Plane's frontend calls getFileMetaDataForUpload() which uses the file-type
library to sniff MIME from magic bytes. For unsniffable formats (plain text,
.json, .csv, etc.) it returns "" — and that empty string was being threaded
through to S3Storage.generate_presigned_post(), signing the presigned URL
with `Content-Type=""`. Browsers can't reliably send an empty Content-Type
header, so the SigV4 signature never matched and R2 returned 403
SignatureDoesNotMatch. UI showed an opaque upload error.
Two-sided fix:
* apps/api/plane/settings/storage.py — default file_type to
"application/octet-stream" when empty/None. The signed URL now always has
a non-empty Content-Type the browser can match.
* packages/services/src/file/helper.ts — generateFileUploadPayload now
prefers the signed Content-Type from upload_data.fields["Content-Type"]
over file.type. The browser must send EXACTLY the signed value, not its
own MIME guess from extension. Belt-and-suspenders defense alongside the
backend default.
Reproduced empirically against R2 with the new keys 2026-05-01: empty
Content-Type signs, then PUT with `Content-Type: text/plain` returns 403
SignatureDoesNotMatch. With this patch, signing "application/octet-stream"
+ sending it back verbatim returns 200.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
== WHY (KEEP THIS — IT'S WHY THE FORK EXISTS) ==
Vanilla Plane's upload flow uses AWS S3 PostObject (presigned POST +
multipart/form-data + signed-policy-document). Cloudflare R2 AND
Backblaze B2 — the two most common self-host S3-compatible backends —
both return HTTP 501 NotImplemented for PostObject. Empirically verified
2026-04-30 against B2 s3.us-west-004.backblazeb2.com from inside Plane's
own prod api container, replicating Plane's exact boto3 call:
PUT against B2: 200 OK
POST against B2: 501 NotImplemented "This API call is not supported."
POST against R2: 501 NotImplemented (failure that started this thread)
The error code is `NotImplemented` (not `SignatureDoesNotMatch` etc),
meaning the server rejects the verb itself — no boto3 config, addressing-
style flag, or signature variant fixes it. Tested both path-style and
virtual-hosted-style URLs against B2; both fail identically for POST.
This patch rewrites the upload flow to use presigned PUT, which is
universally supported (R2, B2, AWS S3 native, MinIO, Wasabi, etc).
== WHAT (FIVE-FILE BACKEND, FIVE-FILE FRONTEND) ==
Backend:
* apps/api/plane/settings/storage.py — S3Storage.generate_presigned_post
now mints a presigned PUT URL via generate_presigned_url(HttpMethod="PUT").
Method name kept for caller compat. Response shape:
{url, method: "PUT", fields: {Content-Type, key}}.
* apps/api/plane/utils/openapi/responses.py — example response updated.
* apps/api/plane/tests/unit/settings/test_storage.py — 2 tests updated to
assert the new boto3 call.
Frontend:
* packages/types/src/file.ts — TFileSignedURLResponse.upload_data adds
optional method?: "PUT" | "POST"; drops AWS POST-form-data fields.
* packages/services/src/file/helper.ts — generateFileUploadPayload now
returns a TFileUploadRequest descriptor (url+method+body+headers) that
dispatches on method. POST branch kept for upstream parity but the
fork backend never emits POST.
* packages/services/src/file/file-upload.service.ts +
apps/web/core/services/file-upload.service.ts — uploadFile signature
changes from (url, FormData, progress?) to (payload, progress?).
* 5 caller sites updated (apps/web/core/services/file.service.ts x3,
issue_attachment.service.ts x1, sites-file.service.ts x1).
== TRADEOFFS ACCEPTED ==
* Lost: signed `content-length-range` enforcement at the storage layer.
Server-side validation in the API view still rejects oversized requests
with 413 before minting the URL, so a determined client could only
over-upload by misreporting size, capped at the bucket's own size limit.
* Different request shape on the wire (PUT with raw binary body vs POST
with multipart form). Externally invisible to users.
== ROLLBACK ==
If this becomes a maintenance nightmare:
git revert <this-commit-sha>
# rebuild + push images, swap compose tags, redeploy
After revert, uploads will only work against backends that implement
PostObject (MinIO, AWS S3 native). R2 and B2 will return 501 again.
== FULL DECISION RECORD ==
binarybeachio repo: docs/features/storage-upload-flow.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Refactored file upload utilities to use async functions for better handling of file metadata.
- Introduced MIME type detection using the file-type library.
- Updated file service methods to await metadata retrieval.
- Added new dependencies for file-type and updated package.json accordingly.
- Removed deprecated file handling code from utils and adjusted imports across services.
* fix(lint): get ci passing again
* chore(ci): run lint before build
* chore(ci): exclude web app from build check for now
The web app takes too long and causes CI to timeout. Once we
improve we will reintroduce.
* fix: formating of files
* fix: adding format to ci
---------
Co-authored-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
* chore: fix lint
* fix: constants check:lint command
* chore(lint): permit unused vars which begin w/ _
* chore: rm dead code
* fix(lint): more lint fixes to constants pkg
* fix(lint): lint the live server
- fix lint issues
* chore: improve clean script
* fix(lint): more lint
* chore: set live server process title
* chore(deps): update to turbo@2.5.5
* chore(live): target node22
* fix(dev): add missing ui pkg dependency
* fix(dev): lint decorators
* fix(dev): lint space app
* fix(dev): address lint issues in types pkg
* fix(dev): lint editor pkg
* chore(dev): moar lint
* fix(dev): live server exit code
* chore: address PR feedback
* fix(lint): better TPageExtended type
* chore: refactor
* chore: revert most live server changes
* fix: few more lint issues
* chore: enable ci checks
Ensure we can build + confirm that lint is not getting worse.
* chore: address PR feedback
* fix: web lint warning added to package.json
* fix: ci:lint command
---------
Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
* chore: improved pat permissions
* fix: err message
* fix: removed permission from backend
* [WEB-4330] refactor: update API token endpoints to use user context instead of workspace slug
- Changed URL patterns for API token endpoints to use "users/api-tokens/" instead of "workspaces/<str:slug>/api-tokens/".
- Refactored ApiTokenEndpoint methods to remove workspace slug parameter and adjust database queries accordingly.
- Added new test cases for API token creation, retrieval, deletion, and updates, including support for bot users and minimal data submissions.
* fix: removed workspace slug from api-tokens
* fix: refactor
* chore: url.py code rabbit suggestion
* fix: APITokenService moved to package
---------
Co-authored-by: Dheeraj Kumar Ketireddy <dheeru0198@gmail.com>
Co-authored-by: sriramveeraghanta <veeraghanta.sriram@gmail.com>
* chore: added code split for the analytics store
* chore: done some refactor
* refactor: update entity keys in analytics and translations
* chore: updated the translations
* refactor: simplify AnalyticsStoreV2 class by removing unnecessary constructor
* feat: add AnalyticsStoreV2 class and interface for enhanced analytics functionality
* feat: enhance WorkItemsModal and analytics store with isEpic functionality
* feat: integrate isEpic state into TotalInsights and WorkItemsModal components
* refactor: remove isEpic state from WorkItemsModalMainContent component
* refactor: removed old analytics components and related services
* refactor: new analytics
* refactor: removed all nivo chart dependencies
* chore: resolved coderabbit comments
* fix: update processUrl to handle custom-work-items in peek view
* feat: implement CSV export functionality in InsightTable component
* feat: enhance analytics service with filter parameters and improve data handling in InsightTable
* feat: add new translation keys for various statuses across multiple languages
* [WEB-4246] fix: enhance analytics components to include 'isEpic' parameter for improved data fetching
* chore: update yarn.lock to remove deprecated @nivo packages and clean up unused dependencies
