fix: update changelog for v1.0.4 release, enhance public file viewing logic, and normalize file payload typing (an attempt to resolve the issue in issue#1), enforce anon from file settings, and clear lint warnings

Author: imthatdev

.gitignore

@@ -59,3 +59,4 @@ docs/
 coverage/
 x_cookies.txt
 *.pem
+/issues

CHANGELOG.md

@@ -11,6 +11,32 @@ This project follows [Semantic Versioning](https://iconical.dev/versioning).
 
 ---
 
+## v1.0.4 – Public View Route Fixes 🧩
+
+**Released: February 22, 2026**
+
+This patch fixes a regression where public files failed to open from the `/v/:slug` view route in some Docker/reverse-proxy setups.
+
+### 🔎 Root Cause
+
+- In `v1.0.3`, the `/v/:slug` page resolved file data via an internal server-side HTTP self-call to `/api/v1/files/:slug`.
+- In Docker/port-mapped deployments (for example, opening the app at `localhost:3419`), that host/port can be valid for the browser but not reachable from inside the container runtime.
+- When that self-call failed, `/v/:slug` incorrectly fell back to a missing/private state even for public files.
+- `/x/:slug` still worked because it does not rely on that same internal HTTP roundtrip path.
+
+### 🐛 Fixes
+
+- Fixed public file viewing through `/v/:slug` by removing the fragile internal HTTP self-call and resolving file access in-process.
+- Kept `/x/:slug` and `/v/:slug` behavior consistent for public file access checks.
+- Normalized file payload typing for `createdAt` in the `/v` page flow to prevent runtime-shape/TypeScript mismatch.
+- Fixed current blocking lint errors in dialog open-state reset flow and intersection observer fallback handling.
+- Hardened anonymous file behavior so `/v` anonymity is enforced by stored file settings/server logic instead of `?anon=1` URL parameters.
+- Added an `Anonymous share` toggle to file edit details and removed the legacy `Copy Anonymous URL` action.
+- Fixed an intermittent `/v/:slug` image preview state where media could remain blurred after load due to missed cached-load events.
+- Fixed the RemoteUploadDialog URLs input keeps overflowing when the URL is long.
+
+---
+
 ## v1.0.3 – CORS and Security Enhancements 🔐
 
 **Released: February 8, 2026**

package.json

@@ -1,6 +1,6 @@
 {
   "name": "swush",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "private": true,
   "description": "Swush; A secure, self-hosted file sharing app with privacy-first features.",
   "author": {

src/app/(files)/v/[slug]/page.tsx

@@ -19,55 +19,78 @@ import type { Metadata, Viewport } from "next";
 import { getDefaultMetadata } from "@/lib/head";
 import { notFound } from "next/navigation";
 import { headers, cookies } from "next/headers";
+import { NextRequest } from "next/server";
 import FileUnlockAndView, {
   FileDto,
 } from "@/components/Files/FileUnlockAndView";
 import ExternalLayout from "@/components/Common/ExternalLayout";
 import { getPublicRuntimeSettings } from "@/lib/server/runtime-settings";
 import { formatBytes, isSpoilerLabel } from "@/lib/helpers";
-import { apiV1Absolute } from "@/lib/api-path";
 import {
   applyEmbedTemplates,
   applyEmbedSettings,
   getEmbedSettingsByUserId,
   resolveEmbedThemeColor,
   resolveEmbedViewport,
 } from "@/lib/server/embed-settings";
+import { getFile as readFileBySlug } from "@/lib/api/files/read";
 
 export const dynamic = "force-dynamic";
 
 type Params = Promise<{ slug: string }>;
-type SearchParams = Promise<{ anon?: string }>;
+
+type FileDtoLike = Omit<FileDto, "createdAt"> & {
+  createdAt: string | Date | null;
+};
+
+async function buildFileReadRequest(slug: string) {
+  const h = await headers();
+  const host = h.get("x-forwarded-host") ?? h.get("host");
+  const proto = h.get("x-forwarded-proto") ?? "http";
+  const cookieHeader = (await cookies()).toString();
+
+  const base = `${proto}://${host ?? "localhost"}`;
+  const url = new URL(`/api/v1/files/${encodeURIComponent(slug)}`, base);
+  url.searchParams.set("include", "owner");
+
+  const requestHeaders = new Headers();
+  if (cookieHeader) requestHeaders.set("cookie", cookieHeader);
+
+  return new NextRequest(url, {
+    headers: requestHeaders,
+  });
+}
+
+function normalizeFileDto(file: FileDtoLike): FileDto {
+  return {
+    ...file,
+    createdAt:
+      file.createdAt instanceof Date
+        ? file.createdAt.toISOString()
+        : (file.createdAt ?? ""),
+  };
+}
+
+async function readFileDto(slug: string) {
+  const req = await buildFileReadRequest(slug);
+  const result = await readFileBySlug(req, slug);
+  if (result.status !== 200) return null;
+  return normalizeFileDto(result.body as FileDtoLike);
+}
 
 export async function generateMetadata({
   params,
-  searchParams,
 }: {
   params: Params;
-  searchParams: SearchParams;
+  searchParams: Promise<{ [key: string]: string | string[] | undefined }>;
 }): Promise<Metadata> {
   const { slug } = await params;
-  const { anon } = await searchParams;
-  const isAnonymous = ["1", "true", "yes"].includes((anon ?? "").toLowerCase());
   const { appName, appUrl } = await getPublicRuntimeSettings();
   const defaultMetadata = await getDefaultMetadata();
 
   let file: FileDto | null = null;
   try {
-    const query = new URLSearchParams();
-    if (!isAnonymous) query.set("include", "owner");
-    if (isAnonymous) query.set("anon", "1");
-    const res = await fetch(
-      apiV1Absolute(appUrl, `/files/${slug}?${query.toString()}`),
-      {
-        cache: "no-store",
-        headers: {
-          "x-no-audit": "1",
-          "x-audit-source": "metadata",
-        },
-      },
-    );
-    if (res.ok) file = (await res.json()) as FileDto;
+    file = await readFileDto(slug);
   } catch {}
 
   const sizeText = ` I just wasted ${formatBytes(
@@ -89,7 +112,7 @@ export async function generateMetadata({
     ogImage = `${appUrl}/x/${slug}.png`;
   }
 
-  const anonymousActive = isAnonymous || Boolean(file?.anonymousShareEnabled);
+  const anonymousActive = Boolean(file?.anonymousShareEnabled);
   const ownerUsername = anonymousActive ? undefined : file?.ownerUsername;
   const ownerDisplay = anonymousActive
     ? undefined
@@ -175,36 +198,18 @@ export async function generateMetadata({
 
 export async function generateViewport({
   params,
-  searchParams,
 }: {
   params: Params;
-  searchParams: SearchParams;
+  searchParams: Promise<{ [key: string]: string | string[] | undefined }>;
 }): Promise<Viewport> {
   const { slug } = await params;
-  const { anon } = await searchParams;
-
-  const isAnonymous = ["1", "true", "yes"].includes((anon ?? "").toLowerCase());
-  const { appUrl } = await getPublicRuntimeSettings();
 
   let file: FileDto | null = null;
   try {
-    const query = new URLSearchParams();
-    if (!isAnonymous) query.set("include", "owner");
-    if (isAnonymous) query.set("anon", "1");
-    const res = await fetch(
-      apiV1Absolute(appUrl, `/files/${slug}?${query.toString()}`),
-      {
-        cache: "no-store",
-        headers: {
-          "x-no-audit": "1",
-          "x-audit-source": "metadata",
-        },
-      },
-    );
-    if (res.ok) file = (await res.json()) as FileDto;
+    file = await readFileDto(slug);
   } catch {}
 
-  const anonymousActive = isAnonymous || Boolean(file?.anonymousShareEnabled);
+  const anonymousActive = Boolean(file?.anonymousShareEnabled);
   return resolveEmbedViewport(anonymousActive ? undefined : file?.userId);
 }
 
@@ -214,59 +219,37 @@ type FileFetch = {
   error?: string | null;
 };
 
-async function getFile(slug: string, anonymous: boolean): Promise<FileFetch> {
+async function getFile(slug: string): Promise<FileFetch> {
   try {
-    const h = await headers();
-    const host = h.get("x-forwarded-host") ?? h.get("host");
-    const proto = h.get("x-forwarded-proto") ?? "http";
-    if (!host) return { data: null, status: 500 };
-
-    const base = `${proto}://${host}`;
-    const cookieHeader = (await cookies()).toString();
-    const query = new URLSearchParams();
-    if (!anonymous) query.set("include", "owner");
-    if (anonymous) query.set("anon", "1");
-    const res = await fetch(
-      apiV1Absolute(base, `/files/${slug}?${query.toString()}`),
-      {
-        cache: "no-store",
-        headers: { cookie: cookieHeader },
-      },
-    );
-
-    if (!res.ok) {
-      let error: string | null = null;
-      try {
-        const body = (await res.json()) as { message?: string } | null;
-        error = body?.message ?? null;
-      } catch {}
-      return { data: null, status: res.status, error };
+    const req = await buildFileReadRequest(slug);
+    const result = await readFileBySlug(req, slug);
+    if (result.status !== 200) {
+      const body = result.body as { message?: string } | undefined;
+      return {
+        data: null,
+        status: result.status,
+        error: body?.message ?? null,
+      };
     }
 
-    const data = (await res.json()) as FileDto;
-    return { data, status: 200, error: null };
+    return {
+      data: normalizeFileDto(result.body as FileDtoLike),
+      status: 200,
+      error: null,
+    };
   } catch {
     return { data: null, status: 500, error: null };
   }
 }
 
 export default async function ViewFilePage({
   params,
-  searchParams,
 }: {
   params: Promise<{ slug: string }>;
-  searchParams?: Promise<{ anon?: string }>;
+  searchParams?: Promise<{ [key: string]: string | string[] | undefined }>;
 }) {
   const resolvedParams = await params;
-  const resolvedSearchParams = await searchParams;
-  const isAnonymous = ["1", "true", "yes"].includes(
-    (resolvedSearchParams?.anon ?? "").toLowerCase(),
-  );
-  const {
-    data: file,
-    status,
-    error,
-  } = await getFile(resolvedParams.slug, isAnonymous);
+  const { data: file, status, error } = await getFile(resolvedParams.slug);
 
   if (status === 404) {
     return notFound();
@@ -286,7 +269,7 @@ export default async function ViewFilePage({
 
   if (!file) notFound();
 
-  const anonymousActive = isAnonymous || Boolean(file?.anonymousShareEnabled);
+  const anonymousActive = Boolean(file?.anonymousShareEnabled);
   const embedAccent = resolveEmbedThemeColor(
     anonymousActive ? null : await getEmbedSettingsByUserId(file?.userId),
   );

src/app/api/v1/profile/api-keys/[id]/secret/route.ts

@@ -27,7 +27,10 @@ export const runtime = "nodejs";
 
 type Params = Promise<{ id: string }>;
 
-export const GET = withApiError(async function GET(req: NextRequest, { params }: { params: Params }) {
+export const GET = withApiError(async function GET(
+  req: NextRequest,
+  { params }: { params: Params },
+) {
   const session = await auth.api.getSession({ headers: req.headers });
   if (!session?.user?.id) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
@@ -37,7 +40,12 @@ export const GET = withApiError(async function GET(req: NextRequest, { params }:
   const [row] = await db
     .select()
     .from(apiKeySecrets)
-    .where(and(eq(apiKeySecrets.keyId, id), eq(apiKeySecrets.userId, session.user.id)))
+    .where(
+      and(
+        eq(apiKeySecrets.keyId, id),
+        eq(apiKeySecrets.userId, session.user.id),
+      ),
+    )
     .limit(1);
 
   if (!row) {
@@ -51,10 +59,10 @@ export const GET = withApiError(async function GET(req: NextRequest, { params }:
       tag: row.tag,
     });
     return NextResponse.json({ key });
-  } catch (err) {
+  } catch {
     return NextResponse.json(
       { error: "Failed to decrypt API key" },
-      { status: 500 }
+      { status: 500 },
     );
   }
 });