Feature innertube client fix #219
Conversation
alive4ever
force-pushed
the
feature-innertube-client-fix
branch
2 times, most recently
from
1da876d to
5276825
Compare
|
Hi, it's been a while without any feedback. For
|
|
Great work on this; still need to finish reviewing. Should have
something back to you this weekend
|
|
Thanks for the feedback. It gives a peace of mind for me. No need to rush. I am open for any improvement suggestions to this pull request. |
youtube/util.py
Outdated
| print('Unable to access ' + player_file) | ||
|
|
||
| signature_timestamp = None | ||
| signature_timestamp_cache = settings.data_dir + '/sts_' + player_version + 'txt' |
There was a problem hiding this comment.
Recommend using os.path.join here. Also, .txt, not txt
There was a problem hiding this comment.
Sorry for late reply.
I've used os.path.join in place of string concatenation in this file and similar places.
youtube/util.py
Outdated
| response_dict = json.loads(response) | ||
| if settings.use_visitor_data: | ||
| if not settings.use_po_token: | ||
| if response_dict['responseContext'].get('visitorData'): |
There was a problem hiding this comment.
We shouldn't assume 'responseContext' will be present - otherwise it will raise an exception when youtube changes something.
There was a problem hiding this comment.
I've put this inside try ... except block, with specific KeyError exception message.
youtube/util.py
Outdated
| if settings.use_visitor_data: | ||
| if not settings.use_po_token: | ||
| if response_dict['responseContext'].get('visitorData'): | ||
| if not os.path.exists(visitor_data_file): |
There was a problem hiding this comment.
Not sure how the visitor system works - but do we want to refresh this file ever? Maybe YouTube issues an updated token for example and marks the old one as invalid?
There was a problem hiding this comment.
I added os.path.getmtime check to make sure that the visitorData.txt file is less than 86400 seconds old before using its content. Otherwise, the visitor data file will be deleted and replaced with new one.
youtube/util.py
Outdated
| else: | ||
| if os.path.exists(visitor_data_file): | ||
| print('Removing visitor_data file') | ||
| os.remove(visitor_data_file) |
There was a problem hiding this comment.
For anonymity's sake - do we want to consider refreshing the visitor data every day? Again, not really sure what constraints go into it
server.py
Outdated
| with open(visitor_data_file, "r") as file: | ||
| visitor_data = file.read() | ||
| file.close() | ||
| except: |
There was a problem hiding this comment.
Use except Exception, otherwise you'll catch KeyboardInterrupt and SystemExit: https://stackoverflow.com/questions/54948548/what-is-wrong-with-using-a-bare-except
There was a problem hiding this comment.
I added except OSError to notify if there is a file access error which prevents access to the visitor data file.
|
|
||
| def extract_nsig_func(base_js): | ||
| for i, member in enumerate(NSIG_FUNCTION_ARRAYS): | ||
| func_array_re = regex.compile(member.replace('$', '\\$')) |
There was a problem hiding this comment.
I recommend against this; I would just put the three \ escapes you need into your regex instead of modifying it at runtime
There was a problem hiding this comment.
I only tried doing what inv_sig_helper does, copying exactly the same regex pattern with runtime replacement of escaping dollar sign which only done once for as long as the extracted nsig_func_{player_version}.js file exists.
The resulting n_sig_code is cached as data/nsig_func_{player_version}.js and loaded as info['nsig_func'] = { player_version: js_nsig_decrypt_code } during runtime of the youtube-local` session.
So the n_sig_function extraction is only done once and the subsequent access to it is either loaded directly from the info['nsig_func'] dict or loaded from nsig_func_{player_version}.js file if the file is already exists.
| func_body_re = [] | ||
| for i, member in enumerate(NSIG_FUNCTION_ENDINGS): | ||
| func_body_re_item = '' | ||
| func_body_re_item += func_context.group(1) |
There was a problem hiding this comment.
You need to do a re.escape() on this before appending it to your regexes
| print('jscode len is: ' + str(len(jscode))) | ||
| dukpy_session = dukpy.JSInterpreter() | ||
| # Loading the function into dukpy session | ||
| dukpy_session.evaljs(jscode) | ||
| print('n_sig = ' + n_sig) | ||
| #n_sig_result = dukpy_session.evaljs('decrypt_nsig("' + n_sig + '")') | ||
| n_sig_result = dukpy_session.evaljs("decrypt_nsig(dukpy['n'])", n=n_sig) | ||
| print('n_sig_result = ' + n_sig_result) | ||
| return n_sig_result |
There was a problem hiding this comment.
Have we verified that dukpy has limited execution privileges? For instance, can javascript code executed with Dukpy make network requests or open files? If so it would be a massive security hole
Also recommend removing these debugging print statmenets when you're done
There was a problem hiding this comment.
dukpy is just a python wrapper for duktape js engine.
The pypi package of dukpy has dukpy-install command which is able to download npm packages from the internet.
Unless told to do so, dukpy module doesn't access the internet for as far as I know. The nsig_func doesn't need access to the internet during runtime, which I have verified doing manual n_sig decryption using various python js bindings.
I also consider dukpy as just-work lightweight js engine for python, since it has wheels for arm64 on pypi and armhf on piwheels.org so if anyone runs this on their single board computers, they will hopefully meet no problems during runtime.
requirements.txt
Outdated
| @@ -6,3 +6,6 @@ urllib3>=1.24.1 | |||
| defusedxml>=0.5.0 | |||
| cachetools>=4.0.0 | |||
| stem>=1.8.0 | |||
| fake-useragent>=1.5.1 | |||
| flpc>=0.2.5 | |||
There was a problem hiding this comment.
Did you do any performance testing that suggested the need for this? Is there a noticeable speedup? Would rather avoid dependencies if possible
There was a problem hiding this comment.
With no break statement, the re module will hang for some time. flpc will not hang in finding the specified regex, even without break statement in the for loop.
I added the break statement in the for loop so the regex engine will be freed from work (i.e. testing another regex pattern) after a match is found, which mitigates hanging on the built-in re module.
I've removed flpc from the requirements to use the built-in re module as you wish, with very small or no performance degradation during my extended testing.
youtube/util.py
Outdated
| print("Debugging headers") | ||
| for item in headers: | ||
| print(item) | ||
| print("Debugging data payload") | ||
| print(json.dumps(data, indent=4)) |
There was a problem hiding this comment.
Recommend removing these debugging print statmenets
|
Any chance you could make a version of this similar to the youtube local main branch that uses Python 3.6 or earlier so it can run on Windows 7? |
I actually tried several times to also build packages for So I reverted my github action recipe to only build for python 3.11 on Windows. |
Add a setting option to enable video download. Downloading is disabled by default.
Use fake useragent library instead of hardcoded useragent.
Allow selecting innertube client via settings page.
Update ios and web innertube client context.
Make the loading of age_restricted contents configurable. Disabled by default.
Add functional mweb client. Also several features included:
- Fix sig decryption code
- Add nsig decryption with function body extraction taken from
iv-org/inv_sig_helper, using dukpy to execute nsig js decryption code.
- Add support to use visitorData from api response
- Add support to use poToken by saving a json file as
'po_token_cache.txt':
{
"visitorData": "long_base64_visitorData_value",
"poToken": "long_base64_poToken_value"
}
- More consistent request headers around several module: server.py,
channel.py, and comments.py
Avoid removing dist-info directories so fake-useragent can start, since the module will call importlib.metadata on init. Also use HEAD instead of master during archive copying step to allow generate_release.py to run on branch other than master.
- use os.path.join to access visitorData.txt and signature timestamp cache file - remove visitorData.txt if file is more than 24h old. - try accessing responseContext and raise exception on KeyError
- use os.path.join to define visitorData.txt file - use OSError exception instead of blank exception
- remove flpc import - add re.escape to extracted function name before appending to list - remove debugging messages
remove flpc from requirements, since built-in python regex engine is good enough.
Return error message when n signature is None
Remove debugging messages during yt-api request
Only send visitor data header to specific google domains.
alive4ever
force-pushed
the
feature-innertube-client-fix
branch
from
f50cae3 to
c7e1cac
Compare
Update ios innertube client context.
Update to require fake-useragent>=2.0.0
Update player version for innertube clients.
Emergency fix for player 3bb1f723 to fix both signature and `n` query parameter decryption. Credits to /yt-dlp team.
Fix wrong indentation in po_token conditinal statements.
|
Update for today: Currently experiencing 403 errors with Full video can only be played on |
Update for today: It seems that the cause of 1 minute playable stream is
Adding Btw, Any improvement suggestion is appreciated. |
The major change is the addition of
mwebinnertube client, which includes some refactoring of howbase_jsis handled and a new trick to decryptnsignature by extracting the relevant decryption code frombase_jsfile, using technique similar toiv-org/inv_sig_helper.This pull request also introduce three dependencies:
fake-useragentto simplify user agent header creation of mobile and desktop browser,flpcto parse nsig decryption regex, anddukpyto execute the extracted nsig decryption code.Also add the ability to parse
visitorDatain the YT Api response and specifying ownvisitorDataandpoTokenpair using properly formatted json in thedata/po_token_cache.txtfile.Also several more fixes for
androidandiosclient and makeinnertubeclient selectable.Also several changes in
settings.py, notably to allow reloading oftv_embeddedclient in case of missing player urls and showingDownloadplaceholder viause_video_downloadoption, which credits~heckyel/yt-local.This will hopefully fix #218