Allow access to access_authority tracks when properly signed

api/auth_middleware.go

@@ -97,10 +97,22 @@ func (app *ApiServer) isAuthorizedRequest(ctx context.Context, userId int32, aut
 	return isAuthorized
 }
 
+// get the wallet that signed the request
 func (app *ApiServer) getAuthedWallet(c *fiber.Ctx) string {
 	return c.Locals("authedWallet").(string)
 }
 
+// get the wallet that signed the request, or "" if not set
+func (app *ApiServer) tryGetAuthedWallet(c *fiber.Ctx) string {
+	if c == nil {
+		return ""
+	}
+	if w, ok := c.Locals("authedWallet").(string); ok {
+		return w
+	}
+	return ""
+}
+
 // validateOAuthJWTTokenToUserId validates the OAuth JWT and returns the userId from the payload.
 func (app *ApiServer) validateOAuthJWTTokenToUserId(ctx context.Context, token string) (trashid.HashId, error) {
 	tokenParts := strings.Split(token, ".")

api/dbv1/parallel.go

@@ -7,10 +7,11 @@ import (
 )
 
 type ParallelParams struct {
-	UserIds     []int32
-	TrackIds    []int32
-	PlaylistIds []int32
-	MyID        int32
+	UserIds       []int32
+	TrackIds      []int32
+	PlaylistIds   []int32
+	MyID          int32
+	AuthedWallet  string
 }
 
 type ParallelResult struct {
@@ -42,8 +43,9 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 			var err error
 			trackMap, err = q.TracksKeyed(ctx, TracksParams{
 				GetTracksParams: GetTracksParams{
-					Ids:  arg.TrackIds,
-					MyID: arg.MyID,
+					Ids:           arg.TrackIds,
+					MyID:          arg.MyID,
+					AuthedWallet:  arg.AuthedWallet,
 				},
 			})
 			return err
@@ -58,6 +60,7 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 					Ids:  arg.PlaylistIds,
 					MyID: arg.MyID,
 				},
+				AuthedWallet: arg.AuthedWallet,
 			})
 			return err
 		})

api/dbv1/playlists.go

@@ -9,8 +9,9 @@ import (
 
 type PlaylistsParams struct {
 	GetPlaylistsParams
-	OmitTracks bool
-	TrackLimit int // 0 means use default (200), positive values set the limit
+	OmitTracks     bool
+	TrackLimit     int    // 0 means use default (200), positive values set the limit
+	AuthedWallet   string // wallet that signed the request; tracks with matching access_authorities are shown
 }
 
 type Playlist struct {
@@ -68,9 +69,10 @@ func (q *Queries) PlaylistsKeyed(ctx context.Context, arg PlaylistsParams) (map[
 
 	// fetch users + tracks in parallel
 	loaded, err := q.Parallel(ctx, ParallelParams{
-		UserIds:  userIds,
-		TrackIds: trackIds,
-		MyID:     arg.MyID.(int32),
+		UserIds:      userIds,
+		TrackIds:     trackIds,
+		MyID:         arg.MyID.(int32),
+		AuthedWallet: arg.AuthedWallet,
 	})
 	if err != nil {
 		return nil, err

api/dbv1/queries/get_tracks.sql

@@ -209,6 +209,8 @@ LEFT JOIN aggregate_plays on play_item_id = t.track_id
 LEFT JOIN track_routes on t.track_id = track_routes.track_id and track_routes.is_current = true
 WHERE (is_unlisted = false OR t.owner_id = @my_id OR @include_unlisted::bool = TRUE)
   AND t.track_id = ANY(@ids::int[])
-  AND t.access_authorities IS NULL
+  AND (t.access_authorities IS NULL
+    OR (COALESCE(@authed_wallet, '') <> ''
+        AND EXISTS (SELECT 1 FROM unnest(t.access_authorities) aa WHERE lower(aa) = lower(@authed_wallet))))
 ORDER BY t.track_id
 ;

api/request_helpers.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/gofiber/fiber/v2"
-	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
@@ -139,22 +138,30 @@ func (app *ApiServer) getSignerFromApiAccessKey(ctx context.Context, apiAccessKe
 		JOIN api_keys ak ON LOWER(ak.api_key) = LOWER(aak.api_key)
 		WHERE aak.api_access_key = $1 AND aak.is_active = true
 	`, apiAccessKey).Scan(&parentApiKey, &apiSecret)
-	if err == pgx.ErrNoRows || err != nil || apiSecret == "" {
-		return nil
+	if err == nil && apiSecret != "" {
+		privateKey, keyErr := crypto.HexToECDSA(strings.TrimPrefix(apiSecret, "0x"))
+		if keyErr != nil {
+			return nil
+		}
+		parentApiKeyLower := strings.ToLower(parentApiKey)
+		app.apiAccessKeySignerCache.Set(apiAccessKey, apiAccessKeySignerEntry{
+			ApiKey:    parentApiKeyLower,
+			ApiSecret: apiSecret,
+		})
+		return &Signer{
+			Address:    parentApiKeyLower,
+			PrivateKey: privateKey,
+		}
 	}
 
-	parentApiKeyLower := strings.ToLower(parentApiKey)
-	app.apiAccessKeySignerCache.Set(apiAccessKey, apiAccessKeySignerEntry{
-		ApiKey:    parentApiKeyLower,
-		ApiSecret: apiSecret,
-	})
-
-	privateKey, err := crypto.HexToECDSA(strings.TrimPrefix(apiSecret, "0x"))
+	// Fallback: use apiAccessKey as raw private key when no api_secret is found
+	privateKey, err := crypto.HexToECDSA(strings.TrimPrefix(apiAccessKey, "0x"))
 	if err != nil {
 		return nil
 	}
+	address := crypto.PubkeyToAddress(privateKey.PublicKey)
 	return &Signer{
-		Address:    parentApiKeyLower,
+		Address:    address.Hex(),
 		PrivateKey: privateKey,
 	}
 }

api/v1_comments.go

@@ -109,9 +109,10 @@ func (app *ApiServer) queryFullComments(
 		}
 	}
 	related, err := app.queries.Parallel(c.Context(), dbv1.ParallelParams{
-		UserIds:  userIds,
-		TrackIds: trackIds,
-		MyID:     app.getMyId(c),
+		UserIds:      userIds,
+		TrackIds:     trackIds,
+		MyID:         app.getMyId(c),
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_explore_best_selling.go

@@ -111,9 +111,10 @@ func (app *ApiServer) v1ExploreBestSelling(c *fiber.Ctx) error {
 			}
 		}
 		related, err := app.queries.Parallel(c.Context(), dbv1.ParallelParams{
-			PlaylistIds: playlistIds,
-			TrackIds:    trackIds,
-			MyID:        app.getMyId(c),
+			PlaylistIds:  playlistIds,
+			TrackIds:     trackIds,
+			MyID:         app.getMyId(c),
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		})
 		if err != nil {
 			return err

api/v1_playlist.go

@@ -81,6 +81,7 @@ func (app *ApiServer) v1Playlist(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  []int32{int32(playlistId)},
 		},
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_playlist_by_permalink.go

@@ -33,6 +33,7 @@ func (app *ApiServer) v1PlaylistByPermalink(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  ids,
 		},
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_playlist_stream.go

@@ -18,6 +18,7 @@ func (app *ApiServer) v1PlaylistStream(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  []int32{int32(playlistId)},
 		},
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_playlist_tracks.go

@@ -58,8 +58,9 @@ func (app *ApiServer) v1PlaylistTracks(c *fiber.Ctx) error {
 
 	tracks, err := app.queries.Tracks(c.Context(), dbv1.TracksParams{
 		GetTracksParams: dbv1.GetTracksParams{
-			Ids:  trackIds,
-			MyID: myId,
+			Ids:          trackIds,
+			MyID:         myId,
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		},
 	})
 

api/v1_playlists.go

@@ -54,7 +54,8 @@ func (app *ApiServer) v1Playlists(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  ids,
 		},
-		OmitTracks: !withTracks,
+		OmitTracks:   !withTracks,
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_playlists_top.go

@@ -47,7 +47,8 @@ func (app *ApiServer) v1PlaylistsTop(c *fiber.Ctx) error {
 			Ids:  playlistsIds,
 			MyID: myId,
 		},
-		OmitTracks: true,
+		OmitTracks:   true,
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 
 	return v1PlaylistsResponse(c, playlists)

api/v1_playlists_trending.go

@@ -63,7 +63,9 @@ func (app *ApiServer) v1PlaylistsTrending(c *fiber.Ctx) error {
 					AND t.is_delete = false
 					AND t.is_current = true
 					AND t.stem_of IS NULL
-					AND t.access_authorities IS NULL
+					AND (t.access_authorities IS NULL
+					  OR (COALESCE(@authed_wallet, '') <> ''
+					      AND EXISTS (SELECT 1 FROM unnest(t.access_authorities) aa WHERE lower(aa) = lower(@authed_wallet))))
 			)
 			SELECT
 				playlist_id
@@ -95,9 +97,10 @@ func (app *ApiServer) v1PlaylistsTrending(c *fiber.Ctx) error {
 		`
 
 	rows, err := app.pool.Query(c.Context(), sql, pgx.NamedArgs{
-		"limit":  params.Limit,
-		"offset": params.Offset,
-		"time":   params.Time,
+		"limit":         params.Limit,
+		"offset":        params.Offset,
+		"time":          params.Time,
+		"authed_wallet": app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err
@@ -113,7 +116,8 @@ func (app *ApiServer) v1PlaylistsTrending(c *fiber.Ctx) error {
 			Ids:  ids,
 			MyID: myId,
 		},
-		OmitTracks: params.OmitTracks,
+		OmitTracks:   params.OmitTracks,
+		AuthedWallet: app.tryGetAuthedWallet(c),
 		// Limit these to 5 items to prevent slow load times
 		TrackLimit: 5,
 	})

api/v1_search.go

@@ -171,8 +171,9 @@ func (app *ApiServer) searchTracks(c *fiber.Ctx) ([]dbv1.Track, error) {
 
 	tracks, err := app.queries.Tracks(c.Context(), dbv1.TracksParams{
 		GetTracksParams: dbv1.GetTracksParams{
-			Ids:  tracksIds,
-			MyID: myId,
+			Ids:          tracksIds,
+			MyID:         myId,
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		},
 	})
 	return tracks, err
@@ -214,7 +215,8 @@ func (app *ApiServer) searchPlaylists(c *fiber.Ctx) ([]dbv1.Playlist, error) {
 			Ids:  playlistsIds,
 			MyID: myId,
 		},
-		OmitTracks: true,
+		OmitTracks:   true,
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	return playlists, err
 }
@@ -256,7 +258,8 @@ func (app *ApiServer) searchAlbums(c *fiber.Ctx) ([]dbv1.Playlist, error) {
 			Ids:  playlistsIds,
 			MyID: myId,
 		},
-		OmitTracks: true,
+		OmitTracks:   true,
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	return playlists, err
 }

api/v1_track.go

@@ -201,8 +201,9 @@ func (app *ApiServer) v1Track(c *fiber.Ctx) error {
 
 	tracks, err := app.queries.Tracks(c.Context(), dbv1.TracksParams{
 		GetTracksParams: dbv1.GetTracksParams{
-			MyID: myId,
-			Ids:  []int32{int32(trackId)},
+			MyID:         myId,
+			Ids:          []int32{int32(trackId)},
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		},
 	})
 	if err != nil {

api/v1_track_access_info.go

@@ -58,6 +58,7 @@ func (app *ApiServer) v1TrackAccessInfo(c *fiber.Ctx) error {
 		GetTracksParams: dbv1.GetTracksParams{
 			MyID:            myId,
 			Ids:             []int32{int32(trackId)},
+			AuthedWallet:    app.tryGetAuthedWallet(c),
 			IncludeUnlisted: true,
 		},
 	})

api/v1_track_comment_count.go

@@ -16,7 +16,10 @@ func (app *ApiServer) v1TrackCommentCount(c *fiber.Ctx) error {
 	track AS (
 		SELECT track_id, owner_id
 		FROM tracks
-		WHERE track_id = @trackId AND access_authorities IS NULL
+		WHERE track_id = @trackId
+			AND (access_authorities IS NULL
+			  OR (COALESCE(@authed_wallet, '') <> ''
+			      AND EXISTS (SELECT 1 FROM unnest(access_authorities) aa WHERE lower(aa) = lower(@authed_wallet))))
 	),
 
 	-- Users muted by high-karma users
@@ -107,6 +110,7 @@ func (app *ApiServer) v1TrackCommentCount(c *fiber.Ctx) error {
 		"myId":                       myId,
 		"trackId":                    trackId,
 		"karmaCommentCountThreshold": karmaCommentCountThreshold,
+		"authed_wallet":              app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_track_comments.go

@@ -14,7 +14,10 @@ func (app *ApiServer) v1TrackComments(c *fiber.Ctx) error {
 	track AS (
 		SELECT track_id, owner_id
 		FROM tracks
-		WHERE track_id = @track_id AND access_authorities IS NULL
+		WHERE track_id = @track_id
+			AND (access_authorities IS NULL
+			  OR (COALESCE(@authed_wallet, '') <> ''
+			      AND EXISTS (SELECT 1 FROM unnest(access_authorities) aa WHERE lower(aa) = lower(@authed_wallet))))
 	),
 
 	-- Users muted by high-karma users
@@ -107,6 +110,7 @@ func (app *ApiServer) v1TrackComments(c *fiber.Ctx) error {
 		"myId":                       myId,
 		"track_id":                   trackId,
 		"karmaCommentCountThreshold": karmaCommentCountThreshold,
+		"authed_wallet":              app.tryGetAuthedWallet(c),
 	}
 
 	return app.queryFullComments(c, sql, args, true)

api/v1_track_download.go

@@ -27,8 +27,9 @@ func (app *ApiServer) v1TrackDownload(c *fiber.Ctx) error {
 
 	tracks, err := app.queries.Tracks(c.Context(), dbv1.TracksParams{
 		GetTracksParams: dbv1.GetTracksParams{
-			MyID: myId,
-			Ids:  []int32{int32(trackId)},
+			MyID:         myId,
+			Ids:          []int32{int32(trackId)},
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		},
 	})
 	if err != nil {