support for private instances

config/config.example.yml

@@ -236,6 +236,22 @@ https_only: false
 #  Users and accounts
 # -----------------------------
 
+##
+## Allow/Forbid the usage of the Invidious Instance without an account.
+## Only /login and /privacy are accessible on such instances for unregistered
+## users on the web interface. Moreover, certain API endpoints are accessible,
+## to allow third-party clients to add the instance and login to an existing
+## account.
+##
+## To avoid any data leakage it is recommended to set popular_enabled and
+## statistics_enabled to 'false'. Furthermore, registration_enabled should be
+## set to 'false' to only allow existing users to access the instance.
+##
+## Accepted values: true, false
+## Default: false
+##
+#private_instance: false
+
 ##
 ## Allow/Forbid Invidious (local) account creation. Invidious
 ## accounts allow users to subscribe to channels and to create
@@ -777,7 +793,7 @@ default_user_preferences:
   ##
   ## Default dash video quality.
   ##
-  ## Note: this setting only takes effet if the
+  ## Note: this setting only takes effect if the
   ## 'quality' parameter is set to "dash".
   ##
   ## Accepted values:
@@ -812,7 +828,7 @@ default_user_preferences:
   ## Default: true
   ##
   #vr_mode: true
-  
+
   ##
   ## Save the playback position
   ## Allow to continue watching at the previous position when

src/invidious/config.cr

@@ -92,6 +92,8 @@ class Config
   property use_pubsub_feeds : Bool | Int32 = false
   property popular_enabled : Bool = true
   property captcha_enabled : Bool = true
+  # Only allow usage of the Invidious instance with an existing account
+  property private_instance : Bool = false
   property login_enabled : Bool = true
   property registration_enabled : Bool = true
   property statistics_enabled : Bool = false

src/invidious/routes/before_all.cr

@@ -61,18 +61,6 @@ module Invidious::Routes::BeforeAll
       env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
     end
 
-    return if {
-                "/sb/",
-                "/vi/",
-                "/s_p/",
-                "/yts/",
-                "/ggpht/",
-                "/api/manifest/",
-                "/videoplayback",
-                "/latest_version",
-                "/download",
-              }.any? { |r| env.request.resource.starts_with? r }
-
     if env.request.cookies.has_key? "SID"
       sid = env.request.cookies["SID"].value
 
@@ -100,6 +88,38 @@ module Invidious::Routes::BeforeAll
       end
     end
 
+    # TODO: popular and trending are whitelisted for clients that require these endpoints to be accessible e.g. Clipious
+    # can be removed as soon as those clients can handele these request on private instances
+    unregistered_path_whitelist = {
+      "/login",
+      "/privacy",
+      "/api/v1/stats",
+      "/api/v1/popular",
+      "/api/v1/trending",
+      "/feed/webhook/v1:",
+      "/api/v1/videos/dQw4w9WgXcQ",
+      "/api/v1/comments/jNQXAC9IVRw",
+    }
+
+    if CONFIG.private_instance && !env.get?("user") && !unregistered_path_whitelist.any? { |r| env.request.path.starts_with? r }
+      env.response.headers["Location"] = "/login"
+      haltf env, status_code: 302
+    end
+
+    return if {
+                "/sb/",
+                "/vi/",
+                "/s_p/",
+                "/yts/",
+                "/ggpht/",
+                "/download",
+                "/licenses",
+                "/api/manifest/",
+                "/videoplayback",
+                "/latest_version",
+                "/opensearch.xml",
+              }.any? { |r| env.request.resource.starts_with? r }
+
     dark_mode = convert_theme(env.params.query["dark_mode"]?) || preferences.dark_mode.to_s
     thin_mode = env.params.query["thin_mode"]? || preferences.thin_mode.to_s
     thin_mode = thin_mode == "true"