!JiiOHXrIUCtcOJsZCa:matrix.org

nio

342 Members
The nio matrix python library | Latest stable release 0.25.2 | https://pypi.org/project/matrix-nio/ | Documentation: https://matrix-nio.readthedocs.io/en/stable/133 Servers

Load older messages

SenderMessageTime
7 Sep 2024
@timegrid:matrix.c3s.ccAlex

for moment it will be ok, i already made an MR to remove the sharing functionality. i'm just thinking of the others

13:17:59
@nex:nexy7574.co.uknex (she/it)See, in the context of bridges, they've got to just find another way to share the media, usually by proxying it themselves. For example, the mautrix-discord bridge requires that you expose part of the appservice to a reverse proxy in order to get matrix avatars to show in the discord webhooks. If the access token is stripped from these URLs, without viewing them from a logged in client, sharing them wouldn't work anyway13:44:21
@nex:nexy7574.co.uknex (she/it)I apologise if that sounds stubborn but I don't see a way that directly sharing the resulting HTTP URL can be useful in many cases anymore for home servers with authenticated media13:44:53
@nex:nexy7574.co.uknex (she/it)A flag to force unauthenticated media is definitely an option though, although mileage may vary regardless13:45:47
@nex:nexy7574.co.uknex (she/it)Honestly, might it be worth considering #511 a blocker for this, given the security implications? Rather than trying to hack a way around it?13:46:48
@tulir:maunium.nettulirwhy don't you just add the header in the send function that makes the http request, rather than immediately making breaking changes and refactoring all methods to return a map of headers?13:51:55
@timegrid:matrix.c3s.ccAlex

i also don't find sharing useful, but i have to live with the fact, that moment implemented a function for it and users might use it for whatever reason :P

13:52:01
@timegrid:matrix.c3s.ccAlexblocking kind of makes sense, but would be unfortunate, as media in moment will be broken until then13:52:23
@nex:nexy7574.co.uknex (she/it)
In reply to @tulir:maunium.net
why don't you just add the header in the send function that makes the http request, rather than immediately making breaking changes and refactoring all methods to return a map of headers?
As in, to all requests? 		13:52:36
@nex:nexy7574.co.uknex (she/it)afaik the access token is only added to requests that actually need it13:52:54
@tulir:maunium.nettulir
In reply to @nex:nexy7574.co.uk
afaik the access token is only added to requests that actually need it
there are only a couple of requests that don't need it, but if you wanted to be correct, you could have the send method move the access token from query to header 		13:55:16
@tulir:maunium.nettulirmy libraries just send access token always if they have it, no reason not to13:55:52
@nex:nexy7574.co.uknex (she/it)I figured that explicitly sending it for specific endpoints was a deliberate choice but honestly if there's only a few endpoints that don't actually need it I can't see it doing any harm13:56:49
@timegrid:matrix.c3s.ccAlexeven then one could probably hardcode a small list of endpoints to exclude14:00:56
@timegrid:matrix.c3s.ccAlex

but i can't think of any concerns against it either

14:02:09
@tulir:maunium.nettulirI think the list of endpoints is basically anything related to login and register (including things like forgetting passwords), but generally you don't have an access token at all when calling those14:04:17
@tulir:maunium.nettulirpreviously media and /_matrix/client/versions didn't need access tokens, but now media requires them and /versions optionally accepts them (servers can enable features per user)14:04:45
@tulir:maunium.nettulirresolving room aliases, querying user profiles and viewing room directory is marked as not requiring auth in the spec, but that's just the spec lying, because in practice some servers do require auth (the spec is missing a concept of "doesn't require auth by default, but the server can choose to require auth")14:06:13
@timegrid:matrix.c3s.ccAlex

but servers wouldn't deny a request with an unspecified auth header present, would they?

14:14:23
@tulir:maunium.nettulirfor login and register they might deny it (because appservices do actually login/register with a token)14:16:12
@tulir:maunium.nettulirbut for calling those it's probably better to just make a new nio client instance that doesn't have a token14:16:48
@nex:nexy7574.co.uknex (she/it)I don't think nio supports appservices anyway14:17:20
@nex:nexy7574.co.uknex (she/it)Might be mistaken though, never really looked into them14:17:39
@timegrid:matrix.c3s.ccAlex

actually, patching AsyncClient._send() seems to work out of the box for moment. no problems with logins / media (on first sight at least).
the poc based on the current pull request:

diff --git a/src/nio/client/async_client.py b/src/nio/client/async_client.py
index 712f17e..e2da743 100644
--- a/src/nio/client/async_client.py
+++ b/src/nio/client/async_client.py
@@ -799,6 +799,18 @@ class AsyncClient(Client):
             if content_type
             else {"Content-Type": "application/json"}
         )
+        if self.access_token:
+            # add header
+            headers['Authorization'] = f"Bearer {self.access_token}"
+            # remove access token in query string
+            from urllib.parse import urlencode, urlunparse, parse_qs
+            url = list(urlparse(path))
+            qs = parse_qs(url[4])
+            if "access_token" in qs:
+                del(qs["access_token"])
+            url[4] = urlencode(qs, doseq=True)
+            path = urlunparse(url)
+        print(f"{method}: {path}")

         if content_length is not None:
             headers["Content-Length"] = str(content_length)
15:58:51
@nex:nexy7574.co.uknex (she/it)I'll test that with my client to double check but I can't forsee there being any issues17:00:08
@timegrid:matrix.c3s.ccAlex

also added the patch to my normal client i'm using now. so far no problems/errors (beyond broken avatars due to old servers not supporting the authenticated media api yet, but that's not resolvable without adding complexity like e.g. a retry with the old api on fail)

17:09:31
@nex:nexy7574.co.uknex (she/it)I actually had an idea at one point to query /_matrix/client/versions before using authed media to see if >1.11 was supported, but I couldn't figure out how to do that without requiring another network request (aside from caching it on first sync or something like that)17:22:09
@tulir:maunium.nettulir
In reply to @nex:nexy7574.co.uk
I actually had an idea at one point to query /_matrix/client/versions before using authed media to see if >1.11 was supported, but I couldn't figure out how to do that without requiring another network request (aside from caching it on first sync or something like that)
are there any benefits to the sans-io architecture or does it just make everything harder? :P 		17:26:11
@timegrid:matrix.c3s.ccAlexsorry, i was confused. maybe the client-server api is not the reason, but the server-server api. or maybe the errors are totally unrelated17:32:20
@timegrid:matrix.c3s.ccAlex

i don't know enough about what happens under the hood to resolve this confusion, probably it does not matter anyway, but i'm refering to those messages:

GET: /_matrix/client/v1/media/thumbnail/<OTHERSERVER>/<ID>?width=14&height=14&method=scale&allow_remote=true
~ 18:28:33 | Error retrieving mxc://<OTHERSERVER>/<ID> (user_<USERID>): MatrixError 404,,invalid content type: application/json,{"errcode":"M_UNRECOGNIZED","error":"Unrecognized request"}

i assume, that using the new api, the server also tries to request the thumbnail from the other server and fails

17:41:05

Show newer messages

Back to Room ListRoom Version: 4