🔒 Make downloading media API authenticated.

Author: Danieloni1

api/routes.go

@@ -32,7 +32,7 @@ func buildRoutes() http.Handler {
 	// Standard (spec) features
 	register([]string{"PUT"}, PrefixMedia, "upload/:server/:mediaId", mxV3, router, makeRoute(_routers.RequireAccessToken(r0.UploadMediaAsync), "upload_async", counter))
 	register([]string{"POST"}, PrefixMedia, "upload", mxSpecV3Transition, router, makeRoute(_routers.RequireAccessToken(r0.UploadMediaSync), "upload", counter))
-	downloadRoute := makeRoute(_routers.OptionalAccessToken(r0.DownloadMedia), "download", counter)
+	downloadRoute := makeRoute(_routers.RequireAccessToken(r0.DownloadMedia), "download", counter)
 	register([]string{"GET"}, PrefixMedia, "download/:server/:mediaId/:filename", mxSpecV3Transition, router, downloadRoute)
 	register([]string{"GET"}, PrefixMedia, "download/:server/:mediaId", mxSpecV3Transition, router, downloadRoute)
 	register([]string{"GET"}, PrefixMedia, "thumbnail/:server/:mediaId", mxSpecV3Transition, router, makeRoute(_routers.OptionalAccessToken(r0.ThumbnailMedia), "thumbnail", counter))

test/upload_suite_test.go

@@ -45,10 +45,10 @@ func (s *UploadTestSuite) TestUpload() {
 
 	client1 := s.deps.Homeservers[0].UnprivilegedUsers[0].WithCsUrl(s.deps.Machines[0].HttpUrl)
 	client2 := &test_internals.MatrixClient{
-		ClientServerUrl: s.deps.Machines[1].HttpUrl,       // deliberately the second machine
-		ServerName:      s.deps.Homeservers[1].ServerName, // deliberately the second machine
-		AccessToken:     "",                               // no auth for downloads
-		UserId:          "",                               // no auth for downloads
+		ClientServerUrl: s.deps.Machines[1].HttpUrl,                             // deliberately the second machine
+		ServerName:      s.deps.Homeservers[1].ServerName,                       // deliberately the second machine
+		AccessToken:     s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken, // GK CUSTOMIZATION: auth for downloads
+		UserId:          s.deps.Homeservers[1].UnprivilegedUsers[0].UserId,      // GK CUSTOMIZATION: auth for downloads
 	}
 
 	contentType, img, err := test_internals.MakeTestImage(512, 512)
@@ -256,10 +256,10 @@ func (s *UploadTestSuite) TestUploadAsyncFlow() {
 
 	client1 := s.deps.Homeservers[0].UnprivilegedUsers[0].WithCsUrl(s.deps.Machines[0].HttpUrl)
 	client2 := &test_internals.MatrixClient{
-		ClientServerUrl: s.deps.Machines[1].HttpUrl,       // deliberately the second machine
-		ServerName:      s.deps.Homeservers[1].ServerName, // deliberately the second machine
-		AccessToken:     "",                               // no auth for downloads
-		UserId:          "",                               // no auth for downloads
+		ClientServerUrl: s.deps.Machines[1].HttpUrl,                             // deliberately the second machine
+		ServerName:      s.deps.Homeservers[1].ServerName,                       // deliberately the second machine
+		AccessToken:     s.deps.Homeservers[1].UnprivilegedUsers[0].AccessToken, // GK CUSTOMIZATION: auth for downloads
+		UserId:          s.deps.Homeservers[1].UnprivilegedUsers[0].UserId,      // GK CUSTOMIZATION: auth for downloads
 	}
 
 	contentType, img, err := test_internals.MakeTestImage(512, 512)