MSC2461: Proposal for Authenticated Content Repository API #2461
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| # Authenticated Content Repository API | ||
|
|
||
| Currently anyone can fetch resources from content repositories. | ||
| This can be undesired behaviour for several reasons as discussed | ||
| in [synapse#2133](https://github.com/matrix-org/synapse/issues/2133) and | ||
| somewhat in [synapse#2150](https://github.com/matrix-org/synapse/issues/2150). | ||
|
|
||
| Homeserver administrators might want to be able to | ||
| restrict access to the content they serve. | ||
|
|
||
| This is unrelated to controlling access to content on a per-file basis, | ||
| which is something a user might desire. | ||
|
|
||
| ## Proposal | ||
|
|
||
| Homeservers may reject unauthenticated access to media endpoints. | ||
|
|
||
| When an unauthenticated client accesses an endpoint, the homeserver | ||
| may reject the request like it would with an authenticated endpoint. | ||
|
|
||
| Thus it returns status code 401 and an error | ||
| with an errcode of `M_MISSING_TOKEN` or `M_UNKNOWN_TOKEN` as apropriate. | ||
|
|
||
| Example response: | ||
|
|
||
| ```json | ||
| { | ||
| "errcode": "M_MISSING_TOKEN", | ||
| "error": "Media access is restricted to authenticated clients" | ||
| } | ||
| ``` | ||
|
|
||
| ### Configuration | ||
|
|
||
| To allow clients to predetermine whether authentication is required, | ||
| the field m.media.unauthenticated is added to | ||
| `GET /_matrix/media/r0/config`. | ||
| It specifies what content can be accessed unauthenticated. | ||
|
|
||
| The following behaviours are defined, | ||
| when a client encounters an unknown enum value it should be treated like `m.unspecified` : | ||
|
|
||
| | Enum value | Description | | ||
| | ------------------ | -------------------------------------------------------------------------------------------- | | ||
| | `m.none` / missing | All content can be accessed unauthenticated | | ||
| | `m.local` | Only content with an authority the server is responsible for can be accessed unauthenticated | | ||
| | `m.cached` | Cached content can be accessed unauthenticated | | ||
| | `m.unspecified` | Authenticated access might be required in some cases | | ||
| | `m.all` | No content can be accessed unauthenticated | | ||
|
|
||
| Example response: | ||
|
|
||
| ```json | ||
| { | ||
| "m.media.unauthenticated": "m.local" | ||
| } | ||
| ``` | ||
|
|
||
| Clients can decide based on this | ||
|
There was a problem hiding this comment. why not add the authentification type to {
"url": "blah",
"info": { ... },
"authenticated": "m.local"
}There was a problem hiding this comment. I might have miscommunicated the intent of this proposal by adding synapse#2150 considering it is only tagentally related. I've read the conversation some time ago and added it from memory. Only checking whether I cought the issues I was thinking of. I have clarified the intent in a new revision. |
||
| if sharing a download link to a non Matrix user is possible. | ||
|
|
||
| ### Server to server | ||
|
|
||
| To reduce the amount of server to server communication, | ||
| when one homeserver tries to fetch content from another homeserver, | ||
| the configuration should first be retrieved and cached. | ||
|
There was a problem hiding this comment. There is no federation API for this. There was a problem hiding this comment. I figured that because servers use the client API for media downloads they could also use it for the media config endpoint There was a problem hiding this comment. They cannot. Also they aren't supposed to be using the client endpoints, they just haven't been defined correctly in the server-side endpoints. There was a problem hiding this comment. Then this proposal is the time to specify that I'd say. Sharing media will be hard. There was a problem hiding this comment. Maybe the "federation api" could be an extra query parameter on existing download/thumbnail endpoints, which can be as simple as |
||
| When the value is m.none the server should not attempt to fetch the | ||
|
There was a problem hiding this comment. Does There was a problem hiding this comment. I assume my other comment clears the first part up, but For the latter, yes, that is an expected consequence of this proposal. There was a problem hiding this comment. "restricted" as in "can only be accessed once authenticated"? And that any server over federation can request such media in an authenticated user's stead? |
||
| content from the remote server | ||
| and return status code 404 and an error with an errcode of M_NOT_FOUND. | ||
|
|
||
| Example response: | ||
|
|
||
| ```json | ||
| { | ||
| "errcode": "M_NOT_FOUND", | ||
| "error": "Remote homeserver rejected access" | ||
| } | ||
| ``` | ||
|
|
||
| ## Potential issues | ||
|
There was a problem hiding this comment. Also mentioned in MSC701 (I think, I'm going off memory) is a way to solve the authentication issue without potentially leaking your access token. Clients which have 'download this file' or 'open in new tab' buttons will need to pass along the access token via the query string. In doing so, when someone copies the link and pastes it to someone else they've exposed their account. There was a problem hiding this comment. I really try to stay away from crypto, so this is just a naive simplification of MSC701: The authentication token is created through HMAC(access_token, media_id). |
||
|
|
||
| - Once homeservers enable this behaviour with a m.media.unauthenticated | ||
| value other than null, older clients will not be able to access some content. | ||
| This is desired for the server operator and undesired for the user. | ||
|
|
||
| - Older clients and servers might encounter an unexpected error code | ||
| which may lead to unknown behaviour. | ||
|
|
||
| - GUI toolkits used by client authors might not support modifying request headers | ||
| for image widgets. This change would thus increase client complexity in these cases. | ||
|
|
||
| ## Alternatives and comparisons | ||
|
|
||
| - All media endpoints could always require authentication, | ||
| but then the server to server exchange would still need | ||
| to be extended to allow access for remote homeservers. | ||
|
|
||
| - **MSC701** | ||
|
|
||
| This MSC proposes a way to authenticate content repo access on a per file basis. | ||
| With it uploads that are not marked public are inaccessible to clients without a | ||
| content token. | ||
|
|
||
| MSC701 provides control to the user as to who sees content. | ||
| Which is unrelated to this proposal which tries to give control to server admins. | ||
|
|
||
| For the following reasons can MSC701 not provide the functionality of this MSC: | ||
|
|
||
| - When the server allows the public flag its admin has no control as | ||
| to who can access content | ||
| - When the server forbids the public flag (which is not specified in MSC701), | ||
| its admin can still not block non-local users who share rooms with local users | ||
| - The federation API of this proposal allows access to non-Matrix users if they can | ||
| get access to a content token (unless the HMAC is enforced) | ||
|
|
||
| ## Security considerations | ||
|
|
||
| - Download links for content might leak the users access token when shared | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
generally we should be naming things in the positive:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would lead to the inverted enum values
m.non-localandm.uncachedwhich are in my opinion worse than having the field name in the negative.
I'm open to suggestions for better enum names
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tbh when I was leaving this comment I was expecting it to be a boolean, not an enum. Not sure there's a benefit for having it be an enum at all, or even really needing this flag is needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, that depends on whether servers can actually make use of that value (according to you they should not) and whether its considered useful enough for clients (as noted in the MSC).
If those are not considered useful then all that stuff can be thrown out.