From 9756ed227b26926d5a2206cce1acd91ee5824317 Mon Sep 17 00:00:00 2001
From: "Emma [it/its]@Rory&" <root@rory.gay>
Date: Thu, 3 Jul 2025 10:34:20 +0200
Subject: [PATCH] sign urls in gateway

---
 src/gateway/events/Connection.ts |  2 ++
 src/gateway/listener/listener.ts | 14 +++++++++++++-
 src/gateway/util/WebSocket.ts    |  6 ++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/gateway/events/Connection.ts b/src/gateway/events/Connection.ts
index acec90ad..e0c82426 100644
--- a/src/gateway/events/Connection.ts
+++ b/src/gateway/events/Connection.ts
@@ -28,6 +28,7 @@ import { Message } from "./Message";
 import { Deflate, Inflate } from "fast-zlib";
 import { URL } from "url";
 import { Config, ErlpackType } from "@spacebar/util";
+import { Request } from "express";
 
 let erlpack: ErlpackType | null = null;
 try {
@@ -51,6 +52,7 @@ export async function Connection(
 		: request.socket.remoteAddress;
 
 	socket.ipAddress = ipAddress;
+	socket.request = request as unknown as Request;
 
 	//Create session ID when the connection is opened. This allows gateway dump to group the initial websocket messages with the rest of the conversation.
 	const session_id = genSessionId();
diff --git a/src/gateway/listener/listener.ts b/src/gateway/listener/listener.ts
index 55578a84..86f50e39 100644
--- a/src/gateway/listener/listener.ts
+++ b/src/gateway/listener/listener.ts
@@ -27,6 +27,7 @@ import {
 	EVENTEnum,
 	Relationship,
 	RelationshipType,
+	Message,
 } from "@spacebar/util";
 import { OPCODES } from "../util/Constants";
 import { Send } from "../util/Send";
@@ -160,7 +161,7 @@ export async function setupListener(this: WebSocket) {
 
 // TODO: only subscribe for events that are in the connection intents
 async function consume(this: WebSocket, opts: EventOpts) {
-	const { data, event } = opts;
+	let { data, event } = opts;
 	const id = data.id as string;
 	const permission = this.permissions[id] || new Permissions("ADMINISTRATOR"); // default permission for dm
 
@@ -285,6 +286,17 @@ async function consume(this: WebSocket, opts: EventOpts) {
 			break;
 	}
 
+	// data rewrites, e.g. signed attachment URLs
+	switch (event) {
+		case "MESSAGE_CREATE":
+		case "MESSAGE_UPDATE":
+			if(data["attachments"])
+				data["attachments"] = Message.prototype.withSignedAttachments.call(data, this.request).attachments;
+			break;
+		default:
+			break;
+	}
+
 	await Send(this, {
 		op: OPCODES.Dispatch,
 		t: event,
diff --git a/src/gateway/util/WebSocket.ts b/src/gateway/util/WebSocket.ts
index 5c110840..a1e9c0b0 100644
--- a/src/gateway/util/WebSocket.ts
+++ b/src/gateway/util/WebSocket.ts
@@ -20,6 +20,7 @@ import { Intents, ListenEventOpts, Permissions } from "@spacebar/util";
 import WS from "ws";
 import { Deflate, Inflate } from "fast-zlib";
 import { Capabilities } from "./Capabilities";
+import { Request } from "express";
 
 export interface WebSocket extends WS {
 	version: number;
@@ -42,4 +43,9 @@ export interface WebSocket extends WS {
 	listen_options: ListenEventOpts;
 	capabilities?: Capabilities;
 	large_threshold: number;
+	/**
+	 * The request object for the WebSocket connection.
+	 * WARNING: This is not a proper Express Request object, it may be missing expected properties.
+	 */
+	request: Request; // For signed attachment URLs
 }