🛂 Authorized required to access large file

pkg/internal/server/api/attachments_api.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/samber/lo"
 	"github.com/spf13/viper"
 
 	"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
@@ -40,10 +41,21 @@ func openAttachment(c *fiber.Ctx) error {
 
 	var err error
 	var url, mimetype string
+	var filesize int64
+	size := lo.Ternary(c.QueryBool("preview", true), 1024, -1)
 	if len(region) > 0 {
-		url, mimetype, err = services.OpenAttachmentByRID(id, c.QueryBool("preview", true), region)
+		url, filesize, mimetype, err = services.OpenAttachmentByRID(id, size, region)
 	} else {
-		url, mimetype, err = services.OpenAttachmentByRID(id, c.QueryBool("preview", true))
+		url, filesize, mimetype, err = services.OpenAttachmentByRID(id, size)
+	}
+
+	authenticated := false
+	if err := sec.EnsureAuthenticated(c); err == nil {
+		authenticated = true
+	}
+
+	if filesize > viper.GetInt64("traffic.maximum_size") && !authenticated {
+		return fiber.NewError(fiber.StatusForbidden, "file is too large, you need authorized to access")
 	}
 
 	if err != nil {

pkg/internal/server/api/stickers_api.go

@@ -43,9 +43,9 @@ func openStickerByAlias(c *fiber.Ctx) error {
 
 	var url, mimetype string
 	if len(region) > 0 {
-		url, mimetype, err = services.OpenAttachmentByRID(sticker.Attachment.Rid, true, region)
+		url, _, mimetype, err = services.OpenAttachmentByRID(sticker.Attachment.Rid, 256, region)
 	} else {
-		url, mimetype, err = services.OpenAttachmentByRID(sticker.Attachment.Rid, true)
+		url, _, mimetype, err = services.OpenAttachmentByRID(sticker.Attachment.Rid, 288)
 	}
 
 	if err != nil {

pkg/internal/services/opener.go

@@ -7,6 +7,7 @@ import (
 	"math/rand/v2"
 	nurl "net/url"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"git.solsynth.dev/hypernet/nexus/pkg/nex/cachekit"
@@ -28,7 +29,7 @@ func KgAttachmentOpenCache(rid string) string {
 	return fmt.Sprintf("attachment-open#%s", rid)
 }
 
-func OpenAttachmentByRID(rid string, preview bool, region ...string) (url string, mimetype string, err error) {
+func OpenAttachmentByRID(rid string, preferredSize int, region ...string) (url string, filesize int64, mimetype string, err error) {
 	var result *openAttachmentResult
 	if val, err := cachekit.Get[openAttachmentResult](
 		gap.Ca,
@@ -65,6 +66,8 @@ func OpenAttachmentByRID(rid string, preview bool, region ...string) (url string
 		mimetype = result.Attachment.MimeType
 	}
 
+	filesize = result.Attachment.Size
+
 	var dest models.BaseDestination
 	var rawDest []byte
 
@@ -138,15 +141,17 @@ func OpenAttachmentByRID(rid string, preview bool, region ...string) (url string
 				nurl.QueryEscape(filepath.Join(destConfigured.Path, result.Attachment.Uuid)),
 			)
 		}
-		if len(destConfigured.ImageProxyURL) > 0 && preview {
-			size := viper.GetInt("imageproxy.size")
-			url = fmt.Sprintf(
-				"%s/%dx%d,fit/%s",
-				destConfigured.ImageProxyURL,
-				size,
-				size,
-				url,
-			)
+		if strings.HasPrefix(mimetype, "image") && filesize >= viper.GetInt64("traffic.minimum_size") {
+			if len(destConfigured.ImageProxyURL) > 0 && preferredSize > 0 {
+				url = fmt.Sprintf(
+					"%s/%dx%d,fit/%s",
+					destConfigured.ImageProxyURL,
+					preferredSize,
+					preferredSize,
+					url,
+				)
+				filesize = int64(preferredSize * preferredSize)
+			}
 		}
 		return
 	default:

settings.toml

@@ -27,8 +27,9 @@ path = "uploads/permanent"
 access_baseurl = "http://192.168.50.133:8004"
 image_proxy_baseurl = "https://io.sn.solsynth.dev"
 
-[imageproxy]
-size = 1024
+[traffic]
+maximum_size = 20971520
+minimum_size = 1048576
 
 [security]
 internal_public_key = "keys/internal_public_key.pem"