MSC4189: Allowing guests to access uploaded media #4189
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # MSC4189: Allowing guests to access uploaded media | ||
|
There was a problem hiding this comment. Looks like a perfectly resonable proposal to me. Its clearly fixing a oversight in MSC3916 since being able to access media seems pretty essential for guest accounts. Since even if its limited only to avatars by a server its still important to be able to render avatars. The argument for why this proposal seems sane writes it self as far as i can tell. |
||
|
|
||
| [MSC3916](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3916-authentication-for-media.md) | ||
| introduced new endpoints which require clients to provide a valid access token in order to access | ||
| media. The MSC failed to specify [guest access](https://spec.matrix.org/v1.11/client-server-api/#guest-access) | ||
| requirements for the new endpoints. | ||
|
|
||
| This MSC specifies the missing guest access requirements on the new endpoints. | ||
|
|
||
| ## Proposal | ||
|
|
||
| The following endpoints explicitly permit guest access, joining the | ||
| [list of other endpoints](https://spec.matrix.org/v1.11/client-server-api/#client-behaviour-13) | ||
| already in the specification: | ||
|
|
||
| * [`GET /_matrix/client/v1/media/download/{serverName}/{mediaId}`](https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv1mediadownloadservernamemediaid) | ||
| * [`GET /_matrix/client/v1/media/download/{serverName}/{mediaId}/{fileName}`](https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv1mediadownloadservernamemediaidfilename) | ||
| * [`GET /_matrix/client/v1/media/thumbnail/{serverName}/{mediaId}`](https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv1mediathumbnailservernamemediaid) | ||
|
|
||
| The rationale for the above endpoints is that being able to see events without the associated media | ||
| isn't very useful. | ||
|
|
||
| For clarity, the following endpoints are *not* added to the guest access list, as their prior (now | ||
| deprecated) versions are not already included. A future MSC may change this with sufficient rationale. | ||
| Note that guests cannot currently *upload* files, but can send messages/events. | ||
|
|
||
| * [`GET /_matrix/client/v1/media/config`](https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv1mediaconfig) | ||
| * [`GET /_matrix/client/v1/media/preview_url`](https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv1mediapreview_url) | ||
|
|
||
| ## Potential issues | ||
|
|
||
| This MSC fixes an issue where guests cannot download images/files. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| None applicable. | ||
|
|
||
| ## Security considerations | ||
|
|
||
| This MSC does not materially increase the threat profile for guests: guests could already download | ||
| media using the unauthenticated endpoints. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Prefixed endpoints are excessive for this MSC. Implementations can enable guest access on the existing | ||
| endpoints safely, or continue to respond with "guest access forbidden" errors. No `/versions` flag | ||
| is specified for feature detection: clients with guest access tokens should expect failure until a | ||
| server advertises a specification version containing this MSC. Clients should continue trying to make | ||
| requests for the best user experience. | ||
|
|
||
| ## Dependencies | ||
|
|
||
| This MSC has no dependencies. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what level of implementation we require for this, but element-hq/synapse#17675 exists.