
@beastafk
Contributor

@beastafk beastafk commented Oct 1, 2024

Fixes #31

History

Previously, all media uploaded to a Matrix server could be fetched via a public URL. If you know the media ID and can construct:

  • the media URL (e.g. https://matrix.DOMAIN/_matrix/media/v1/download/SERVER_NAME/MEDIA_ID?allow_redirect=true)
  • a thumbnail URL (e.g. https://matrix.DOMAIN/_matrix/media/r0/thumbnail/SERVER_NAME/MEDIA_ID)

Synapse now supports a new enable_authenticated_media configuration setting. When enabled:

The matrix.org homeserver has disabled unauthenticated media already.

What remains to follow is:

  • other homeservers doing the same (willingly, via manual changes)
  • Synapse defaults for enable_authenticated_media changing (false -> true) which will make many more servers start to use authenticated media

How does this affect synapse-admin?

For now, synapse-admin is fine, but authenticated media is coming soon.

synapse-admin will still be able to access old media files via the old API endpoints, but new media will not be accessible.

User avatars

Avatars in the Users list (as well as user view pages) are currently loaded via the old thumbnail API (/_matrix/media/r0/thumbnail/SERVER_NAME/MEDIA_ID), instead of the new one. This works for old media (which continues to be served on the old media endpoint URLs), but does not work for users who uploaded new avatars after Synapse's enable_authenticated_media setting was set to true.

Media

The user's media tab currently looks like this:

[Image: synapse-admin-user-media-tab]

The icon on the left side is a button that opens the media in a new tab. It's very hard to see and click this icon (and most people will not even notice it), so it should be reworked.

Clicking this "view media" button right now leads to the old /_matrix/media/v1/download/SERVER_NAME/MEDIA_ID?allow_redirect=true endpoint. This only works for old media.

For new media, the GET /_matrix/client/v1/media/download/{serverName}/{mediaId} API needs to be used.


What should we do?

We should switch all media access to the new endpoints. We don't need to worry if something is old media or new media. The new (authenticated) media endpoints will serve all media. We should stop using the old media endpoints completely.

Since the new authenticated media API URLs require an Authorization HTTP header, you cannot use them directly in <img src=".." /> and will need to fetch the media separately (while passing the access token).

For the User's Media tab and its "view media" button, it probably means that opening it in a new tab will not be possible anymore and we'll need some kind of inline viewer or something. Here's some sample code:

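// imageUrl: authenticated media URL; img_dom_element: the target <img> element
fetch(imageUrl, {
  headers: {
    'Authorization': 'Bearer ......'
  }
})
.then(response => {
  // Surface HTTP errors (e.g. a rejected token) instead of rendering an error body
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.blob();
})
.then(blob => {
  // A blob: URL can be used as src without any request headers
  const url = URL.createObjectURL(blob);
  img_dom_element.src = url;
});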

Perhaps this way of adjusting the href (well, src) works with all media and we may be able to have a generic "download" button anyway?
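
The switch described in this comment, as an added example that is not part of the pull request or of synapse-admin's code: it rewrites a legacy media URL to the authenticated /_matrix/client/v1/media/... path, refuses to attach the access token to any origin other than the homeserver, and returns a blob URL. The function names, the sample host, the v3 legacy prefix and the thumbnail counterpart of the download endpoint are assumptions beyond what the page shows.

```javascript
// Added example; buildMediaRequest and loadMediaObjectUrl are hypothetical names.
// Legacy form: /_matrix/media/{v1,r0,v3}/{download,thumbnail}/SERVER_NAME/MEDIA_ID
const LEGACY_MEDIA =
  /^\/_matrix\/media\/(?:v1|r0|v3)\/(download|thumbnail)\/([^/]+)\/([^/]+)$/;

// Map a legacy media URL onto the authenticated endpoint and build the
// fetch() arguments. Throws instead of sending the token somewhere unexpected.
function buildMediaRequest(legacyUrl, homeserverBase, accessToken) {
  const base = new URL(homeserverBase);
  const url = new URL(legacyUrl, base); // accepts absolute or relative input
  // The access token must only ever reach the homeserver we are logged in to.
  if (url.origin !== base.origin) {
    throw new Error(`refusing to send access token to ${url.origin}`);
  }
  const m = LEGACY_MEDIA.exec(url.pathname);
  if (!m) throw new Error(`not a legacy media URL: ${url.pathname}`);
  const [, kind, serverName, mediaId] = m;
  // Query parameters (thumbnail width/height etc.) are carried over unchanged.
  url.pathname = `/_matrix/client/v1/media/${kind}/${serverName}/${mediaId}`;
  return {
    url: url.toString(),
    init: { headers: { Authorization: `Bearer ${accessToken}` } },
  };
}

// Fetch the media and return an object URL usable as <img src> or <a href>.
// The caller should URL.revokeObjectURL() it once the element is discarded.
async function loadMediaObjectUrl(legacyUrl, homeserverBase, accessToken) {
  const { url, init } = buildMediaRequest(legacyUrl, homeserverBase, accessToken);
  const response = await fetch(url, init);
  if (!response.ok) {
    throw new Error(`media request failed: HTTP ${response.status}`);
  }
  return URL.createObjectURL(await response.blob());
}
```

Because the token travels in a header rather than in the URL, it does not end up in browser history, Referer headers or access logs the way a query-string token would.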

@aine-etke aine-etke changed the title Support authenticated media for thumbnails and other media files Authenticated Media Support Oct 2, 2024
@aine-etke aine-etke merged commit a79c359 into main Oct 2, 2024
2 checks passed
@aine-etke aine-etke deleted the support-authenticated-media branch October 25, 2024 08:55