3 files changed, 49 insertions, 14 deletions
diff --git a/data.c b/data.c
index c119360..d42f9c8 100644
--- a/data.c
+++ b/data.c
@@ -12,6 +12,7 @@
 #include "xs_regex.h"
 #include "xs_match.h"
 #include "xs_unicode.h"
+#include "xs_random.h"
 #include "snac.h"
@@ -164,6 +165,23 @@ int srv_open(const char *basedir, int auto_upgrade)
        write_default_css();
    }
+    /* if proxy_media is set but there is no token seed, create one */
+    if (xs_is_true(xs_dict_get(srv_config, "proxy_media")) &&
+        xs_is_null(xs_dict_get(srv_config, "proxy_token_seed"))) {
+        char rnd[16];
+        xs_rnd_buf(rnd, sizeof(rnd));
+        xs *pts = xs_hex_enc(rnd, sizeof(rnd));
+        xs_dict_set(srv_config, "proxy_token_seed", pts);
+        if ((f = fopen(cfg_file, "w")) != NULL) {
+            xs_json_dump(srv_config, 4, f);
+            fclose(f);
+            srv_log(xs_fmt("Created proxy_token_seed"));
+        }
+    }
    return ret;
 }
@@ -3652,13 +3670,13 @@ t_announcement *announcement(const double after)
 }
-xs_str *make_url(const char *href, const char *proxy)
+xs_str *make_url(const char *href, const char *proxy, int by_token)
 /* makes an URL, possibly including proxying */
 {
    xs_str *url = NULL;
    if (proxy && !xs_startswith(href, srv_baseurl)) {
-        xs *p = xs_str_cat(xs_dup(proxy), "/proxy/");
+        xs *p = xs_str_cat(xs_dup(proxy), "/x/");
        url = xs_replace(href, "https:/" "/", p);
    }
    else
diff --git a/html.c b/html.c
index dbe8ae2..ce4c0a8 100644
--- a/html.c
+++ b/html.c
@@ -70,7 +70,7 @@ xs_str *replace_shortnames(xs_str *s, const xs_list *tag, int ems, const char *p
                if (n && i) {
                    const char *u = xs_dict_get(i, "url");
-                    xs *url = make_url(u, proxy);
+                    xs *url = make_url(u, proxy, 0);
                    xs_html *img = xs_html_sctag("img",
                        xs_html_attr("loading", "lazy"),
@@ -122,7 +122,7 @@ xs_html *html_actor_icon(snac *user, xs_dict *actor, const char *date,
            v = xs_list_get(v, 0);
        if ((v = xs_dict_get(v, "url")) != NULL)
-            avatar = make_url(v, proxy);
+            avatar = make_url(v, proxy, 0);
    }
    if (avatar == NULL)
@@ -1973,7 +1973,7 @@ xs_html *html_entry(snac *user, xs_dict *msg, int read_only,
            if (content && xs_str_in(content, o_href) != -1)
                continue;
-            xs *href = make_url(o_href, proxy);
+            xs *href = make_url(o_href, proxy, 0);
            if (xs_startswith(type, "image/") || strcmp(type, "Image") == 0) {
                xs_html_add(content_attachments,
@@ -2788,7 +2788,7 @@ int html_get_handler(const xs_dict *req, const char *q_path,
    const char *p_path;
    int cache = 1;
    int save = 1;
-    const char *proxy = NULL;
+    int proxy = 0;
    const char *v;
    xs *l = xs_split_n(q_path, "/", 2);
@@ -2816,7 +2816,7 @@ int html_get_handler(const xs_dict *req, const char *q_path,
    }
    if (xs_is_true(xs_dict_get(srv_config, "proxy_media")))
-        proxy = snac.actor;
+        proxy = 1;
    /* return the RSS if requested by Accept header */
    if (accept != NULL) {
@@ -3194,19 +3194,36 @@ int html_get_handler(const xs_dict *req, const char *q_path,
        snac_debug(&snac, 1, xs_fmt("serving RSS"));
    }
    else
-    if (xs_startswith(p_path, "proxy/") && proxy) { /** remote media by proxy **/
+    if (proxy && (xs_startswith(p_path, "x/") || xs_startswith(p_path, "y/"))) { /** remote media by proxy **/
-        if (!login(&snac, req)) {
+        xs *proxy_prefix = NULL;
-            *body  = xs_dup(uid);
-            status = HTTP_STATUS_UNAUTHORIZED;
+        if (xs_startswith(p_path, "x/")) {
+            /* proxy usage authorized by http basic auth */
+            if (login(&snac, req))
+                proxy_prefix = xs_str_new("x/");
+            else {
+                *body  = xs_dup(uid);
+                status = HTTP_STATUS_UNAUTHORIZED;
+            }
        }
        else {
+            /* proxy usage authorized by proxy_token */
+            xs *tks = xs_fmt("%s:%s", xs_dict_get(srv_config, "proxy_token_seed"), snac.actor);
+            xs *tk = xs_md5_hex(tks, strlen(tks));
+            xs *p = xs_fmt("y/%s/", tk);
+            if (xs_startswith(p_path, p))
+                proxy_prefix = xs_dup(p);
+        }
+        if (proxy_prefix) {
            /* pick the raw path (including optional ? arguments) */
            const char *raw_path = xs_dict_get(req, "raw_path");
            /* skip to where the proxy/ string starts */
-            raw_path += xs_str_in(raw_path, "proxy/");
+            raw_path += xs_str_in(raw_path, proxy_prefix);
-            xs *url = xs_replace(raw_path, "proxy/", "https:/" "/");
+            xs *url = xs_replace(raw_path, proxy_prefix, "https:/" "/");
            xs *hdrs = xs_dict_new();
            hdrs = xs_dict_append(hdrs, "user-agent", USER_AGENT);
diff --git a/snac.h b/snac.h
index d893863..9658fc9 100644
--- a/snac.h
+++ b/snac.h
@@ -411,4 +411,4 @@ typedef struct {
 } t_announcement;
 t_announcement *announcement(double after);
-xs_str *make_url(const char *href, const char *proxy);
+xs_str *make_url(const char *href, const char *proxy, int by_token);

diff --git a/data.c b/data.c index c119360..d42f9c8 100644 --- a/data.c +++ b/data.c
@@ -12,6 +12,7 @@
12	#include "xs_regex.h"	12	#include "xs_regex.h"
13	#include "xs_match.h"	13	#include "xs_match.h"
14	#include "xs_unicode.h"	14	#include "xs_unicode.h"
		15	#include "xs_random.h"
15		16
16	#include "snac.h"	17	#include "snac.h"
17		18
@@ -164,6 +165,23 @@ int srv_open(const char *basedir, int auto_upgrade)
164	write_default_css();	165	write_default_css();
165	}	166	}
166		167
		168	/* if proxy_media is set but there is no token seed, create one */
		169	if (xs_is_true(xs_dict_get(srv_config, "proxy_media")) &&
		170	xs_is_null(xs_dict_get(srv_config, "proxy_token_seed"))) {
		171	char rnd[16];
		172	xs_rnd_buf(rnd, sizeof(rnd));
		173	xs *pts = xs_hex_enc(rnd, sizeof(rnd));
		174
		175	xs_dict_set(srv_config, "proxy_token_seed", pts);
		176
		177	if ((f = fopen(cfg_file, "w")) != NULL) {
		178	xs_json_dump(srv_config, 4, f);
		179	fclose(f);
		180
		181	srv_log(xs_fmt("Created proxy_token_seed"));
		182	}
		183	}
		184
167	return ret;	185	return ret;
168	}	186	}
169		187
@@ -3652,13 +3670,13 @@ t_announcement *announcement(const double after)
3652	}	3670	}
3653		3671
3654		3672
3655	xs_str make_url(const char href, const char *proxy)	3673	xs_str make_url(const char href, const char *proxy, int by_token)
3656	/* makes an URL, possibly including proxying */	3674	/* makes an URL, possibly including proxying */
3657	{	3675	{
3658	xs_str *url = NULL;	3676	xs_str *url = NULL;
3659		3677
3660	if (proxy && !xs_startswith(href, srv_baseurl)) {	3678	if (proxy && !xs_startswith(href, srv_baseurl)) {
3661	xs *p = xs_str_cat(xs_dup(proxy), "/proxy/");	3679	xs *p = xs_str_cat(xs_dup(proxy), "/x/");
3662	url = xs_replace(href, "https:/" "/", p);	3680	url = xs_replace(href, "https:/" "/", p);
3663	}	3681	}
3664	else	3682	else


diff --git a/html.c b/html.c index dbe8ae2..ce4c0a8 100644 --- a/html.c +++ b/html.c
@@ -70,7 +70,7 @@ xs_str replace_shortnames(xs_str s, const xs_list tag, int ems, const char p
70		70
71	if (n && i) {	71	if (n && i) {
72	const char *u = xs_dict_get(i, "url");	72	const char *u = xs_dict_get(i, "url");
73	xs *url = make_url(u, proxy);	73	xs *url = make_url(u, proxy, 0);
74		74
75	xs_html *img = xs_html_sctag("img",	75	xs_html *img = xs_html_sctag("img",
76	xs_html_attr("loading", "lazy"),	76	xs_html_attr("loading", "lazy"),
@@ -122,7 +122,7 @@ xs_html html_actor_icon(snac user, xs_dict actor, const char date,
122	v = xs_list_get(v, 0);	122	v = xs_list_get(v, 0);
123		123
124	if ((v = xs_dict_get(v, "url")) != NULL)	124	if ((v = xs_dict_get(v, "url")) != NULL)
125	avatar = make_url(v, proxy);	125	avatar = make_url(v, proxy, 0);
126	}	126	}
127		127
128	if (avatar == NULL)	128	if (avatar == NULL)
@@ -1973,7 +1973,7 @@ xs_html html_entry(snac user, xs_dict *msg, int read_only,
1973	if (content && xs_str_in(content, o_href) != -1)	1973	if (content && xs_str_in(content, o_href) != -1)
1974	continue;	1974	continue;
1975		1975
1976	xs *href = make_url(o_href, proxy);	1976	xs *href = make_url(o_href, proxy, 0);
1977		1977
1978	if (xs_startswith(type, "image/") \|\| strcmp(type, "Image") == 0) {	1978	if (xs_startswith(type, "image/") \|\| strcmp(type, "Image") == 0) {
1979	xs_html_add(content_attachments,	1979	xs_html_add(content_attachments,
@@ -2788,7 +2788,7 @@ int html_get_handler(const xs_dict req, const char q_path,
2788	const char *p_path;	2788	const char *p_path;
2789	int cache = 1;	2789	int cache = 1;
2790	int save = 1;	2790	int save = 1;
2791	const char *proxy = NULL;	2791	int proxy = 0;
2792	const char *v;	2792	const char *v;
2793		2793
2794	xs *l = xs_split_n(q_path, "/", 2);	2794	xs *l = xs_split_n(q_path, "/", 2);
@@ -2816,7 +2816,7 @@ int html_get_handler(const xs_dict req, const char q_path,
2816	}	2816	}
2817		2817
2818	if (xs_is_true(xs_dict_get(srv_config, "proxy_media")))	2818	if (xs_is_true(xs_dict_get(srv_config, "proxy_media")))
2819	proxy = snac.actor;	2819	proxy = 1;
2820		2820
2821	/* return the RSS if requested by Accept header */	2821	/* return the RSS if requested by Accept header */
2822	if (accept != NULL) {	2822	if (accept != NULL) {
@@ -3194,19 +3194,36 @@ int html_get_handler(const xs_dict req, const char q_path,
3194	snac_debug(&snac, 1, xs_fmt("serving RSS"));	3194	snac_debug(&snac, 1, xs_fmt("serving RSS"));
3195	}	3195	}
3196	else	3196	else
3197	if (xs_startswith(p_path, "proxy/") && proxy) { / remote media by proxy /	3197	if (proxy && (xs_startswith(p_path, "x/") \|\| xs_startswith(p_path, "y/"))) { / remote media by proxy /
3198	if (!login(&snac, req)) {	3198	xs *proxy_prefix = NULL;
3199	*body = xs_dup(uid);	3199
3200	status = HTTP_STATUS_UNAUTHORIZED;	3200	if (xs_startswith(p_path, "x/")) {
		3201	/* proxy usage authorized by http basic auth */
		3202	if (login(&snac, req))
		3203	proxy_prefix = xs_str_new("x/");
		3204	else {
		3205	*body = xs_dup(uid);
		3206	status = HTTP_STATUS_UNAUTHORIZED;
		3207	}
3201	}	3208	}
3202	else {	3209	else {
		3210	/* proxy usage authorized by proxy_token */
		3211	xs *tks = xs_fmt("%s:%s", xs_dict_get(srv_config, "proxy_token_seed"), snac.actor);
		3212	xs *tk = xs_md5_hex(tks, strlen(tks));
		3213	xs *p = xs_fmt("y/%s/", tk);
		3214
		3215	if (xs_startswith(p_path, p))
		3216	proxy_prefix = xs_dup(p);
		3217	}
		3218
		3219	if (proxy_prefix) {
3203	/* pick the raw path (including optional ? arguments) */	3220	/* pick the raw path (including optional ? arguments) */
3204	const char *raw_path = xs_dict_get(req, "raw_path");	3221	const char *raw_path = xs_dict_get(req, "raw_path");
3205		3222
3206	/* skip to where the proxy/ string starts */	3223	/* skip to where the proxy/ string starts */
3207	raw_path += xs_str_in(raw_path, "proxy/");	3224	raw_path += xs_str_in(raw_path, proxy_prefix);
3208		3225
3209	xs *url = xs_replace(raw_path, "proxy/", "https:/" "/");	3226	xs *url = xs_replace(raw_path, proxy_prefix, "https:/" "/");
3210	xs *hdrs = xs_dict_new();	3227	xs *hdrs = xs_dict_new();
3211		3228
3212	hdrs = xs_dict_append(hdrs, "user-agent", USER_AGENT);	3229	hdrs = xs_dict_append(hdrs, "user-agent", USER_AGENT);


diff --git a/snac.h b/snac.h index d893863..9658fc9 100644 --- a/snac.h +++ b/snac.h
@@ -411,4 +411,4 @@ typedef struct {
411	} t_announcement;	411	} t_announcement;
412	t_announcement *announcement(double after);	412	t_announcement *announcement(double after);
413		413
414	xs_str make_url(const char href, const char *proxy);	414	xs_str make_url(const char href, const char *proxy, int by_token);