Disable unauthenticated media access

book/changelog.md

@@ -128,6 +128,9 @@ This will be the first release of Grapevine since it was forked from Conduit
 11. Try to generate thumbnails for remote media ourselves if the federation
     thumbnail request fails.
     ([!58](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/58))
+12. **BREAKING:** Disable unauthenticated access to media by default, set the
+    `serve_media_unauthenticated` config option to `true` to enable it.
+    ([!103](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/103))
 
 ### Fixed
 

src/config.rs

@@ -60,6 +60,8 @@ pub(crate) struct Config {
     pub(crate) allow_encryption: bool,
     #[serde(default = "true_fn")]
     pub(crate) allow_room_creation: bool,
+    #[serde(default = "false_fn")]
+    pub(crate) serve_media_unauthenticated: bool,
     #[serde(default = "default_default_room_version")]
     pub(crate) default_room_version: RoomVersionId,
     #[serde(default)]

src/main.rs

@@ -408,12 +408,24 @@ fn routes(config: &Config) -> Router {
         .ruma_route(c2s::turn_server_route)
         .ruma_route(c2s::send_event_to_device_route);
 
-    // unauthenticated (legacy) media
-    let router = router
-        .ruma_route(c2s::get_media_config_legacy_route)
-        .ruma_route(c2s::get_content_legacy_route)
-        .ruma_route(c2s::get_content_as_filename_legacy_route)
-        .ruma_route(c2s::get_content_thumbnail_legacy_route);
+    // deprecated, but unproblematic
+    let router = router.ruma_route(c2s::get_media_config_legacy_route);
+    let router = if config.serve_media_unauthenticated {
+        router
+            .ruma_route(c2s::get_content_legacy_route)
+            .ruma_route(c2s::get_content_as_filename_legacy_route)
+            .ruma_route(c2s::get_content_thumbnail_legacy_route)
+    } else {
+        router
+            .route(
+                "/_matrix/media/v3/download/*path",
+                any(unauthenticated_media_disabled),
+            )
+            .route(
+                "/_matrix/media/v3/thumbnail/*path",
+                any(unauthenticated_media_disabled),
+            )
+    };
 
     // authenticated media
     let router = router
@@ -570,6 +582,13 @@ async fn federation_disabled(_: Uri) -> impl IntoResponse {
     Error::bad_config("Federation is disabled.")
 }
 
+async fn unauthenticated_media_disabled(_: Uri) -> impl IntoResponse {
+    Error::BadRequest(
+        ErrorKind::NotFound,
+        "Unauthenticated media access is disabled",
+    )
+}
+
 async fn not_found(method: Method, uri: Uri) -> impl IntoResponse {
     debug!(%method, %uri, "Unknown route");
     Error::BadRequest(ErrorKind::Unrecognized, "Unrecognized request")