Closed vttranlina closed 1 month ago
using blobResolvers to get the blob of the asset
No.
Else lookup the publiczAsset repository and read the blob into the blobStore.
/publicAsset/{$accountId}/{$assetId}"
We can not infer username
from accountId
(1 way hashing).
Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"
?
Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"?
I think this is ok:
username
to accountId
, therefore using accountId
won't be much safer.Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId}
? After all, asset ids are unique, the uri is public, no need auth...
Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId} ? After all, asset ids are unique, the uri is public, no need auth...
Hmm, our repository API is relying on username though. Query only by assetId
is not visible.
If that, we need one more api for query by one PublicAssetId parameter Look like needing one more Cassandra table
You are right. Ok witht he username then
Why
Epic: https://github.com/linagora/tmail-backend/issues/1027 When a client (e.g., web browser, mobile app) requests the content of a public asset, the Tmail JMAP server needs to serve that content.
How
PublicAssetRoutes
class with the following implementation:Note that this is a public endpoint, so authentication is not required.
Bind
PublicAssetRoutes
toJMAPRoutes
usingGuice
:Write integration tests.
Dod
Ref: LinagoraServicesDiscoveryRoutes
DownloadRoutes