Comparison

mod_http_upload_external/README.markdown @ 2334:c728b2f77c7c

mod_http_upload_external: Add README
author Matthew Wild <mwild1@gmail.com>
date Thu, 13 Oct 2016 18:58:53 +0100
child 2823:f14bea5da323
comparison
equal deleted inserted replaced
2333:f86478a02b25 2334:c728b2f77c7c
1 ---
2 description: HTTP File Upload (external service)
3 labels: 'Stage-Alpha'
4 ---
5
6 Introduction
7 ============
8
9 This module implements [XEP-0363], which lets clients upload files
10 over HTTP to an external web server.
11
12 This module generates URLs that are signed using a HMAC. Any web service that can authenticate
13 these URLs can be used. There is a PHP implementation available
14 [here](https://hg.prosody.im/prosody-modules/raw-file/tip/mod_http_upload_external/share.php). To
15 implement your own service compatible with this module, check out the implementation notes below (and if you
16 publish your implementation - let us know!).
17
18 Configuration
19 =============
20
21 Add `"http_upload_external"` to modules_enabled in your global section, or under the host(s) you wish
22 to use it on.
23
24 External URL
25 ------------
26
27 You need to provide the path to the external service. Ensure it ends with '/'.
28
29 For example, to use the PHP implementation linked above, you might set it to:
30
31 ``` {.lua}
32 http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
33 ```
34
35 Secret
36 ------
37
38 Set a long and unpredictable string as your secret. This is so the upload service can verify that
39 the upload comes from mod_http_upload_external, and random strangers can't upload to your server.
40
41 ``` {.lua}
42 http_upload_external_secret = "this is a secret string!"
43 ```
44
45 You need to set exactly the same secret string in your external service.
46
47 Limits
48 ------
49
50 A maximum file size can be set by:
51
52 ``` {.lua}
53 http_upload_external_file_size_limit = 123 -- bytes
54 ```
55
56 Default is 100MB (100\*1024\*1024).
57
58 Compatibility
59 =============
60
61 Works with Prosody 0.9.x and later.
62
63 Implementation
64 ==============
65
66 To implement your own external service that is compatible with this module, you need to expose a
67 simple API that allows the HTTP GET, HEAD and PUT methods on arbitrary URLs located on your service.
68
69 For example, if http_upload_external_base_url is set to `https://example.com/upload/` then your service
70 might receive the following requests:
71
72 Upload a new file:
73
74 ```
75 PUT https://example.com/upload/foo/bar.jpg?v=49e9309ff543ace93d25be90635ba8e9965c4f23fc885b2d86c947a5d59e55b2
76 ```
77
78 Recipient checks the file size and other headers:
79
80 ```
81 HEAD https://example.com/upload/foo/bar.jpg
82 ```
83
84 Recipient downloads the file:
85
86 ```
87 GET https://example.com/upload/foo/bar.jpg
88 ```
89
90 The only tricky logic is in validation of the PUT request. Firstly, don't overwrite existing files (return 409 Conflict).
91
92 Then you need to validate the auth token. This will be in the URL query parameter 'v'. If it is absent, fail with 403 Forbidden.
93
94 Calculate the expected auth token by reading the value of the Content-Length header of the PUT request. E.g. for a 1MB file
95 will have a Content-Length of '1048576'. Append this to the uploaded file name, separated by a space (0x20) character.
96
97 For the above example, you would end up with the following string: "foo/bar.jpg 1048576"
98
99 The auth token is a SHA256 HMAC of this string, using the configured secret as the key. E.g.
100
101 ```
102 calculated_auth_token = hmac_sha256("foo/bar.jpg 1048576", "secret string")
103 ```
104
105 If this is not equal to the 'v' parameter provided in the upload URL, reject the upload with 403 Forbidden.
106
107 Note: your language/environment may provide a function for doing a constant-time comparison of these, to guard against
108 timing attacks that may be used to discover the secret key.