Enhance media URL signature verification with configurable signing key

This commit is contained in:
vvzvlad
2025-02-07 01:45:39 +03:00
parent 20e975fce8
commit cd277e0937
2 changed files with 12 additions and 9 deletions
+1 -1
View File
@@ -219,7 +219,7 @@ async def remove_old_cached_files(media_files: list, cache_dir: str) -> tuple[li
if os.path.exists(cache_path):
try:
os.remove(cache_path)
# Попробуем удалить пустые родительские директории
# try to remove empty parent directories
post_dir = os.path.dirname(cache_path)
channel_dir = os.path.dirname(post_dir)
if not os.listdir(post_dir):
+11 -8
View File
@@ -2,6 +2,9 @@ import hashlib
import hmac
import secrets
import os
from config import get_settings
Config = get_settings()
SECRET_FILE = "data/media_digest.key"
_signing_key = None
@@ -41,12 +44,12 @@ def generate_media_digest(url: str) -> str:
return signature.hexdigest()[:8]
def verify_media_digest(url: str, digest: str | None) -> bool:
"""
Verify HMAC digest for media URL
Returns True if digest is valid
"""
if not digest:
return False
"""Verify media URL signature"""
if not Config["media_url_signing_key"]:
return True # If no key configured, accept all requests
expected = generate_media_digest(url)
return hmac.compare_digest(expected, digest)
if digest is None:
return True # Accept requests without digest if signing is not enforced
expected_digest = generate_media_digest(url)
return hmac.compare_digest(digest, expected_digest)