Description
In app/api/videos.py (~lines 182 and 222), the endpoints /api/videos/{id}/stream and /api/videos/{id}/preview-stream accept the session token via a token URL query parameter:
```python
# Accept auth via query param (for <video> element) or header
auth_token = token or x_user_token
```

While this is a common workaround for streaming video tags, sending sensitive bearer tokens in the URL is a security risk. URLs are frequently logged in plaintext by reverse proxies (like Nginx), container access logs, error trackers, and analytics tools. This can lead to session hijacking if logs are compromised or viewed by unauthorized personnel.
Suggested Fix
Consider exchanging the long-lived session token for a short-lived, one-time signed URL or JWT specifically scoped to the media stream. Alternatively, use a Set-Cookie approach specifically for media streaming requests so the browser naturally attaches the credential without exposing it in the path.
File Path
app/api/videos.py