Skip to content

Encrypted content (64-byte references) is unservable — gateway truncates the reference to 32 bytes #23

Description

@darkobas2

Content uploaded with encrypt: true gets a 64-byte Bee reference (128 hex = 32-byte address + 32-byte decryption key). swarm-gateway can't serve it:

  • Requesting /bzz/<128-hex-ref>/302 to /forbidden, and the redirect carries only the first 64 hex (the address half). So the allow-rule lookup runs against the truncated 32-byte address — an allow rule for the full 128-hex reference never matches.
  • Even adding an allow rule for the 32-byte address half doesn't render it: the decryption key has been dropped, so Bee can't decrypt (400 / not found).

The same content is served correctly straight from the Bee API using the full 64-byte reference, so the upload is fine — the gateway is dropping the key half of the reference.

Expected: treat the full 64-byte reference as the identity for both the allow-rule check and the upstream Bee request, so encrypted content can be allowlisted and served.

Related (possibly bee-js / Bee, not this repo): a Swarm feed whose update points to an encrypted reference fails to resolve — bzz download: feed pointing to the wrapped chunk not found (and address not found or incorrect directly from the Bee API). This looks like the feed update may store only the 32-byte address (dropping the key) when written via bee-js write-feed, so the feed half may belong in bee-js/bee rather than swarm-gateway.

Version: swarm-gateway 0.1.6

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions