encrypt original path in download links and move apikey to parameters

src/Jackett/Controllers/BlackholeController.cs

@@ -23,16 +23,18 @@ namespace Jackett.Controllers
         private Logger logger;
         private IIndexerManagerService indexerService;
         IServerService serverService;
+        IProtectionService protectionService;
 
-        public BlackholeController(IIndexerManagerService i, Logger l, IServerService s)
+        public BlackholeController(IIndexerManagerService i, Logger l, IServerService s, IProtectionService ps)
         {
             logger = l;
             indexerService = i;
             serverService = s;
+            protectionService = ps;
         }
 
         [HttpGet]
-        public async Task<IHttpActionResult> Blackhole(string indexerID, string path, string apikey, string file)
+        public async Task<IHttpActionResult> Blackhole(string indexerID, string path, string jackett_apikey, string file)
         {
 
             var jsonReply = new JObject();
@@ -45,10 +47,12 @@ namespace Jackett.Controllers
                     throw new Exception("This indexer is not configured.");
                 }
 
-                if (serverService.Config.APIKey != apikey)
+                if (serverService.Config.APIKey != jackett_apikey)
                     throw new Exception("Incorrect API key");
 
-                var remoteFile = new Uri(Encoding.UTF8.GetString(HttpServerUtility.UrlTokenDecode(path)), UriKind.RelativeOrAbsolute);
+                path = Encoding.UTF8.GetString(HttpServerUtility.UrlTokenDecode(path));
+                path = protectionService.UnProtect(path);
+                var remoteFile = new Uri(path, UriKind.RelativeOrAbsolute);
                 var downloadBytes = await indexer.Download(remoteFile);
 
                 if (string.IsNullOrWhiteSpace(Engine.Server.Config.BlackholeDir))

src/Jackett/Controllers/DownloadController.cs

@@ -22,16 +22,18 @@ namespace Jackett.Controllers
         Logger logger;
         IIndexerManagerService indexerService;
         IServerService serverService;
+        IProtectionService protectionService;
 
-        public DownloadController(IIndexerManagerService i, Logger l, IServerService s)
+        public DownloadController(IIndexerManagerService i, Logger l, IServerService s, IProtectionService ps)
         {
             logger = l;
             indexerService = i;
             serverService = s;
+            protectionService = ps;
         }
 
         [HttpGet]
-        public async Task<HttpResponseMessage> Download(string indexerID, string path, string apikey, string file)
+        public async Task<HttpResponseMessage> Download(string indexerID, string path, string jackett_apikey, string file)
         {
             try
             {
@@ -44,8 +46,9 @@ namespace Jackett.Controllers
                 }
 
                 path = Encoding.UTF8.GetString(HttpServerUtility.UrlTokenDecode(path));
+                path = protectionService.UnProtect(path);
 
-                if (serverService.Config.APIKey != apikey)
+                if (serverService.Config.APIKey != jackett_apikey)
                     return new HttpResponseMessage(HttpStatusCode.Unauthorized);
 
                 var target = new Uri(path, UriKind.RelativeOrAbsolute);

src/Jackett/Services/ServerService.cs

@@ -46,6 +46,7 @@ namespace Jackett.Services
         private IWebClient client;
         private IUpdateService updater;
         private List<string> _notices = new List<string>();
+        IProtectionService protectionService;
 
         public ServerService(IIndexerManagerService i, IProcessService p, ISerializeService s, IConfigurationService c, Logger l, IWebClient w, IUpdateService u, IProtectionService protectionService)
         {
@@ -56,6 +57,7 @@ namespace Jackett.Services
             logger = l;
             client = w;
             updater = u;
+            this.protectionService = protectionService;
 
             LoadConfig();
             // "TEMPORARY" HACK
@@ -80,9 +82,10 @@ namespace Jackett.Services
             if (link == null || (link.IsAbsoluteUri && link.Scheme == "magnet"))
                 return link;
 
-            var encodedLink = HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(link.ToString()));
+            var encryptedLink = protectionService.Protect(link.ToString());
+            var encodedLink = HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(encryptedLink));
             string urlEncodedFile = WebUtility.UrlEncode(file);
-            var proxyLink = string.Format("{0}{1}/{2}/{3}?path={4}&file={5}", serverUrl, action, indexerId, config.APIKey, encodedLink, urlEncodedFile);
+            var proxyLink = string.Format("{0}{1}/{2}/?jackett_apikey={3}&path={4}&file={5}", serverUrl, action, indexerId, config.APIKey, encodedLink, urlEncodedFile);
             return new Uri(proxyLink);
         }
 

src/Jackett/Startup.cs

@@ -210,13 +210,13 @@ namespace Jackett
 
             config.Routes.MapHttpRoute(
                 name: "download",
-                routeTemplate: "dl/{indexerID}/{apiKey}",
+                routeTemplate: "dl/{indexerID}",
                 defaults: new { controller = "Download", action = "Download" }
             );
 
             config.Routes.MapHttpRoute(
               name: "blackhole",
-              routeTemplate: "bh/{indexerID}/{apikey}",
+              routeTemplate: "bh/{indexerID}",
               defaults: new { controller = "Blackhole", action = "Blackhole" }
             );