From 7b124eec640ca601d2cafc366867e1d6cd283577 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Mon, 20 Feb 2023 16:27:16 -0500
Subject: [PATCH 1/7] Add History API

---
 src/invidious/routes/api/v1/authenticated.cr | 50 ++++++++++++++++++++
 src/invidious/routing.cr                     |  5 ++
 2 files changed, 55 insertions(+)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index 6b935312..e670a87c 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -54,6 +54,56 @@ module Invidious::Routes::API::V1::Authenticated
     env.response.status_code = 204
   end
 
+  def self.get_history(env)
+    env.response.content_type = "application/json"
+    user = env.get("user").as(User)
+
+    page = env.params.query["page"]?.try &.to_i?
+    page ||= 1
+
+    max_results = env.params.query["max_results"]?.try &.to_i?.try &.clamp(0, MAX_ITEMS_PER_PAGE)
+    max_results ||= user.preferences.max_results
+    max_results ||= CONFIG.default_user_preferences.max_results
+
+    if user.watched[(page - 1) * max_results]?
+      watched = user.watched.reverse[(page - 1) * max_results, max_results]
+    end
+    watched ||= [] of String
+
+    return watched.to_json
+  end
+
+  def self.mark_watched(env)
+    user = env.get("user").as(User)
+
+    id = env.params.url["id"]?.try &.as(String)
+    if !id
+      return error_json(400, "Invalid video id.")
+    end
+
+    Invidious::Database::Users.mark_watched(user, id)
+    env.response.status_code = 204
+  end
+
+  def self.mark_unwatched(env)
+    user = env.get("user").as(User)
+
+    id = env.params.url["id"]?.try &.as(String)
+    if !id
+      return error_json(400, "Invalid video id.")
+    end
+
+    Invidious::Database::Users.mark_unwatched(user, id)
+    env.response.status_code = 204
+  end
+
+  def self.clear_history(env)
+    user = env.get("user").as(User)
+
+    Invidious::Database::Users.clear_watch_history(user)
+    env.response.status_code = 204
+  end
+
   def self.feed(env)
     env.response.content_type = "application/json"
 
diff --git a/src/invidious/routing.cr b/src/invidious/routing.cr
index dca2f117..9e2ade3d 100644
--- a/src/invidious/routing.cr
+++ b/src/invidious/routing.cr
@@ -257,6 +257,11 @@ module Invidious::Routing
       get "/api/v1/auth/export/invidious", {{namespace}}::Authenticated, :export_invidious
       post "/api/v1/auth/import/invidious", {{namespace}}::Authenticated, :import_invidious
 
+      get "/api/v1/auth/history", {{namespace}}::Authenticated, :get_history
+      post "/api/v1/auth/history/:id", {{namespace}}::Authenticated, :mark_watched
+      delete "/api/v1/auth/history/:id", {{namespace}}::Authenticated, :mark_unwatched
+      delete "/api/v1/auth/history", {{namespace}}::Authenticated, :clear_history
+
       get "/api/v1/auth/feed", {{namespace}}::Authenticated, :feed
 
       get "/api/v1/auth/subscriptions", {{namespace}}::Authenticated, :get_subscriptions

From 15e9510ab212ac1f8b6bc2a5a3e83ebc4ba1fe90 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Mon, 20 Feb 2023 16:43:36 -0500
Subject: [PATCH 2/7] Check preferences before marking video as watched

---
 src/invidious/routes/api/v1/authenticated.cr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index e670a87c..dc86bb3c 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -76,6 +76,10 @@ module Invidious::Routes::API::V1::Authenticated
   def self.mark_watched(env)
     user = env.get("user").as(User)
 
+    if !user.preferences.watch_history
+      return error_json(409, "Watch history is disabled in preferences.")
+    end
+
     id = env.params.url["id"]?.try &.as(String)
     if !id
       return error_json(400, "Invalid video id.")

From 27bf4d02a185e6750cdecdc4f1c169b0723dbbf5 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Wed, 1 Mar 2023 22:08:19 -0500
Subject: [PATCH 3/7] PR nursing

---
 src/invidious/routes/api/v1/authenticated.cr | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index dc86bb3c..a20d23d0 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -58,15 +58,16 @@ module Invidious::Routes::API::V1::Authenticated
     env.response.content_type = "application/json"
     user = env.get("user").as(User)
 
-    page = env.params.query["page"]?.try &.to_i?
+    page = env.params.query["page"]?.try &.to_i?.try &.clamp(0, Int32::MAX)
     page ||= 1
 
     max_results = env.params.query["max_results"]?.try &.to_i?.try &.clamp(0, MAX_ITEMS_PER_PAGE)
     max_results ||= user.preferences.max_results
     max_results ||= CONFIG.default_user_preferences.max_results
 
-    if user.watched[(page - 1) * max_results]?
-      watched = user.watched.reverse[(page - 1) * max_results, max_results]
+    start_index = (page - 1) * max_results
+    if user.watched[start_index]?
+      watched = user.watched.reverse[start_index, max_results]
     end
     watched ||= [] of String
 

From 8c0efb3ea9e409796ae860128b16d8aac860c5c6 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Thu, 2 Mar 2023 14:45:26 -0500
Subject: [PATCH 4/7] validate video id

---
 src/invidious/routes/api/v1/authenticated.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index a20d23d0..75dad6df 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -94,7 +94,7 @@ module Invidious::Routes::API::V1::Authenticated
     user = env.get("user").as(User)
 
     id = env.params.url["id"]?.try &.as(String)
-    if !id
+    if !id.match(/[a-zA-Z0-9_-]{11}/)
       return error_json(400, "Invalid video id.")
     end
 

From 38f6d08be6559915262cd246b7a82988700250a5 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Thu, 2 Mar 2023 14:47:14 -0500
Subject: [PATCH 5/7] Validate id, avoid db call if not needed

---
 src/invidious/routes/api/v1/authenticated.cr | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index 75dad6df..e8e7c524 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -82,7 +82,7 @@ module Invidious::Routes::API::V1::Authenticated
     end
 
     id = env.params.url["id"]?.try &.as(String)
-    if !id
+    if !id.match(/[a-zA-Z0-9_-]{11}/)
       return error_json(400, "Invalid video id.")
     end
 
@@ -93,6 +93,10 @@ module Invidious::Routes::API::V1::Authenticated
   def self.mark_unwatched(env)
     user = env.get("user").as(User)
 
+    if !user.preferences.watch_history
+      return error_json(409, "Watch history is disabled in preferences.")
+    end
+
     id = env.params.url["id"]?.try &.as(String)
     if !id.match(/[a-zA-Z0-9_-]{11}/)
       return error_json(400, "Invalid video id.")

From a5cc66e060578f801371fe3f4b53bcb3d61b3ef9 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Thu, 2 Mar 2023 16:11:50 -0500
Subject: [PATCH 6/7] Fix id check

---
 src/invidious/routes/api/v1/authenticated.cr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index e8e7c524..a024736c 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -81,7 +81,7 @@ module Invidious::Routes::API::V1::Authenticated
       return error_json(409, "Watch history is disabled in preferences.")
     end
 
-    id = env.params.url["id"]?.try &.as(String)
+    id = env.params.url["id"]
     if !id.match(/[a-zA-Z0-9_-]{11}/)
       return error_json(400, "Invalid video id.")
     end
@@ -97,7 +97,7 @@ module Invidious::Routes::API::V1::Authenticated
       return error_json(409, "Watch history is disabled in preferences.")
     end
 
-    id = env.params.url["id"]?.try &.as(String)
+    id = env.params.url["id"]
     if !id.match(/[a-zA-Z0-9_-]{11}/)
       return error_json(400, "Invalid video id.")
     end

From 0b17f68ebacdb54e74116cf3364c8229e896eff0 Mon Sep 17 00:00:00 2001
From: Brahim Hadriche <brahim.hadriche@gmail.com>
Date: Tue, 7 Mar 2023 13:50:02 -0500
Subject: [PATCH 7/7] Fix input validation

---
 src/invidious/routes/api/v1/authenticated.cr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index a024736c..ce2ee812 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -82,7 +82,7 @@ module Invidious::Routes::API::V1::Authenticated
     end
 
     id = env.params.url["id"]
-    if !id.match(/[a-zA-Z0-9_-]{11}/)
+    if !id.match(/^[a-zA-Z0-9_-]{11}$/)
       return error_json(400, "Invalid video id.")
     end
 
@@ -98,7 +98,7 @@ module Invidious::Routes::API::V1::Authenticated
     end
 
     id = env.params.url["id"]
-    if !id.match(/[a-zA-Z0-9_-]{11}/)
+    if !id.match(/^[a-zA-Z0-9_-]{11}$/)
       return error_json(400, "Invalid video id.")
     end