Implement JMAP route to get content of the public asset

[vttranlina]

Why

Epic: https://github.com/linagora/tmail-backend/issues/1027 When a client (e.g., web browser, mobile app) requests the content of a public asset, the Tmail JMAP server needs to serve that content.

How

• Create a new PublicAssetRoutes class with the following implementation:

class PublicAssetRoutes(publicAssetRepository: PublicAssetRepository,
                        blobResolvers: BlobResolvers) extends JMAPRoutes {

  override def routes(): Stream[JMAPRoute] = Stream.of(
    JMAPRoute.builder()
      .endpoint(new Endpoint(HttpMethod.GET, s"/publicAsset/{$accountId}/{$assetId}"))
      .action((request, response) => getAsset(request, response))
      .corsHeaders())

  private def getAsset(request: HttpServerRequest, response: HttpServerResponse): SMono[Unit] = {
    // checking if accountId and assetId are existing
    // if not, return 404
    // else, using blobResolvers to get the blob of the asset
    // then apply the blob to the response
  }
}

Note that this is a public endpoint, so authentication is not required.

• Bind PublicAssetRoutes to JMAPRoutes using Guice:

  Multibinder.newSetBinder(binder, classOf[JMAPRoutes])
  routes.addBinding().to(classOf[PublicAssetRoutes])

• Write integration tests.

Dod

• Tests pass.
• Documentation.

Ref: LinagoraServicesDiscoveryRoutes

DownloadRoutes

[chibenwa]

using blobResolvers to get the blob of the asset

No.

Else lookup the publiczAsset repository and read the blob into the blobStore.

[quantranhong1999]

/publicAsset/{$accountId}/{$assetId}"

We can not infer username from accountId (1 way hashing).

Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"?

[quantranhong1999]

Is it ok to expose the username in the URI e.g. /publicAsset/{$username}/{$assetId}"?

I think this is ok:

• the recipient got the username of the sender anyway
• Our code is public. If anyone really wants to do an exploration attack, they know how to hash username to accountId, therefore using accountId won't be much safer.
• This is a "public" route/feature already, so leaked public resources seem to be acceptable to me.

[Arsnael]

Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId} ? After all, asset ids are unique, the uri is public, no need auth...

[quantranhong1999]

Good point... Or what about more simple, just assetId is enough? /publicAsset/{$assetId} ? After all, asset ids are unique, the uri is public, no need auth...

Hmm, our repository API is relying on username though. Query only by assetId is not visible.

[vttranlina]

If that, we need one more api for query by one PublicAssetId parameter Look like needing one more Cassandra table

[Arsnael]

You are right. Ok witht he username then

[quantranhong1999]

https://github.com/linagora/tmail-backend/pull/1062