Make OPTIONS method on MSC3916 endpoints available without authentica…

…tion. OPTIONS method is usually sent by browser in preflight requests, most of the time we cannot control preflight request to add auth header. Synapse will return a 204 response directly without authentication for those OPTIONS method. According to firefox's documentation, both 200 and 204 are acceptable so I think there is no need to change handler in dendrite. This closes #3424 No need to add a test because this is just a fix and I have tested on my Cinny Web client personally. Signed-off-by: arenekosreal <17194552+arenekosreal@users.noreply.github.com>
matrix-org · Sep 20, 2024 · 0a5b7a0 · 0a5b7a0
1 parent f2db7cb
commit 0a5b7a0
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go
@@ -106,13 +106,19 @@ func Setup(
 
 	// v1 client endpoints requiring auth
 	downloadHandlerAuthed := httputil.MakeHTTPAPI("download", userAPI, cfg.Global.Metrics.Enabled, makeDownloadAPI("download_authed_client", &cfg.MediaAPI, rateLimits, db, client, federationClient, activeRemoteRequests, activeThumbnailGeneration, false), httputil.WithAuth())
+	downloadHandlerUnauthed := httputil.MakeHTTPAPI("download", userAPI, cfg.Global.Metrics.Enabled, makeDownloadAPI("download_unauthed_client", &cfg.MediaAPI, rateLimits, db, client, federationClient, activeRemoteRequests, activeThumbnailGeneration, false))
 	v1mux.Handle("/config", configHandler).Methods(http.MethodGet, http.MethodOptions)
-	v1mux.Handle("/download/{serverName}/{mediaId}", downloadHandlerAuthed).Methods(http.MethodGet, http.MethodOptions)
-	v1mux.Handle("/download/{serverName}/{mediaId}/{downloadName}", downloadHandlerAuthed).Methods(http.MethodGet, http.MethodOptions)
+	v1mux.Handle("/download/{serverName}/{mediaId}", downloadHandlerUnauthed).Methods(http.MethodOptions)
+	v1mux.Handle("/download/{serverName}/{mediaId}", downloadHandlerAuthed).Methods(http.MethodGet)
+	v1mux.Handle("/download/{serverName}/{mediaId}/{downloadName}", downloadHandlerUnauthed).Methods(http.MethodOptions)
+	v1mux.Handle("/download/{serverName}/{mediaId}/{downloadName}", downloadHandlerAuthed).Methods(http.MethodGet)
 
+	v1mux.Handle("/thumbnail/{serverName}/{mediaId}",
+		httputil.MakeHTTPAPI("thumbnail", userAPI, cfg.Global.Metrics.Enabled, makeDownloadAPI("thumbnail_unauthed_client", &cfg.MediaAPI, rateLimits, db, client, federationClient, activeRemoteRequests, activeThumbnailGeneration, false)),
+	).Methods(http.MethodOptions)
 	v1mux.Handle("/thumbnail/{serverName}/{mediaId}",
 		httputil.MakeHTTPAPI("thumbnail", userAPI, cfg.Global.Metrics.Enabled, makeDownloadAPI("thumbnail_authed_client", &cfg.MediaAPI, rateLimits, db, client, federationClient, activeRemoteRequests, activeThumbnailGeneration, false), httputil.WithAuth()),
-	).Methods(http.MethodGet, http.MethodOptions)
+	).Methods(http.MethodGet)
 
 	// same, but for federation
 	v1fedMux.Handle("/download/{mediaId}", routing.MakeFedHTTPAPI(cfg.Global.ServerName, cfg.Global.IsLocalServerName, keyRing,