This PR restricts the GET /<sha256> authorization to either a single blob sha256 or a single server.
It does this by requiring the get authorization event to have either an x tag with the sha256 (["x","b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553"]) or a server tag with the server's URL (["server", "https://cdn.example.com/"]).
This prevents malicious servers from reusing get auth events to impersonate the user with other servers.
Example:
Server A and B both require authorization to read blobs
User creates an authorization event to read blobs and sends it to B to retrieve a single blob
Server B returns the blob but is malicious and reuses the user's authorization event to talk to server A as the user to retrieve other blobs
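The scoping check described above, sketched from the receiving server's side as an added example (not code from this PR or the project). The function names, the URL normalization rule and the a.example.com server are assumptions; signature, expiry and any other validation of the event are assumed to happen before this check.

```python
from urllib.parse import urlsplit

# Constructed sample values; BLOB and SERVER_B reuse the examples in the PR text.
BLOB = "b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553"
OTHER_BLOB = "0" * 64
SERVER_A = "https://a.example.com/"
SERVER_B = "https://cdn.example.com/"

def _norm_url(url):
    """Assumed comparison rule: lowercase scheme and host, ignore trailing slash."""
    try:
        p = urlsplit(url.strip())
        return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path.rstrip("/"))
    except ValueError:  # malformed port or host: never matches anything
        return None

def get_auth_in_scope(event, requested_sha256, own_url):
    """True only if the event names this blob (x tag) or this server (server tag)."""
    wanted = requested_sha256.lower()
    own = _norm_url(own_url)
    for tag in event.get("tags", []):
        if len(tag) < 2 or not isinstance(tag[1], str):
            continue
        if tag[0] == "x" and tag[1].lower() == wanted:
            return True
        if tag[0] == "server" and own is not None and _norm_url(tag[1]) == own:
            return True
    return False  # unscoped events are refused: they would be replayable anywhere

def replay_demo():
    """The scenario from the PR: B replays the user's event against A."""
    scoped_to_b = {"tags": [["server", SERVER_B]]}
    scoped_to_blob = {"tags": [["x", BLOB]]}
    unscoped = {"tags": []}
    return {
        "user_to_B": get_auth_in_scope(scoped_to_b, BLOB, SERVER_B),
        "B_replays_to_A": get_auth_in_scope(scoped_to_b, OTHER_BLOB, SERVER_A),
        "x_event_same_blob_at_A": get_auth_in_scope(scoped_to_blob, BLOB, SERVER_A),
        "x_event_other_blob_at_A": get_auth_in_scope(scoped_to_blob, OTHER_BLOB, SERVER_A),
        "unscoped_at_A": get_auth_in_scope(unscoped, BLOB, SERVER_A),
    }

if __name__ == "__main__":
    for case, allowed in replay_demo().items():
        print(f"{case}: {'allow' if allowed else 'reject'}")
```

An x-scoped event still works on any server, but only for the one blob it names, so a replay yields nothing the user did not already request.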