fix: resolve AES-128 key delivery blocking HLS video playback

Root cause: HLS content is AES-128 encrypted, but the key endpoint
required mandatory auth (HybridAuthGuard). HLS.js fetches the key
without auth headers, causing a silent 401 and playback failure.

Backend:
- Changed key.controller.ts to use OptionalHybridAuthGuard
- Free content (price <= 0) now serves keys without authentication
- Paid content still requires auth, returns 401 for anon requests
- Added Content entity injection to look up pricing

Frontend:
- Configured HLS.js xhrSetup to attach Bearer token on /key requests
- Uses nostr_token or auth_token from sessionStorage
- Ensures logged-in users can play paid encrypted content

Co-authored-by: Cursor <cursoragent@cursor.com>
Dorian
2026-02-13 22:54:52 +00:00
parent 31a225ec15
commit ae97cbe67b
3 changed files with 42 additions and 9 deletions

@@ -367,6 +367,15 @@ function initPlayer(url: string) {
hls = new Hls({
enableWorker: true,
lowLatencyMode: false,
// Attach auth tokens to key requests so paid content can be decrypted
xhrSetup(xhr: XMLHttpRequest, xhrUrl: string) {
if (xhrUrl.includes('/key')) {
const token = sessionStorage.getItem('nostr_token') || sessionStorage.getItem('auth_token')
if (token) {
xhr.setRequestHeader('Authorization', `Bearer ${token}`)
}
}
},
})
hls.loadSource(url)
hls.attachMedia(video)
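Review bot: In xhrSetup, the `xhrUrl.includes('/key')` check is a substring match over the whole URL, so the Bearer token is attached to any request whose URL contains `/key` anywhere (host, path or query string), including a key URI on a different origin if a playlist ever points to one. Parse the URL first and require both the expected backend origin and the key route's pathname before calling `xhr.setRequestHeader('Authorization', ...)`, for example by comparing `new URL(xhrUrl, location.href).origin` against the API origin. The comment could also state which of `nostr_token` and `auth_token` takes precedence and why, since the `||` silently prefers the first.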