I am sending a live RTMP stream from OBS to Wowza Streaming Engine and playing it back in JW Player on my website. Members of my website will be able to stream to their own "channels".
The only issue is that if a viewer on my website views the source, he/she can access the stream key. If a user gets another users stream key, then they would be able to stream to their channel.
What is a good way to protect this stream key?
You can write a module that does a server issued token based authentication. There also exist a free limited version of some commercial modules for similar purpose. Here is an article that shows how to start the work: https://streamtoolbox.com/hello-wowza-module-tutorial
Related
Let's say I have a use case where users can buy mp3 files inside an app. The objects are stored in GCP Cloud Storage . What is the best practice to deliver those objects only to the users that purchased the files?
After researching the topic I came up with three solutions:
Client calls a REST (e.g. one running inside App Engine) service. This service downloads the files from Cloud Storage and then sends them back to the client.
Instead of sending the files via the REST call, I could send the download URL (from Cloud Storage) to the client. This would be more cost efficient, however this sounds like a security concern to me as anyone who simply monitors his network could capture the URL.
Creating a (time-limited) signed url to allow the user the download
Obviously a permission check would have to happen first, e.g. a database that contains if user X purchased mp3 Y.
This problem could also be applied to Azure Blob Storage or AWS S3...
In your use case, you have a constant:
You need a backend to authenticate the user (for example Authentication performed with Cloud Identity Platform and hosted on App Engine or Cloud Run
You need to check the list of MP3 that it has bought (stored in Firestore for example)
And then, you need to allow him to download the file. On this last point I recommend you to generated a signedURL. Download URL exists only in Firebase area (maybe your project is a firebase projet?) but it's the same thing than signerURL. Finally I don't recommend you the #1 proposal. It will work, but in case of long download (because network is poor), the connexion will be interrupted after 60 seconds. And this will keep your AppEngine up for nothing (and you will pay for this...).
I am trying to get a list of music services to which the Sonos household has a subscription. Is it possible to obtain such information from HTTP API or from any other source? If yes, then under what conditions?
I have analyzed the traffic between the Sonos Connect and Windows Sonos Controller. I discover, that information about music services is transmitted from Connect to Controller inside the ThirdPartyMediaServersX tag of the NOTIFY HTTP request. But this content is encoded in the base64-like cipher.
<e:propertyset xmlns:e="urn:schemas-upnp-org:event-1-0">
<e:property>
<ThirdPartyMediaServersX>
2:oZoYgaU5pqEq6IauQ1hYVS0oCUJnqbCkJL1vXP/DoeijejEwUBQT8UG0CksUG9VcarvLhCyElhKTUjfhQt0SAcV2oBOyLJ5BCmjd7TcJfPrVuTGHczd5/AS2tgj85n0U9yU9EwwHROFb5uV09syZNLVaZuJnENCWRKatIq1SNMm1SE4tHneLG6ULQoDOR50nf7TwyRQbkit8Bvy+kZyNPlrgBZFGmizoRmYjW8COFvHJpZhREEGruhQ2J6A8gnQOWyFzstAyHNZeLqp2xcNGnts6f2DQ56r/ducstbibFH0SZOZC0XM/BB4DvOT8UalezPL0R9/s8Jibm5T6mS1FWk14GWg2RMmRBIVE5G/gG2c=
</ThirdPartyMediaServersX>
</e:property>
</e:propertyset>
I expect to obtain list of music services, but the actual list were hidden.
As you figured out, Sonos disabled this functionality some time ago.
I've spend a lot of time figuring out how it works, and I now have a "work-a-round". External music services describes what to do.
And sonos-ts has support for external music services. If you read my first link and check the code in this library you should probably be able to figure out how to do that in your programming language.
I know this is no access to the list that is kept by Sonos, but this work-a-round also saves the tokens on the device for every client application to use.
Recently I've found someone who build an music service emulator. So that are both sides of external music services.
This is not supported by the Sonos API.
On Vimeo (using their API), is it possible to generate private links that automatically expire? If not, what would be a good workflow to approximate this function, based on the API's limitations?
Basically, we would like to provide subscribers to our website limited time access to our videos. We would embed the player links in a private area of the site.
We wouldn't want users to have the ability to copy the link code and keep accessing the videos after their access has expired. Also, in the case of multiple users wanting access to the same video, we wouldn't want any updates to the privacy settings of a video to interfere with previous user access granted (that has not yet expired).
The Vimeo API can only toggle a video's privacy settings, the API cannot grant playback to a viewer outside of the privacy settings available.
For example, the API can be used to set a video as password-protected and set the video's password, however the API cannot be used to authenticate and bypass password protection and allow playback.
You could deal with this by providing a redirect from your own site and have the redirect expire. That would provide the functionality you’re looking for, but it’s also very easy to circumvent. It depends how strict/hard you want to make the expiry.
I am asking this here because Soundcloud does not have support. I going to build a website that people can purchase audio files from using Soundcloud to download the files (and stream before buy). I want to be able to access the download file link in the Soundcloud API without the download link being enabled and showing on the Soundcloud UI. I can't seem to find this info in the Soundcloud API docs. I am going to have a Paypal redirect after the payment to the download link. I know this is a weird way of doing this but I have certain criteria I have to meet. I would host the audio files on my server but they are huge. Anyone have experience with this or can help?
im not sure its possible to do what you want. (very easily at least)
there would be no way for the purchaser to access the 'download' track on soundcloud directly unless downloads are specifically enabled for that track.
really the only way to not host the files and still be able to provide the download would be to use the api to download or proxy the track from soundcloud to your server, using your credentials (because you always have access to your own tracks, download or stream). mind you this would use 2x the bandwidth usage (the server getting the track from soundcloud, and the client downloading the track), and storage space would only be impacked on a temporary bases. but. this is a pretty hacky way and not really a good/proper solution.
you can:
-compress/re-encode the audio as to not use as much disk space
-pay for more storage space at your web host, its usually pretty cheap thse days.
So you want to charge on something free? Well, I think all the downloader out there are middleware where they stream the track from soundcloud and response to client as attachment upon request, one of many examples is http://wittysound.com. Cheapest way to get thing done is providing direct link to soundcloud server like what http://soundflush.com does
I have a Youtube video set to private so nobody can watch it via Youtube or the embedded player. However I do want people be to be able to watch it on my website. The goal is to make the video available exclusively on my website for a while before I open it to the world. I was thinking to login to my Youtube account seemlessly using Youtube's API and log out after the video's finished but that doesn't make security sense. What's your take on that?
I agree with your intuition. Making the private sharing secure seems tricky at best. Although the Data API has procedural authentication options, I don't think Player API has that facility. Furthermore even if it did, it's hard to see how it might work without exposing your password.
Your best bet is probably to directly host the video on your website. You would use your website's authentication for restricting access limited release video. Then when your ready for the public release you can either switch to YouTube hosting or relax the authentication of your self hosting. The Video for Everybody site has examples of several options for self hosting of videos.