From 0a6d2b273127d697a7ddbf9c35bd70bea1bbb01f Mon Sep 17 00:00:00 2001
From: Charles Hall <charles@computer.surgery>
Date: Fri, 28 Feb 2025 10:40:26 -0800
Subject: [PATCH] make a media section in the config file

---
 book/changelog.md                                     |  7 ++++---
 src/cli/serve.rs                                      |  2 +-
 src/config.rs                                         | 11 +++++++++--
 ...tegrations__check_config__invalid_keys@stderr.snap |  2 +-
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/book/changelog.md b/book/changelog.md
index 79801297..e303dc56 100644
--- a/book/changelog.md
+++ b/book/changelog.md
@@ -138,9 +138,10 @@ This will be the first release of Grapevine since it was forked from Conduit
 10. Try to generate thumbnails for remote media ourselves if the federation
     thumbnail request fails.
     ([!58](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/58))
-11. **BREAKING:** Disable unauthenticated access to media by default, set the
-    `serve_media_unauthenticated` config option to `true` to enable it.
-    ([!103](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/103))
+11. **BREAKING:** Disable unauthenticated access to media by default. Use
+    `media.serve_media_unauthenticated` to configure this behavior.
+    ([!103](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/103),
+    [!140](https://gitlab.computer.surgery/matrix/grapevine/-/merge_requests/140))
 12. **BREAKING:** Split CLI into multiple subcommands. The CLI invocation to run
     the server is now behind the `serve` command, so `grapevine --config ...`
     becomes `grapevine serve --config ...`.
diff --git a/src/cli/serve.rs b/src/cli/serve.rs
index 71776801..4660dc5c 100644
--- a/src/cli/serve.rs
+++ b/src/cli/serve.rs
@@ -443,7 +443,7 @@ fn legacy_media_routes(config: &Config) -> Router {
     // deprecated, but unproblematic
     let router = router.ruma_route(c2s::get_media_config_legacy_route);
 
-    if config.serve_media_unauthenticated {
+    if config.media.serve_media_unauthenticated {
         router
             .ruma_route(c2s::get_content_legacy_route)
             .ruma_route(c2s::get_content_as_filename_legacy_route)
diff --git a/src/config.rs b/src/config.rs
index d3100f41..b0f1aec7 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -45,6 +45,8 @@ pub(crate) struct Config {
     pub(crate) server_discovery: ServerDiscovery,
     pub(crate) database: DatabaseConfig,
     #[serde(default)]
+    pub(crate) media: MediaConfig,
+    #[serde(default)]
     pub(crate) federation: FederationConfig,
     #[serde(default)]
     pub(crate) cache: CacheConfig,
@@ -59,8 +61,6 @@ pub(crate) struct Config {
     pub(crate) allow_encryption: bool,
     #[serde(default = "true_fn")]
     pub(crate) allow_room_creation: bool,
-    #[serde(default = "false_fn")]
-    pub(crate) serve_media_unauthenticated: bool,
     #[serde(default = "default_default_room_version")]
     pub(crate) default_room_version: RoomVersionId,
     #[serde(default)]
@@ -74,6 +74,13 @@ pub(crate) struct Config {
     pub(crate) emergency_password: Option<String>,
 }
 
+#[derive(Debug, Deserialize, Default)]
+#[serde(deny_unknown_fields)]
+pub(crate) struct MediaConfig {
+    #[serde(default)]
+    pub(crate) serve_media_unauthenticated: bool,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(deny_unknown_fields, default)]
 pub(crate) struct CacheConfig {
diff --git a/tests/integrations/snapshots/integrations__check_config__invalid_keys@stderr.snap b/tests/integrations/snapshots/integrations__check_config__invalid_keys@stderr.snap
index 2b7ce043..83cd650b 100644
--- a/tests/integrations/snapshots/integrations__check_config__invalid_keys@stderr.snap
+++ b/tests/integrations/snapshots/integrations__check_config__invalid_keys@stderr.snap
@@ -8,4 +8,4 @@ Error: failed to validate configuration
   |
 1 | some_name = "example.com"
   | ^^^^^^^^^
-unknown field `some_name`, expected one of `conduit_compat`, `listen`, `tls`, `server_name`, `server_discovery`, `database`, `federation`, `cache`, `cleanup_second_interval`, `max_request_size`, `allow_registration`, `registration_token`, `allow_encryption`, `allow_room_creation`, `serve_media_unauthenticated`, `default_room_version`, `proxy`, `jwt_secret`, `observability`, `turn`, `emergency_password`
+unknown field `some_name`, expected one of `conduit_compat`, `listen`, `tls`, `server_name`, `server_discovery`, `database`, `media`, `federation`, `cache`, `cleanup_second_interval`, `max_request_size`, `allow_registration`, `registration_token`, `allow_encryption`, `allow_room_creation`, `default_room_version`, `proxy`, `jwt_secret`, `observability`, `turn`, `emergency_password`