feat(pot): implement proof-of-origin token provider

notdeltaxd · notdeltaxd · commit bd7eb307534d · 2026-02-23T20:24:59.000Z
diff --git a/server.ts b/server.ts
@@ -4,6 +4,7 @@ import { initializeCache } from "./src/playerCache.ts";
 import { handleDecryptSignature } from "./src/handlers/decryptSignature.ts";
 import { handleGetSts } from "./src/handlers/getSts.ts";
 import { handleResolveUrl } from "./src/handlers/resolveUrl.ts";
+import { handleGetPoToken } from "./src/handlers/getPoToken.ts";
 import { withMetrics } from "./src/middleware.ts";
 import { withValidation } from "./src/validation.ts";
 import { registry } from "./src/metrics.ts";
@@ -70,6 +71,8 @@ async function baseHandler(req: Request): Promise<Response> {
         handle = handleGetSts;
     } else if (pathname === '/resolve_url') {
         handle = handleResolveUrl;
+    } else if (pathname === '/get_pot') {
+        handle = handleGetPoToken;
     } else {
         return new Response(JSON.stringify({ error: 'Not Found' }), { status: 404, headers: { "Content-Type": "application/json" } });
     }
diff --git a/src/handlers/getPoToken.ts b/src/handlers/getPoToken.ts
@@ -0,0 +1,30 @@
+import { potManager } from "../pot.ts";
+import type { RequestContext, PoTokenRequest, PoTokenResponse } from "../types.ts";
+
+export async function handleGetPoToken(ctx: RequestContext): Promise<Response> {
+    const { content_binding } = ctx.body as PoTokenRequest;
+
+    try {
+        const potData = await potManager.generatePoToken(content_binding);
+
+        const response: PoTokenResponse = {
+            poToken: potData.poToken,
+            visitorData: potData.contentBinding,
+            expiresAt: potData.expiresAt.toISOString(),
+        };
+
+        return new Response(JSON.stringify(response), {
+            status: 200,
+            headers: { "Content-Type": "application/json" },
+        });
+    } catch (e) {
+        console.error("Error generating PoToken:", e);
+        return new Response(
+            JSON.stringify({ error: e instanceof Error ? e.message : String(e) }),
+            {
+                status: 500,
+                headers: { "Content-Type": "application/json" },
+            },
+        );
+    }
+}
diff --git a/src/middleware.ts b/src/middleware.ts
@@ -7,7 +7,7 @@ type Next = (ctx: RequestContext) => Promise<Response>;
 export function withMetrics(handler: Next): Next {
     return async (ctx: RequestContext) => {
         const { pathname } = new URL(ctx.req.url);
-        const playerId = extractPlayerId(ctx.body.player_url);
+        const playerId = extractPlayerId((ctx.body as any)?.player_url);
         const pluginVersion = ctx.req.headers.get("Plugin-Version") ?? "unknown";
         const userAgent = ctx.req.headers.get("User-Agent") ?? "unknown";
 
diff --git a/src/pot.ts b/src/pot.ts
@@ -0,0 +1,243 @@
+import axios, { AxiosRequestConfig } from "npm:axios";
+import {
+    BG,
+    BgConfig,
+    DescrambledChallenge,
+    WebPoSignalOutput,
+    FetchFunction,
+    buildURL,
+    getHeaders,
+    USER_AGENT,
+} from "npm:bgutils-js";
+import { JSDOM } from "npm:jsdom";
+import { Innertube, type Context as InnertubeContext } from "npm:youtubei.js";
+
+interface YoutubeSessionData {
+    poToken: string;
+    contentBinding: string;
+    expiresAt: Date;
+}
+
+export interface ChallengeData {
+    interpreterUrl: {
+        privateDoNotAccessOrElseTrustedResourceUrlWrappedValue: string;
+    };
+    interpreterHash: string;
+    program: string;
+    globalName: string;
+    clientExperimentsStateBlob: string;
+}
+
+type TokenMinter = {
+    expiry: Date;
+    integrityToken: string;
+    minter: any; // BG.WebPoMinter
+};
+
+export class PoTokenManager {
+    private static readonly REQUEST_KEY = "O43z0dpjhgX20SCx4KAo";
+    private static hasDom = false;
+    private _minterCache: Map<string, TokenMinter> = new Map();
+    private TOKEN_TTL_HOURS = 6;
+    private innertube?: Innertube;
+
+    constructor() {
+        if (!PoTokenManager.hasDom) {
+            const dom = new JSDOM(
+                '<!DOCTYPE html><html lang="en"><head><title></title></head><body></body></html>',
+                {
+                    url: "https://www.youtube.com/",
+                    referrer: "https://www.youtube.com/",
+                    userAgent: USER_AGENT,
+                },
+            );
+
+            Object.assign(globalThis, {
+                window: dom.window,
+                document: dom.window.document,
+                location: dom.window.location,
+                origin: dom.window.origin,
+                navigator: dom.window.navigator,
+            });
+            PoTokenManager.hasDom = true;
+        }
+    }
+
+    private async getInnertube(): Promise<Innertube> {
+        if (!this.innertube) {
+            this.innertube = await Innertube.create({ retrieve_player: false });
+        }
+        return this.innertube;
+    }
+
+    private async generateVisitorData(): Promise<string | null> {
+        try {
+            const innertube = await this.getInnertube();
+            const visitorData = innertube.session.context.client.visitorData;
+            return visitorData || null;
+        } catch (e) {
+            console.error("Failed to generate visitor data:", e);
+            return null;
+        }
+    }
+
+    private async getDescrambledChallenge(
+        bgConfig: BgConfig,
+        innertubeContext?: InnertubeContext,
+    ): Promise<DescrambledChallenge> {
+        try {
+            if (!innertubeContext) {
+                const innertube = await this.getInnertube();
+                innertubeContext = innertube.session.context;
+            }
+            if (!innertubeContext) throw new Error("Innertube context unavailable");
+            
+            const attGetResponse = await bgConfig.fetch(
+                "https://www.youtube.com/youtubei/v1/att/get?prettyPrint=false",
+                {
+                    method: "POST",
+                    headers: {
+                        ...getHeaders(),
+                        "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify({
+                        context: innertubeContext,
+                        engagementType: "ENGAGEMENT_TYPE_UNBOUND",
+                    }),
+                },
+            );
+            const attestation = await attGetResponse.json();
+            const challenge = attestation.bgChallenge as ChallengeData;
+            
+            const { program, globalName, interpreterHash } = challenge;
+            const { privateDoNotAccessOrElseTrustedResourceUrlWrappedValue } = challenge.interpreterUrl;
+            
+            const interpreterJSResponse = await bgConfig.fetch(
+                `https:${privateDoNotAccessOrElseTrustedResourceUrlWrappedValue}`,
+            );
+            const interpreterJS = await interpreterJSResponse.text();
+            
+            return {
+                program,
+                globalName,
+                interpreterHash,
+                interpreterJavascript: {
+                    privateDoNotAccessOrElseSafeScriptWrappedValue: interpreterJS,
+                    privateDoNotAccessOrElseTrustedResourceUrlWrappedValue,
+                },
+            };
+        } catch (e) {
+            console.warn("Failed to get challenge from Innertube, falling back to BG.Challenge.create", e);
+            const descrambledChallenge = await BG.Challenge.create(bgConfig);
+            if (descrambledChallenge) return descrambledChallenge;
+            throw new Error("Could not get Botguard challenge");
+        }
+    }
+
+    private async generateTokenMinter(
+        bgConfig: BgConfig,
+        innertubeContext?: InnertubeContext,
+    ): Promise<TokenMinter> {
+        const descrambledChallenge = await this.getDescrambledChallenge(bgConfig, innertubeContext);
+
+        const { program, globalName } = descrambledChallenge;
+        const interpreterJavascript = descrambledChallenge.interpreterJavascript?.privateDoNotAccessOrElseSafeScriptWrappedValue;
+
+        if (interpreterJavascript) {
+            new Function(interpreterJavascript)();
+        } else throw new Error("Could not load VM");
+
+        const bgClient = await BG.BotGuardClient.create({
+            program,
+            globalName,
+            globalObj: bgConfig.globalObj,
+        });
+
+        const webPoSignalOutput: WebPoSignalOutput = [];
+        const botguardResponse = await bgClient.snapshot({ webPoSignalOutput });
+        
+        const integrityTokenResp = await bgConfig.fetch(
+            buildURL("GenerateIT"),
+            {
+                method: "POST",
+                headers: getHeaders(),
+                body: JSON.stringify([
+                    PoTokenManager.REQUEST_KEY,
+                    botguardResponse,
+                ]),
+            },
+        );
+
+        const [integrityToken, estimatedTtlSecs, mintRefreshThreshold, websafeFallbackToken] = await integrityTokenResp.json();
+
+        const integrityTokenData = {
+            integrityToken,
+            estimatedTtlSecs,
+            mintRefreshThreshold,
+            websafeFallbackToken,
+        };
+
+        if (!integrityToken) throw new Error("Unexpected empty integrity token");
+
+        const tokenMinter: TokenMinter = {
+            expiry: new Date(Date.now() + estimatedTtlSecs * 1000),
+            integrityToken,
+            minter: await BG.WebPoMinter.create(integrityTokenData, webPoSignalOutput),
+        };
+        
+        this._minterCache.set("default", tokenMinter);
+        return tokenMinter;
+    }
+
+    private getFetch(): FetchFunction {
+        return async (url: string, options: any): Promise<any> => {
+            const method = (options?.method || "GET").toUpperCase();
+            const axiosOpt: AxiosRequestConfig = {
+                headers: options?.headers,
+                params: options?.params,
+            };
+            
+            const response = await (method === "GET"
+                ? axios.get(url, axiosOpt)
+                : axios.post(url, options?.body, axiosOpt));
+
+            return {
+                ok: response.status >= 200 && response.status < 300,
+                status: response.status,
+                json: async () => response.data,
+                text: async () => typeof response.data === "string" ? response.data : JSON.stringify(response.data),
+            };
+        };
+    }
+
+    async generatePoToken(contentBinding?: string): Promise<YoutubeSessionData> {
+        if (!contentBinding) {
+            contentBinding = (await this.generateVisitorData()) || undefined;
+            if (!contentBinding) throw new Error("Unable to generate visitor data");
+        }
+
+        const bgConfig: BgConfig = {
+            fetch: this.getFetch(),
+            globalObj: globalThis as any,
+            identifier: contentBinding,
+            requestKey: PoTokenManager.REQUEST_KEY,
+        };
+
+        let tokenMinter = this._minterCache.get("default");
+        if (!tokenMinter || new Date() >= tokenMinter.expiry) {
+            const innertube = await this.getInnertube();
+            tokenMinter = await this.generateTokenMinter(bgConfig, innertube.session.context);
+        }
+
+        const poToken = await tokenMinter.minter.mintAsWebsafeString(contentBinding);
+        if (!poToken) throw new Error("Unexpected empty POT");
+
+        return {
+            contentBinding,
+            poToken,
+            expiresAt: new Date(Date.now() + this.TOKEN_TTL_HOURS * 60 * 60 * 1000),
+        };
+    }
+}
+
+export const potManager = new PoTokenManager();
diff --git a/src/types.ts b/src/types.ts
@@ -36,6 +36,16 @@ export interface ResolveUrlResponse {
     resolved_url: string;
 }
 
+export interface PoTokenRequest {
+    content_binding?: string;
+}
+
+export interface PoTokenResponse {
+    poToken: string;
+    visitorData: string;
+    expiresAt?: string;
+}
+
 export interface WorkerWithStatus extends Worker {
     isIdle?: boolean;
 }
@@ -46,7 +56,7 @@ export interface Task {
     reject: (error: any) => void;
 }
 
-export type ApiRequest = SignatureRequest | StsRequest | ResolveUrlRequest;
+export type ApiRequest = SignatureRequest | StsRequest | ResolveUrlRequest | PoTokenRequest;
 
 // Parsing into this context helps avoid multi copies of requests
 // since request body can only be read once. 
diff --git a/src/utils.ts b/src/utils.ts
@@ -22,7 +22,8 @@ export function validateAndNormalizePlayerUrl(playerUrl: string): string {
         throw new Error(`Invalid player URL: ${playerUrl}`);
     }
 }
-export function extractPlayerId(playerUrl: string): string {
+export function extractPlayerId(playerUrl?: string): string {
+    if (!playerUrl) return 'unknown';
     try {
         const url = new URL(playerUrl);
         const pathParts = url.pathname.split('/');

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ export function validateAndNormalizePlayerUrl(playerUrl: string): string {`
`22`	`22`	throw new Error(`Invalid player URL: ${playerUrl}`);
`23`	`23`	`}`
`24`	`24`	`}`
`25`		`-export function extractPlayerId(playerUrl: string): string {`
	`25`	`+export function extractPlayerId(playerUrl?: string): string {`
	`26`	`+ if (!playerUrl) return 'unknown';`
`26`	`27`	`try {`
`27`	`28`	`const url = new URL(playerUrl);`
`28`	`29`	`const pathParts = url.pathname.split('/');`