From c862c6ef5e54110b4a67c96e8642ad769c08db5e Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Thu, 24 Jul 2025 12:51:22 -0600 Subject: [PATCH] Remove `enable_authenticated_media` flag Fixes https://github.com/element-hq/synapse/issues/17950 --- .../configuration/config_documentation.md | 24 ------ schema/synapse-config.schema.yaml | 44 ---------- scripts-dev/gen_config_documentation.py | 4 - synapse/config/repository.py | 2 - synapse/media/media_repository.py | 16 ++-- synapse/media/thumbnailer.py | 8 +- .../databases/main/media_repository.py | 18 ++-- tests/media/test_media_storage.py | 86 +++---------------- tests/replication/test_multi_media_repo.py | 5 +- tests/rest/admin/test_media.py | 11 +-- tests/rest/client/test_media.py | 1 - tests/rest/media/test_domain_blocking.py | 14 ++- tests/rest/media/test_url_preview.py | 20 +++-- 13 files changed, 55 insertions(+), 198 deletions(-) diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 96be5c2789..f77e25e6c7 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -2038,30 +2038,6 @@ federation_rr_transactions_per_room_per_second: 40 Config options related to Synapse's media store. ---- -### `enable_authenticated_media` - -*(boolean)* When set to true, all subsequent media uploads will be marked as authenticated, and will not be available over legacy unauthenticated media endpoints (`/_matrix/media/(r0|v3|v1)/download` and `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints `_matrix/client/v1/media/download` and `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false after enabling, media marked as authenticated will be available over legacy endpoints. Defaults to true (previously false). In a future release of Synapse, this option will be removed and become always-on. - -In all cases, authenticated requests to download media will succeed, but for unauthenticated requests, this case-by-case breakdown describes whether media downloads are permitted: - -* `enable_authenticated_media = False`: - * unauthenticated client or homeserver requesting local media: allowed - * unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache, or as long as the remote homeserver does not require authentication to retrieve the media -* `enable_authenticated_media = True`: - * unauthenticated client or homeserver requesting local media: allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied. - * unauthenticated client or homeserver requesting remote media: the same as for local media; allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied. - -It is especially notable that media downloaded before this option existed (in older Synapse versions), or whilst this option was set to `False`, will perpetually be available over the legacy, unauthenticated endpoint, even after this option is set to `True`. This is for backwards compatibility with older clients and homeservers that do not yet support requesting authenticated media; those older clients or homeservers will not be cut off from media they can already see. - -_Changed in Synapse 1.120:_ This option now defaults to `True` when not set, whereas before this version it defaulted to `False`. - -Defaults to `true`. - -Example configuration: -```yaml -enable_authenticated_media: false -``` --- ### `enable_media_repo` diff --git a/schema/synapse-config.schema.yaml b/schema/synapse-config.schema.yaml index 5b9ff1864f..998fd2cd3c 100644 --- a/schema/synapse-config.schema.yaml +++ b/schema/synapse-config.schema.yaml @@ -2251,50 +2251,6 @@ properties: default: 50 examples: - 40 - enable_authenticated_media: - type: boolean - description: >- - When set to true, all subsequent media uploads will be marked as - authenticated, and will not be available over legacy unauthenticated media - endpoints (`/_matrix/media/(r0|v3|v1)/download` and - `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media - over these endpoints will result in a 404. All media, including - authenticated media, will be available over the authenticated media - endpoints `_matrix/client/v1/media/download` and - `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this - option to true will still be available over the legacy endpoints. Note if - the setting is switched to false after enabling, media marked as - authenticated will be available over legacy endpoints. Defaults to true - (previously false). In a future release of Synapse, this option will be - removed and become always-on. - - - In all cases, authenticated requests to download media will succeed, but - for unauthenticated requests, this case-by-case breakdown describes - whether media downloads are permitted: - - - * `enable_authenticated_media = False`: - * unauthenticated client or homeserver requesting local media: allowed - * unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache, or as long as the remote homeserver does not require authentication to retrieve the media - * `enable_authenticated_media = True`: - * unauthenticated client or homeserver requesting local media: allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied. - * unauthenticated client or homeserver requesting remote media: the same as for local media; allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied. - - It is especially notable that media downloaded before this option existed - (in older Synapse versions), or whilst this option was set to `False`, - will perpetually be available over the legacy, unauthenticated endpoint, - even after this option is set to `True`. This is for backwards - compatibility with older clients and homeservers that do not yet support - requesting authenticated media; those older clients or homeservers will - not be cut off from media they can already see. - - - _Changed in Synapse 1.120:_ This option now defaults to `True` when not - set, whereas before this version it defaulted to `False`. - default: true - examples: - - false enable_media_repo: type: boolean description: >- diff --git a/scripts-dev/gen_config_documentation.py b/scripts-dev/gen_config_documentation.py index 9a49c07a34..77e8432d33 100755 --- a/scripts-dev/gen_config_documentation.py +++ b/scripts-dev/gen_config_documentation.py @@ -151,10 +151,6 @@ SECTION_HEADERS = { "being throttled." ), }, - "enable_authenticated_media": { - "title": "Media Store", - "description": "Config options related to Synapse's media store.", - }, "recaptcha_public_key": { "title": "Captcha", "description": ( diff --git a/synapse/config/repository.py b/synapse/config/repository.py index efdc505659..a1389e8755 100644 --- a/synapse/config/repository.py +++ b/synapse/config/repository.py @@ -288,8 +288,6 @@ class ContentRepositoryConfig(Config): remote_media_lifetime ) - self.enable_authenticated_media = config.get("enable_authenticated_media", True) - self.media_upload_limits: List[MediaUploadLimit] = [] for limit_config in config.get("media_upload_limits", []): time_period_ms = self.parse_duration(limit_config["time_period"]) diff --git a/synapse/media/media_repository.py b/synapse/media/media_repository.py index aae88d25c9..d866791667 100644 --- a/synapse/media/media_repository.py +++ b/synapse/media/media_repository.py @@ -487,7 +487,7 @@ class MediaRepository: if not media_info: return - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: if media_info.authenticated: raise NotFoundError() @@ -684,7 +684,7 @@ class MediaRepository: """ media_info = await self.store.get_cached_remote_media(server_name, media_id) - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: # if it isn't cached then don't fetch it or if it's authenticated then don't serve it if not media_info or media_info.authenticated: raise NotFoundError() @@ -865,10 +865,8 @@ class MediaRepository: logger.info("Stored remote media in file %r", fname) - if self.hs.config.media.enable_authenticated_media: - authenticated = True - else: - authenticated = False + # Media used to be optionally authenticated, but now we force-authenticate it + authenticated = True return RemoteMedia( media_origin=server_name, @@ -998,10 +996,8 @@ class MediaRepository: logger.debug("Stored remote media in file %r", fname) - if self.hs.config.media.enable_authenticated_media: - authenticated = True - else: - authenticated = False + # Media used to be optionally authenticated, but now we force-authenticate it + authenticated = True return RemoteMedia( media_origin=server_name, diff --git a/synapse/media/thumbnailer.py b/synapse/media/thumbnailer.py index 5d9afda322..f903da68b3 100644 --- a/synapse/media/thumbnailer.py +++ b/synapse/media/thumbnailer.py @@ -291,7 +291,7 @@ class ThumbnailProvider: # if the media the thumbnail is generated from is authenticated, don't serve the # thumbnail over an unauthenticated endpoint - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: if media_info.authenticated: raise NotFoundError() @@ -336,7 +336,7 @@ class ThumbnailProvider: # if the media the thumbnail is generated from is authenticated, don't serve the # thumbnail over an unauthenticated endpoint - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: if media_info.authenticated: raise NotFoundError() @@ -437,7 +437,7 @@ class ThumbnailProvider: # if the media the thumbnail is generated from is authenticated, don't serve the # thumbnail over an unauthenticated endpoint - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: if media_info.authenticated: respond_404(request) return @@ -521,7 +521,7 @@ class ThumbnailProvider: # if the media the thumbnail is generated from is authenticated, don't serve the # thumbnail over an unauthenticated endpoint - if self.hs.config.media.enable_authenticated_media and not allow_authenticated: + if not allow_authenticated: if media_info.authenticated: raise NotFoundError() diff --git a/synapse/storage/databases/main/media_repository.py b/synapse/storage/databases/main/media_repository.py index f726846e57..2d52a7e381 100644 --- a/synapse/storage/databases/main/media_repository.py +++ b/synapse/storage/databases/main/media_repository.py @@ -452,10 +452,8 @@ class MediaRepositoryStore(MediaRepositoryBackgroundUpdateStore): time_now_ms: int, user_id: UserID, ) -> None: - if self.hs.config.media.enable_authenticated_media: - authenticated = True - else: - authenticated = False + # Media used to be optionally authenticated, but now we force-authenticate it + authenticated = True await self.db_pool.simple_insert( "local_media_repository", @@ -481,10 +479,8 @@ class MediaRepositoryStore(MediaRepositoryBackgroundUpdateStore): sha256: Optional[str] = None, quarantined_by: Optional[str] = None, ) -> None: - if self.hs.config.media.enable_authenticated_media: - authenticated = True - else: - authenticated = False + # Media used to be optionally authenticated, but now we force-authenticate it + authenticated = True await self.db_pool.simple_insert( "local_media_repository", @@ -730,10 +726,8 @@ class MediaRepositoryStore(MediaRepositoryBackgroundUpdateStore): filesystem_id: str, sha256: Optional[str], ) -> None: - if self.hs.config.media.enable_authenticated_media: - authenticated = True - else: - authenticated = False + # Media used to be optionally authenticated, but now we force-authenticate it + authenticated = True await self.db_pool.simple_insert( "remote_media_cache", diff --git a/tests/media/test_media_storage.py b/tests/media/test_media_storage.py index 2f7cf4569b..1378369768 100644 --- a/tests/media/test_media_storage.py +++ b/tests/media/test_media_storage.py @@ -370,6 +370,9 @@ class MediaRepoTests(unittest.HomeserverTestCase): self.media_id = "example.com/12345" + self.register_user("user", "password") + self.access_token = self.login("user", "password") + def create_resource_dict(self) -> Dict[str, Resource]: resources = super().create_resource_dict() resources["/_matrix/media"] = self.hs.get_media_repository_resource() @@ -380,9 +383,10 @@ class MediaRepoTests(unittest.HomeserverTestCase): ) -> FakeChannel: channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{self.media_id}", + f"/_matrix/client/v1/media/download/{self.media_id}", shorthand=False, await_result=False, + access_token=self.access_token, ) self.pump() @@ -391,7 +395,7 @@ class MediaRepoTests(unittest.HomeserverTestCase): self.assertEqual(len(self.fetches), 1) self.assertEqual(self.fetches[0][1], "example.com") self.assertEqual( - self.fetches[0][2], "/_matrix/media/v3/download/" + self.media_id + self.fetches[0][2], "/_matrix/client/v1/media/download/" + self.media_id ) self.assertEqual( self.fetches[0][3], @@ -417,11 +421,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): return channel - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_handle_missing_content_type(self) -> None: channel = self._req( b"attachment; filename=out" + self.test_image.extension, @@ -433,11 +432,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): headers.getRawHeaders(b"Content-Type"), [b"application/octet-stream"] ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_disposition_filename_ascii(self) -> None: """ If the filename is filename= then Synapse will decode it as an @@ -458,11 +452,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): ], ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_disposition_filenamestar_utf8escaped(self) -> None: """ If the filename is filename=*utf8'' then Synapse will @@ -488,11 +477,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): ], ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_disposition_none(self) -> None: """ If there is no filename, Content-Disposition should only @@ -509,11 +493,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): [b"inline" if self.test_image.is_inline else b"attachment"], ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_thumbnail_crop(self) -> None: """Test that a cropped remote thumbnail is available.""" self._test_thumbnail( @@ -523,11 +502,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): unable_to_thumbnail=self.test_image.unable_to_thumbnail, ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_thumbnail_scale(self) -> None: """Test that a scaled remote thumbnail is available.""" self._test_thumbnail( @@ -537,11 +511,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): unable_to_thumbnail=self.test_image.unable_to_thumbnail, ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_invalid_type(self) -> None: """An invalid thumbnail type is never available.""" self._test_thumbnail( @@ -554,7 +523,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): @unittest.override_config( { "thumbnail_sizes": [{"width": 32, "height": 32, "method": "scale"}], - "enable_authenticated_media": False, }, ) def test_no_thumbnail_crop(self) -> None: @@ -571,7 +539,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): @unittest.override_config( { "thumbnail_sizes": [{"width": 32, "height": 32, "method": "crop"}], - "enable_authenticated_media": False, } ) def test_no_thumbnail_scale(self) -> None: @@ -585,11 +552,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): unable_to_thumbnail=self.test_image.unable_to_thumbnail, ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_thumbnail_repeated_thumbnail(self) -> None: """Test that fetching the same thumbnail works, and deleting the on disk thumbnail regenerates it. @@ -673,9 +635,10 @@ class MediaRepoTests(unittest.HomeserverTestCase): params = "?width=32&height=32&method=" + method channel = self.make_request( "GET", - f"/_matrix/media/r0/thumbnail/{self.media_id}{params}", + f"/_matrix/client/v1/media/thumbnail/{self.media_id}{params}", shorthand=False, await_result=False, + access_token=self.access_token, ) self.pump() headers = { @@ -708,7 +671,7 @@ class MediaRepoTests(unittest.HomeserverTestCase): channel.json_body, { "errcode": "M_UNKNOWN", - "error": "Cannot find any thumbnails for the requested media ('/_matrix/media/r0/thumbnail/example.com/12345'). This might mean the media is not a supported_media_format=(image/jpeg, image/jpg, image/webp, image/gif, image/png) or that thumbnailing failed for some other reason. (Dynamic thumbnails are disabled on this server.)", + "error": "Cannot find any thumbnails for the requested media ('/_matrix/client/v1/media/thumbnail/example.com/12345'). This might mean the media is not a supported_media_format=(image/jpeg, image/jpg, image/webp, image/gif, image/png) or that thumbnailing failed for some other reason. (Dynamic thumbnails are disabled on this server.)", }, ) else: @@ -718,7 +681,7 @@ class MediaRepoTests(unittest.HomeserverTestCase): channel.json_body, { "errcode": "M_NOT_FOUND", - "error": "Not found '/_matrix/media/r0/thumbnail/example.com/12345'", + "error": "Not found '/_matrix/client/v1/media/thumbnail/example.com/12345'", }, ) @@ -764,11 +727,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): ) ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_x_robots_tag_header(self) -> None: """ Tests that the `X-Robots-Tag` header is present, which informs web crawlers @@ -782,11 +740,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): [b"noindex, nofollow, noarchive, noimageindex"], ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_cross_origin_resource_policy_header(self) -> None: """ Test that the Cross-Origin-Resource-Policy header is set to "cross-origin" @@ -801,11 +754,6 @@ class MediaRepoTests(unittest.HomeserverTestCase): [b"cross-origin"], ) - @unittest.override_config( - { - "enable_authenticated_media": False, - } - ) def test_unknown_v3_endpoint(self) -> None: """ If the v3 endpoint fails, try the r0 one. @@ -1044,11 +992,6 @@ class RemoteDownloadLimiterTestCase(unittest.HomeserverTestCase): d.callback(52428800) return d - @override_config( - { - "enable_authenticated_media": False, - } - ) @patch( "synapse.http.matrixfederationclient.read_body_with_max_size", read_body_with_max_size_30MiB, @@ -1124,7 +1067,6 @@ class RemoteDownloadLimiterTestCase(unittest.HomeserverTestCase): { "remote_media_download_per_second": "50M", "remote_media_download_burst_count": "50M", - "enable_authenticated_media": False, } ) @patch( @@ -1187,7 +1129,6 @@ class RemoteDownloadLimiterTestCase(unittest.HomeserverTestCase): @override_config( { "remote_media_download_burst_count": "87M", - "enable_authenticated_media": False, } ) @patch( @@ -1229,7 +1170,7 @@ class RemoteDownloadLimiterTestCase(unittest.HomeserverTestCase): ) assert channel2.code == 429 - @override_config({"max_upload_size": "29M", "enable_authenticated_media": False}) + @override_config({"max_upload_size": "29M"}) @patch( "synapse.http.matrixfederationclient.read_body_with_max_size", read_body_with_max_size_30MiB, @@ -1320,11 +1261,6 @@ class MediaHashesTestCase(unittest.HomeserverTestCase): store_media_b.sha256, ) - @override_config( - { - "enable_authenticated_media": False, - } - ) # mock actually reading file body @patch( "synapse.http.matrixfederationclient.read_body_with_max_size", diff --git a/tests/replication/test_multi_media_repo.py b/tests/replication/test_multi_media_repo.py index f36af877c4..6c229c3cbe 100644 --- a/tests/replication/test_multi_media_repo.py +++ b/tests/replication/test_multi_media_repo.py @@ -92,7 +92,7 @@ class MediaRepoShardTestCase(BaseMultiWorkerStreamTestCase): self.reactor, self._hs_to_site[hs], "GET", - f"/_matrix/media/r0/download/{target}/{media_id}", + f"/_matrix/client/v1/media/download/{target}/{media_id}", shorthand=False, access_token=self.access_token, await_result=False, @@ -149,7 +149,6 @@ class MediaRepoShardTestCase(BaseMultiWorkerStreamTestCase): return channel, request - @override_config({"enable_authenticated_media": False}) def test_basic(self) -> None: """Test basic fetching of remote media from a single worker.""" hs1 = self.make_worker_hs("synapse.app.generic_worker") @@ -166,7 +165,6 @@ class MediaRepoShardTestCase(BaseMultiWorkerStreamTestCase): self.assertEqual(channel.code, 200) self.assertEqual(channel.result["body"], b"Hello!") - @override_config({"enable_authenticated_media": False}) def test_download_simple_file_race(self) -> None: """Test that fetching remote media from two different processes at the same time works. @@ -206,7 +204,6 @@ class MediaRepoShardTestCase(BaseMultiWorkerStreamTestCase): # We expect only one new file to have been persisted. self.assertEqual(start_count + 1, self._count_remote_media()) - @override_config({"enable_authenticated_media": False}) def test_download_image_race(self) -> None: """Test that fetching remote *images* from two different processes at the same time works. diff --git a/tests/rest/admin/test_media.py b/tests/rest/admin/test_media.py index da0e9749aa..256128505a 100644 --- a/tests/rest/admin/test_media.py +++ b/tests/rest/admin/test_media.py @@ -127,7 +127,6 @@ class DeleteMediaByIDTestCase(_AdminMediaTests): self.assertEqual(400, channel.code, msg=channel.json_body) self.assertEqual("Can only delete local media", channel.json_body["error"]) - @override_config({"enable_authenticated_media": False}) def test_delete_media(self) -> None: """ Tests that delete a media is successfully @@ -148,7 +147,7 @@ class DeleteMediaByIDTestCase(_AdminMediaTests): # Attempt to access media channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{server_and_media_id}", + f"/_matrix/client/v1/media/download/{server_and_media_id}", shorthand=False, access_token=self.admin_user_tok, ) @@ -185,7 +184,7 @@ class DeleteMediaByIDTestCase(_AdminMediaTests): # Attempt to access media channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{server_and_media_id}", + f"/_matrix/client/v1/media/download/{server_and_media_id}", shorthand=False, access_token=self.admin_user_tok, ) @@ -373,7 +372,6 @@ class DeleteMediaByDateSizeTestCase(_AdminMediaTests): self._access_media(server_and_media_id, False) - @override_config({"enable_authenticated_media": False}) def test_keep_media_by_date(self) -> None: """ Tests that media is not deleted if it is newer than `before_ts` @@ -411,7 +409,6 @@ class DeleteMediaByDateSizeTestCase(_AdminMediaTests): self._access_media(server_and_media_id, False) - @override_config({"enable_authenticated_media": False}) def test_keep_media_by_size(self) -> None: """ Tests that media is not deleted if its size is smaller than or equal @@ -447,7 +444,6 @@ class DeleteMediaByDateSizeTestCase(_AdminMediaTests): self._access_media(server_and_media_id, False) - @override_config({"enable_authenticated_media": False}) def test_keep_media_by_user_avatar(self) -> None: """ Tests that we do not delete media if is used as a user avatar @@ -492,7 +488,6 @@ class DeleteMediaByDateSizeTestCase(_AdminMediaTests): self._access_media(server_and_media_id, False) - @override_config({"enable_authenticated_media": False}) def test_keep_media_by_room_avatar(self) -> None: """ Tests that we do not delete media if it is used as a room avatar @@ -568,7 +563,7 @@ class DeleteMediaByDateSizeTestCase(_AdminMediaTests): channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{server_and_media_id}", + f"/_matrix/client/v1/media/download/{server_and_media_id}", shorthand=False, access_token=self.admin_user_tok, ) diff --git a/tests/rest/client/test_media.py b/tests/rest/client/test_media.py index 7aa1f2406c..5ecc0740bc 100644 --- a/tests/rest/client/test_media.py +++ b/tests/rest/client/test_media.py @@ -2552,7 +2552,6 @@ class AuthenticatedMediaTestCase(unittest.HomeserverTestCase): os.mkdir(self.storage_path) os.mkdir(self.media_store_path) config["media_store_path"] = self.media_store_path - config["enable_authenticated_media"] = True provider_config = { "module": "synapse.media.storage_provider.FileStorageProviderBackend", diff --git a/tests/rest/media/test_domain_blocking.py b/tests/rest/media/test_domain_blocking.py index 26453f70dd..c7455cc46d 100644 --- a/tests/rest/media/test_domain_blocking.py +++ b/tests/rest/media/test_domain_blocking.py @@ -93,7 +93,6 @@ class MediaDomainBlockingTests(unittest.HomeserverTestCase): # Disable downloads from a domain we won't be requesting downloads from. # This proves we haven't broken anything. "prevent_media_downloads_from": ["not-listed.com"], - "enable_authenticated_media": False, } ) def test_remote_media_normally_unblocked(self) -> None: @@ -101,10 +100,14 @@ class MediaDomainBlockingTests(unittest.HomeserverTestCase): Tests to ensure that remote media is normally able to be downloaded when no domain block is in place. """ + self.register_user("user", "password") + access_token = self.login("user", "password") + response = self.make_request( "GET", - f"/_matrix/media/v3/download/evil.com/{self.remote_media_id}", + f"/_matrix/client/v1/media/download/evil.com/{self.remote_media_id}", shorthand=False, + access_token=access_token, ) self.assertEqual(response.code, 200) @@ -134,16 +137,19 @@ class MediaDomainBlockingTests(unittest.HomeserverTestCase): # This proves we haven't broken anything. "prevent_media_downloads_from": ["not-listed.com"], "dynamic_thumbnails": True, - "enable_authenticated_media": False, } ) def test_remote_media_thumbnail_normally_unblocked(self) -> None: """ Same test as test_remote_media_normally_unblocked but for thumbnails. """ + self.register_user("user", "password") + access_token = self.login("user", "password") + response = self.make_request( "GET", - f"/_matrix/media/v3/thumbnail/evil.com/{self.remote_media_id}?width=100&height=100", + f"/_matrix/client/v1/media/thumbnail/evil.com/{self.remote_media_id}?width=100&height=100", shorthand=False, + access_token=access_token, ) self.assertEqual(response.code, 200) diff --git a/tests/rest/media/test_url_preview.py b/tests/rest/media/test_url_preview.py index 2a7bee19f9..f8b97cf3d4 100644 --- a/tests/rest/media/test_url_preview.py +++ b/tests/rest/media/test_url_preview.py @@ -1260,11 +1260,13 @@ class URLPreviewTests(unittest.HomeserverTestCase): self.assertIsNone(_port) return host, media_id - @override_config({"enable_authenticated_media": False}) def test_storage_providers_exclude_files(self) -> None: """Test that files are not stored in or fetched from storage providers.""" host, media_id = self._download_image() + self.register_user("user", "password") + access_token = self.login("user", "password") + rel_file_path = self.media_repo.filepaths.url_cache_filepath_rel(media_id) media_store_path = os.path.join(self.media_store_path, rel_file_path) storage_provider_path = os.path.join(self.storage_path, rel_file_path) @@ -1279,9 +1281,10 @@ class URLPreviewTests(unittest.HomeserverTestCase): # Check fetching channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{host}/{media_id}", + f"/_matrix/client/v1/media/download/{host}/{media_id}", shorthand=False, await_result=False, + access_token=access_token, ) self.pump() self.assertEqual(channel.code, 200) @@ -1292,9 +1295,10 @@ class URLPreviewTests(unittest.HomeserverTestCase): channel = self.make_request( "GET", - f"/_matrix/media/v3/download/{host}/{media_id}", + f"/_matrix/client/v1/media/download/{host}/{media_id}", shorthand=False, await_result=False, + access_token=access_token, ) self.pump() self.assertEqual( @@ -1303,11 +1307,13 @@ class URLPreviewTests(unittest.HomeserverTestCase): "URL cache file was unexpectedly retrieved from a storage provider", ) - @override_config({"enable_authenticated_media": False}) def test_storage_providers_exclude_thumbnails(self) -> None: """Test that thumbnails are not stored in or fetched from storage providers.""" host, media_id = self._download_image() + self.register_user("user", "password") + access_token = self.login("user", "password") + rel_thumbnail_path = ( self.media_repo.filepaths.url_cache_thumbnail_directory_rel(media_id) ) @@ -1328,9 +1334,10 @@ class URLPreviewTests(unittest.HomeserverTestCase): # Check fetching channel = self.make_request( "GET", - f"/_matrix/media/v3/thumbnail/{host}/{media_id}?width=32&height=32&method=scale", + f"/_matrix/client/v1/media/thumbnail/{host}/{media_id}?width=32&height=32&method=scale", shorthand=False, await_result=False, + access_token=access_token, ) self.pump() self.assertEqual(channel.code, 200) @@ -1346,9 +1353,10 @@ class URLPreviewTests(unittest.HomeserverTestCase): channel = self.make_request( "GET", - f"/_matrix/media/v3/thumbnail/{host}/{media_id}?width=32&height=32&method=scale", + f"/_matrix/client/v1/media/thumbnail/{host}/{media_id}?width=32&height=32&method=scale", shorthand=False, await_result=False, + access_token=access_token, ) self.pump() self.assertEqual(