Merge branch 'bgervan/master'

document CORS_ALLOWED_ORIGINS variable
Don't mark live streams as seen
2026-06-13 16:40:05 +00:00 · 2026-04-10 08:10:00 +03:00 · 2026-04-10 08:09:20 +03:00 · 2026-04-10 06:41:45 +02:00 · 2026-04-09 19:45:51 -05:00 · 2026-04-09 21:00:26 +03:00
8 changed files with 476 additions and 446 deletions
@@ -32,7 +32,7 @@ jobs:
        env:
          CI: true
      - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@v7
      - name: Install Python dependencies
        run: uv sync --frozen --group dev
      - name: Run backend smoke checks
@@ -82,6 +82,7 @@ Certain values can be set via environment variables, using the `-e` parameter on
 * __HTTPS__: Use `https` instead of `http` (__CERTFILE__ and __KEYFILE__ required). Defaults to `false`.
 * __CERTFILE__: HTTPS certificate file path.
 * __KEYFILE__: HTTPS key file path.
+* __CORS_ALLOWED_ORIGINS__: Comma-separated list of origins permitted to make cross-origin requests to the MeTube API. When unset or empty, all cross-origin requests are denied. This must be configured for [bookmarklets](#-bookmarklet) and any other browser-based tools that contact MeTube from a different origin. Example: `https://www.youtube.com,https://www.vimeo.com`.
 * __ROBOTS_TXT__: A path to a `robots.txt` file mounted in the container.

 ### 🏠 Basic Setup
@@ -239,6 +240,8 @@ __Firefox:__ contributed by [nanocortex](https://github.com/nanocortex). You can

 [kushfest](https://github.com/kushfest) has created a Chrome bookmarklet for sending the currently open webpage to MeTube. Please note that if you're on an HTTPS page, your MeTube instance must be configured with `HTTPS` as `true` in the environment, or be behind an HTTPS reverse proxy (see below) for the bookmarklet to work.

+Since bookmarklets run in the context of the current page (e.g. youtube.com), the requests they make to MeTube are cross-origin. You must add the origins of sites where you use the bookmarklet to the __CORS_ALLOWED_ORIGINS__ environment variable, otherwise the browser will block the requests. For example, to use the bookmarklet on YouTube and Vimeo: `CORS_ALLOWED_ORIGINS=https://www.youtube.com,https://www.vimeo.com`.
+
 GitHub doesn't allow embedding JavaScript as a link, so the bookmarklet has to be created manually by copying the following code to a new bookmark you create on your bookmarks bar. Change the hostname in the URL below to point to your MeTube instance.

 ```javascript
@@ -60,6 +60,7 @@ class Config:
        'YTDL_OPTIONS_PRESETS': '{}',
        'YTDL_OPTIONS_PRESETS_FILE': '',
        'ALLOW_YTDL_OPTIONS_OVERRIDES': 'false',
+        'CORS_ALLOWED_ORIGINS': '',
        'ROBOTS_TXT': '',
        'HOST': '0.0.0.0',
        'PORT': '8081',
@@ -223,7 +224,8 @@ class ObjectSerializer(json.JSONEncoder):

 serializer = ObjectSerializer()
 app = web.Application()
-sio = socketio.AsyncServer(cors_allowed_origins='*')
+_cors_origins = [o.strip() for o in config.CORS_ALLOWED_ORIGINS.split(',') if o.strip()] if config.CORS_ALLOWED_ORIGINS else []
+sio = socketio.AsyncServer(cors_allowed_origins=_cors_origins if _cors_origins else [])
 sio.attach(app, socketio_path=config.URL_PREFIX + 'socket.io')
 routes = web.RouteTableDef()
 VALID_SUBTITLE_FORMATS = {'srt', 'txt', 'vtt', 'ttml', 'sbv', 'scc', 'dfxp'}
@@ -912,8 +914,9 @@ app.router.add_route('OPTIONS', config.URL_PREFIX + 'upload-cookies', add_cors)
 app.router.add_route('OPTIONS', config.URL_PREFIX + 'delete-cookies', add_cors)

 async def on_prepare(request, response):
-    if 'Origin' in request.headers:
-        response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
+    origin = request.headers.get('Origin')
+    if origin and _cors_origins and origin in _cors_origins:
+        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'

 app.on_response_prepare.append(on_prepare)
@@ -359,6 +359,8 @@ class SubscriptionManager:
            if not eid or not vurl:
                continue
            queue_entry = dict(ent)
+            if "id" not in queue_entry:
+                queue_entry["id"] = eid
            queue_entry["_type"] = "video"
            queue_entry["webpage_url"] = vurl
            result = await self.dqueue.add_entry(
@@ -481,6 +483,8 @@ class SubscriptionManager:
            seen_entries = [ent for ent in entries if _is_media_entry(ent)]
            all_ids: list[str] = []
            for ent in seen_entries:
+                if ent.get("live_status") == "is_upcoming":
+                    continue  # Don't mark scheduled streams as seen; queue them when they go live
                eid = _entry_id(ent)
                if eid:
                    all_ids.append(eid)
@@ -660,7 +664,9 @@ class SubscriptionManager:
        new_ids: list[str] = []
        for ent in entries:
            eid = _entry_id(ent)
-            if not eid or eid in seen:
+            if not eid:
+                continue
+            if eid in seen and ent.get("live_status") != "is_live":
                continue
            new_entries.append(ent)
            new_ids.append(eid)
@@ -19,6 +19,7 @@ from yt_dlp.utils import STR_FORMAT_RE_TMPL, STR_FORMAT_TYPES
 from dl_formats import get_format, get_opts, AUDIO_FORMATS
 from datetime import datetime
 from state_store import AtomicJsonStore, from_json_compatible, read_legacy_shelf, to_json_compatible
+from subscriptions import _entry_id

 log = logging.getLogger('ytdl')

@@ -930,6 +931,8 @@ class DownloadQueue:
                if _add_gen is not None and self._add_generation != _add_gen:
                    log.info(f'Playlist add canceled after processing {len(already)} entries')
                    return {'status': 'ok', 'msg': f'Canceled - added {len(already)} items before cancel'}
+                if "id" not in etr:
+                    etr["id"] = _entry_id(etr)
                etr["_type"] = "video"
                etr[etype] = entry.get("id") or entry.get("channel_id") or entry.get("channel")
                etr[f"{etype}_index"] = '{{0:0{0:d}d}}'.format(index_digits).format(index)
@@ -23,21 +23,21 @@
  },
  "private": true,
  "dependencies": {
-    "@angular/animations": "^21.2.7",
-    "@angular/common": "^21.2.7",
-    "@angular/compiler": "^21.2.7",
-    "@angular/core": "^21.2.7",
-    "@angular/forms": "^21.2.7",
-    "@angular/platform-browser": "^21.2.7",
-    "@angular/platform-browser-dynamic": "^21.2.7",
-    "@angular/service-worker": "^21.2.7",
+    "@angular/animations": "^21.2.8",
+    "@angular/common": "^21.2.8",
+    "@angular/compiler": "^21.2.8",
+    "@angular/core": "^21.2.8",
+    "@angular/forms": "^21.2.8",
+    "@angular/platform-browser": "^21.2.8",
+    "@angular/platform-browser-dynamic": "^21.2.8",
+    "@angular/service-worker": "^21.2.8",
    "@fortawesome/angular-fontawesome": "~4.0.0",
    "@fortawesome/fontawesome-svg-core": "^7.2.0",
    "@fortawesome/free-brands-svg-icons": "^7.2.0",
    "@fortawesome/free-regular-svg-icons": "^7.2.0",
    "@fortawesome/free-solid-svg-icons": "^7.2.0",
    "@ng-bootstrap/ng-bootstrap": "^20.0.0",
-    "@ng-select/ng-select": "^21.7.0",
+    "@ng-select/ng-select": "^21.8.0",
    "@popperjs/core": "^2.11.8",
    "bootstrap": "^5.3.8",
    "ngx-cookie-service": "^21.3.1",
@@ -48,16 +48,16 @@
  },
  "devDependencies": {
    "@angular-eslint/builder": "21.1.0",
-    "@angular/build": "^21.2.6",
-    "@angular/cli": "^21.2.6",
-    "@angular/compiler-cli": "^21.2.7",
-    "@angular/localize": "^21.2.7",
+    "@angular/build": "^21.2.7",
+    "@angular/cli": "^21.2.7",
+    "@angular/compiler-cli": "^21.2.8",
+    "@angular/localize": "^21.2.8",
    "@eslint/js": "^9.39.4",
    "angular-eslint": "21.1.0",
    "eslint": "^9.39.4",
    "jsdom": "^27.4.0",
    "typescript": "~5.9.3",
    "typescript-eslint": "8.47.0",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.4"
  }
 }
@@ -602,11 +602,11 @@ wheels = [

 [[package]]
 name = "platformdirs"
-version = "4.9.4"
+version = "4.9.6"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/19/56/8d4c30c8a1d07013911a8fdbd8f89440ef9f08d07a1b50ab8ca8be5a20f9/platformdirs-4.9.4.tar.gz", hash = "sha256:1ec356301b7dc906d83f371c8f487070e99d3ccf9e501686456394622a01a934", size = 28737, upload-time = "2026-03-05T18:34:13.271Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/9f/4a/0883b8e3802965322523f0b200ecf33d31f10991d0401162f4b23c698b42/platformdirs-4.9.6.tar.gz", hash = "sha256:3bfa75b0ad0db84096ae777218481852c0ebc6c727b3168c1b9e0118e458cf0a", size = 29400, upload-time = "2026-04-09T00:04:10.812Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/platformdirs-4.9.4-py3-none-any.whl", hash = "sha256:68a9a4619a666ea6439f2ff250c12a853cd1cbd5158d258bd824a7df6be2f868", size = 21216, upload-time = "2026-03-05T18:34:12.172Z" },
+    { url = "https://files.pythonhosted.org/packages/75/a6/a0a304dc33b49145b21f4808d763822111e67d1c3a32b524a1baf947b6e1/platformdirs-4.9.6-py3-none-any.whl", hash = "sha256:e61adb1d5e5cb3441b4b7710bea7e4c12250ca49439228cc1021c00dcfac0917", size = 21348, upload-time = "2026-04-09T00:04:09.463Z" },
 ]

 [[package]]
@@ -755,7 +755,7 @@ wheels = [

 [[package]]
 name = "pytest"
-version = "9.0.2"
+version = "9.0.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "colorama", marker = "sys_platform == 'win32'" },
@@ -764,9 +764,9 @@ dependencies = [
    { name = "pluggy" },
    { name = "pygments" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/7d/0d/549bd94f1a0a402dc8cf64563a117c0f3765662e2e668477624baeec44d5/pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c", size = 1572165, upload-time = "2026-04-07T17:16:18.027Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/24/a372aaf5c9b7208e7112038812994107bc65a84cd00e0354a88c2c77a617/pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9", size = 375249, upload-time = "2026-04-07T17:16:16.13Z" },
 ]

 [[package]]
Author	SHA1	Message	Date
Alex Shnitman	388aeb180d	Merge branch 'bgervan/master'	2026-04-10 08:10:00 +03:00
Alex Shnitman	aa60420ead	document CORS_ALLOWED_ORIGINS variable	2026-04-10 08:09:20 +03:00
Benjamin Gervan	a6e8617ad8	Don't mark live streams as seen	2026-04-10 06:41:45 +02:00
az10b	0072d3488a	Fix permissive CORS policy that allows cross-origin attacks The on_prepare handler unconditionally reflected the Origin request header into Access-Control-Allow-Origin, and Socket.IO was configured with cors_allowed_origins='*'. This allowed any website to make authenticated cross-origin requests to all API endpoints, enabling cross-origin download initiation, cookie overwrite, and data deletion. Replace the blanket origin reflection with an explicit allowlist via the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default. Users who need cross-origin access can set CORS_ALLOWED_ORIGINS to a comma-separated list of trusted origins.	2026-04-09 19:45:51 -05:00
Alex Shnitman	0b3645aea1	upgrade dependencies	2026-04-09 21:00:26 +03:00
Alex Shnitman	2c838e3d3d	Merge branch 'dependabot/github_actions/github-actions-7530ffc9b9' of https://github.com/alexta69/metube into McSwindler/master	2026-04-09 20:59:13 +03:00
McSwindler	d38d7bd1b1	fix: handle playlists that don't supply video ids	2026-04-09 10:15:11 -05:00
dependabot[bot]	b7709d3536	Bump astral-sh/setup-uv from 6 to 7 in the github-actions group Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv). Updates `astral-sh/setup-uv` from 6 to 7 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/v6...v7) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-05 16:12:43 +00:00