# Delegated upload token in E-learning platform problem
Why does the frontend trigger the user association?
Shouldn't that happen automatically with the webhook?
And doesn't it risk another user claiming the video?
@vapid portal API.video service only supports the encoding completed webhook
it does not support custom webhooks
that's the body of the webhook
video encoding completes webhook request
```json
{
  "type": "video.encoding.quality.completed",
  "emittedAt": "2024-08-151T10:18:47+00:00",
  "videoId": "vi4blUQJFrYWbaG44NChkH11",
  "encoding": "hls",
  "quality": "1080p"
}
```
yes exactly that's the problem i am trying to solve
that's a solution i got but i am not sure if there is no way to solve this problem
frontend extracts the file name before upload and calls a backend api
that returns userId + old file name encrypted
and the frontend renames the user file to that name before uploading
so when the webhook arrives the backend can extract the video title and know which user uploaded
Is there an association between the upload token and the video?
no also
api.video upload token is very limited
you can upload unlimited number of videos with that token
but can't edit title or metadata or retrieve the video
and also you can't know which token is used to upload this video
I assume you don't want to proxy the video creation?
One thing you could do is always save the first message (request claiming the video or the webhook) and then process both together once you have both
the problem is how should i verify that this user allowed to claim that video ?
what if another user guessed the video id and tried to claim it before the original user?
video id is something like that vi4blUQJFrYWbaG44NChkH27
is it safe to just rely on the user knowing the video id??
what do you mean proxying the video upload?
you mean upload the video to the backend then to the external service?
that's not an option since there are unlimited number of users can upload videos
for bandwidth reasons?
video name depend on the name of the file before uploading
Yes but when is it decided from the video API point of view?
yes and performance, if 1000 instructors tried to upload large videos at the same time it would kill the backend server
Can the backend update metadata?
yes backend can edit everything about the video: name, description and metadata, but after uploading
but frontend can't do anything like that only upload
the only workaround frontend can do is change the video name before uploading so api.video uses that name
So the file name is decided by the backend and the frontend just uses that name, right?
you have this one
yes in my solution
backend decides the video name and frontend uses that
yes it's generate file name
yeah that approach should work using the video name
by backend so when webhook arrives
backend can know the user that uploaded this video by decrypting the video name
but you might want to do the following:
- You should probably store the video names between requesting a name and uploading in a database or similar
- You might want to rename the video after retrieving the webhook
- if you get a webhook with an unknown video (unknown name), you should probably delete it and possibly block the user from uploading videos (someone is doing funny business)
- you should verify that nobody fakes webhook requests
also I think you can just use the user ID and possibly a random or similar content/key as the temporary file name, idk why you need hmac there
you mean just create
temporary file name and associate it to user id in my database?
yes
and when you get the webhook, you rename it
but you should make sure that the webhook is actually from the video API
yes i can verify the webhook by its signature
i feel hmac encryption and decryption would be much faster than database access for every file generation and webhook handling
encryption of 64 char string takes less than 1 microsecond i think
while db insert depend on network and load , etc
Can hmacs be decoded?
yes it can be decoded
by a secret key that doesn't leave the backend server
yeah then it's fine
but make sure that you stay within the file name limits from your video API I guess
yes i and also browser storage file name limits i think
thank you for your help ❤️
Does the browser need to store it?
Also you can store a lot in the browser