From ab982d931a27ac7656090f2610f03eb264131de4 Mon Sep 17 00:00:00 2001 From: Monibee-Fudgekins Date: Sun, 3 May 2026 00:43:15 -0400 Subject: [PATCH 1/2] docs: explain private S3/RustFS bucket behavior (closes #91) Add a note under the File Storage configuration table explaining: - Why the bucket is private by default - How file access works (authenticated proxy through the RustChat backend) - Warning against setting the bucket to public, including CDN guidance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/admin/configuration.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/admin/configuration.md b/docs/admin/configuration.md index ebe44cc1..be25fdcd 100644 --- a/docs/admin/configuration.md +++ b/docs/admin/configuration.md @@ -50,6 +50,20 @@ RUSTCHAT_REDIS_URL=redis://localhost:6379/ | `RUSTCHAT_S3_REGION` | No | `us-east-1` | S3 region | | `RUSTCHAT_S3_PUBLIC_URL` | No | - | Public URL for file access | +> **Private bucket by design** +> +> RustChat stores uploaded files in a **private** S3/RustFS bucket by default. Uploaded objects are not +> accessible via direct object-store URLs — attempting to fetch them without authentication will return a +> `403 Forbidden` response. This is intentional: all file access is proxied through the RustChat backend, +> which validates the requester's session before serving the object. This design keeps files scoped to +> their workspace and prevents unauthorised access. +> +> **Do not change the bucket to public.** Making the bucket public removes this protection and exposes all +> uploaded files — including attachments in private channels — to anyone who knows or guesses an object URL. +> +> If you need to serve files via a CDN or reverse-proxy, configure it to authenticate with your RustChat +> backend rather than bypassing it by pointing directly at the object store. + ### CORS | Variable | Required | Default | Description | From 93d72070ab684a9e1a87ed753c6372123dd80f23 Mon Sep 17 00:00:00 2001 From: Monibee-Fudgekins <148405685+Monibee-Fudgekins@users.noreply.github.com> Date: Sun, 31 May 2026 23:17:51 -0400 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/admin/configuration.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/admin/configuration.md b/docs/admin/configuration.md index be25fdcd..11185bab 100644 --- a/docs/admin/configuration.md +++ b/docs/admin/configuration.md @@ -53,16 +53,18 @@ RUSTCHAT_REDIS_URL=redis://localhost:6379/ > **Private bucket by design** > > RustChat stores uploaded files in a **private** S3/RustFS bucket by default. Uploaded objects are not -> accessible via direct object-store URLs — attempting to fetch them without authentication will return a -> `403 Forbidden` response. This is intentional: all file access is proxied through the RustChat backend, -> which validates the requester's session before serving the object. This design keeps files scoped to -> their workspace and prevents unauthorised access. +> accessible via unsigned direct object-store URLs — attempting to fetch them without a valid signature or +> presigned URL should return a `403 Forbidden` response. This is intentional: access to files is mediated +> by RustChat, either through authenticated RustChat endpoints or through time-limited presigned URLs that +> RustChat generates after authorising the requester. This design keeps files scoped to their workspace and +> prevents unauthorised access. > > **Do not change the bucket to public.** Making the bucket public removes this protection and exposes all > uploaded files — including attachments in private channels — to anyone who knows or guesses an object URL. > -> If you need to serve files via a CDN or reverse-proxy, configure it to authenticate with your RustChat -> backend rather than bypassing it by pointing directly at the object store. +> If you need to serve files via a CDN or reverse-proxy, configure it to work with authenticated RustChat +> endpoints or RustChat-generated presigned URLs rather than bypassing RustChat by pointing directly at the +> object store. ### CORS