Unable to fetch remote authenticated media from unauthenticated c2s endpoints #586
Comments
|
This is intended behavior. If the client is not authenticated it doesn't enjoy authenticated media. |
|
Yes this is expected. Fetching authenticated media over unauthenticated endpoints would be a security issue. Is there something you're running into that's causing this concern? |
I'm using a client that does not yet support authenticated media, and all matrix.org media won't load. It seems weird that federation is not transparent through csapi. |
|
I do agree it is an unfortunate state of things that pretty much none of this is transparent and older clients, most specifically SchildiChat which is still a perfectly good client, are basically unusable now because this is not transparent; and because this was very, very rushed and shoehorned through. But it may likely upset a lot of folks or cause security issues/concerns if we made this transparent on the server-side and I don't want to step into that territory. |
If my understanding of the code is right, the problem lies in https://github.com/girlbossceo/conduwuit/blob/main/src/api/client/media_legacy.rs#L150C4-L150C76 , which will only request the remote unauthenticated s2s endpoint before trying the authenticated endpoint, if the c2s request is coming from the unauthenticated endpoint.
The text was updated successfully, but these errors were encountered: