Open tusooa opened 2 weeks ago
This is intended behavior. If the client is not authenticated it doesn't enjoy authenticated media.
Yes this is expected. Fetching authenticated media over unauthenticated endpoints would be a security issue.
Is there something you're running into that's causing this concern?
I'm using a client that does not yet support authenticated media, and all matrix.org media won't load. It seems weird that federation is not transparent through csapi.
I do agree it is an unfortunate state of things that pretty much none of this is transparent and older clients, most specifically SchildiChat which is still a perfectly good client, are basically unusable now because this is not transparent; and because this was very, very rushed and shoehorned through. But it may likely upset a lot of folks or cause security issues/concerns if we made this transparent on the server-side and I don't want to step into that territory.
If my understanding of the code is right, the problem lies in https://github.com/girlbossceo/conduwuit/blob/main/src/api/client/media_legacy.rs#L150C4-L150C76 , which will only request the remote unauthenticated s2s endpoint before trying the authenticated endpoint, if the c2s request is coming from the unauthenticated endpoint.
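The policy question the thread turns on (whether an unauthenticated client-server request may be satisfied by a fetch over the authenticated federation endpoint) is easier to see in code. The following is an added example, not conduwuit's own code nor the logic in media_legacy.rs; the `RemoteServer` stand-in, the `Policy` enum, the media IDs and the byte strings are constructed for illustration. It models both the strict behaviour the maintainers call intended and the "transparent" fallback the issue asks for, so that the difference shows up as a concrete result.

```rust
use std::collections::HashMap;

/// Which client-server endpoint the request arrived on.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ClientEndpoint {
    /// Legacy /_matrix/media/... path: no access token required.
    LegacyUnauthenticated,
    /// /_matrix/client/v1/media/... path: access token required.
    Authenticated,
}

/// Which server-server endpoint the homeserver uses to fetch from the remote.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RemoteEndpoint {
    /// Legacy unauthenticated media path on the remote; works only while
    /// the remote still allows anonymous access to that media.
    LegacyUnauthenticated,
    /// /_matrix/federation/v1/media/... path, authenticated with the
    /// fetching server's signing key.
    AuthenticatedFederation,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FetchError {
    /// The remote refuses to serve this media on the endpoint used.
    Forbidden,
    NotFound,
}

/// Hypothetical policy knob for the example.
#[derive(Clone, Copy, Debug)]
pub enum Policy {
    /// Unauthenticated client request -> only the unauthenticated remote endpoint.
    Strict,
    /// "Transparent": also fall back to the authenticated federation endpoint.
    Transparent,
}

/// Constructed stand-in for a remote homeserver (not a real network peer).
pub struct RemoteServer {
    /// media_id -> (still served anonymously over the legacy endpoint?, bytes)
    media: HashMap<&'static str, (bool, &'static [u8])>,
}

impl RemoteServer {
    pub fn fetch(&self, via: RemoteEndpoint, media_id: &str) -> Result<&'static [u8], FetchError> {
        let (anonymous_ok, bytes) = self.media.get(media_id).copied().ok_or(FetchError::NotFound)?;
        match via {
            // A signed federation request is always honoured for known media.
            RemoteEndpoint::AuthenticatedFederation => Ok(bytes),
            RemoteEndpoint::LegacyUnauthenticated if anonymous_ok => Ok(bytes),
            RemoteEndpoint::LegacyUnauthenticated => Err(FetchError::Forbidden),
        }
    }
}

/// Remote endpoints to try, in order, given how the client asked and the policy.
pub fn remote_order(client: ClientEndpoint, policy: Policy) -> &'static [RemoteEndpoint] {
    match (client, policy) {
        // An authenticated client may use the authenticated fetch; fall back to
        // the legacy path for remotes that do not offer the federation endpoint.
        (ClientEndpoint::Authenticated, _) => {
            &[RemoteEndpoint::AuthenticatedFederation, RemoteEndpoint::LegacyUnauthenticated]
        }
        (ClientEndpoint::LegacyUnauthenticated, Policy::Strict) => &[RemoteEndpoint::LegacyUnauthenticated],
        (ClientEndpoint::LegacyUnauthenticated, Policy::Transparent) => {
            &[RemoteEndpoint::LegacyUnauthenticated, RemoteEndpoint::AuthenticatedFederation]
        }
    }
}

/// Proxy a client's download to the remote, trying endpoints in policy order.
pub fn proxy_download(
    remote: &RemoteServer,
    client: ClientEndpoint,
    policy: Policy,
    media_id: &str,
) -> Result<&'static [u8], FetchError> {
    let mut last = FetchError::NotFound;
    for via in remote_order(client, policy) {
        match remote.fetch(*via, media_id) {
            Ok(bytes) => return Ok(bytes),
            // Unknown media will not appear on another endpoint; stop early.
            Err(FetchError::NotFound) => return Err(FetchError::NotFound),
            Err(e) => last = e,
        }
    }
    Err(last)
}

/// Constructed sample: one media item still public, one only served to authenticated callers.
pub fn sample_remote() -> RemoteServer {
    RemoteServer {
        media: HashMap::from([
            ("public-old", (true, &b"public-bytes"[..])),
            ("locked", (false, &b"locked-bytes"[..])),
        ]),
    }
}

fn main() {
    let remote = sample_remote();
    for policy in [Policy::Strict, Policy::Transparent] {
        let r = proxy_download(&remote, ClientEndpoint::LegacyUnauthenticated, policy, "locked");
        println!("unauthenticated client, {:?} policy, locked media -> {:?}", policy, r);
    }
}
```

The transparent variant is the one the maintainers decline to ship: with it, anyone who can reach the legacy endpoint of the local server obtains bytes the remote would only hand to an authenticated party, because the local server's federation credentials do the authenticating on the caller's behalf. The strict variant returns Forbidden for that request while still serving media the remote has left public, which is the "older clients break on authenticated-only media" outcome the thread describes.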