Allow OEmbed to bypass file protection

lib/fileUpload.coffee

@@ -52,7 +52,14 @@ if UploadFS?
 					uid = cookie.get('rc_uid', rawCookies) if rawCookies?
 					token = cookie.get('rc_token', rawCookies) if rawCookies?
 
-					unless uid and token and RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)
+					if not uid or not token
+						throw new Meteor.Error 403, 'Not Allowed'
+
+					if uid is OEmbed.rc_uid
+						if token isnt OEmbed.rc_token
+							throw new Meteor.Error 403, 'Not Allowed'
+
+					else if not RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)
 						throw new Meteor.Error 403, 'Not Allowed'
 
 				res.setHeader 'content-disposition', "attachment; filename=\"#{ encodeURIComponent(file.name) }\""

packages/rocketchat-oembed/package.js

@@ -12,6 +12,7 @@ Package.onUse(function(api) {
 		'templating',
 		'coffeescript',
 		'underscore',
+		'random',
 		'konecty:change-case',
 		'rocketchat:lib@0.0.1'
 	]);

packages/rocketchat-oembed/server/server.coffee

@@ -7,7 +7,10 @@ querystring = Npm.require('querystring')
 gunzipSync = Meteor.wrapAsync zlib.gunzip.bind(zlib)
 inflateSync = Meteor.wrapAsync zlib.inflate.bind(zlib)
 
-OEmbed = {}
+OEmbed = {
+	rc_uid: 'OEmbed'
+	rc_token: Random.id()
+}
 
 getUrlContent = (urlObj, redirectCount = 5, callback) ->
 	if _.isString(urlObj)
@@ -21,6 +24,7 @@ getUrlContent = (urlObj, redirectCount = 5, callback) ->
 		rejectUnauthorized: !RocketChat.settings.get 'Allow_Invalid_SelfSigned_Certs'
 		headers:
 			'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36'
+			'Cookie': "rc_uid=#{OEmbed.rc_uid}; rc_token=#{OEmbed.rc_token}"
 
 	httpOrHttps = if urlObj.protocol is 'https:' then https else http