Problem: Serve a video to a client if and only if the client has signed up and paid the price for the video.
Constraints: Minimize theft and sharing of videos to any client which has not paid. Prevent videos from being downloaded(?).
Worst Case: A video is bought by a user, screen-captured, and redistributed. Alternatively, a paying user decides to share their username/password with other users.
1. Implement a basic user accounts system.
2. Dynamically watermark/brand all videos to mitigate screen-capture theft.
3. Store encrypted/restricted videos on S3, restrict access via CloudFront.
4. Use Braintree/Stripe/Cryptocurrency to capture payments for a given video. Upon payment by client, mark the user as having access to the corresponding video.
5. Use a short-lived/one-time token to grant access to CloudFront endpoint for any paid client. Upon accessing the video after token expiration, a new token will be issued. This prevents users from sharing URLs with friends who haven't signed up and paid. The user would be forced to share their sign-in token or username/password, which is not preferable. Mitigating this with IP restrictions may not be worth the implementation time.
Are there any other major steps that need to be taken here, or have I covered all my bases?
With the above solution, generalizing to recurrent (subscription-based) payments or paying for a set of videos shouldn't be hard. Are there any additional steps required for these generalizations, or are they relatively straightforward alterations to the solution above?
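The token flow in steps 4 and 5, together with the subscription case raised in the last paragraph, as an added example that is not part of the original post. It uses an HMAC-signed URL as a stand-in for CloudFront's own signed URLs (which are signed with an RSA key pair); the secret, paths, user names and entitlement table are constructed assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: known to the app and the edge check
TOKEN_TTL = 120                   # seconds; a shared URL goes stale quickly
FOREVER = float("inf")

# Constructed entitlements written at payment time (step 4):
# (user, video) -> epoch the access is paid until; FOREVER for a one-off purchase.
ENTITLEMENTS = {("alice", "vid1"): FOREVER, ("bob", "vid1"): 1_700_000_000}

def _sign(path, user, exp):
    msg = "\n".join([path, user, str(exp)]).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_url(user, video, now=None):
    """Step 5: mint a short-lived URL, but only while the user is paid up."""
    now = int(time.time()) if now is None else now
    until = ENTITLEMENTS.get((user, video), 0)  # 0 = never paid
    if now >= until:
        return None
    # The token never outlives the subscription it was issued under.
    exp = int(min(now + TOKEN_TTL, until))
    path = f"/videos/{video}.mp4"
    query = urlencode({"user": user, "exp": exp, "sig": _sign(path, user, exp)})
    return f"{path}?{query}"

def verify_url(url, now=None):
    """Edge-side check: signature covers path, user and expiry; expiry not passed."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, exp, sig = q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    expected = _sign(parts.path, user, exp)
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < exp
```

When a token expires mid-playback, the player calls `issue_url` again, which re-checks the entitlement before minting a new one, so a lapsed subscription stops at the next refresh.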