Add public download endpoint without authentication

Features: - New GET /public/download/:filename endpoint for public file access - No authentication required for downloading processed files - Directory traversal protection with path.basename() - Proper Content-Disposition headers for browser downloads Documentation: - Updated docs/API.md with public endpoint section - Added to table of contents - Usage examples and security notes Use cases: - Share download links via email/chat/social media - Embed in web applications without auth - Direct browser downloads - Public file sharing Security: - Path sanitization prevents directory traversal attacks - Only files in OUTPUT_DIR are accessible - Returns proper 404 for non-existent files 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-08 11:32:23 +00:00 · 2025-12-08 11:32:23 +00:00 · eb69e8b063
commit eb69e8b063
parent 751a382ccd
4 changed files with 259 additions and 136 deletions
--- a/docs/API.md
+++ b/docs/API.md
@ -68,6 +68,7 @@ curl -H "Authorization: Bearer your_api_token_here" http://localhost:8888/endpoi
 ## Table of Contents
 - [Authentication](#-authentication)
 - [Health & Info](#health--info)
+- [Public Download Endpoint](#public-download-endpoint)
 - [Download Endpoints](#download-endpoints)
 - [Transcription Endpoints](#transcription-endpoints)
 - [Conversion Endpoints](#conversion-endpoints)
@ -84,6 +85,8 @@ curl -H "Authorization: Bearer your_api_token_here" http://localhost:8888/endpoi
 ### GET /health
 Health check endpoint.

+**Authentication**: Not required (public)
+
 **Response:**
 ```json
 {
@ -95,6 +98,8 @@ Health check endpoint.
 ### GET /api
 Get API information and available endpoints.

+**Authentication**: Not required (public)
+
 **Response:**
 ```json
 {
@ -104,6 +109,67 @@ Get API information and available endpoints.
 }
 ```

+---
+
+## Public Download Endpoint
+
+### GET /public/download/:filename
+Public endpoint to download files without authentication.
+
+**Authentication**: Not required (public)
+
+**Purpose**: Share direct download links for generated files (MP3, transcriptions, translations, summaries) without requiring API authentication.
+
+**URL Parameters:**
+- `filename` (required): Name of the file to download
+
+**Security**:
+- Directory traversal protection enabled (uses `path.basename()`)
+- Only files in the configured OUTPUT_DIR are accessible
+- No authentication required
+
+**Example:**
+```bash
+# Direct download (no auth needed)
+curl -O http://localhost:8888/public/download/my_video.mp3
+
+# Or simply open in browser
+http://localhost:8888/public/download/my_video.mp3
+```
+
+**Response (Success):**
+- File download with proper Content-Disposition headers
+- Browser will prompt to download the file
+
+**Response (Error - 404):**
+```json
+{
+  "error": "File not found",
+  "message": "File 'my_video.mp3' does not exist"
+}
+```
+
+**Response (Error - 500):**
+```json
+{
+  "error": "Download failed",
+  "message": "Error details..."
+}
+```
+
+**Use Cases:**
+- Share download links via email/chat
+- Embed in web applications
+- Direct browser downloads
+- Public file sharing
+
+**Note**: After processing (download, transcription, etc.), use the returned `filePath` or `fileUrl` from authenticated endpoints, then construct public URL:
+```
+/public/download/{basename_of_filePath}
+```
+
+---
+
 ### GET /info
 Get information about a YouTube video or playlist.

--- a/extract-and-upload-cookies.sh
+++ b/extract-and-upload-cookies.sh
@ -1,135 +1,135 @@
-#!/bin/bash
-# Extract and Upload Cookies - All-in-one script
-# This script extracts YouTube cookies from your browser and uploads them to the API
-
-set -e  # Exit on error
-
-# Colors for pretty output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-NC='\033[0m' # No Color
-
-# Configuration
-API_URL="${API_URL:-http://localhost:8888}"
-API_TOKEN="${API_TOKEN:-}"
-TEMP_COOKIES="/tmp/youtube-cookies-temp.txt"
-
-echo -e "${BLUE}========================================${NC}"
-echo -e "${BLUE}YouTube Cookies Extractor & Uploader${NC}"
-echo -e "${BLUE}========================================${NC}"
-echo ""
-
-# Step 1: Check if API token is set
-if [ -z "$API_TOKEN" ]; then
-    echo -e "${YELLOW}⚠️  API_TOKEN not set in environment${NC}"
-    echo -e "Please enter your API token:"
-    read -s API_TOKEN
-    echo ""
-fi
-
-# Step 2: Detect available browsers
-echo -e "${BLUE}🔍 Detecting browsers...${NC}"
-AVAILABLE_BROWSERS=()
-
-if command -v google-chrome &> /dev/null || command -v chromium &> /dev/null || [ -d "$HOME/.config/google-chrome" ] || [ -d "$HOME/.config/chromium" ]; then
-    AVAILABLE_BROWSERS+=("chrome")
-fi
-
-if command -v firefox &> /dev/null || [ -d "$HOME/.mozilla/firefox" ]; then
-    AVAILABLE_BROWSERS+=("firefox")
-fi
-
-if command -v microsoft-edge &> /dev/null || [ -d "$HOME/.config/microsoft-edge" ]; then
-    AVAILABLE_BROWSERS+=("edge")
-fi
-
-if [ ${#AVAILABLE_BROWSERS[@]} -eq 0 ]; then
-    echo -e "${RED}❌ No supported browsers found${NC}"
-    echo -e "${YELLOW}Supported browsers: Chrome, Firefox, Edge${NC}"
-    echo ""
-    echo -e "${YELLOW}Alternative: Manually export cookies${NC}"
-    echo -e "1. Install browser extension 'Get cookies.txt LOCALLY'"
-    echo -e "2. Visit youtube.com and login"
-    echo -e "3. Export cookies to a file"
-    echo -e "4. Run: curl -X POST -H \"X-API-Key: \$API_TOKEN\" -F \"cookies=@youtube-cookies.txt\" $API_URL/admin/upload-cookies"
-    exit 1
-fi
-
-echo -e "${GREEN}✓ Found browsers:${NC} ${AVAILABLE_BROWSERS[*]}"
-echo ""
-
-# Step 3: Let user choose browser
-if [ ${#AVAILABLE_BROWSERS[@]} -eq 1 ]; then
-    BROWSER="${AVAILABLE_BROWSERS[0]}"
-    echo -e "${GREEN}Using browser: $BROWSER${NC}"
-else
-    echo -e "${YELLOW}Multiple browsers found. Choose one:${NC}"
-    select BROWSER in "${AVAILABLE_BROWSERS[@]}"; do
-        if [ -n "$BROWSER" ]; then
-            break
-        fi
-    done
-fi
-
-echo ""
-
-# Step 4: Check if yt-dlp is installed
-if ! command -v yt-dlp &> /dev/null; then
-    echo -e "${RED}❌ yt-dlp is not installed${NC}"
-    echo -e "${YELLOW}Install with: pip install yt-dlp${NC}"
-    echo -e "${YELLOW}Or: sudo apt install yt-dlp${NC}"
-    exit 1
-fi
-
-# Step 5: Extract cookies using yt-dlp
-echo -e "${BLUE}🍪 Extracting cookies from $BROWSER...${NC}"
-
-if yt-dlp --cookies-from-browser "$BROWSER" --cookies "$TEMP_COOKIES" --no-download "https://www.youtube.com" > /dev/null 2>&1; then
-    echo -e "${GREEN}✓ Cookies extracted successfully${NC}"
-else
-    echo -e "${RED}❌ Failed to extract cookies${NC}"
-    echo -e "${YELLOW}Make sure:${NC}"
-    echo -e "  1. You're logged into YouTube in $BROWSER"
-    echo -e "  2. $BROWSER is closed (some browsers lock the cookies database)"
-    echo -e "  3. You have the necessary permissions"
-    exit 1
-fi
-
-# Step 6: Upload cookies to API
-echo -e "${BLUE}📤 Uploading cookies to API...${NC}"
-
-UPLOAD_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
-    -H "X-API-Key: $API_TOKEN" \
-    -F "cookies=@$TEMP_COOKIES" \
-    "$API_URL/admin/upload-cookies")
-
-HTTP_CODE=$(echo "$UPLOAD_RESPONSE" | tail -n1)
-RESPONSE_BODY=$(echo "$UPLOAD_RESPONSE" | head -n-1)
-
-if [ "$HTTP_CODE" = "200" ]; then
-    echo -e "${GREEN}✓ Cookies uploaded successfully!${NC}"
-    echo ""
-    echo -e "${GREEN}═══════════════════════════════════════${NC}"
-    echo -e "${GREEN}SUCCESS! You're all set!${NC}"
-    echo -e "${GREEN}═══════════════════════════════════════${NC}"
-    echo ""
-    echo "$RESPONSE_BODY" | python3 -m json.tool 2>/dev/null || echo "$RESPONSE_BODY"
-    echo ""
-    echo -e "${BLUE}ℹ️  Your cookies are now active${NC}"
-    echo -e "${BLUE}ℹ️  YouTube downloads should work without bot detection${NC}"
-    echo -e "${BLUE}ℹ️  Cookies expire after a few weeks - run this script again if needed${NC}"
-else
-    echo -e "${RED}❌ Failed to upload cookies${NC}"
-    echo -e "${RED}HTTP Status: $HTTP_CODE${NC}"
-    echo ""
-    echo "$RESPONSE_BODY"
-    exit 1
-fi
-
-# Step 7: Cleanup
-rm -f "$TEMP_COOKIES"
-
-echo ""
-echo -e "${GREEN}🎉 All done!${NC}"
+#!/bin/bash
+# Extract and Upload Cookies - All-in-one script
+# This script extracts YouTube cookies from your browser and uploads them to the API
+
+set -e  # Exit on error
+
+# Colors for pretty output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+API_URL="${API_URL:-http://localhost:8888}"
+API_TOKEN="${API_TOKEN:-}"
+TEMP_COOKIES="/tmp/youtube-cookies-temp.txt"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}YouTube Cookies Extractor & Uploader${NC}"
+echo -e "${BLUE}========================================${NC}"
+echo ""
+
+# Step 1: Check if API token is set
+if [ -z "$API_TOKEN" ]; then
+    echo -e "${YELLOW}⚠️  API_TOKEN not set in environment${NC}"
+    echo -e "Please enter your API token:"
+    read -s API_TOKEN
+    echo ""
+fi
+
+# Step 2: Detect available browsers
+echo -e "${BLUE}🔍 Detecting browsers...${NC}"
+AVAILABLE_BROWSERS=()
+
+if command -v google-chrome &> /dev/null || command -v chromium &> /dev/null || [ -d "$HOME/.config/google-chrome" ] || [ -d "$HOME/.config/chromium" ]; then
+    AVAILABLE_BROWSERS+=("chrome")
+fi
+
+if command -v firefox &> /dev/null || [ -d "$HOME/.mozilla/firefox" ]; then
+    AVAILABLE_BROWSERS+=("firefox")
+fi
+
+if command -v microsoft-edge &> /dev/null || [ -d "$HOME/.config/microsoft-edge" ]; then
+    AVAILABLE_BROWSERS+=("edge")
+fi
+
+if [ ${#AVAILABLE_BROWSERS[@]} -eq 0 ]; then
+    echo -e "${RED}❌ No supported browsers found${NC}"
+    echo -e "${YELLOW}Supported browsers: Chrome, Firefox, Edge${NC}"
+    echo ""
+    echo -e "${YELLOW}Alternative: Manually export cookies${NC}"
+    echo -e "1. Install browser extension 'Get cookies.txt LOCALLY'"
+    echo -e "2. Visit youtube.com and login"
+    echo -e "3. Export cookies to a file"
+    echo -e "4. Run: curl -X POST -H \"X-API-Key: \$API_TOKEN\" -F \"cookies=@youtube-cookies.txt\" $API_URL/admin/upload-cookies"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ Found browsers:${NC} ${AVAILABLE_BROWSERS[*]}"
+echo ""
+
+# Step 3: Let user choose browser
+if [ ${#AVAILABLE_BROWSERS[@]} -eq 1 ]; then
+    BROWSER="${AVAILABLE_BROWSERS[0]}"
+    echo -e "${GREEN}Using browser: $BROWSER${NC}"
+else
+    echo -e "${YELLOW}Multiple browsers found. Choose one:${NC}"
+    select BROWSER in "${AVAILABLE_BROWSERS[@]}"; do
+        if [ -n "$BROWSER" ]; then
+            break
+        fi
+    done
+fi
+
+echo ""
+
+# Step 4: Check if yt-dlp is installed
+if ! command -v yt-dlp &> /dev/null; then
+    echo -e "${RED}❌ yt-dlp is not installed${NC}"
+    echo -e "${YELLOW}Install with: pip install yt-dlp${NC}"
+    echo -e "${YELLOW}Or: sudo apt install yt-dlp${NC}"
+    exit 1
+fi
+
+# Step 5: Extract cookies using yt-dlp
+echo -e "${BLUE}🍪 Extracting cookies from $BROWSER...${NC}"
+
+if yt-dlp --cookies-from-browser "$BROWSER" --cookies "$TEMP_COOKIES" --no-download "https://www.youtube.com" > /dev/null 2>&1; then
+    echo -e "${GREEN}✓ Cookies extracted successfully${NC}"
+else
+    echo -e "${RED}❌ Failed to extract cookies${NC}"
+    echo -e "${YELLOW}Make sure:${NC}"
+    echo -e "  1. You're logged into YouTube in $BROWSER"
+    echo -e "  2. $BROWSER is closed (some browsers lock the cookies database)"
+    echo -e "  3. You have the necessary permissions"
+    exit 1
+fi
+
+# Step 6: Upload cookies to API
+echo -e "${BLUE}📤 Uploading cookies to API...${NC}"
+
+UPLOAD_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
+    -H "X-API-Key: $API_TOKEN" \
+    -F "cookies=@$TEMP_COOKIES" \
+    "$API_URL/admin/upload-cookies")
+
+HTTP_CODE=$(echo "$UPLOAD_RESPONSE" | tail -n1)
+RESPONSE_BODY=$(echo "$UPLOAD_RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" = "200" ]; then
+    echo -e "${GREEN}✓ Cookies uploaded successfully!${NC}"
+    echo ""
+    echo -e "${GREEN}═══════════════════════════════════════${NC}"
+    echo -e "${GREEN}SUCCESS! You're all set!${NC}"
+    echo -e "${GREEN}═══════════════════════════════════════${NC}"
+    echo ""
+    echo "$RESPONSE_BODY" | python3 -m json.tool 2>/dev/null || echo "$RESPONSE_BODY"
+    echo ""
+    echo -e "${BLUE}ℹ️  Your cookies are now active${NC}"
+    echo -e "${BLUE}ℹ️  YouTube downloads should work without bot detection${NC}"
+    echo -e "${BLUE}ℹ️  Cookies expire after a few weeks - run this script again if needed${NC}"
+else
+    echo -e "${RED}❌ Failed to upload cookies${NC}"
+    echo -e "${RED}HTTP Status: $HTTP_CODE${NC}"
+    echo ""
+    echo "$RESPONSE_BODY"
+    exit 1
+fi
+
+# Step 7: Cleanup
+rm -f "$TEMP_COOKIES"
+
+echo ""
+echo -e "${GREEN}🎉 All done!${NC}"
--- a/refresh-cookies.sh
+++ b/refresh-cookies.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+# Auto-refresh cookies from /tmp/share if they exist and are newer
+
+SHARE_COOKIES="/tmp/share/youtube-cookies.txt"
+LOCAL_COOKIES="/home/debian/videotomp3transcriptor/youtube-cookies.txt"
+
+if [ -f "$SHARE_COOKIES" ]; then
+    # Copy if share is newer or local doesn't exist
+    if [ ! -f "$LOCAL_COOKIES" ] || [ "$SHARE_COOKIES" -nt "$LOCAL_COOKIES" ]; then
+        cp "$SHARE_COOKIES" "$LOCAL_COOKIES"
+        chmod 600 "$LOCAL_COOKIES"
+        echo "[$(date)] ✓ Cookies refreshed from /tmp/share"
+    fi
+fi
--- a/src/server.js
+++ b/src/server.js
@ -102,7 +102,8 @@ app.use((req, res, next) => {
 const authenticate = (req, res, next) => {
  // Skip authentication for public endpoints
  const publicEndpoints = ['/health', '/api'];
-  if (publicEndpoints.includes(req.path)) {
+  // Allow public download endpoint
+  if (publicEndpoints.includes(req.path) || req.path.startsWith('/public/download/')) {
    return next();
  }

@ -173,6 +174,47 @@ app.get('/health', (req, res) => {
  res.json({ status: 'ok', timestamp: new Date().toISOString() });
 });

+/**
+ * GET /public/download/:filename
+ * Public endpoint to download files without authentication
+ */
+app.get('/public/download/:filename', (req, res) => {
+  try {
+    const { filename } = req.params;
+
+    // Security: prevent directory traversal
+    const safeName = path.basename(filename);
+    const filePath = path.join(OUTPUT_DIR, safeName);
+
+    // Check if file exists
+    if (!fs.existsSync(filePath)) {
+      return res.status(404).json({
+        error: 'File not found',
+        message: `File '${safeName}' does not exist`
+      });
+    }
+
+    // Send file with proper headers
+    res.download(filePath, safeName, (err) => {
+      if (err) {
+        console.error(`[Public Download] Error: ${err.message}`);
+        if (!res.headersSent) {
+          res.status(500).json({
+            error: 'Download failed',
+            message: err.message
+          });
+        }
+      }
+    });
+  } catch (error) {
+    console.error(`[Public Download] Error: ${error.message}`);
+    res.status(500).json({
+      error: 'Server error',
+      message: error.message
+    });
+  }
+});
+
 /**
 * GET /info?url=<youtube_url>
 * Get info about a video or playlist
@ -1429,6 +1471,7 @@ app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
  console.log('\nEndpoints:');
  console.log('  GET  /health           - Health check');
+  console.log('  GET  /public/download/:filename - Public file download (no auth)');
  console.log('  GET  /info?url=        - Get video/playlist info');
  console.log('  POST /download         - Download as MP3');
  console.log('  POST /transcribe       - Transcribe audio file');