Add MediaProxy support to serve authenticated Matrix media

Author: tadzik

config/config.sample.yaml

@@ -55,6 +55,17 @@ db:
   #key_file: /path/to/tls.key
   #crt_file: /path/to/tls.crt
 
+mediaProxy:
+  # To generate a .jwk file:
+  # $ node src/generate-signing-key.js > signingkey.jwk
+  signingKeyPath: "signingkey.jwk"
+  # How long should the generated URLs be valid for
+  ttlSeconds: 3600
+  # The port for the media proxy to listen on
+  bindPort: 11111
+  # The publically accessible URL to the media proxy
+  publicUrl: "https://slack.bridge/media"
+
 # Real Time Messaging API (RTM)
 # Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise.
 #

config/slack-config-schema.yaml

@@ -34,6 +34,18 @@ properties:
         type: number
       inactive_after_days:
         type: number
+  mediaProxy:
+    type: "object"
+    properties:
+      signingKeyPath:
+        type: "string"
+      ttlSeconds:
+        type: "integer"
+      bindPort:
+        type: "integer"
+      publicUrl:
+        type: "string"
+    required: ["signingKeyPath", "ttlSeconds", "bindPort", "publicUrl"]
   rtm:
     type: object
     required: ["enable"]

package.json

@@ -43,10 +43,11 @@
     "axios": "^0.27.2",
     "classnames": "^2.3.2",
     "escape-string-regexp": "^4.0.0",
-    "https-proxy-agent": "^5.0.1",
-    "matrix-appservice-bridge": "^8.1.2",
-    "matrix-widget-api": "^1.1.1",
-    "minimist": "^1.2.6",
+    "https-proxy-agent": "^7.0.4",
+    "matrix-appservice-bridge": "^10.3.1",
+    "matrix-bot-sdk": "^0.7.1",
+    "matrix-widget-api": "^1.6.0",
+    "minimist": "^1.2.8",
     "nedb": "^1.8.0",
     "node-emoji": "^1.10.0",
     "nunjucks": "^3.2.4",

src/IConfig.ts

@@ -109,4 +109,11 @@ export interface IConfig {
         onboard_users?: boolean;
         direct_messages?: AllowDenyConfig;
     }
+
+    mediaProxy: {
+        signingKeyPath: string;
+        ttlSeconds: number;
+        bindPort: number;
+        publicUrl: string;
+    }
 }

src/Main.ts

@@ -15,13 +15,16 @@ limitations under the License.
 */
 
 import {
-    Bridge, BridgeBlocker, PrometheusMetrics, StateLookup,
+    Bridge, BridgeBlocker, PrometheusMetrics, StateLookup, MediaProxy,
     Logger, Intent, UserMembership, WeakEvent, PresenceEvent,
     AppService, AppServiceRegistration, UserActivityState, UserActivityTracker,
-    UserActivityTrackerConfig, MembershipQueue, PowerLevelContent, StateLookupEvent } from "matrix-appservice-bridge";
+    UserActivityTrackerConfig, MembershipQueue, PowerLevelContent, StateLookupEvent,
+} from "matrix-appservice-bridge";
 import { Gauge, Counter } from "prom-client";
 import * as path from "path";
+import * as fs from "fs";
 import * as randomstring from "randomstring";
+import { webcrypto } from "node:crypto";
 import { WebClient } from "@slack/web-api";
 import { IConfig, CACHING_DEFAULTS } from "./IConfig";
 import { OAuth2 } from "./OAuth2";
@@ -148,6 +151,8 @@ export class Main {
     public slackRtm?: SlackRTMHandler;
     private slackHookHandler?: SlackHookHandler;
 
+    public mediaProxy?: MediaProxy;
+
     private provisioner: Provisioner;
 
     private bridgeBlocker?: BridgeBlocker;
@@ -333,6 +338,22 @@ export class Main {
         );
     }
 
+    private async initialiseMediaProxy(config: IConfig['mediaProxy']): Promise<void> {
+        const jwk = JSON.parse(fs.readFileSync(config.signingKeyPath, "utf8").toString());
+        const signingKey = await webcrypto.subtle.importKey('jwk', jwk, {
+            name: 'HMAC',
+            hash: 'SHA-512',
+        }, true, ['sign', 'verify']);
+        const publicUrl = new URL(config.publicUrl);
+
+        this.mediaProxy = new MediaProxy({
+            publicUrl,
+            signingKey,
+            ttl: config.ttlSeconds * 1000
+        }, this.bridge.getIntent().matrixClient);
+        await this.mediaProxy.start(config.bindPort);
+    }
+
     public teamIsUsingRtm(teamId: string): boolean {
         return (this.slackRtm !== undefined) && this.slackRtm.teamIsUsingRtm(teamId);
     }
@@ -1142,6 +1163,14 @@ export class Main {
             path: "/ready",
         });
 
+        if (this.config.mediaProxy) {
+            await this.initialiseMediaProxy(this.config.mediaProxy).catch(err => {
+                throw Error(`Failed to start Media Proxy: ${err}`);
+            });
+        } else {
+            log.warn("Media Proxy not configured: media bridging to Slack won't work on servers requiring authenticated media (default since Synapse v1.120.0)");
+        }
+
 
         await this.pingBridge();
 

src/generate-signing-key.js

@@ -0,0 +1,11 @@
+const webcrypto = require('node:crypto');
+
+async function main() {
+    const key = await webcrypto.subtle.generateKey({
+        name: 'HMAC',
+        hash: 'SHA-512',
+    }, true, ['sign', 'verify']);
+    console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+}
+
+main().then(() => process.exit(0)).catch(err => { throw err });

src/substitutions.ts

@@ -181,7 +181,12 @@ class Substitutions {
             // in this case.
             return null;
         }
-        const url = main.getUrlForMxc(event.content.url, main.encryptRoom);
+        let url: string;
+        if (main.mediaProxy) {
+            url = await main.mediaProxy.generateMediaUrl(event.content.url).then(url => url.toString());
+        } else {
+            url = main.getUrlForMxc(event.content.url, main.encryptRoom);
+        }
         if (main.encryptRoom) {
             return {
                 encrypted_file: url,

yarn.lock

@@ -1169,6 +1169,11 @@ agent-base@6:
   dependencies:
     debug "4"
 
+agent-base@^7.1.2:
+  version "7.1.3"
+  resolved "https://registry.yarnpkg.com/agent-base/-/agent-base-7.1.3.tgz#29435eb821bc4194633a5b89e5bc4703bafc25a1"
+  integrity sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==
+
 aggregate-error@^3.0.0:
   version "3.1.0"
   resolved "https://registry.yarnpkg.com/aggregate-error/-/aggregate-error-3.1.0.tgz#92670ff50f5359bdb7a3e0d40d0ec30c5737687a"
@@ -3008,6 +3013,22 @@ https-proxy-agent@^5.0.1:
     agent-base "6"
     debug "4"
 
+https-proxy-agent@^7.0.4, https-proxy-agent@^7.0.5:
+  version "7.0.6"
+  resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz#da8dfeac7da130b05c2ba4b59c9b6cd66611a6b9"
+  integrity sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==
+  dependencies:
+    agent-base "^7.1.2"
+    debug "4"
+
+https-proxy-agent@^7.0.5:
+  version "7.0.6"
+  resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz#da8dfeac7da130b05c2ba4b59c9b6cd66611a6b9"
+  integrity sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==
+  dependencies:
+    agent-base "^7.1.2"
+    debug "4"
+
 [email protected]:
   version "0.4.24"
   resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.24.tgz#2022b4b25fbddc21d2f524974a474aafe733908b"
@@ -3612,10 +3633,15 @@ make-error@^1.1.1:
   resolved "https://registry.yarnpkg.com/make-error/-/make-error-1.3.6.tgz#2eb2e37ea9b67c4891f684a1394799af484cf7a2"
   integrity sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==
 
-matrix-appservice-bridge@^8.1.2:
-  version "8.1.2"
-  resolved "https://registry.yarnpkg.com/matrix-appservice-bridge/-/matrix-appservice-bridge-8.1.2.tgz#30953a4599533fe61a0c37bd5500b654cd236e30"
-  integrity sha512-OTQVEuYgsnlg7fBFASCaiYHgwi5+I/+vxwjOmR4y9n5ESKXoqI465bN+6zvW8MazdNfBl6NgZVWSm4DZohz8Zw==
+math-intrinsics@^1.0.0, math-intrinsics@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz#a0dd74be81e2aa5c2f27e65ce283605ee4e2b7f9"
+  integrity sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==
+
+matrix-appservice-bridge@^10.3.1:
+  version "10.3.1"
+  resolved "https://registry.yarnpkg.com/matrix-appservice-bridge/-/matrix-appservice-bridge-10.3.1.tgz#8f45b616a69ddd599bc8e4fb9b60c950cce10550"
+  integrity sha512-umBLAqLUdm6TefEdQuHUE0QfSmbtJf+LnHDYRM5XwpMjScIXQ/5pI6559gVQrxVVT5T58jbNuoJCz2+8+XLr3Q==
   dependencies:
     "@alloc/quick-lru" "^5.2.0"
     "@types/pkginfo" "^0.4.0"