Authentication / permissions is enforced as follows:

• The client requests /api/v1/listen/uuid
• Funkwhale checks permissions / authentication
• A 302 response containaing a signed url to the bucket file is returned to the client
• the client load the audio from this URL

The signed URL is valid only for one hour to limit potential abuse.

To enable this, simply set PROXY_MEDIA=false in your .env file.

This works in the web UI, but not for subsonic clients (because they don't necessarily follow 302 redirections, so we continue to proxy S3 files through Funkwhale in the Subsonic API.