
||||
vs.started_at, vs.ended_at, vs.last_seen_at,
|
||||
vs.is_active, vs.play_state
|
||||
FROM viewer_sessions vs
|
||||
LEFT JOIN streams s ON vs.stream_id = s.id
|
||||
WHERE vs.started_at >= ?
|
||||
ORDER BY vs.started_at DESC
|
||||
""",
|
||||
(since,),
|
||||
).fetchall()
|
||||
else:
|
||||
rows = conn.execute(
|
||||
"""
|
||||
SELECT vs.session_id, vs.visitor_id, s.event_name,
|
||||
@@ -2650,7 +3275,7 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
|
||||
def proxy_hls_route(self, request_path: str, send_body: bool = True) -> None:
|
||||
# URL format: /proxy/hls/<token>/<base64-encoded-url>
|
||||
# The token is an HMAC of the target hostname; it ensures that only URLs
|
||||
# The token is an HMAC of the full target URL; it ensures that only URLs
|
||||
# generated by hls_proxy_path() can be proxied, preventing open-proxy abuse.
|
||||
parts = request_path.strip("/").split("/")
|
||||
if len(parts) != 4 or parts[0] != "proxy" or parts[1] != "hls":
|
||||
@@ -2666,7 +3291,12 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
if parsed.scheme not in ("http", "https"):
|
||||
self.send_error(HTTPStatus.BAD_REQUEST)
|
||||
return
|
||||
if not hmac.compare_digest(token, hls_proxy_host_token(parsed.netloc)):
|
||||
if not hmac.compare_digest(token, hls_proxy_url_token(target_url)):
|
||||
self.send_error(HTTPStatus.FORBIDDEN)
|
||||
return
|
||||
try:
|
||||
reject_private_http_url(target_url)
|
||||
except AppError:
|
||||
self.send_error(HTTPStatus.FORBIDDEN)
|
||||
return
|
||||
|
||||
@@ -2705,6 +3335,58 @@ class StreamHallHandler(BaseHTTPRequestHandler):
|
||||
except (URLError, TimeoutError, OSError):
|
||||
self.send_error(HTTPStatus.BAD_GATEWAY)
|
||||
|
||||
def proxy_hls_manifest_route(self, request_path: str, send_body: bool = True) -> None:
|
||||
# URL format: /proxy/hls-manifest/<token>/<base64-encoded-url>
|
||||
# This route only proxies the playlist itself. Segment/key/map URLs are
|
||||
# rewritten to absolute upstream URLs, so media bandwidth does not pass
|
||||
# through StreamHall.
|
||||
parts = request_path.strip("/").split("/")
|
||||
if len(parts) != 4 or parts[0] != "proxy" or parts[1] != "hls-manifest":
|
||||
self.send_error(HTTPStatus.NOT_FOUND)
|
||||
return
|
||||
token, encoded_url = parts[2], parts[3]
|
||||
try:
|
||||
target_url = decode_proxy_target(encoded_url)
|
||||
except (ValueError, UnicodeDecodeError):
|
||||
self.send_error(HTTPStatus.BAD_REQUEST)
|
||||
return
|
||||
parsed = urlparse(target_url)
|
||||
if parsed.scheme not in ("http", "https"):
|
||||
self.send_error(HTTPStatus.BAD_REQUEST)
|
||||
return
|
||||
if not hmac.compare_digest(token, hls_proxy_url_token(target_url)):
|
||||
self.send_error(HTTPStatus.FORBIDDEN)
|
||||
return
|
||||
try:
|
||||
reject_private_http_url(target_url)
|
||||
except AppError:
|
||||
self.send_error(HTTPStatus.FORBIDDEN)
|
||||
return
|
||||
|
||||
try:
|
||||
req = Request(target_url, headers={"User-Agent": "StreamHall/1.0"})
|
||||
with urlopen(req, timeout=STREAM_PROBE_TIMEOUT) as resp:
|
||||
content_type = resp.headers.get("Content-Type") or mimetypes.guess_type(parsed.path)[0] or "application/octet-stream"
|
||||
body = resp.read(2 * 1024 * 1024)
|
||||
text = decode_probe_text(body)
|
||||
is_manifest = parsed.path.lower().endswith(".m3u8") or "mpegurl" in content_type.lower() or text.lstrip().startswith("#EXTM3U")
|
||||
if not is_manifest:
|
||||
self.send_error(HTTPStatus.BAD_REQUEST)
|
||||
return
|
||||
content = rewrite_external_hls_manifest_direct(text, target_url).encode("utf-8")
|
||||
self.send_response(HTTPStatus.OK)
|
||||
self.send_header("Content-Type", "application/vnd.apple.mpegurl; charset=utf-8")
|
||||
self.send_header("Content-Length", str(len(content)))
|
||||
self.send_header("Cache-Control", "no-cache")
|
||||
self.send_header("Access-Control-Allow-Origin", "*")
|
||||
self.end_headers()
|
||||
if send_body:
|
||||
self.wfile.write(content)
|
||||
except HTTPError as exc:
|
||||
self.send_error(HTTPStatus(exc.code) if exc.code in HTTPStatus._value2member_map_ else HTTPStatus.BAD_GATEWAY)
|
||||
except (URLError, TimeoutError, OSError):
|
||||
self.send_error(HTTPStatus.BAD_GATEWAY)
|
||||
|
||||
def api_list_videos(self) -> None:
|
||||
qs = parse_qs(urlparse(self.path).query)
|
||||
dir_index_str = (qs.get("dir_index", [None])[0] or "").strip()
|
||||
@@ -3202,7 +3884,12 @@ def resume_push_jobs() -> None:
|
||||
pass
|
||||
|
||||
|
||||
_WEAK_KEYS = {b"change-this-secret", b"REPLACE_ME"}
|
||||
|
||||
def main() -> None:
|
||||
if SECRET_KEY in _WEAK_KEYS:
|
||||
print("WARNING: SECRET_KEY is set to a known default value. "
|
||||
"Generate a secure key with: openssl rand -hex 32", flush=True)
|
||||
init_db()
|
||||
threading.Thread(target=resume_push_jobs, daemon=True).start()
|
||||
threading.Thread(target=monitor_streams_loop, daemon=True).start()
|
||||
|
||||
Reference in New Issue
Block a user