From b2ce3dc144e522d074f6636001232d96b26c1b5e Mon Sep 17 00:00:00 2001
From: Christophe Jossart <christophe.jossart@amazeelabs.com>
Date: Wed, 1 Nov 2023 12:25:10 +0100
Subject: [PATCH] chore: prevent access to keys using the private scheme

---
 packages/drupal/custom/custom.module | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/packages/drupal/custom/custom.module b/packages/drupal/custom/custom.module
index 9d84cafdf..030c5f087 100644
--- a/packages/drupal/custom/custom.module
+++ b/packages/drupal/custom/custom.module
@@ -12,6 +12,7 @@ use Drupal\media\Entity\Media;
 use Drupal\silverback_gutenberg\LinkProcessor;
 use Drupal\user\Entity\Role;
 use Drupal\user\UserInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * Implements hook_default_content_exported_fields_alter().
@@ -180,3 +181,14 @@ function _custom_key_auth_form_access(UserInterface $user): AccessResult {
   $access->addCacheableDependency($user);
   return $access;
 }
+
+/**
+ * Implements hook_file_download().
+ *
+ * Prevent any access to keys.
+ */
+function custom_file_download($uri) {
+  if (str_starts_with($uri, 'private://') && str_ends_with($uri, '.key')) {
+    throw new AccessDeniedHttpException();
+  }
+}