1 files changed, 41 insertions, 25 deletions

diff --git a/server/src/routes/ui/player.rs b/server/src/routes/ui/player.rs
index 712f7fb..1ef0149 100644
--- a/server/src/routes/ui/player.rs
+++ b/server/src/routes/ui/player.rs
@@ -3,7 +3,10 @@
     which is licensed under the GNU Affero General Public License (version 3); see /COPYING.
     Copyright (C) 2024 metamuffin <metamuffin.org>
 */
-use super::{account::session::Session, layout::LayoutPage};
+use super::{
+    account::session::{token, Session},
+    layout::LayoutPage,
+};
 use crate::{
     database::DataAcid,
     routes::{
@@ -19,11 +22,12 @@ use crate::{
 use anyhow::anyhow;
 use jellybase::{
     database::{TableExt, T_NODE},
+    permission::PermissionSetExt,
     CONF,
 };
 use jellycommon::{
     stream::{StreamFormat, StreamSpec},
-    user::PlayerKind,
+    user::{PermissionSet, PlayerKind, UserPermission},
     Node, SourceTrackKind, TrackID,
 };
 use markup::DynRender;
@@ -46,20 +50,19 @@ impl PlayerConfig {
     }
 }
 
-fn jellynative_url(action: &str, secret: &str, node: &str) -> String {
-    format!(
-        "jellynative://{action}/{secret}/{}://{}{}",
-        if CONF.tls { "https" } else { "http" },
-        CONF.hostname,
-        uri!(r_stream(
-            node,
-            StreamSpec {
-                format: StreamFormat::HlsMaster,
-                ..Default::default()
-            }
-        ))
-    )
+fn jellynative_url(action: &str, secret: &str, node: &str, session: &str) -> String {
+    let protocol = if CONF.tls { "https" } else { "http" };
+    let host = &CONF.hostname;
+    let stream_url = uri!(r_stream(
+        node,
+        StreamSpec {
+            format: StreamFormat::HlsMaster,
+            ..Default::default()
+        }
+    ));
+    format!("jellynative://{action}/{secret}/{session}/{protocol}://{host}{stream_url}",)
 }
+
 #[get("/n/<id>/player?<conf..>", rank = 4)]
 pub fn r_player<'a>(
     sess: Session,
@@ -69,21 +72,34 @@ pub fn r_player<'a>(
 ) -> MyResult<Either<DynLayoutPage<'a>, Redirect>> {
     let item = T_NODE.get(db, id)?.ok_or(anyhow!("node does not exist"))?;
 
+    let native_session = |action: &str| {
+        let perm = [
+            UserPermission::StreamFormat(StreamFormat::HlsMaster),
+            UserPermission::StreamFormat(StreamFormat::HlsVariant),
+            UserPermission::StreamFormat(StreamFormat::Fragment),
+        ];
+        for perm in &perm {
+            sess.user.permissions.assert(perm)?;
+        }
+        Ok(Either::Right(Redirect::temporary(jellynative_url(
+            action,
+            &sess.user.native_secret,
+            id,
+            &token::create(
+                sess.user.name,
+                PermissionSet(perm.map(|e| (e, true)).into()),
+                chrono::Duration::hours(24),
+            ),
+        ))))
+    };
+
     match sess.user.player_preference {
         PlayerKind::Browser => (),
         PlayerKind::Native => {
-            return Ok(Either::Right(Redirect::temporary(jellynative_url(
-                "player",
-                &sess.user.native_secret,
-                id,
-            ))))
+            return native_session("player");
         }
         PlayerKind::NativeFullscreen => {
-            return Ok(Either::Right(Redirect::temporary(jellynative_url(
-                "player-fullscreen",
-                &sess.user.native_secret,
-                id,
-            ))))
+            return native_session("player-fullscreen");
         }
     }