Enabled authenticated media by default

CHANGELOG.md

@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+### Changed
+
+* The global `repo.freezeUnauthenticatedMedia` option now defaults to `true`, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See `config.sample.yaml` for details.
+
 ### Fixed
 
 * Return a 404 instead of 500 when clients access media which is frozen.

common/config/conf_main.go

@@ -32,7 +32,7 @@ func NewDefaultMainConfig() MainRepoConfig {
 			LogLevel:                   "info",
 			TrustAnyForward:            false,
 			UseForwardedHost:           true,
-			FreezeUnauthenticatedMedia: false,
+			FreezeUnauthenticatedMedia: true,
 		},
 		Database: DatabaseConfig{
 			Postgres: "postgres://your_username:your_password@localhost/database_name?sslmode=disable",

config.sample.yaml

@@ -40,10 +40,10 @@ repo:
   # only be accessible over authenticated endpoints, though future media will be accessible on both
   # authenticated and unauthenticated media.
   #
-  # This flag currently defaults to false. A future release, likely in August 2024, will remove this flag
-  # and have the same effect as it being true (always on). This flag is primarily intended for servers to
-  # opt-in to the behaviour early.
-  freezeUnauthenticatedMedia: false
+  # This flag defaults to true. Previously it defauled to false. A future release, likely in 2025, will
+  # remove this flag and have the same effect as it being true (always on). This flag is primarily
+  # intended for servers to opt-out of the behaviour while they are still testing compatibility.
+  freezeUnauthenticatedMedia: true
 
 # Options for dealing with federation
 federation: