From Legal Nightmare to Live Product: How I Finally Finished Opticast
This is a submission for the GitHub Finish-Up-A-Thon Challenge
What I Built
Opticast is a creator-permissioned SaaS platform that automatically converts YouTube video uploads into podcast-quality audio episodes and distributes them to Spotify, Apple Podcasts, Amazon Music, and every major podcast directory — via a standard RSS 2.0 feed.
The moment a creator publishes a new YouTube video, Opticast detects it via YouTube's WebSub (PubSubHubbub) push notification system, extracts the audio using yt-dlp, normalises it to broadcast-standard –16 LUFS with FFmpeg, uploads it to Cloudinary, and regenerates the creator's RSS feed — all without the creator lifting a finger after the initial setup.
Core features:
- Google OAuth onboarding — creators connect their YouTube channel in under 5 minutes
- Real-time video detection via WebSub with a 15-minute polling fallback
- Automated audio pipeline: yt-dlp → FFmpeg loudness normalisation → Cloudinary storage
- RSS 2.0 feed with full Apple Podcasts namespace and Podcasting 2.0 support (chapters, transcripts, funding)
- Directory submission wizard for Spotify, Apple Podcasts, and Amazon Music
- IABv2 analytics — downloads, geographic breakdown, podcast app breakdown, weekly digest email
- Tiered subscriptions (Free, Starter, Pro, Agency) via Polar.sh
Tech stack: Next.js · Django 5 · DRF · Inngest · PostgreSQL · Redis · Cloudinary · Polar.sh · Docker
This project means a lot to me — not just as a technical achievement, but because it represents two years of iteration, a hard pivot, and the stubborn refusal to let a good idea die.
Demo
🔗 Live app: https://opticast-eta.vercel.app/
⚠️ Note on the Google OAuth warning: When signing in, you may see a Google security screen warning about an unverified app. This is expected — the project is registered under the domain
satiric-techin Google Console, which hasn't been verified yet. The OAuth flow is fully functional; the warning is purely a domain verification formality and will be resolved before the public launch.
🎬 Video walkthrough: [https://www.loom.com/share/dd51a9bd1f3641cb906e71dd29f5189b]
Screenshots:
The Comeback Story
Act 1: YouAudio (2 years ago)
Two years ago I built the first version of this idea and called it YouAudio.
The concept was simple: users subscribe to any YouTube channel they like, and the moment a new video drops, they automatically receive the audio version as a podcast episode in their feed. No creator involvement needed.
YouAudio launched, worked, and had real users. Then reality arrived: YouTube's Terms of Service made the user-side audio ripping approach legally untenable. I wasn't processing content with creator consent — I was doing it on behalf of subscribers without it. Continuing down that road wasn't something I was willing to do.
YouAudio still runs today. But I knew the model was broken.
Act 2: The Rewrite
Rather than abandon the core idea, I rebuilt it correctly from scratch as Opticast.
The insight was simple: if creators explicitly authorise access via Google OAuth, every legal concern evaporates — and you end up with a better product anyway, because creators can customise their feed, track analytics, and actually own their podcast presence.
The full rewrite gave me:
| Before (YouAudio) | After (Opticast) |
|---|---|
| User-side subscription model | Creator-permissioned via Google OAuth |
| No creator involvement | Creator dashboard, feed settings, billing |
| Legally questionable | Within YouTube TOS |
| No analytics | IABv2 download analytics |
| No monetisation | Tiered plans via Polar.sh |
Act 3: The Finish Line (This Challenge)
When I found this challenge, Opticast was deployed and functional — but incomplete. Here's exactly what the state was before I started:
- ✅ Google OAuth onboarding — working
- ✅ Creator dashboard, episode manager, feed settings — working
- ✅ FFmpeg audio pipeline — working
- ✅ RSS feed generation — working
- ✅ Polar.sh billing — working
- ❌ WebSub pipeline — absent
- ❌ HMAC signature verification on push callbacks — absent
- ❌ Polling fallback for missed WebSub pings — absent
Without WebSub, Opticast was a manual tool. With it, it's an autonomous pipeline. That's the difference between a prototype and a product.
This challenge gave me the deadline I needed. The WebSub pipeline is now fully implemented, HMAC-verified, and live. Opticast is finished.
My Experience with GitHub Copilot
I built Opticast as a team of two: me and GitHub Copilot. I was the architect — I designed the app structure, wrote the AGENTS.md and SKILL.md rules, chose every external integration, and reviewed and tested every change before it was committed. Copilot was the executor.
Where it saved me the most time
The FFmpeg/yt-dlp audio pipeline was the first major win. Getting the right combination of yt-dlp flags for audio-only extraction, then chaining FFmpeg's loudnorm filter correctly to hit the –16 LUFS broadcast standard, involves a lot of fiddly parameter tuning. Copilot generated a solid first-pass implementation that I refined — work that would have cost me hours of documentation-diving compressed into minutes.
Here's the core of what it produced:
import logging
from googleapiclient.discovery import build
from google.oauth2.credentials import Credentials
from google.auth.transport.requests import Request
from django.utils import timezone
from django.conf import settings
logger = logging.getLogger('apps.channels')
class YouTubeService:
"""
Thin wrapper around the YouTube Data API v3.
Automatically refreshes expired OAuth tokens.
"""
def __init__(self, creator):
self.creator = creator
self._client = None
@property
def client(self):
if self._client is None:
logger.debug(f"Initializing YouTube client for creator {self.creator.email}")
try:
creds = Credentials(
token = self.creator.google_access_token,
refresh_token = self.creator.google_refresh_token,
token_uri = 'https://oauth2.googleapis.com/token',
client_id = settings.GOOGLE_OAUTH_CLIENT_ID,
client_secret = settings.GOOGLE_OAUTH_CLIENT_SECRET,
)
if not creds.token:
logger.warning(f"No access token for creator {self.creator.email}")
if creds.expired:
logger.info(f"Token expired for creator {self.creator.email}, attempting refresh")
if not creds.refresh_token:
logger.error(f"Cannot refresh token for {self.creator.email}: missing refresh token")
creds.refresh(Request())
self.creator.google_access_token = creds.token
self.creator.token_expiry = creds.expiry
self.creator.save(update_fields=['google_access_token', 'token_expiry'])
logger.info(f"Token refreshed successfully for {self.creator.email}")
self._client = build('youtube', 'v3', credentials=creds)
except Exception as e:
logger.exception(f"Failed to initialize YouTube client for {self.creator.email}: {e}")
raise
return self._client
def verify_channel_ownership(self, youtube_channel_id):
"""Returns channel metadata only if the authenticated creator owns the channel."""
logger.debug(f"Verifying ownership for channel {youtube_channel_id}")
try:
response = self.client.channels().list(
part='snippet,contentDetails',
mine=True,
).execute()
for item in response.get('items', []):
if item['id'] == youtube_channel_id:
logger.info(f"Ownership verified for channel {youtube_channel_id}")
return self._parse_channel_item(item)
logger.warning(f"Ownership NOT verified for channel {youtube_channel_id}. Channel not in user's list.")
return None
except Exception as e:
logger.exception(f"YouTube API error during verify_channel_ownership: {e}")
raise
def list_my_channels(self):
"""Returns all channels owned by the authenticated creator."""
logger.debug(f"Listing channels for creator {self.creator.email}")
try:
response = self.client.channels().list(
part='snippet,contentDetails',
mine=True,
).execute()
channels = []
for item in response.get('items', []):
channels.append(self._parse_channel_item(item))
logger.info(f"Retrieved {len(channels)} channels for {self.creator.email}")
return channels
except Exception as e:
logger.exception(f"YouTube API error during list_my_channels for {self.creator.email}: {e}")
raise
def get_channel_metadata(self, youtube_channel_id):
response = self.client.channels().list(
part='snippet,contentDetails',
id=youtube_channel_id,
).execute()
items = response.get('items', [])
return self._parse_channel_item(items[0]) if items else None
def get_latest_videos(self, uploads_playlist_id, max_results=50):
"""Used by polling fallback task."""
response = self.client.playlistItems().list(
part='snippet,contentDetails',
playlistId=uploads_playlist_id,
maxResults=max_results,
).execute()
return response.get('items', [])
def get_video_details(self, video_id):
response = self.client.videos().list(
part='snippet,contentDetails,status',
id=video_id,
).execute()
items = response.get('items', [])
return items[0] if items else None
def _parse_channel_item(self, item):
snippet = item['snippet']
content_details = item.get('contentDetails', {})
thumbnails = snippet.get('thumbnails', {})
thumbnail_url = (thumbnails.get('high') or thumbnails.get('default') or {}).get('url', '')
return {
'id': item['id'],
'title': snippet['title'],
'description': snippet.get('description', ''),
'thumbnail_url': thumbnail_url,
'uploads_playlist_id': content_details.get('relatedPlaylists', {}).get('uploads', ''),
}
The WebSub callback verification logic was the second. WebSub's challenge-response handshake (the hub.challenge verification flow) is well-specified but verbose to implement correctly. Copilot handled the boilerplate fluently.
Where I had to take the wheel
HMAC signature verification was a critical gap. Copilot implemented the WebSub callback handler but left out the HMAC-SHA1 signature check on incoming push notifications — the step that verifies the payload actually came from Google's hub and not an attacker spoofing the endpoint. Without it, the backend was open to forged push notifications.
I caught it during code review, implemented the fix, and added it to my AGENTS.md rules so Copilot would never skip it again on security-sensitive handlers:
@classmethod
def verify_notification_signature(cls, channel, body: bytes, signature_header: str) -> bool:
"""
Validates the X-Hub-Signature header on incoming POST notifications.
Always call this before processing any notification payload.
Usage in your view:
if not WebSubService.verify_notification_signature(channel, request.body, request.headers.get('X-Hub-Signature', '')):
return HttpResponse(status=403)
"""
if not signature_header:
logger.warning(
'Missing X-Hub-Signature for channel %s', channel.youtube_channel_id,
)
return False
try:
method, provided_digest = signature_header.split('=', 1)
except ValueError:
logger.warning('Malformed X-Hub-Signature header: %s', signature_header)
return False
hash_fn = {'sha1': hashlib.sha1, 'sha256': hashlib.sha256}.get(method)
if not hash_fn:
logger.warning('Unsupported X-Hub-Signature method: %s', method)
return False
expected_digest = hmac.new(
cls._hub_secret(channel).encode(),
body,
hash_fn,
).hexdigest()
if not hmac.compare_digest(expected_digest, provided_digest):
logger.warning(
'X-Hub-Signature mismatch for channel %s', channel.youtube_channel_id,
)
return False
return True
Every time Copilot missed something like this, I encoded the fix into AGENTS.md. By the end, the rules file meant Copilot's first drafts were structurally correct far more often. The rules compound.
UI design required more iteration than expected. Opticast uses a custom design system (Soft Minimalism / "Digital Curator" aesthetic — no 1px borders, surface-tier depth instead of shadows, electric violet accent). Copilot's default component suggestions drifted toward generic SaaS patterns. Getting the frontend to match the design spec took several rounds of correction and explicit prompting.
The meta-lesson
The most valuable thing I did was write AGENTS.md upfront — explicit rules about architecture decisions, security requirements, and design constraints. Every time Copilot missed something (like the HMAC check), I updated the rules. By the end, Copilot was generating code that matched my standards on the first pass far more consistently than at the start. The rules file compounds.
What I Learned
Write the rules before writing the code. The
AGENTS.mdfile was the highest-leverage thing I produced. It turns Copilot from a generic code generator into something that understands your specific system — and the value grows with every correction you encode into it.A legal constraint can be a product insight. YouAudio's TOS problem forced a pivot to creator-permissioned architecture. That constraint produced a better product: one where creators own their feed, control their brand, and can actually monetise their audience. The obstacle became the design.
Ship the automation last, not first. The WebSub pipeline is the heart of Opticast — but I built everything around it first (dashboard, billing, analytics, feed generation). By the time I wired up WebSub, I had a stable system to plug it into. Finishing in the right order matters.
Built solo by [@oseni03] — just me, two years of iteration, and a very capable AI pair programmer.
Top comments (0)