From f4e81c4b64b69f11e81d7918bc30fae0cd48304a Mon Sep 17 00:00:00 2001
From: Rory&
Date: Sun, 15 Mar 2026 16:26:34 +0100
Subject: [PATCH] CDN/Attachments: allow access by server request sig
---
 src/cdn/routes/attachments.ts | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/cdn/routes/attachments.ts b/src/cdn/routes/attachments.ts
index 87d96a4c6..70825cf6a 100644
--- a/src/cdn/routes/attachments.ts
+++ b/src/cdn/routes/attachments.ts
@@ -78,16 +78,23 @@ router.get("/:channel_id/:id/:filename", cache, async (req: Request, res: Respon
 const fullUrl = (req.headers["x-forwarded-proto"] ?? req.protocol) + "://" + (req.headers["x-forwarded-host"] ?? req.hostname) + req.originalUrl;
- if (
- Config.get().security.cdnSignUrls &&
- !hasValidSignature(
+ let hasValidAuth = false;
+ if (req.headers.signature) {
+ hasValidAuth = req.headers.signature !== Config.get().security.requestSignature;
+ if (!hasValidAuth) console.warn("[CDN/Attachments] Client sent invalid signature header");
+ } else if (!Config.get().security.cdnSignUrls) hasValidAuth = true;
+ else {
+ hasValidAuth = hasValidSignature(
 new NewUrlUserSignatureData({
 ip: req.ip,
 userAgent: req.headers["user-agent"] as string,
 }),
 UrlSignResult.fromUrl(fullUrl),
- )
- ) {
+ );
+ console.warn("[CDN/Attachments] Client sent invalid attachment URL signature");
+ }
+
+ if (!hasValidAuth) {
 return res.status(404).send("This content is no longer available.");
 }
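Review bot: The header check is inverted: `hasValidAuth = req.headers.signature !== Config.get().security.requestSignature;` accepts any request whose `Signature` header differs from the configured server value, so an arbitrary header skips the signed-URL check while the genuine server signature gets the 404 and the "invalid signature header" warning. It should read `hasValidAuth = req.headers.signature === Config.get().security.requestSignature;`, and because this compares a shared secret, a constant-time comparison (for example `crypto.timingSafeEqual` on equal-length buffers) would be the safer form. In the final `else` branch the `console.warn` about an invalid attachment URL signature runs on every request, including ones where `hasValidSignature` returned true; guard it with `if (!hasValidAuth)`. The route handler starts and ends outside this hunk, so any other handling of `req.headers.signature` is not visible here.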