🍿 TMDB Embed API

Modern, configurable streaming metadata + source aggregation API with a secure admin panel and multi-key TMDB rotation.

📸 Screenshots

✨ Features

Multi‑TMDB Key Rotation – Supply multiple API keys; one is chosen randomly per request.
Provider Aggregation – Pluggable providers (Showbox, 4khdhub, MoviesMod, MP4Hydra, VidZee, Vixsrc, UHDMovies) with per‑provider enable toggles + default selection.
🔥 Plugin System – Drop new provider files in providers/ and add its exported function to the registry map (providers/registry.js → providerFunctionMap).
Dynamic Filtering – Minimum quality presets, custom JSON quality map, codec exclusion rules (presets + JSON).
Runtime Overrides UI – Fully interactive web admin at / (login protected) writing to utils/user-config.json.
Session Auth + Rate Limiting – Login system with brute‑force lockouts, logout, password change.
Status & Health Panel – Live metrics, provider status, endpoint list, functional provider checks.
Config Propagation – Overrides mirrored to process.env for legacy compatibility (no .env required after first save).
Back‑Navigation Safe – Cache-control + visibility/session revalidation.
Extensible – Simple drop-in provider plugin system.
Optional Stream Proxy Layer – When enabled, rewrites returned stream URLs so HLS playlists, TS segments, and subtitles are served through internal endpoints (/m3u8-proxy, /ts-proxy, /sub-proxy) allowing uniform headers, origin shielding, and optional segment caching. When active the API omits per-stream headers objects from responses (they're no longer needed by clients) to avoid leaking upstream header requirements.

Proxy Tuning Parameters (query flags accepted by /ts-proxy – defaults shown):
- clampOpen (on) – If a client sends an ambiguous Range: bytes=0-, constrain it to an initial window of openChunkKB (default 4096 KB) to avoid huge first reads.
- openChunkKB=4096 – Size (KB) used for both clamp window and each progressive expansion increment.
- progressiveOpen (on) – Grow successive ambiguous head requests (bytes=0-) incrementally instead of one large span. Maintains a per‑URL expansion map.
- initChunkKB=512 – Size used for a synthetic initial partial (206) when no client range is provided and progressive growth is disabled. Capped 64–2048 KB.
- noSynth=1 – Disable synthetic initial partial generation (forces pass‑through behavior).
- force200=1 – Normalize upstream 206 responses to 200 (diagnostics / edge player testing).
- tailPrefetch (on) – Enable asynchronous tail fetch of the file’s last bytes to satisfy rapid player tail probes.
- tailPrefetchKB=256 – Tail window size (64–2048 KB). Cached in memory with TTL cleanup. Behavior Notes:
- Synthetic partials auto‑disable when progressiveOpen is active (real progressive ranges preferred).
- Player tail probes (e.g., VLC metadata scans) are accelerated by the cached tail window.
- Forced 200 mode strips Content-Range to emulate full responses for troubleshooting.
- Host Overrides: pixeldrain.* and video-downloads.googleusercontent.com URLs are routed through /ts-proxy regardless of extension to ensure correct range + MIME handling.

📦 Quick Start

# 1. Install dependencies
npm install

# 2. (Optional) Copy example env if you want an initial TMDB key
cp .env.example .env   # then edit TMDB_API_KEY=

# 3. Start API with automatic restarts (recommended for local dev)
npm start

# Or production-style single run
# node apiServer.js

# 4. Open the Admin UI (login page) in browser
http://localhost:8787/

# 5. Health check
curl http://localhost:8787/api/health

🐳 Docker Usage

Pull & Run (Fastest)

If you just want to run it (no building):

docker pull inside4ndroid/tmdb-embed-api:latest
docker run --name tmdb-embed-api -p 8787:8787 \ 
  -e TMDB_API_KEY=YOUR_TMDB_KEY \
  inside4ndroid/tmdb-embed-api:latest

Or the minimal quick-test run:

docker run -it -p 8787:8787 inside4ndroid/tmdb-embed-api:latest

Persist overrides (Windows PowerShell example) by mounting a local file:

New-Item -ItemType File -Path .\utils\user-config.json -Force | Out-Null
docker run --name tmdb-embed-api -p 8787:8787 `
  -e TMDB_API_KEY=YOUR_TMDB_KEY `
  -v ${PWD}/utils/user-config.json:/app/utils/user-config.json `
  inside4ndroid/tmdb-embed-api:latest

Build Locally

docker build -t tmdb-embed-api .
docker run --name tmdb-embed -p 8787:8787 \
  -e TMDB_API_KEY=YOUR_TMDB_KEY \
  -v "$(pwd)/utils/user-config.json:/app/utils/user-config.json" \
  tmdb-embed-api

After first login + save, the UI writes overrides into the mounted user-config.json so they persist across container restarts.

docker-compose

An example docker-compose.yml is included. Start with:

docker compose up -d --build

Environment variables can be supplied via a .env file in the same directory (Compose automatically loads it). Example .env:

TMDB_API_KEY=first_key
FEBBOX_COOKIES=cookie1,cookie2

To stop & remove:

docker compose down

Switching to Multiple TMDB Keys

Either set TMDB_API_KEYS to a JSON array string:

docker run -p 8787:8787 \
  -e TMDB_API_KEYS='["KEY1","KEY2","KEY3"]' \
  tmdb-embed-api

or add / remove keys inside the Admin UI (Keys panel) and save.

Key Environment Variables

Variable	Purpose	Notes
`API_PORT`	Port the server listens on	Defaults to 8787
`TMDB_API_KEY`	Single TMDB key (legacy)	Use if you only have one key
`TMDB_API_KEYS`	JSON array of keys	Overrides single key when present
`FEBBOX_COOKIES`	Comma separated FebBox cookies	Enables Showbox provider immediately
`PASSWORD_HASH`	Pre-seed admin password hash	Optional (UI can set)
`ADMIN_USERNAME`	Override default username	Default: `admin`

If both TMDB_API_KEY and TMDB_API_KEYS are provided, rotation uses the array. Clearing the array in the UI also clears the legacy key.

Updating the Image

docker compose pull   # if using an external registry (future)
docker compose up -d --build

### Restart from Admin UI
The Admin panel includes a Restart Server control.
- Local (nodemon): the backend writes a `restart.trigger` file and exits; nodemon detects the change and restarts automatically.
- Docker Compose: the container exits and is restarted by `restart: unless-stopped`.

Healthcheck

Container health relies on GET /api/health. If you disable or modify that route, adjust the Dockerfile / compose healthcheck accordingly.

�🔐 Authentication

The root (/) serves the login page. After successful login a session cookie (session) is issued (HttpOnly; 12h lifetime). All admin pages (e.g. config.html) require an active session.

Endpoint	Method	Purpose
`/auth/login`	POST	Authenticate (JSON: `{ username, password }`)
`/auth/logout`	POST	Destroy session
`/auth/session`	GET	Check session status
`/auth/change-password`	POST	Update password (requires session)

Repeated failed logins trigger exponential lockouts (Retry-After header emitted).

🛠 Configuration Model

All runtime state collapses into a merged object displayed in the UI (Live Config panel). Source order:

Initial environment variables / optional .env
JSON overrides: utils/user-config.json

Saving in the UI writes only changed keys. Setting a field to empty removes the override (reverting to env/default). Removing all TMDB keys (and saving) clears tmdbApiKeys and the legacy tmdbApiKey.

Override File: utils/user-config.json

{
  "defaultProviders": ["showbox","4khdhub"],
  "tmdbApiKeys": ["KEY_A","KEY_B"],
  "enableShowboxProvider": true
}

🎛 Admin UI Sections

Panel	Summary
Core	Port, default providers, default region
Quality / Filters	Min quality presets & codec exclusion JSON
Keys	Add/remove TMDB API keys (rotated randomly)
FebBox / PStream	Manage FebBox cookies powering Showbox provider
Advanced	Provider toggles, cache & validation flags
Server Status	Live metrics, provider functional checks
Live Config	View merged + override JSON snapshots

Session is revalidated on visibility and back/forward navigation to prevent stale access.

🔌 Providers

The API supports a plugin system. Drop a new provider file in the providers/ folder and register its exported function in providers/registry.js under providerFunctionMap.

Current Built-in Providers

showbox - Showbox/PStream integration
4khdhub - 4KHDHub streams
moviesmod - MoviesMod streams
mp4hydra - MP4Hydra streams
vidzee - VidZee streams
vixsrc - Vixsrc streams
uhdmovies - UHD Movies streams

Adding a New Provider

Create providers/yourprovider.js with your stream fetching logic
Export a function like getYourproviderStreams(tmdbId, mediaType, season, episode)

Register it in providers/registry.js → providerFunctionMap:

// providers/registry.js
const providerFunctionMap = {
  'Showbox.js': 'getStreamsFromTmdbId',
  '4khdhub.js': 'get4KHDHubStreams',
  'moviesmod.js': 'getMoviesModStreams',
  'MP4Hydra.js': 'getMP4HydraStreams',
  'VidZee.js': 'getVidZeeStreams',
  'vixsrc.js': 'getVixsrcStreams',

'uhdmovies.js': 'getUHDMoviesStreams', 'yourprovider.js': 'getYourproviderStreams' };

4. The provider will appear in the admin UI with an enable/disable toggle.

**Example Provider (Unified Output):**
```javascript
async function getYourproviderStreams(tmdbId, mediaType, season, episode) {
// Your scraping/API logic here
return [{
 title: "Fight Club - 1080p [YourProvider #1]",
 url: "https://stream.url/video.mp4",
 quality: "1080p",
 provider: "yourprovider",
 headers: { "User-Agent": "Mozilla/5.0" }
}];
}

module.exports = { getYourproviderStreams };

⚠️ Important: All providers must return streams in the unified JSON format to ensure compatibility with filtering and aggregation.

The system automatically:

✅ Detects new provider files
✅ Adds enable/disable toggles in the admin UI
✅ Includes them in stream aggregation
✅ Applies filtering and quality controls
✅ No core file edits required!

📡 Key Endpoints

Endpoint	Description
`GET /api/health`	Basic heartbeat
`GET /api/metrics`	Runtime counters & summary
`GET /api/status`	Metrics + providers + endpoints list
`GET /api/providers`	Enabled providers summary
`GET /api/providers/:name`	Single provider status
`GET /api/streams/:type/:tmdbId`	Aggregate streams (`type` = movie
`GET /api/streams/:provider/:type/:tmdbId`	Provider-specific streams
`GET /api/config`	`{ merged, override }`
`POST /api/config`	Apply override patch

Aggregate endpoint auto-resolves IMDb when needed and merges provider output before filtering.

🧪 Stream Object Schema (Unified)

{
  "title": "Fight Club - 1080p [MP4Hydra #2]",
  "url": "https://stream.url/video.mp4",
  "quality": "1080p",
  "provider": "mp4hydra",
  "headers": { "User-Agent": "Mozilla/5.0" }
}

Filtering passes through applyFilters to enforce min quality + codec exclusions.

Note: When the enableProxy flag is turned on, provider-specific request headers are stripped from each stream object before responding. Clients should use the proxied URL directly without adding custom Referer/Origin headers.

⚙️ Configuration Flags (Advanced Panel)

Flag	Default	Purpose
disableCache	false	Disables internal caches (Showbox + proxy segment cache)
enablePStreamApi	true	Enables Showbox PStream-specific handling
disableUrlValidation	false	Skip general URL pattern validation checks
disable4khdhubUrlValidation	false	Skip 4khdhub-specific URL validation
enableProxy	false	Mounts proxy routes and rewrites stream URLs through them

Toggle enableProxy to activate the internal proxy. This adds lightweight playlist/segment/subtitle rewriting without modifying provider code. Disable it to return direct upstream URLs.

🧩 Quality & Codec Filtering

Presets: all, 480p, 720p, 1080p, 1440p, 2160p.
Custom quality JSON example:

{ "default": "900p", "showbox": "1080p" }

Codec exclusion JSON example:

{ "excludeDV": true, "excludeHDR": false }

🔐 Security Notes

Admin UI requires login; session cookie is HttpOnly.
Cache-control headers disable storing sensitive pages.
Login is rate limited with escalating lockouts.
Password change endpoint enforces minimum length.

🚀 Deployment Tips

Aspect	Recommendation
Node Version	18+ LTS
Reverse Proxy	Terminate TLS (e.g., Nginx) and forward to API port
Persistent Config	Mount / persist `utils/user-config.json`
Logs	Pipe stdout to centralized logger
Scaling	Use a single instance unless providers are CPU bound

For ephemeral platforms (e.g., Vercel) note that some providers use temporary directories; avoid enabling disk-heavy cache directories.

💡 Troubleshooting

Symptom	Cause / Fix
No streams from Showbox	Missing FebBox cookies
TMDB quota issues	Add more keys under Keys panel
Provider missing in matrix	Ensure its enable flag exists & UI updated
Empty merged config after restart	`user-config.json` deleted or unreadable
Streams low quality	Adjust min quality preset or custom JSON

🤝 Contributing

PRs welcome. Keep changes focused and avoid unrelated formatting churn. For new providers include:

A short rationale
Retry / timeout safeguards
Respect for existing filtering structure

❤️ Sponsorship

If this project helps you, consider sponsoring to support continued development & maintenance:

➡️ GitHub Sponsors: https://github.com/sponsors/Inside4ndroid

Every contribution accelerates feature delivery & sustainability.

📜 License

MIT. See LICENSE.

🙏 Acknowledgements

Inspired by community scraping/stream aggregation efforts. Credits also to the original NuvioStreamsAddon work for earlier concepts.

Happy streaming & hacking! ✨

Name		Name	Last commit message	Last commit date
Latest commit History 70 Commits
.github/workflows		.github/workflows
providers		providers
proxy		proxy
public		public
screenshots		screenshots
scripts		scripts
utils		utils
.dockerignore		.dockerignore
.eslintignore		.eslintignore
.eslintrc.cjs		.eslintrc.cjs
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
Dockerfile		Dockerfile
LICENSE.md		LICENSE.md
README.md		README.md
apiServer.js		apiServer.js
docker-compose.yml		docker-compose.yml
package-lock.json		package-lock.json
package.json		package.json
restart.trigger		restart.trigger

License

Inside4ndroid/TMDB-Embed-API

Folders and files

Latest commit

History

Repository files navigation