From ccc99ac7617272d5e10686783154571c0a23b2bb Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 18 Nov 2024 14:00:32 -0700 Subject: [PATCH 1/3] Enabled authenticated media by default --- CHANGELOG.md | 4 ++++ common/config/conf_main.go | 2 +- config.sample.yaml | 8 ++++---- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b02fbf8a..15962c9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ## [Unreleased] +### Changed + +* The global `repo.freezeUnauthenticatedMedia` option now defaults to `true`, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See `config.sample.yaml` for details. + ### Fixed * Return a 404 instead of 500 when clients access media which is frozen. diff --git a/common/config/conf_main.go b/common/config/conf_main.go index 8b7e3ac6..41d81bc1 100644 --- a/common/config/conf_main.go +++ b/common/config/conf_main.go @@ -32,7 +32,7 @@ func NewDefaultMainConfig() MainRepoConfig { LogLevel: "info", TrustAnyForward: false, UseForwardedHost: true, - FreezeUnauthenticatedMedia: false, + FreezeUnauthenticatedMedia: true, }, Database: DatabaseConfig{ Postgres: "postgres://your_username:your_password@localhost/database_name?sslmode=disable", diff --git a/config.sample.yaml b/config.sample.yaml index 5e037828..dd9dc286 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -40,10 +40,10 @@ repo: # only be accessible over authenticated endpoints, though future media will be accessible on both # authenticated and unauthenticated media. # - # This flag currently defaults to false. A future release, likely in August 2024, will remove this flag - # and have the same effect as it being true (always on). This flag is primarily intended for servers to - # opt-in to the behaviour early. - freezeUnauthenticatedMedia: false + # This flag defaults to true. Previously it defauled to false. A future release, likely in 2025, will + # remove this flag and have the same effect as it being true (always on). This flag is primarily + # intended for servers to opt-out of the behaviour while they are still testing compatibility. + freezeUnauthenticatedMedia: true # Options for dealing with federation federation: From eda0f3f24851d028a8da56216e1259d01fbfde26 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 18 Nov 2024 14:14:17 -0700 Subject: [PATCH 2/3] Fix tests --- test/upload_suite_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/upload_suite_test.go b/test/upload_suite_test.go index b203b8ce..042c2d85 100644 --- a/test/upload_suite_test.go +++ b/test/upload_suite_test.go @@ -62,7 +62,7 @@ func (s *UploadTestSuite) TestUpload() { assert.Equal(t, client1.ServerName, origin) assert.NotEmpty(t, mediaId) - raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), nil, "", nil) + raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), nil, "", nil) assert.NoError(t, err) assert.Equal(t, raw.StatusCode, http.StatusOK) test_internals.AssertIsTestImage(t, raw.Body) @@ -278,7 +278,7 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() { assert.NotEmpty(t, mediaId) // Do a test download to ensure that the media doesn't (yet) exist - errRes, err := client2.DoExpectError("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), url.Values{ + errRes, err := client2.DoExpectError("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), url.Values{ "timeout_ms": []string{"1000"}, }, "", nil) assert.NoError(t, err) @@ -303,7 +303,7 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() { assert.Equal(t, http.StatusConflict, errRes.InjectedStatusCode) // Download and test the upload - raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), nil, "", nil) + raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), nil, "", nil) assert.NoError(t, err) assert.Equal(t, raw.StatusCode, http.StatusOK) test_internals.AssertIsTestImage(t, raw.Body) From 2c558a6826ad96bb423da971d5b2780d641fb3fe Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 18 Nov 2024 14:47:19 -0700 Subject: [PATCH 3/3] Fix tests --- test/upload_suite_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/upload_suite_test.go b/test/upload_suite_test.go index 042c2d85..80bdcb9b 100644 --- a/test/upload_suite_test.go +++ b/test/upload_suite_test.go @@ -47,8 +47,8 @@ func (s *UploadTestSuite) TestUpload() { client2 := &test_internals.MatrixClient{ ClientServerUrl: s.deps.Machines[1].HttpUrl, // deliberately the second machine ServerName: s.deps.Homeservers[1].ServerName, // deliberately the second machine - AccessToken: "", // no auth for downloads - UserId: "", // no auth for downloads + AccessToken: s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken, + UserId: s.deps.Homeservers[1].UnprivilegedUsers[0].UserId, } contentType, img, err := test_internals.MakeTestImage(512, 512) @@ -258,8 +258,8 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() { client2 := &test_internals.MatrixClient{ ClientServerUrl: s.deps.Machines[1].HttpUrl, // deliberately the second machine ServerName: s.deps.Homeservers[1].ServerName, // deliberately the second machine - AccessToken: "", // no auth for downloads - UserId: "", // no auth for downloads + AccessToken: s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken, + UserId: s.deps.Homeservers[1].UnprivilegedUsers[0].UserId, } contentType, img, err := test_internals.MakeTestImage(512, 512)