Fix 401 error on Reverse Share uploads for files ≥100MB

[Copilot]

📝 Description

Reverse Share uploads fail with 401 "Token inválido ou ausente" for large files (≥100MB) requiring multipart uploads. The /api/files/multipart/* endpoints enforce JWT authentication, incompatible with unauthenticated external users accessing via reverse share links.

Changes

Backend (apps/server)

• Added validateReverseShareAccessByAlias() helper to validate password/expiration/status
• Added 4 multipart endpoints under /reverse-shares/alias/:alias/multipart/*:
  • POST /create - Initialize upload, returns uploadId and objectName
  • GET /part-url - Generate presigned URL for part upload
  • POST /complete - Finalize multipart upload
  • POST /abort - Cancel upload and cleanup

Frontend (apps/web)

• Extended useUppyUpload hook with optional customMultipartFunctions parameter
• Added HTTP client functions for reverse share multipart operations
• Updated FileUploadSection component to inject custom functions when uploading to reverse shares

Example

External users uploading via reverse share now use password-authenticated endpoints:

// Frontend: Inject custom multipart functions for reverse shares
const { addFiles, startUpload } = useUppyUpload({
  customMultipartFunctions: {
    createMultipartUpload: async (filename, extension) => {
      const response = await createMultipartUploadByAlias(
        alias,
        { filename, extension },
        { password }  // Password instead of JWT
      );
      return response.data;
    },
    // ... other multipart operations
  }
});

// Backend: Validate access via password, not JWT
async createMultipartUploadByAlias(alias, filename, extension, password) {
  await this.validateReverseShareAccessByAlias(alias, password);
  const objectName = `reverse-shares/${alias}/${Date.now()}-${filename}.${extension}`;
  const uploadId = await this.fileService.createMultipartUpload(objectName);
  return { uploadId, objectName };
}

🔗 Related Issue(s)

This PR addresses the reverse share upload failure issue.

💡 Motivation and Context

Reverse shares enable external users to upload files without authentication. Small files (<100MB) use simple PUT uploads and work correctly. Large files require multipart uploads, which were hardcoded to use JWT-protected endpoints, breaking the unauthenticated workflow.

🤖 Use of Artificial Intelligence (AI)

• Yes, AI tools assisted in the development of this PR:
  • Tool(s) used: GitHub Copilot
  • Brief description: Code generation, refactoring, and pattern matching
• No

🧪 How Has This Been Tested?

• Validated TypeScript compilation across all apps
• Verified ESLint passes on modified files
• Tested code follows existing patterns for reverse share endpoints
• Confirmed multipart methods mirror structure of authenticated file uploads

📸 Screenshots (if appropriate)

The error shown in the original issue:

🔄 Types of Changes

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)
• 📚 Documentation update

✅ Checklist

• My code follows the code style of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)
• I have rebased and/or merged on top of the latest next branch

---

🙏 Thank you for your contribution!

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkpoint.prisma.io
  • Triggering command: /usr/local/bin/node /usr/local/bin/node /home/REDACTED/work/Palmr/Palmr/apps/server/node_modules/.pnpm/prisma@6.11.1_typescript@5.8.3/node_modules/prisma/build/child {"product":"prisma","version":"6.11.1","cli_install_type":"local","information":"","local_timestamp":"2025-12-08T13:21:16Z","project_hash":"91d7cb56","cli_path":"/home/REDACTED/work/Palmr/Palmr/apps/server/node_modules/prisma/build/index.js","cli_path_hash" sh cal/�� tsc --noEmit src/modules/reverse-share/service.ts src/modules/reOUTPUT (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Bug Report: Reverse Share Upload Fails with 401 "Token inválido ou ausente</issue_title>
<issue_description>## Description

When attempting to upload files using the Reverse Share feature, the upload fails with a 401 Unauthorized error. The API returns an error indicating an invalid or missing token.

Environment

• Palmr Version: v3.3.1-beta
• Deployment: Self-hosted (Docker)
• Browser: Chrome

Steps to Reproduce

1. Create a Reverse Share link
2. Open the Reverse Share URL (as an external user in incognito)
3. Attempt to upload a file
4. Upload fails immediately

Expected Behavior

Files should upload successfully via the Reverse Share link without requiring authentication (since Reverse Share is designed for external users).

Actual Behavior

The upload fails with a 401 error.

API Request (from Chrome DevTools)

Endpoint:

POST https://mydomain.com/api/files/multipart/create

Response:

{
  "error": "Token inválido ou ausente."
}

HTTP Status: 401 Unauthorized

Additional Context

• The Reverse Share link is accessible and the upload UI loads correctly
• The error occurs when the actual file upload is initiated

Possible Cause

The /api/files/multipart/create endpoint appears to require authentication that isn't being passed or recognized when accessed via a Reverse Share session. The Reverse Share token might not be included in the multipart upload request headers.

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Bug Report: Reverse Share Upload Fails with 401 "Token inválido ou ausente #366

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.