A while ago I switched from Synapse to conduwuit due to database corruption and general slowdowns. After setting up Mautrix-Telegram, it seems that images from Matrix cannot be bridged to Telegram anymore. And due to some spec change or Synapse update, the legacy media endpoint cannot download authenticated media from other homeservers. But that’s another thing we’ll resolve today.

First, let’s look at the logs using journalctl:

Nov 18 14:09:14 python[1260525]: [2024-11-18 14:09:14,138] [ERROR@mau.portal.6541444394<->5358679268] Failed to bridge $someEvent
Nov 18 14:09:14 python[1260525]: Traceback (most recent call last):
Nov 18 14:09:14 python[1260525]: File "/usr/lib/python3.12/site-packages/mautrix_telegram/portal.py", line 2190, in handle_matrix_message
Nov 18 14:09:14 python[1260525]: await self._handle_matrix_message(sender, content, event_id)
Nov 18 14:09:14 python[1260525]: File "/usr/lib/python3.12/site-packages/mautrix_telegram/portal.py", line 2355, in _handle_matrix_message
Nov 18 14:09:14 python[1260525]: await self._handle_matrix_file(
Nov 18 14:09:14 python[1260525]: File "/usr/lib/python3.12/site-packages/mautrix_telegram/portal.py", line 1874, in _handle_matrix_file
Nov 18 14:09:14 python[1260525]: file = await self.main_intent.download_media(content.url)
Nov 18 14:09:14 python[1260525]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 18 14:09:14 python[1260525]: File "/usr/lib/python3.12/site-packages/mautrix/client/api/modules/media_repository.py", line 198, in download_media
Nov 18 14:09:14 python[1260525]: response.raise_for_status()
Nov 18 14:09:14 python[1260525]: File "/usr/lib/python3.12/site-packages/aiohttp/client_reqrep.py", line 1093, in raise_for_status
Nov 18 14:09:14 python[1260525]: raise ClientResponseError(
Nov 18 14:09:14 python[1260525]: aiohttp.client_exceptions.ClientResponseError: 403, message='Forbidden', url='https://tether.kimiblock.top/_matrix/client/v1/media/download/someservers/someMediaID?allow_redirect=true'

According to the spec, there probably shouldn’t be a 403 response here, and it looks like Mautrix Telegram is indeed using the authenticated media endpoint, yet using Mautrix’s token to fetch media fails anyway. Instead of waiting for confirmation on whether AS tokens are allowed to download authenticated media, we’ll work around this and let legacy clients work at the same time. Assuming your server is behind an Nginx reverse proxy, simply register a downloader account on your server and get an access token for it, then add these locations to Nginx (remember to replace the tokens). The proxy_set_header Authorization line replaces whatever the client sent, so every request to these locations reaches the homeserver as the downloader account:

location /_matrix/client/v1/media {
    proxy_pass http://unix:/path/to/unix/socket:/_matrix/client/v1/media;
    proxy_set_header Authorization "Bearer arandomtoken";
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /_matrix/media/v3/download {
    proxy_pass http://unix:/path/to/unix/socket:/_matrix/client/v1/media/download;
    proxy_set_header Authorization "Bearer arandomtoken";
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

And we’re done. Mautrix Telegram and legacy clients work again.
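
As an added example (not part of the original post), this Python sketch models how the two locations above map incoming request paths to what the homeserver receives, so you can see which media requests pick up the downloader token and which do not. It assumes nginx's longest-prefix location matching and its replacement of the matched prefix by the URI part of proxy_pass; the server name and media ID in the sample paths are constructed.

```python
from urllib.parse import urlsplit

# (location prefix, URI part of proxy_pass) copied from the two locations above.
# Both locations inject the downloader account's Authorization header.
LOCATIONS = [
    ("/_matrix/client/v1/media", "/_matrix/client/v1/media"),
    ("/_matrix/media/v3/download", "/_matrix/client/v1/media/download"),
]

# Constructed sample requests (example.org / abc123 are placeholders).
SAMPLES = [
    "/_matrix/media/v3/download/example.org/abc123?allow_redirect=true",
    "/_matrix/client/v1/media/download/example.org/abc123",
    "/_matrix/client/v1/media/thumbnail/example.org/abc123?width=96&height=96",
    "/_matrix/media/v3/thumbnail/example.org/abc123?width=96&height=96",
    "/_matrix/media/r0/download/example.org/abc123",
]


def upstream_uri(request_uri):
    """Return the URI the homeserver sees, or None if neither location matches.

    None means the request falls through to whatever other location the
    server block has, so no downloader token is injected for it.
    """
    parts = urlsplit(request_uri)
    path = parts.path
    # nginx selects the longest matching prefix location.
    matches = [(loc, target) for loc, target in LOCATIONS if path.startswith(loc)]
    if not matches:
        return None
    loc, target = max(matches, key=lambda m: len(m[0]))
    # proxy_pass with a URI swaps the matched prefix for that URI;
    # the query string is passed through unchanged.
    rewritten = target + path[len(loc):]
    return rewritten + ("?" + parts.query if parts.query else "")


def coverage(samples=SAMPLES):
    """Map each sample request to its upstream URI (None = not covered)."""
    return {uri: upstream_uri(uri) for uri in samples}


if __name__ == "__main__":
    for uri, upstream in coverage().items():
        print(f"{uri}\n    -> {upstream or 'not matched, no token injected'}")
```

Legacy thumbnail requests and the older r0 download path come back as not matched, so clients that use them need their own location blocks if they are meant to work too.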