Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement JMAP route to get content of the public asset #1045

Closed
vttranlina opened this issue May 15, 2024 · 8 comments · Fixed by #1062
Closed

Implement JMAP route to get content of the public asset #1045

vttranlina opened this issue May 15, 2024 · 8 comments · Fixed by #1062
Assignees
@quantranhong1999

Comments

@vttranlina
Copy link
Member

Why

Epic: #1027
When a client (e.g., web browser, mobile app) requests the content of a public asset, the Tmail JMAP server needs to serve that content.

How

  • Create a new PublicAssetRoutes class with the following implementation:
class PublicAssetRoutes(publicAssetRepository: PublicAssetRepository,
                        blobResolvers: BlobResolvers) extends JMAPRoutes {

  override def routes(): Stream[JMAPRoute] = Stream.of(
    JMAPRoute.builder()
      .endpoint(new Endpoint(HttpMethod.GET, s"/publicAsset/{$accountId}/{$assetId}"))
      .action((request, response) => getAsset(request, response))
      .corsHeaders())

  private def getAsset(request: HttpServerRequest, response: HttpServerResponse): SMono[Unit] = {
    // checking if accountId and assetId are existing
    // if not, return 404
    // else, using blobResolvers to get the blob of the asset
    // then apply the blob to the response
  }
}

Note that this is a public endpoint, so authentication is not required.

  • Bind PublicAssetRoutes to JMAPRoutes using Guice:
Multibinder.newSetBinder(binder, classOf[JMAPRoutes])
    routes.addBinding().to(classOf[PublicAssetRoutes])
  • Write integration tests.

Dod

  • Tests pass.
  • Documentation.

Ref:
LinagoraServicesDiscoveryRoutes

DownloadRoutes
This was referenced May 15, 2024
Open
Closed
@chibenwa
Copy link
Member

using blobResolvers to get the blob of the asset

No.

Else lookup the publiczAsset repository and read the blob into the blobStore.

@quantranhong1999 quantranhong1999 self-assigned this May 21, 2024
@vttranlina vttranlina mentioned this issue May 22, 2024
Merged
@quantranhong1999
Copy link
Member

/publicAsset/{$accountId}/{$assetId}"

We can not infer username from accountId (1 way hashing).

Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"?

@quantranhong1999
Copy link
Member

Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"?

I think this is ok:

  • the recipient got the username of the sender anyway
  • Our code is public. If anyone really wants to do an exploration attack, they know how to hash username to accountId, therefore using accountId won't be much safer.
  • This is a "public" route/feature already, so leaked public resources seem to be acceptable to me.

@Arsnael
Copy link
Member

Arsnael commented May 22, 2024

Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId} ? After all, asset ids are unique, the uri is public, no need auth...

@quantranhong1999
Copy link
Member

Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId} ? After all, asset ids are unique, the uri is public, no need auth...

Hmm, our repository API is relying on username though. Query only by assetId is not visible.

@vttranlina
Copy link
Member Author

If that, we need one more api for query by one PublicAssetId parameter
Look like needing one more Cassandra table

@Arsnael
Copy link
Member

Arsnael commented May 22, 2024

You are right. Ok witht he username then

This was referenced May 23, 2024
Merged
Merged
@quantranhong1999
Copy link
Member

#1062

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@quantranhong1999 quantranhong1999

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ISSUE-1045 Implement JMAP route to get content of the public asset quantranhong1999/openpaas-james
4 participants
@chibenwa @Arsnael @quantranhong1999 @vttranlina