Content uploaded with encrypt: true gets a 64-byte Bee reference (128 hex = 32-byte address + 32-byte decryption key). swarm-gateway can't serve it:
- Requesting /bzz/<128-hex-ref>/ → 302 to /forbidden, and the redirect carries only the first 64 hex (the address half). So the allow-rule lookup runs against the truncated 32-byte address — an allow rule for the full 128-hex reference never matches.
- Even adding an allow rule for the 32-byte address half doesn't render it: the decryption key has been dropped, so Bee can't decrypt (400 / not found).
The same content is served correctly straight from the Bee API using the full 64-byte reference, so the upload is fine — the gateway is dropping the key half of the reference.
Expected: treat the full 64-byte reference as the identity for both the allow-rule check and the upstream Bee request, so encrypted content can be allowlisted and served.
Related (possibly bee-js / Bee, not this repo): a Swarm feed whose update points to an encrypted reference fails to resolve — bzz download: feed pointing to the wrapped chunk not found (and address not found or incorrect directly from the Bee API). This looks like the feed update may store only the 32-byte address (dropping the key) when written via bee-js write-feed, so the feed half may belong in bee-js/bee rather than swarm-gateway.
Version: swarm-gateway 0.1.6
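
An added example, not part of the original report and not swarm-gateway's code: a sketch of the expected behaviour, where the full 128-hex reference is kept for both the allow-rule lookup and the upstream Bee URL, beside a truncating parser that models the reported symptom. The function names, the Set-based allowlist, the Bee API host and the sample reference are assumptions constructed for illustration.

```javascript
// Illustration only: names and allowlist shape are hypothetical.
const ADDRESS_HEX = 64;    // 32-byte address
const ENCRYPTED_HEX = 128; // 32-byte address + 32-byte decryption key

// Parse "/bzz/<ref>/<path>" and keep the reference at its full length.
function parseBzzPath(urlPath) {
  const m = /^\/bzz\/([0-9a-fA-F]+)(\/.*)?$/.exec(urlPath);
  if (!m) return null;
  const ref = m[1].toLowerCase();
  // Reject anything that is neither a plain nor an encrypted reference.
  if (ref.length !== ADDRESS_HEX && ref.length !== ENCRYPTED_HEX) return null;
  return {
    reference: ref,                       // identity for rules and upstream
    address: ref.slice(0, ADDRESS_HEX),   // address half only
    encrypted: ref.length === ENCRYPTED_HEX,
    subPath: m[2] || '/',
  };
}

// Models the reported symptom: only the first 64 hex survive parsing.
function parseBzzPathTruncating(urlPath) {
  const m = /^\/bzz\/([0-9a-fA-F]{64})/.exec(urlPath);
  return m ? { reference: m[1].toLowerCase(), subPath: '/' } : null;
}

// Allow-rule check keyed on whatever reference the parser produced.
function isAllowed(allowlist, parsed) {
  return parsed !== null && allowlist.has(parsed.reference);
}

// Upstream request must carry the same full reference so Bee can decrypt.
function upstreamUrl(beeApi, parsed) {
  return `${beeApi}/bzz/${parsed.reference}${parsed.subPath}`;
}

// Constructed sample values (not real content).
const sampleAddress = 'a1'.repeat(32);
const sampleKey = 'b2'.repeat(32);
const sampleRef = sampleAddress + sampleKey;
const allowlist = new Set([sampleRef]); // rule written for the full 128-hex ref

const full = parseBzzPath(`/bzz/${sampleRef}/`);
const cut = parseBzzPathTruncating(`/bzz/${sampleRef}/`);
console.log('full ref allowed:', isAllowed(allowlist, full));      // rule matches
console.log('truncated ref allowed:', isAllowed(allowlist, cut));  // rule never matches
console.log('upstream:', upstreamUrl('http://bee.example:1633', full));
```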