Support Authenticated Media
Closed this issue · 1 comments
Since Matrix v1.11 Authenticated Media is a thing, and synapse-admin needs adjustments to migrate to the new endpoints.
Basically, the mxcUrlToHttp
func from src/synapse/dataProvider.ts
needs adjustment to return the new thumbnail endpoint, and everywhere that url is used, the request has to be sent with the authorization header by synapse-admin (you can't just return it to the browser anymore)
History
Previously, all media uploaded to a Matrix server could be fetched via a public URL. If you know the media ID and can construct:
- the media URL (e.g.
https://matrix.DOMAIN/_matrix/media/v1/download/SERVER_NAME/MEDIA_ID?allow_redirect=true
) - a thumbnail URL (e.g.
https://matrix.DOMAIN/_matrix/media/r0/thumbnail/SERVER_NAME/MEDIA_ID
)
Synapse now supports a new enable_authenticated_media configuration setting. When enabled:
- old media continues to work on the old URLs
- new media can only be fetched via a new API endpoint URLs (GET /_matrix/client/v1/media/download/{serverName}/{mediaId}, etc.), which also require an access token (
Authorization: Bearer syn_...
)
The matrix.org homeserver has disabled unauthenticated media already.
What remains to follow is:
- other homeservers doing the same (willingly, via manual changes)
- Synapse defaults for
enable_authenticated_media
changing (false
->true
) which will make many more servers start to use authenticated media
How this affects synapse-admin?
For now, synapse-admin is fine, but authenticated media is coming soon.
synapse-admin will still be able to access old media files via the old API endpoints, but new media will not be accessible.
User avatars
Avatar in the Users list (as well as user view pages) are currently loaded via the old thumbnail API (/_matrix/media/r0/thumbnail/SERVER_NAME/MEDIA_ID
), instead of the new one. This works for old media (which continues to be served on the old media endpoints URLs), but does not work for users who uploaded new avatars after Synapse's enable_authenticated_media
setting was set to true
Media
The user's media tab currently looks like this:
The icon on the left side is a button that opens the media in a new tab. It's very hard to see and click this icon (and most people will not even notice it), so it should be reworked.
Clicking this "view media" button right now leads to the old /_matrix/media/v1/download/SERVER_NAME/MEDIA_ID?allow_redirect=true
endpoint. This only works for old media.
For new media, the GET /_matrix/client/v1/media/download/{serverName}/{mediaId} API needs to be used.
What should we do?
We should switch all media access to the new endpoints. We don't need to worry if something is old media or new media. The new (authenticated) media endpoints will serve all media. We should stop using the old media endpoints completely.
Since the new authenticated media API URLs require an Authorization
HTTP header, you cannot use them directly in <img src=".." />
and will need to fetch the media separately (while passing the access token).
For the User's Media tab and its "view media" button, it probably means that opening it in a new tab will not be possible anymore and we'll need some kind of inline viewer or something. Here's some sample code:
fetch(imageUrl, {
headers: {
'Authorization': 'Bearer ......'
}
})
.then(response => response.blob())
.then(blob => {
const url = URL.createObjectURL(blob);
img_dom_element.src = url;
});
Perhaps this way of adjusting the href
(well, `src) works with all media and we may be able to have a generic "download" button anyway?