pass upload auth params as GET-like ones to avoid authentication error when exceeding post_max_size, log upload auth error

Signed-off-by: Julien Veyssier <eneiluj@posteo.net>

2 files changed, 10 insertions, 5 deletions

diff --git a/lib/Controller/AttachmentController.php b/lib/Controller/AttachmentController.php
index cbe983cfa..df028e93e 100644
--- a/lib/Controller/AttachmentController.php
+++ b/lib/Controller/AttachmentController.php
@@ -116,7 +116,12 @@ class AttachmentController extends Controller {
 	 */
 	public function uploadAttachment(int $documentId, int $sessionId, string $sessionToken, ?string $shareToken = null): DataResponse {
 		if (!$this->sessionService->isValidSession($documentId, $sessionId, $sessionToken)) {
-			return new DataResponse([], Http::STATUS_FORBIDDEN);
+			$this->logger->debug('Invalid session found when uploading', [
+				'documentId' => $documentId,
+				'sessionId' => $sessionId,
+				'sessionToken' => $sessionToken
+			]);
+			return new DataResponse(['error' => 'Upload error, unauthorized action'], Http::STATUS_FORBIDDEN);
 		}
 
 		try {
diff --git a/src/services/SyncService.js b/src/services/SyncService.js
index c8dc3d8d3..57b669f8a 100644
--- a/src/services/SyncService.js
+++ b/src/services/SyncService.js
@@ -272,11 +272,11 @@ class SyncService {
 	uploadAttachment(file) {
 		const formData = new FormData()
 		formData.append('file', file)
-		formData.append('documentId', this.document.id)
-		formData.append('sessionId', this.session.id)
-		formData.append('sessionToken', this.session.token)
-		formData.append('shareToken', this.options.shareToken || '')
 		const url = endpointUrl('attachment/upload')
+			+ '?documentId=' + encodeURIComponent(this.document.id)
+			+ '&sessionId=' + encodeURIComponent(this.session.id)
+			+ '&sessionToken=' + encodeURIComponent(this.session.token)
+			+ '&shareToken=' + encodeURIComponent(this.options.shareToken || '')
 		return axios.post(url, formData, {
 			headers: {
 				'Content-Type': 'multipart/form-data',