art-dag/mono
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CPU HLS streaming (yuv420p) and opt-in middleware for fragments
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 13m49s
Details

Browse Source 
- Add -pix_fmt yuv420p to multi_res_output.py libx264 path so browsers
  can decode CPU-encoded segments (was producing yuv444p / High 4:4:4).
- Switch silent auth check and coop fragment middlewares from opt-out
  blocklists to opt-in: only run for GET requests with Accept: text/html.
  Prevents unnecessary nav-tree/auth-menu HTTP calls on every HLS segment,
  IPFS proxy, and API request.
- Add opaque grant token verification to L1/L2 dependencies.
- Migrate client CLI to device authorization flow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
giles
2026-02-25 18:33:53 +00:00
parent 4f49985cd5
commit b788f1f778
5 changed files with 252 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
l2/app/dependencies.py
View File

@@ -19,6 +19,34 @@ def get_templates(request: Request):
return request.app.state.templates
async def _verify_opaque_grant(token: str) -> Optional[dict]:
"""Verify an opaque grant token via account server."""
import httpx
if not settings.internal_account_url:
return None
verify_url = f"{settings.internal_account_url.rstrip('/')}/auth/internal/verify-grant"
try:
async with httpx.AsyncClient(timeout=5.0) as client:
resp = await client.get(verify_url, params={"token": token})
if resp.status_code != 200:
return None
data = resp.json()
if not data.get("valid"):
return None
except Exception:
return None
username = data.get("username", "")
return {
"username": username,
"actor_id": f"https://{settings.domain}/users/{username}",
"token": token,
"sub": username,
}
async def get_current_user(request: Request) -> Optional[dict]:
"""
Get current user from cookie or header.
@@ -39,22 +67,20 @@ async def get_current_user(request: Request) -> Optional[dict]:
if not token:
return None
# Verify token
# Verify JWT token
username = verify_token(token)
if not username:
return None
if username:
claims = get_token_claims(token)
if claims:
return {
"username": username,
"actor_id": f"https://{settings.domain}/users/{username}",
"token": token,
**claims,
}
# Get full claims
claims = get_token_claims(token)
if not claims:
return None
return {
"username": username,
"actor_id": f"https://{settings.domain}/users/{username}",
"token": token,
**claims,
}
# JWT failed — try as opaque grant token
return await _verify_opaque_grant(token)
async def require_auth(request: Request) -> dict: