From 7e4b3b182ab27024fddf77c6f1cc379d0ee81ee2 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Tue, 29 Oct 2024 18:09:50 +0100
Subject: [PATCH 1/5] Routes: Simplify actions in playlist_ajax

---
 assets/js/playlist_widget.js            |  6 ++---
 src/invidious/routes/playlists.cr       | 31 +++++--------------------
 src/invidious/views/components/item.ecr |  4 ++--
 src/invidious/views/watch.ecr           |  2 +-
 4 files changed, 12 insertions(+), 31 deletions(-)

diff --git a/assets/js/playlist_widget.js b/assets/js/playlist_widget.js
index c92592ac5..96a51d70d 100644
--- a/assets/js/playlist_widget.js
+++ b/assets/js/playlist_widget.js
@@ -6,7 +6,7 @@ function add_playlist_video(target) {
     var select = target.parentNode.children[0].children[1];
     var option = select.children[select.selectedIndex];
 
-    var url = '/playlist_ajax?action_add_video=1&redirect=false' +
+    var url = '/playlist_ajax?action=add_video&redirect=false' +
         '&video_id=' + target.getAttribute('data-id') +
         '&playlist_id=' + option.getAttribute('data-plid');
 
@@ -21,7 +21,7 @@ function add_playlist_item(target) {
     var tile = target.parentNode.parentNode.parentNode.parentNode.parentNode;
     tile.style.display = 'none';
 
-    var url = '/playlist_ajax?action_add_video=1&redirect=false' +
+    var url = '/playlist_ajax?action=add_video&redirect=false' +
         '&video_id=' + target.getAttribute('data-id') +
         '&playlist_id=' + target.getAttribute('data-plid');
 
@@ -36,7 +36,7 @@ function remove_playlist_item(target) {
     var tile = target.parentNode.parentNode.parentNode.parentNode.parentNode;
     tile.style.display = 'none';
 
-    var url = '/playlist_ajax?action_remove_video=1&redirect=false' +
+    var url = '/playlist_ajax?action=remove_video&redirect=false' +
         '&set_video_id=' + target.getAttribute('data-index') +
         '&playlist_id=' + target.getAttribute('data-plid');
 
diff --git a/src/invidious/routes/playlists.cr b/src/invidious/routes/playlists.cr
index 9c6843e99..f2213da44 100644
--- a/src/invidious/routes/playlists.cr
+++ b/src/invidious/routes/playlists.cr
@@ -304,23 +304,6 @@ module Invidious::Routes::Playlists
       end
     end
 
-    if env.params.query["action_create_playlist"]?
-      action = "action_create_playlist"
-    elsif env.params.query["action_delete_playlist"]?
-      action = "action_delete_playlist"
-    elsif env.params.query["action_edit_playlist"]?
-      action = "action_edit_playlist"
-    elsif env.params.query["action_add_video"]?
-      action = "action_add_video"
-      video_id = env.params.query["video_id"]
-    elsif env.params.query["action_remove_video"]?
-      action = "action_remove_video"
-    elsif env.params.query["action_move_video_before"]?
-      action = "action_move_video_before"
-    else
-      return env.redirect referer
-    end
-
     begin
       playlist_id = env.params.query["playlist_id"]
       playlist = get_playlist(playlist_id).as(InvidiousPlaylist)
@@ -335,12 +318,8 @@ module Invidious::Routes::Playlists
       end
     end
 
-    email = user.email
-
-    case action
-    when "action_edit_playlist"
-      # TODO: Playlist stub
-    when "action_add_video"
+    case action = env.params.query["action"]?
+    when "add_video"
       if playlist.index.size >= CONFIG.playlist_length_limit
         if redirect
           return error_template(400, "Playlist cannot have more than #{CONFIG.playlist_length_limit} videos")
@@ -377,12 +356,14 @@ module Invidious::Routes::Playlists
 
       Invidious::Database::PlaylistVideos.insert(playlist_video)
       Invidious::Database::Playlists.update_video_added(playlist_id, playlist_video.index)
-    when "action_remove_video"
+    when "remove_video"
       index = env.params.query["set_video_id"]
       Invidious::Database::PlaylistVideos.delete(index)
       Invidious::Database::Playlists.update_video_removed(playlist_id, index)
-    when "action_move_video_before"
+    when "move_video_before"
       # TODO: Playlist stub
+    when nil
+      return error_json(400, "Missing action")
     else
       return error_json(400, "Unsupported action #{action}")
     end
diff --git a/src/invidious/views/components/item.ecr b/src/invidious/views/components/item.ecr
index 6d227cfc9..dc8421a53 100644
--- a/src/invidious/views/components/item.ecr
+++ b/src/invidious/views/components/item.ecr
@@ -138,14 +138,14 @@
                     <%- end -%>
 
                     <%- if plid_form = env.get?("add_playlist_items") -%>
-                        <%- form_parameters = "action_add_video=1&video_id=#{item.id}&playlist_id=#{plid_form}&referer=#{env.get("current_page")}" -%>
+                        <%- form_parameters = "action=add_video&video_id=#{item.id}&playlist_id=#{plid_form}&referer=#{env.get("current_page")}" -%>
                         <form data-onsubmit="return_false" action="/playlist_ajax?<%= form_parameters %>" method="post">
                             <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                             <button type="submit" class="pure-button pure-button-secondary low-profile"
                                     data-onclick="add_playlist_item" data-id="<%= item.id %>" data-plid="<%= plid_form %>"><i class="icon ion-md-add"></i></button>
                         </form>
                     <%- elsif item.is_a?(PlaylistVideo) && (plid_form = env.get?("remove_playlist_items")) -%>
-                        <%- form_parameters = "action_remove_video=1&set_video_id=#{item.index}&playlist_id=#{plid_form}&referer=#{env.get("current_page")}" -%>
+                        <%- form_parameters = "action=remove_video&set_video_id=#{item.index}&playlist_id=#{plid_form}&referer=#{env.get("current_page")}" -%>
                         <form data-onsubmit="return_false" action="/playlist_ajax?<%= form_parameters %>" method="post">
                             <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                             <button type="submit" class="pure-button pure-button-secondary low-profile"
diff --git a/src/invidious/views/watch.ecr b/src/invidious/views/watch.ecr
index 45c58a162..ce111d696 100644
--- a/src/invidious/views/watch.ecr
+++ b/src/invidious/views/watch.ecr
@@ -169,7 +169,7 @@ we're going to need to do it here in order to allow for translations.
                         </div>
 
                         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
-                        <input type="hidden" name="action_add_video" value="1">
+                        <input type="hidden" name="action" value="add_video">
                         <input type="hidden" name="video_id" value="<%= video.id %>">
                         <button data-onclick="add_playlist_video" data-id="<%= video.id %>" type="submit" class="pure-button pure-button-primary">
                             <b><%= translate(locale, "Add to playlist") %></b>

From e453a2a682f3cf18cba37329d2f422217dd8e980 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Tue, 29 Oct 2024 18:16:52 +0100
Subject: [PATCH 2/5] Routes: Simplify actions in subscription_ajax

---
 assets/js/handlers.js                              |  2 +-
 assets/js/subscribe_widget.js                      |  4 ++--
 src/invidious/routes/subscriptions.cr              | 14 +++-----------
 .../views/components/subscribe_widget.ecr          |  4 ++--
 src/invidious/views/user/subscription_manager.ecr  |  2 +-
 5 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/assets/js/handlers.js b/assets/js/handlers.js
index 539974fbf..a3199fa7f 100644
--- a/assets/js/handlers.js
+++ b/assets/js/handlers.js
@@ -111,7 +111,7 @@
         var count = document.getElementById('count');
         count.textContent--;
 
-        var url = '/subscription_ajax?action_remove_subscriptions=1&redirect=false' +
+        var url = '/subscription_ajax?action=remove_subscriptions&redirect=false' +
             '&referer=' + encodeURIComponent(location.href) +
             '&c=' + target.getAttribute('data-ucid');
 
diff --git a/assets/js/subscribe_widget.js b/assets/js/subscribe_widget.js
index 7665a00b1..d462e8486 100644
--- a/assets/js/subscribe_widget.js
+++ b/assets/js/subscribe_widget.js
@@ -16,7 +16,7 @@ function subscribe() {
     subscribe_button.onclick = unsubscribe;
     subscribe_button.innerHTML = '<b>' + subscribe_data.unsubscribe_text + ' | ' + subscribe_data.sub_count_text + '</b>';
 
-    var url = '/subscription_ajax?action_create_subscription_to_channel=1&redirect=false' +
+    var url = '/subscription_ajax?action=create_subscription_to_channel&redirect=false' +
         '&c=' + subscribe_data.ucid;
 
     helpers.xhr('POST', url, {payload: payload, retries: 5, entity_name: 'subscribe request'}, {
@@ -32,7 +32,7 @@ function unsubscribe() {
     subscribe_button.onclick = subscribe;
     subscribe_button.innerHTML = '<b>' + subscribe_data.subscribe_text + ' | ' + subscribe_data.sub_count_text + '</b>';
 
-    var url = '/subscription_ajax?action_remove_subscriptions=1&redirect=false' +
+    var url = '/subscription_ajax?action=remove_subscriptions&redirect=false' +
         '&c=' + subscribe_data.ucid;
 
     helpers.xhr('POST', url, {payload: payload, retries: 5, entity_name: 'unsubscribe request'}, {
diff --git a/src/invidious/routes/subscriptions.cr b/src/invidious/routes/subscriptions.cr
index 7f9ec5926..1de655d20 100644
--- a/src/invidious/routes/subscriptions.cr
+++ b/src/invidious/routes/subscriptions.cr
@@ -32,24 +32,16 @@ module Invidious::Routes::Subscriptions
       end
     end
 
-    if env.params.query["action_create_subscription_to_channel"]?.try &.to_i?.try &.== 1
-      action = "action_create_subscription_to_channel"
-    elsif env.params.query["action_remove_subscriptions"]?.try &.to_i?.try &.== 1
-      action = "action_remove_subscriptions"
-    else
-      return env.redirect referer
-    end
-
     channel_id = env.params.query["c"]?
     channel_id ||= ""
 
-    case action
-    when "action_create_subscription_to_channel"
+    case action = env.params.query["action"]?
+    when "create_subscription_to_channel"
       if !user.subscriptions.includes? channel_id
         get_channel(channel_id)
         Invidious::Database::Users.subscribe_channel(user, channel_id)
       end
-    when "action_remove_subscriptions"
+    when "remove_subscriptions"
       Invidious::Database::Users.unsubscribe_channel(user, channel_id)
     else
       return error_json(400, "Unsupported action #{action}")
diff --git a/src/invidious/views/components/subscribe_widget.ecr b/src/invidious/views/components/subscribe_widget.ecr
index 05e4e253e..3cfcb0ebd 100644
--- a/src/invidious/views/components/subscribe_widget.ecr
+++ b/src/invidious/views/components/subscribe_widget.ecr
@@ -1,13 +1,13 @@
 <% if user %>
     <% if subscriptions.includes? ucid %>
-            <form action="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
+            <form action="/subscription_ajax?action=remove_subscriptions&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                 <button data-type="unsubscribe" id="subscribe" class="pure-button pure-button-primary">
                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %>"></b>
                 </button>
             </form>
     <% else %>
-            <form action="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
+            <form action="/subscription_ajax?action=create_subscription_to_channel&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
                 <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                 <button data-type="subscribe" id="subscribe" class="pure-button pure-button-primary">
                     <b><input style="all:unset" type="submit" value="<%= translate(locale, "Subscribe") %> | <%= sub_count_text %>"></b>
diff --git a/src/invidious/views/user/subscription_manager.ecr b/src/invidious/views/user/subscription_manager.ecr
index c9801f094..d566e2285 100644
--- a/src/invidious/views/user/subscription_manager.ecr
+++ b/src/invidious/views/user/subscription_manager.ecr
@@ -37,7 +37,7 @@
             <div class="pure-u-2-5"></div>
             <div class="pure-u-1-5" style="text-align:right">
                 <h3 style="padding-right:0.5em">
-                    <form data-onsubmit="return_false" action="/subscription_ajax?action_remove_subscriptions=1&c=<%= channel.id %>&referer=<%= env.get("current_page") %>" method="post">
+                    <form data-onsubmit="return_false" action="/subscription_ajax?action=remove_subscriptions&c=<%= channel.id %>&referer=<%= env.get("current_page") %>" method="post">
                         <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                         <input style="all:unset" type="submit" data-onclick="remove_subscription" data-ucid="<%= channel.id %>" value="<%= translate(locale, "unsubscribe") %>">
                     </form>

From dbd96c77e457ae17f55490315ffab325d2560e55 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Tue, 29 Oct 2024 18:21:58 +0100
Subject: [PATCH 3/5] Routes: Simplify actions in token_ajax

---
 assets/js/handlers.js                      |  2 +-
 src/invidious/routes/account.cr            | 14 +++-----------
 src/invidious/views/user/token_manager.ecr |  2 +-
 3 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/assets/js/handlers.js b/assets/js/handlers.js
index a3199fa7f..67cd90813 100644
--- a/assets/js/handlers.js
+++ b/assets/js/handlers.js
@@ -91,7 +91,7 @@
         var count = document.getElementById('count');
         count.textContent--;
 
-        var url = '/token_ajax?action_revoke_token=1&redirect=false' +
+        var url = '/token_ajax?action=revoke_token&redirect=false' +
             '&referer=' + encodeURIComponent(location.href) +
             '&session=' + target.getAttribute('data-session');
 
diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index dd65e7a60..c8db207c2 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -328,17 +328,9 @@ module Invidious::Routes::Account
       end
     end
 
-    if env.params.query["action_revoke_token"]?
-      action = "action_revoke_token"
-    else
-      return env.redirect referer
-    end
-
-    session = env.params.query["session"]?
-    session ||= ""
-
-    case action
-    when .starts_with? "action_revoke_token"
+    case action = env.params.query["action"]?
+    when "revoke_token"
+      session = env.params.query["session"]
       Invidious::Database::SessionIDs.delete(sid: session, email: user.email)
     else
       return error_json(400, "Unsupported action #{action}")
diff --git a/src/invidious/views/user/token_manager.ecr b/src/invidious/views/user/token_manager.ecr
index a73fa048c..8431deb04 100644
--- a/src/invidious/views/user/token_manager.ecr
+++ b/src/invidious/views/user/token_manager.ecr
@@ -29,7 +29,7 @@
         </div>
         <div class="pure-u-1-5" style="text-align:right">
             <h3 style="padding-right:0.5em">
-                <form data-onsubmit="return_false" action="/token_ajax?action_revoke_token=1&session=<%= token[:session] %>&referer=<%= env.get("current_page") %>" method="post">
+                <form data-onsubmit="return_false" action="/token_ajax?action=revoke_token&session=<%= token[:session] %>&referer=<%= env.get("current_page") %>" method="post">
                     <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                     <input style="all:unset" type="submit" data-onclick="revoke_token" data-session="<%= token[:session] %>" value="<%= translate(locale, "revoke") %>">
                 </form>

From dbdf2ad23a3956617a124b193a4e7f2f2a4896e6 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Tue, 29 Oct 2024 18:27:53 +0100
Subject: [PATCH 4/5] Routes: Simplify actions in watch_ajax

---
 assets/js/watched_widget.js             |  4 ++--
 src/invidious/routes/watch.cr           | 14 +++-----------
 src/invidious/views/components/item.ecr |  2 +-
 src/invidious/views/feeds/history.ecr   |  2 +-
 4 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/assets/js/watched_widget.js b/assets/js/watched_widget.js
index f1ac9cb47..06af62cc6 100644
--- a/assets/js/watched_widget.js
+++ b/assets/js/watched_widget.js
@@ -6,7 +6,7 @@ function mark_watched(target) {
     var tile = target.parentNode.parentNode.parentNode.parentNode.parentNode;
     tile.style.display = 'none';
 
-    var url = '/watch_ajax?action_mark_watched=1&redirect=false' +
+    var url = '/watch_ajax?action=mark_watched&redirect=false' +
         '&id=' + target.getAttribute('data-id');
 
     helpers.xhr('POST', url, {payload: payload}, {
@@ -22,7 +22,7 @@ function mark_unwatched(target) {
     var count = document.getElementById('count');
     count.textContent--;
 
-    var url = '/watch_ajax?action_mark_unwatched=1&redirect=false' +
+    var url = '/watch_ajax?action=mark_unwatched&redirect=false' +
         '&id=' + target.getAttribute('data-id');
 
     helpers.xhr('POST', url, {payload: payload}, {
diff --git a/src/invidious/routes/watch.cr b/src/invidious/routes/watch.cr
index aabe8dfc2..27b96730b 100644
--- a/src/invidious/routes/watch.cr
+++ b/src/invidious/routes/watch.cr
@@ -241,18 +241,10 @@ module Invidious::Routes::Watch
       end
     end
 
-    if env.params.query["action_mark_watched"]?
-      action = "action_mark_watched"
-    elsif env.params.query["action_mark_unwatched"]?
-      action = "action_mark_unwatched"
-    else
-      return env.redirect referer
-    end
-
-    case action
-    when "action_mark_watched"
+    case action = env.params.query["action"]?
+    when "mark_watched"
       Invidious::Database::Users.mark_watched(user, id)
-    when "action_mark_unwatched"
+    when "mark_unwatched"
       Invidious::Database::Users.mark_unwatched(user, id)
     else
       return error_json(400, "Unsupported action #{action}")
diff --git a/src/invidious/views/components/item.ecr b/src/invidious/views/components/item.ecr
index dc8421a53..c966a9264 100644
--- a/src/invidious/views/components/item.ecr
+++ b/src/invidious/views/components/item.ecr
@@ -128,7 +128,7 @@
 
                 <div class="top-left-overlay">
                     <%- if env.get? "show_watched" -%>
-                        <form data-onsubmit="return_false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
+                        <form data-onsubmit="return_false" action="/watch_ajax?action=mark_watched&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
                             <input type="hidden" name="csrf_token" value="<%= HTML.escape(env.get?("csrf_token").try &.as(String) || "") %>">
                             <button type="submit" class="pure-button pure-button-secondary low-profile"
                                     data-onclick="mark_watched" data-id="<%= item.id %>">
diff --git a/src/invidious/views/feeds/history.ecr b/src/invidious/views/feeds/history.ecr
index bda4e1f3a..13fe41479 100644
--- a/src/invidious/views/feeds/history.ecr
+++ b/src/invidious/views/feeds/history.ecr
@@ -37,7 +37,7 @@
                     </a>
 
                     <div class="top-left-overlay"><div class="watched">
-                    <form data-onsubmit="return_false" action="/watch_ajax?action_mark_unwatched=1&id=<%= item %>&referer=<%= env.get("current_page") %>" method="post">
+                    <form data-onsubmit="return_false" action="/watch_ajax?action=mark_unwatched&id=<%= item %>&referer=<%= env.get("current_page") %>" method="post">
                         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
                         <button type="submit" class="pure-button pure-button-secondary low-profile"
                                 data-onclick="mark_unwatched" data-id="<%= item %>"><i class="icon ion-md-trash"></i></button>

From b0c7dd977151d30e85f0095f35de892624e87a35 Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Tue, 29 Oct 2024 22:14:20 +0100
Subject: [PATCH 5/5] HTML: Replace hidden 'action' input with query parameter

The server side can only handle parameters passed as URL query
parameters and not inside the request body
---
 src/invidious/views/watch.ecr | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/invidious/views/watch.ecr b/src/invidious/views/watch.ecr
index ce111d696..6f9ced6fc 100644
--- a/src/invidious/views/watch.ecr
+++ b/src/invidious/views/watch.ecr
@@ -158,7 +158,7 @@ we're going to need to do it here in order to allow for translations.
             <% if user %>
                 <% playlists = Invidious::Database::Playlists.select_user_created_playlists(user.email) %>
                 <% if !playlists.empty? %>
-                    <form data-onsubmit="return_false" class="pure-form pure-form-stacked" action="/playlist_ajax" method="post" target="_blank">
+                    <form data-onsubmit="return_false" class="pure-form pure-form-stacked" action="/playlist_ajax?action=add_video" method="post" target="_blank">
                         <div class="pure-control-group">
                             <label for="playlist_id"><%= translate(locale, "Add to playlist: ") %></label>
                             <select style="width:100%" name="playlist_id" id="playlist_id">
@@ -169,7 +169,6 @@ we're going to need to do it here in order to allow for translations.
                         </div>
 
                         <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
-                        <input type="hidden" name="action" value="add_video">
                         <input type="hidden" name="video_id" value="<%= video.id %>">
                         <button data-onclick="add_playlist_video" data-id="<%= video.id %>" type="submit" class="pure-button pure-button-primary">
                             <b><%= translate(locale, "Add to playlist") %></b>