Introduction
There are many video hosting solutions currently on the market, the most popular being YouTube, Vimeo, Wistia, SproutVideo, Brightcove, and Vidyard. These platforms all have their advantages and disadvantages, and in our research we discovered Bunny.net, a fast, flexible, and feature-rich service at little to no cost.
But paying more for video hosting means higher quality service and better protection, doesn’t it?
Yes, that’s true: you do get what you pay for. Services like Vimeo are considered top-tier; they provide excellent security, anti-piracy, and permission-based access control, which is critical for businesses that sell video streaming services online.
Embed View Token Authentication
The Embed View Token Authentication allows you to secure your iframe to prevent unauthorized embedding of your videos.
If enabled, the embedded video player view will need to be authenticated with a token code. Otherwise, any requests to the video resources will be rejected and the player will not load. This makes it possible to gate content, for example to differentiate between paying and free users when serving it.
You can generate a token that expires in 1 hour on the fly every time a video resource is retrieved from the database and append it to your iframe on the front-end.
Now a copied iframe only works until its token expires, so no one can keep your video embedded on their website without your permission.
Realistically, it is impossible to completely prevent piracy or the unauthorized sharing of videos. Someone can still physically video record their computer screen if they desire. However, utilizing the Embed View Token Authentication feature will at least create some basic technical barriers that prevent the direct download and access of your actual video resources on the internet.
Pseudo-code example:
SHA256_HEX(token_security_key + video_id + expiration)
// Example hash input (security key + video ID + expiration timestamp):
SHA256(
  '4742a81b-bf15-42fe-8b1c-8fcb9024c550' +
  '32d140e2-e4f4-4eec-9d53-20371e9be607' +
  1623440202
)
In this example, the SHA256 function could be implemented with the Node.js crypto module.
The actual solution
So we at Sazokashi actually built a custom solution for this using Bunny.net’s API and a Node.js server. The server generates a token for each video request and appends it to the iframe URL, and it is designed to minimize the burden of repeat requests to the server or database.
We’re going to assume that you know how to connect to a third-party API service and how to retrieve and persist Video Item Objects in some relational or JSON-based schema.
embed.js
const crypto = require('crypto')

// Builds a signed iframe URL. `expires` is a Unix timestamp in seconds and
// defaults to one hour from now when not set.
function generateEmbedURL(
  securityKey,
  library_id,
  video_id,
  expires = Math.floor(Date.now() / 1000) + 3600
) {
  // Token input: security key + video ID + expiration, concatenated in that order
  const hash_path = securityKey + video_id + expires
  const sha256 = crypto.createHash('sha256')
  sha256.update(hash_path)
  const token = sha256.digest('hex')
  return `https://iframe.mediadelivery.net/embed/${library_id}/${video_id}?token=${token}&expires=${expires}`
}

module.exports = { generateEmbedURL }
Next, let’s define an iFrame embed URL in your API endpoint business logic:
// Import the generateEmbedURL function from the "embed.js" file
const { generateEmbedURL } = require('./embed')

// The security key can be found in the API section of the bunny.net stream library.
// Keep it on the server: anyone who has it can generate valid tokens.
const securityKey = ''
// The library ID can be found in the API section of the bunny.net stream library.
const library_id = ''
// The video ID can be found in the video manager of the bunny.net stream library once you click on a video.
const video_id = ''
// Expire one hour from now (Unix time in seconds); this matches the default.
const expires = Math.floor(Date.now() / 1000) + 3600

// Generate the embed URL using the provided parameters.
console.log(generateEmbedURL(securityKey, library_id, video_id, expires))
Please be advised, we didn’t use this above implementation 100% faithfully. There are some limitations to sha256 that we deemed inexcusable. The above is just a working guidance of how you can implement the Embed View Token Authentication feature.
EDIT: As of Dec 20th, 2024 - It seems Bunny.net’s development team has released an API endpoint that does this work for you: https://docs.bunny.net/reference/oembed_getoembed
How great?!
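The token formula above includes `expires` in the hash, so a URL whose `expires` value has been edited no longer matches its token. The following is an added example, not Sazokashi's or Bunny.net's code: it models that check locally so the output of a generator like `generateEmbedURL` can be tested. `signEmbed`, `verifyEmbedURL` and all sample values are hypothetical, and the verifier is an assumption derived from the formula, not a description of Bunny.net's server.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto')

// Same formula as the page: SHA256_HEX(securityKey + video_id + expires)
function signEmbed(securityKey, videoId, expires) {
  return createHash('sha256').update(securityKey + videoId + expires).digest('hex')
}

// Hypothetical local verifier: models the check the formula implies.
// `now` is Unix time in seconds and can be injected for testing.
function verifyEmbedURL(embedUrl, securityKey, now = Math.floor(Date.now() / 1000)) {
  const url = new URL(embedUrl)
  const videoId = url.pathname.split('/').filter(Boolean).pop()
  const token = url.searchParams.get('token') || ''
  const expiresRaw = url.searchParams.get('expires') || ''
  if (!/^[0-9a-f]{64}$/.test(token) || !/^\d+$/.test(expiresRaw)) {
    return { ok: false, reason: 'malformed' }
  }
  // Recompute over the expires value as sent, so an edited value changes the hash.
  const expected = signEmbed(securityKey, videoId, expiresRaw)
  // Constant-time comparison; both buffers are 32 bytes after the regex check.
  const match = timingSafeEqual(Buffer.from(token, 'hex'), Buffer.from(expected, 'hex'))
  if (!match) return { ok: false, reason: 'bad-token' }
  if (Number(expiresRaw) <= now) return { ok: false, reason: 'expired' }
  return { ok: true, reason: 'valid' }
}

// Constructed sample values (not real credentials or IDs).
const KEY = 'constructed-security-key'
const LIBRARY_ID = '12345'
const VIDEO_ID = '00000000-0000-4000-8000-000000000001'
const ISSUED_AT = 1700000000
const EXPIRES = ISSUED_AT + 3600
const goodUrl = `https://iframe.mediadelivery.net/embed/${LIBRARY_ID}/${VIDEO_ID}` +
  `?token=${signEmbed(KEY, VIDEO_ID, EXPIRES)}&expires=${EXPIRES}`
// The same URL with only the expiry pushed out by a day (token left unchanged).
const tamperedUrl = goodUrl.replace(`expires=${EXPIRES}`, `expires=${EXPIRES + 86400}`)

console.log(verifyEmbedURL(goodUrl, KEY, ISSUED_AT + 60))
console.log(verifyEmbedURL(tamperedUrl, KEY, ISSUED_AT + 60))
console.log(verifyEmbedURL(goodUrl, KEY, EXPIRES + 1))
```

The token is bound to the video ID and expiry only, not to a user or session, so anyone holding a valid URL can use it until `expires` passes.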
Mediacage Basic DRM Protection
Last, but not least, Bunny.net also offers a Basic DRM protection feature called Mediacage. There is also an Enterprise-level DRM solution, but I actually don’t even recommend that, because it’s mostly focused on Apple devices. The biggest issue is bad actors stealing content through the desktop or through browser-based scraping. The Mediacage Basic DRM protection feature is a great solution for this. Combined with the Embed View Token Authentication, you can create a very complete basic anti-piracy solution for your video streaming service.
Considerations and Limitations
Given that the token that is created is usable by ALL paid users across our private web app, it is important to consider the following:
Either the backend has to check the token and requery for a new token and Embed URL, OR
the frontend has to be engineered to requery for a new token when it encounters a 401 Unauthorized or 403 Forbidden request error.
You will have to reconsider the re-rendering of the frontend UI if this happens.
Another consideration is that the token is generated on the fly, so it is important to consider the performance of the server and the database.
One idea that we really liked was perhaps to persist the expiration timestamp in the database at the time of the token creation, and compare the current timestamp with the expiration timestamp at every GET request for the resource. If the JavaScript Date values show that the video token is outdated, then we can just re-request a token.
Another idea we liked was: instead of setting the URL of the frame in the src attribute, we could “test” the URL by sending a HEAD request to it with Ajax and, in case of success, set the src attribute of the iframe. If we receive an error, we quickly requery the server for a new token before the user notices anything.
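One way to implement the persisted-expiry idea above, as an added example rather than Sazokashi's production code: a signed URL is stored with its expiry and reused until it is within a refresh window of expiring. The `EmbedUrlCache` class, the 300-second skew, the sample values and the in-memory `Map` standing in for the database are assumptions.

```javascript
const { createHash } = require('node:crypto')

// Hypothetical cache: one signed URL per video, reused until it nears expiry.
class EmbedUrlCache {
  constructor({ securityKey, libraryId, ttlSeconds = 3600, refreshSkewSeconds = 300, store = new Map() }) {
    Object.assign(this, { securityKey, libraryId, ttlSeconds, refreshSkewSeconds, store })
    this.signCount = 0 // how many times a new token was actually generated
  }

  // Same formula as the page: SHA256_HEX(securityKey + video_id + expires)
  sign(videoId, expires) {
    this.signCount += 1
    const token = createHash('sha256')
      .update(this.securityKey + videoId + expires).digest('hex')
    return `https://iframe.mediadelivery.net/embed/${this.libraryId}/${videoId}` +
      `?token=${token}&expires=${expires}`
  }

  // Called on every GET for the resource. `now` is Unix time in seconds.
  get(videoId, now = Math.floor(Date.now() / 1000)) {
    const row = this.store.get(videoId)
    // Reuse only if the URL stays valid for longer than the skew window, so a
    // page rendered now does not carry a token that dies seconds later.
    if (row && row.expires - now > this.refreshSkewSeconds) {
      return { url: row.url, expires: row.expires, refreshed: false }
    }
    const expires = now + this.ttlSeconds
    const fresh = { url: this.sign(videoId, expires), expires }
    this.store.set(videoId, fresh) // persist the expiry next to the URL
    return { ...fresh, refreshed: true }
  }
}

// Constructed values for the demo.
function demo() {
  const cache = new EmbedUrlCache({ securityKey: 'constructed-key', libraryId: '12345' })
  const id = '00000000-0000-4000-8000-000000000001'
  const t0 = 1700000000
  return [
    cache.get(id, t0),            // first request: signs
    cache.get(id, t0 + 1800),     // 30 minutes later: reused
    cache.get(id, t0 + 3400),     // 200 s before expiry: inside skew, re-signed
    cache.get(id, t0 + 3400 + 10) // reuses the re-signed URL
  ].map(r => r.refreshed)
}
console.log(demo()) // [ true, false, true, false ]
```

Because the same URL is handed to every viewer until it is refreshed, the skew should be at least as long as a page can sit open before the player loads.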
Conclusion
Bunny.net’s Stream Embed View Token Authentication for iFrames combined with the Mediacage Basic DRM protection feature creates a fantastic and secure basic anti-piracy solution for your video streaming service.
Last updated on January 9, 2025 at 7:51 PM UTC+7.