diff --git a/README.md b/README.md
index 1dcc9da..e86f802 100644
--- a/README.md
+++ b/README.md
@@ -84,3 +84,15 @@ volumes:
 | `FORWARDED_ALLOW_IPS` | The list of reverse proxy IPs to trust. See [Uvicorn docs](https://www.uvicorn.org/settings/#http) | * | `127.0.0.1` |
 | `LOG_LEVEL` | The log level to use. One of `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`. | `INFO` | `INFO` |
 | `LOG_DEBUG_TIDY` | When `LOG_LEVEL` is `DEBUG`, silences some really noisy loggers (like HTTP request loggers) to help you debug this program, not a dependency). | `true` | `false` |
+
+## How does it work?
+
+Given that this server is meant to be a drop-in solution, there's a few differences to how you would expect
+something this deeply integrated with a homeserver to work.
+
+Here is a basic flow for how a preview request goes:
+
+1. The user's client sends a request for a preview
+2. The server will take the provided access token, and checks that it is valid with the homeserver.
+3. If the token is invalid, M_INVALID_TOKEN is returned.
+4. The server then checks if it has a cached entry
diff --git a/src/server.py b/src/server.py
index 463b786..44eec8e 100644
--- a/src/server.py
+++ b/src/server.py
@@ -260,6 +260,8 @@ def preview_url(
 description="Access token to use for the request."
 ),
 ):
+ domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
+
 if ts:
 ts = round(ts / 1000)
 if access_token_qs is not None:
@@ -269,6 +271,13 @@ def preview_url(
 else:
 return MISSING_TOKEN
 
+ response = httpx.get(
+ domain + "/_matrix/client/r0/account/whoami",
+ headers={"Authorization": f"Bearer {access_token}"}
+ )
+ if response.status_code != 200:
+ return INVALID_TOKEN
+
 results = db.CachedURLs.select().where(db.CachedURLs.url == url)
 if results:
 for result in results:
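Review bot: The fallback `"https://" + req.url.hostname` in the hoisted `domain` assignment comes from the incoming request, and with this commit that value now decides which server vouches for the access token. When `PREVIEW_HOMESERVER` is unset, whoever influences the request host (directly or through a forwarded-host header the proxy passes along) picks the validator, so the check is only as strong as that host value, and the service also makes an outbound request to a caller-named host. I would fail closed instead: read `domain = os.environ.get("PREVIEW_HOMESERVER")` and return a configuration error when it is missing, or compare `req.url.hostname` against a configured allow-list before using it. preview_url starts and ends outside this hunk, so any earlier host validation is not visible here.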
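Review bot: The new `httpx.get(...)` whoami call has no exception handling and no explicit timeout, and `if response.status_code != 200` maps every other outcome to `INVALID_TOKEN`. A connection error or timeout will raise out of preview_url, and a 429 or 5xx from the homeserver is reported to the client as a bad token, which clients may treat as a reason to drop the session (inferred; INVALID_TOKEN is defined outside the hunk). Suggest wrapping the call in `try/except httpx.RequestError`, passing a `timeout=` value, and returning INVALID_TOKEN only for an authentication failure such as `response.status_code in (401, 403)`, with a separate upstream-error response for the rest. The check also runs before the cache lookup, so every request, including cache hits, costs a homeserver round-trip; a short comment stating that this ordering is deliberate would help the next reader.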
@@ -296,7 +305,6 @@ def preview_url(
 logging.debug("Full cache miss for %r", url)
 res.headers["X-Cache"] = "full-miss"
 
- domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
 with lock:
 with httpx.Client(
 headers={