Fix CPU HLS streaming (yuv420p) and opt-in middleware for fragments

- Add -pix_fmt yuv420p to multi_res_output.py libx264 path so browsers can decode CPU-encoded segments (was producing yuv444p / High 4:4:4). - Switch silent auth check and coop fragment middlewares from opt-out blocklists to opt-in: only run for GET requests with Accept: text/html. Prevents unnecessary nav-tree/auth-menu HTTP calls on every HLS segment, IPFS proxy, and API request. - Add opaque grant token verification to L1/L2 dependencies. - Migrate client CLI to device authorization flow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 18:33:53 +00:00
parent 4f49985cd5
commit b788f1f778
5 changed files with 252 additions and 188 deletions
--- a/l2/app/dependencies.py
+++ b/l2/app/dependencies.py
@@ -19,6 +19,34 @@ def get_templates(request: Request):
    return request.app.state.templates


+async def _verify_opaque_grant(token: str) -> Optional[dict]:
+    """Verify an opaque grant token via account server."""
+    import httpx
+
+    if not settings.internal_account_url:
+        return None
+
+    verify_url = f"{settings.internal_account_url.rstrip('/')}/auth/internal/verify-grant"
+    try:
+        async with httpx.AsyncClient(timeout=5.0) as client:
+            resp = await client.get(verify_url, params={"token": token})
+        if resp.status_code != 200:
+            return None
+        data = resp.json()
+        if not data.get("valid"):
+            return None
+    except Exception:
+        return None
+
+    username = data.get("username", "")
+    return {
+        "username": username,
+        "actor_id": f"https://{settings.domain}/users/{username}",
+        "token": token,
+        "sub": username,
+    }
+
+
 async def get_current_user(request: Request) -> Optional[dict]:
    """
    Get current user from cookie or header.
@@ -39,22 +67,20 @@ async def get_current_user(request: Request) -> Optional[dict]:
    if not token:
        return None

-    # Verify token
+    # Verify JWT token
    username = verify_token(token)
-    if not username:
-        return None
+    if username:
+        claims = get_token_claims(token)
+        if claims:
+            return {
+                "username": username,
+                "actor_id": f"https://{settings.domain}/users/{username}",
+                "token": token,
+                **claims,
+            }

-    # Get full claims
-    claims = get_token_claims(token)
-    if not claims:
-        return None
-
-    return {
-        "username": username,
-        "actor_id": f"https://{settings.domain}/users/{username}",
-        "token": token,
-        **claims,
-    }
+    # JWT failed — try as opaque grant token
+    return await _verify_opaque_grant(token)


 async def require_auth(request: Request) -> dict: