Conversation

Notices

1. Embed this notice
   silverpill (silverpill@mitra.social)'s status on Friday, 06-Dec-2024 21:48:35 JST silverpill

   @helge Apparently Streams has some mechanism for protecting attachments. Media URLs in non-public posts look like this:

   https://{domain}/photo/{filename}.jpg?token={token}

   I don't know how exactly it works, but I assume this token somehow encodes post's audience and the server verifies that HTTP signature on GET request is created by an actor who is part of that audience.

   • Embed this notice
     silverpill (silverpill@mitra.social)'s status on Saturday, 07-Dec-2024 02:55:43 JST silverpill

     in reply to

     • Alexandre Hannud Abdo

     @aleabdo I came up with the theory about audience when I noticed that URLs of public images (like profile pictures) don't have a token. But maybe this is due to some other reason.

   • Embed this notice
     Alexandre Hannud Abdo (aleabdo@hubzilla.com.br)'s status on Saturday, 07-Dec-2024 02:56:16 JST Alexandre Hannud Abdo

     in reply to
     @silverpill IIRR at least in Hubzilla that token is just part of OpenWebAuth's "magic authentication". Where I guess the token contains info about which instance(s?) to contact in order to verify your identity. The audience is kept in the media server(s) database and sync'ed between clones.