Enable authenticated media by default (#625)

* Enabled authenticated media by default * Fix tests * Fix tests
t2bot · Dec 23, 2024 · 78d9ad2 · 78d9ad2
1 parent a53f6db
commit 78d9ad2
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed
 
 * MMR now requires Go 1.22 for compilation.
+* The global `repo.freezeUnauthenticatedMedia` option now defaults to `true`, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See `config.sample.yaml` for details.
 
 ### Fixed
 

diff --git a/common/config/conf_main.go b/common/config/conf_main.go
@@ -32,7 +32,7 @@ func NewDefaultMainConfig() MainRepoConfig {
 			LogLevel:                   "info",
 			TrustAnyForward:            false,
 			UseForwardedHost:           true,
-			FreezeUnauthenticatedMedia: false,
+			FreezeUnauthenticatedMedia: true,
 		},
 		Database: DatabaseConfig{
 			Postgres: "postgres://your_username:your_password@localhost/database_name?sslmode=disable",

diff --git a/config.sample.yaml b/config.sample.yaml
@@ -40,10 +40,10 @@ repo:
   # only be accessible over authenticated endpoints, though future media will be accessible on both
   # authenticated and unauthenticated media.
   #
-  # This flag currently defaults to false. A future release, likely in August 2024, will remove this flag
-  # and have the same effect as it being true (always on). This flag is primarily intended for servers to
-  # opt-in to the behaviour early.
-  freezeUnauthenticatedMedia: false
+  # This flag defaults to true. Previously it defauled to false. A future release, likely in 2025, will
+  # remove this flag and have the same effect as it being true (always on). This flag is primarily
+  # intended for servers to opt-out of the behaviour while they are still testing compatibility.
+  freezeUnauthenticatedMedia: true
 
 # Options for dealing with federation
 federation:

diff --git a/test/upload_suite_test.go b/test/upload_suite_test.go
@@ -47,8 +47,8 @@ func (s *UploadTestSuite) TestUpload() {
 	client2 := &test_internals.MatrixClient{
 		ClientServerUrl: s.deps.Machines[1].HttpUrl,       // deliberately the second machine
 		ServerName:      s.deps.Homeservers[1].ServerName, // deliberately the second machine
-		AccessToken:     "",                               // no auth for downloads
-		UserId:          "",                               // no auth for downloads
+		AccessToken:     s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken,
+		UserId:          s.deps.Homeservers[1].UnprivilegedUsers[0].UserId,
 	}
 
 	contentType, img, err := test_internals.MakeTestImage(512, 512)
@@ -62,7 +62,7 @@ func (s *UploadTestSuite) TestUpload() {
 	assert.Equal(t, client1.ServerName, origin)
 	assert.NotEmpty(t, mediaId)
 
-	raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), nil, "", nil)
+	raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), nil, "", nil)
 	assert.NoError(t, err)
 	assert.Equal(t, raw.StatusCode, http.StatusOK)
 	test_internals.AssertIsTestImage(t, raw.Body)
@@ -258,8 +258,8 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() {
 	client2 := &test_internals.MatrixClient{
 		ClientServerUrl: s.deps.Machines[1].HttpUrl,       // deliberately the second machine
 		ServerName:      s.deps.Homeservers[1].ServerName, // deliberately the second machine
-		AccessToken:     "",                               // no auth for downloads
-		UserId:          "",                               // no auth for downloads
+		AccessToken:     s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken,
+		UserId:          s.deps.Homeservers[1].UnprivilegedUsers[0].UserId,
 	}
 
 	contentType, img, err := test_internals.MakeTestImage(512, 512)
@@ -278,7 +278,7 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() {
 	assert.NotEmpty(t, mediaId)
 
 	// Do a test download to ensure that the media doesn't (yet) exist
-	errRes, err := client2.DoExpectError("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), url.Values{
+	errRes, err := client2.DoExpectError("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), url.Values{
 		"timeout_ms": []string{"1000"},
 	}, "", nil)
 	assert.NoError(t, err)
@@ -303,7 +303,7 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() {
 	assert.Equal(t, http.StatusConflict, errRes.InjectedStatusCode)
 
 	// Download and test the upload
-	raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/media/v3/download/%s/%s", origin, mediaId), nil, "", nil)
+	raw, err := client2.DoRaw("GET", fmt.Sprintf("/_matrix/client/v1/media/download/%s/%s", origin, mediaId), nil, "", nil)
 	assert.NoError(t, err)
 	assert.Equal(t, raw.StatusCode, http.StatusOK)
 	test_internals.AssertIsTestImage(t, raw.Body)