[Bug]: Users unable to delete their images (pictrs API)

[maltfield]

Requirements

• [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
• [X] Did you check to see if this issue already exists?
• [X] Is this only a single bug? Do not put multiple bugs in one issue.
• [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

Bug: Given a pictrs alias (fileaname) and a delete_token, users cannot delete image that they've uploaded to lemmy.

Problem

Currently there is no way for users to be able to delete images that they've uploaded to a lemmy instance from the WUI.

Moreover, even if a user deletes there entire account from the lemmy instance, their uploaded files are not deleted.

It has been mentioned that it's possible to do this via the API, but--due to this bug--that's actually not true.

Example

For example, let's consider the following image that I've uploaded to lemmy.ml (following the Steps to Reproduce below)

• https://lemmy.ml/pictrs/image/d99cf141-f03b-4c82-8c66-09db8eaba1fb.png

When my browser uploaded the file, I got the following JSON response

{
   "msg":"ok",
   "files":[
      {
         "file":"d99cf141-f03b-4c82-8c66-09db8eaba1fb.png",
         "delete_token":"6030a3b8-5066-439c-8880-35438eda4403"
      }
   ]
}

I attempt to delete it at the /image/delete endpoint per the pict-rs reference documentation, but I get a 404 error

user@disp9140:~/lemmy$ curl -iX DELETE "https://lemmy.ml/image/delete/6ac4d09b-e812-460e-8088-4a7c8410d7c8/5dc960cb-fb6b-4f2f-a756-8c651ded184b.png"
HTTP/2 404 
server: nginx
date: Thu, 08 Feb 2024 23:54:50 GMT
content-length: 0
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
cache-control: public, max-age=60

user@disp9140:~/lemmy$ 

Just in-case lemmy puts this at a subdir endpoint for proxying between multiple services (since this isn't documented anywhere), I also tried the pictrs/image/delete endpoint, but I get a 405 error

user@disp9140:~/lemmy$ curl -iX DELETE "https://lemmy.ml/pictrs/image/delete/6ac4d09b-e812-460e-8088-4a7c8410d7c8/5dc960cb-fb6b-4f2f-a756-8c651ded184b.png"
HTTP/2 405 
server: nginx
date: Thu, 08 Feb 2024 23:56:12 GMT
content-length: 0
cache-control: public, max-age=60
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-expose-headers: allow
allow: GET

user@disp9140:~/lemmy$ 

Steps to Reproduce

1. Log into your lemmy account in firefox
2. Click Create Post at the top (to visit /create_post)
3. Open the browsers (javascript) debug console (eg press F12 on linux)
4. Click the Network tab of the debug console
5. Click the Browse button on the webpage next to the Image label
6. Choose some image on your computer and click Open to upload it to the lemmy server's pictrs service
7. Wait a few seconds for the upload to complete
8. In the browser's debug console, click on the POST request sent to pictrs/image
9. In the browser's debug console, click the Response tab
10. Click the Raw toggle
11. Copy the raw JSON response
12. Extract the file and delete_token values from the JSON
13. Attempt to delete the image using curl and the image/delete/<delete_token>/<file> endpoint, get 404 error from server
14. Attempt to delete the image using curl and the pictrs/image/delete/<delete_token>/<file> endpoint, get 405 error from server

Technical Details

tested on lemmy.ml running v0.19.3

Version

0.19.3

Lemmy Instance URL

lemmy.ml

[Nutomic]

The request should look like GET https://lemmy.ml/pictrs/image/delete/3d47ffc0-8dc2-440d-aa28-0ac9047c035d/e9e9e35c-6a49-4016-bb6b-ae299ce0d784.png. Not sure why its get...

https://github.com/LemmyNet/lemmy/blob/main/crates/routes/src/images.rs#L43

[maltfield]

Thanks, I tried GET this but now I get a 401 error

user@disp3837:~$ curl -i "https://lemmy.ml/pictrs/image/delete/677b9c8e-56ac-4242-b14c-e3c64d145277/74e1afa2-27c8-4fad-ace0-884cac79d1b4.png"
HTTP/2 401 
server: nginx
date: Fri, 09 Feb 2024 15:34:03 GMT
content-type: application/json
content-length: 27
access-control-expose-headers: content-type
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
cache-control: public, max-age=60

{"error":"incorrect_login"}user@disp3837:~$ 

Perhaps the reason for this bug is that your lemmy installs are blocking DELETE requests? The server's response includes a header allow: GET that makes me think this.

user@disp9140:~/lemmy$ curl -iX DELETE "https://lemmy.ml/pictrs/image/delete/6ac4d09b-e812-460e-8088-4a7c8410d7c8/5dc960cb-fb6b-4f2f-a756-8c651ded184b.png"
...
allow: GET

user@disp9140:~/lemmy$ 

Is nginx or some other component configured to restrict request types?

[maltfield]

@Nutomic is there any way for a non-admin lemmy user to get the delete_token for a given image out of pict-rs after they've uploaded it? Or is it only possible if they monitored the initial upload POST to /pictrs/image

[Nutomic]

You can upload an image on lemmy-ui, then delete it and monitor via browser developer tools the exact request it makes. As this works without any issues I dont think there is any bug here. Though it might be worth changing the method to DELETE as part of https://github.com/LemmyNet/lemmy/issues/4428.

The delete token is only returned when you upload the image.

[maltfield]

I don't think it's reasonable to say that users can currently delete their images, if they can't fetch the delete token. But I'll consider this new ticket to be a replacement that addresses this bug.

• https://github.com/LemmyNet/lemmy/issues/4445

[dessalines]

Just a note that it'll probably be a while till I can work on that, so if someone else could handle that'd be appreciated.

[maltfield]

For additional context of this issue, please see Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)