hzrd149 / blossom

Blobs stored simply on mediaservers
The Unlicense

Restrict get authorization event to a single blob or server #16

Closed hzrd149 closed 2 weeks ago

hzrd149 commented 1 month ago

This PR restricts the GET /<sha256> authorization to either a single blob sha256 or a single server.

It does this by requiring the get authorization event to either have an x tag with the sha256 (["x","b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553"]) or a server tag with the server's URL (["server", "https://cdn.example.com/"]).

This prevents malicious servers from reusing get auth events to impersonate the user with other servers.

Example:
Server A and B both require authorization to read blobs.
User creates an authorization event to read blobs and sends it to B to retrieve a single blob.
Server B returns the blob but is malicious and reuses the user's authorization event to talk to server A as the user to retrieve other blobs.
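The scope check described in this PR, sketched from the receiving server's side as an added example (not code from the PR or the blossom repository). The function names, the result shape and the a.example.com / b.example.com URLs are assumptions; signature and expiry validation are assumed to have happened before this check.

```javascript
// Added example: decide whether a "get" authorization event is scoped to this request.
// Assumption: the event's signature and expiry were already verified elsewhere.
const SHA256_HEX = /^[0-9a-f]{64}$/;

// Normalize so "https://cdn.example.com" and "https://cdn.example.com/" compare equal.
function normalizeServerUrl(value) {
  try {
    return new URL(value).href;
  } catch {
    return null; // not a parseable URL: can never match
  }
}

// Returns { ok, reason }. An event passes only if it names the requested blob
// in an "x" tag or names this server in a "server" tag.
function checkGetAuthScope(event, requestedSha256, ownServerUrl) {
  const tags = Array.isArray(event.tags) ? event.tags.filter(Array.isArray) : [];
  const blobs = tags.filter((t) => t[0] === "x").map((t) => t[1]);
  const servers = tags
    .filter((t) => t[0] === "server")
    .map((t) => normalizeServerUrl(t[1]))
    .filter(Boolean);

  if (blobs.length === 0 && servers.length === 0) {
    return { ok: false, reason: "unscoped" }; // replayable anywhere, so refuse it
  }
  if (SHA256_HEX.test(requestedSha256) && blobs.includes(requestedSha256)) {
    return { ok: true, reason: "blob" };
  }
  if (servers.includes(normalizeServerUrl(ownServerUrl))) {
    return { ok: true, reason: "server" };
  }
  return { ok: false, reason: "scope-mismatch" };
}

// Constructed sample data for the Server A / Server B scenario above.
const SERVER_A = "https://a.example.com/";
const SERVER_B = "https://b.example.com/";
const BLOB = "b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553";
const OTHER_BLOB = "a".repeat(64); // constructed placeholder hash

const scopedToB = { tags: [["server", "https://b.example.com"]] };
const scopedToBlob = { tags: [["x", BLOB]] };
const unscoped = { tags: [] };

console.log(checkGetAuthScope(scopedToB, BLOB, SERVER_B));       // accepted by B
console.log(checkGetAuthScope(scopedToB, OTHER_BLOB, SERVER_A)); // replay at A refused
console.log(checkGetAuthScope(scopedToBlob, OTHER_BLOB, SERVER_A));
```

An event carrying only an x tag is still accepted by any server for that one blob, which matches the PR's "single blob or single server" restriction.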