release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth

2025-10-31 17:34:25 -04:00
parent a18a8df7af
commit d664a2f5d8
21 changed files with 2272 additions and 967 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,89 @@
 # Changelog
 ## Changes 10/31/2025 (v1.7.3)
 release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth
 ### 🎃 Highlights (advantages) 👻 🦇
 - ⚡ Faster, cleaner boot: a lightweight **main.js** decides auth/setup before painting, avoids flicker, and wires modules exactly once.
 - ♻️ Fewer duplicate actions: **request coalescer** dedupes POST/PUT/PATCH/DELETE to /api/* .
 - ✅ Truthy UX: global **toast bridge** queues early toasts and normalizes misleading “not found/already exists” messages after success.
 - 🔐 Smoother auth: CSRF priming/rotation + **TOTP step-up detection** across JSON & redirect paths; “Welcome back, `user`” toast once per tab.
 - 🌓 Polished UI: **dark-mode persistence with system fallback**, live siteConfig title application, higher-z modals, drag auto-scroll.
 - 🚀 Faster first paint & interactions: defer CodeMirror/Fuse/Resumable, promote preloaded CSS, and coalesce duplicate requests → snappier UI.
 - 🧭 Admin polish: live header title preview, masked OIDC fields with **Replace** flow, and a **read-only Sponsors/Donations** section.
 - 🧱 Safer & cache-smarter: opinionated .htaccess (CSP/HSTS/MIME/compression) + `?v={{APP_QVER}}` for versioned immutable assets.
 ### Core bootstrap (main.js) overhaul
 - Early **toast bridge** (queues until domUtils is ready); expose `window.__FR_TOAST_FILTER__` for centralized rewrites/suppression.
 - **Result guard + request coalescer** wrapping `fetch`:
  - Dedupes same-origin `/api/*` mutating requests for ~800ms using a stable key (method + path + normalized body).
  - Tracks “last OK” JSON (`success|status|result=ok`) to suppress false-negative error toasts after success.
 - **Boot orchestrator** with hard guards:
  - `__FR_FLAGS` (`booted`, `initialized`, `wired.*`, `bootPromise`, `entryStarted`) to prevent double init/leaks.
  - **No-flicker login**: resolve `checkAuth()` + `setup` before showing UI; show login only when truly unauthenticated.
  - **Heavy boot** for authed users: load i18n, `appCore.loadCsrfToken/initializeApp`, first file list, then light UI wiring.
 - **Auth flow**:
  - `primeCsrf()` + `<meta name="csrf-token">` management; persist token in localStorage.
  - **TOTP** detection via header (`X-TOTP-Required`) & JSON (`totp_required` / `TOTP_REQUIRED`); calls `openTOTPLoginModal()`.
  - **Welcome toast** once per tab via `sessionStorage.__fr_welcomed`.
 - **UI/UX niceties**:
  - `applySiteConfig()` updates header title & login method visibility on both login & authed screens.
  - Dark-mode persistence with system fallback, proper a11y labels/icons.
  - Create dropdown/menu wiring with capture-phase outside-click + ESC close; modal cancel safeties.
  - Lift modals above cards (z-index), **drag auto-scroll** near viewport edges.
  - Dispatch legacy `DOMContentLoaded`/`load` **once** (supports older inline handlers).
  - Username label refresh for existing `.user-name-label` without injecting new DOM.
 ### Performance & UX changes
 - CSS/first paint:
  - Preload Bootstrap & app CSS; promote at DOMContentLoaded; keep inline CSS minimal.
  - Add `width/height/decoding/fetchpriority` to logo to reduce layout shift.
 - Search/editor/uploads:
  - **fileListView.js**: lazy-load Fuse with instant substring fallback; `warmUpSearch()` hook.
  - **fileEditor.js**: lazy-load CodeMirror core/theme/modes; start plain then upgrade; guard very large files gracefully.
  - **upload.js**: lazy-load Resumable; resilient init; background warm-up; smarter addFile/submit; clearer toasts.
 - Toast/UX:
  - Install early toast bridge; queue & normalize messages; neutral “Done.” when server returns misleading errors after success.
 ### Correctness: uploads, paths, ACLs
 - **UploadController/UploadModel**: normalize folders via `ACL::normalizeFolder(rawurldecode())`; stricter segment checks; consistent base paths; safer metadata writes; proper chunk presence/merge & temp cleanup.
 ### Auth hardening & resilience
 - **auth.js/main.js/appCore.js**: CSRF rotate/retry (JSON then x-www-form-urlencoded fallback); robust login handling; fewer misleading error toasts.
 - **AuthController**: OIDC username fallback to `email` or `sub` when `preferred_username` missing.
 ### Admin panel
 - **adminPanel.js**:
  - Live header title preview (instant update without reload).
  - Masked OIDC client fields with **Replace** button; saved-value hints; only send secrets when replacing.
  - **New “Sponsor / Donations” section (read-only)**:
    - GitHub Sponsors → `https://github.com/sponsors/error311`
    - Ko-fi → `https://ko-fi.com/error311`
    - Includes **Copy** and **Open** buttons; values are fixed.
 - **AdminController**: boolean for `oidc.hasClientId/hasClientSecret` to drive masked inputs.
 ### Security & caching (.htaccess)
 - Consolidated security headers (CSP, CORP, HSTS on HTTPS), MIME types, compression (Brotli/Deflate), TRACE disable.
 - Caching rules:
  - HTML/version.js: no-cache; unversioned JS/CSS: 1h; unversioned static: 7d; **versioned assets `?v=`: 1y `immutable`**.
 - **config.php**: remove duplicate runtime headers (now via Apache) to avoid proxy/CDN conflicts.
 ### Upgrade notes
 - No schema changes.
 - Ensure Apache modules (`headers`, `rewrite`, `brotli`/`deflate`) are available for the new .htaccess rules (fallbacks included).
 - Versioned assets mean users shouldn’t need a hard refresh; `?v={{APP_QVER}}` busts caches automatically.
 ---
 ## Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)
 release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish
--- a/config/config.php
+++ b/config/config.php
@@ -1,22 +1,6 @@
 <?php
 // config.php
 // Prevent caching
 header("Cache-Control: no-cache, must-revalidate");
 header("Pragma: no-cache");
 header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
 header("Expires: 0");
 // Security headers
 header('X-Content-Type-Options: nosniff');
 header("X-Frame-Options: SAMEORIGIN");
 header("Referrer-Policy: no-referrer-when-downgrade");
 header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
 header("X-XSS-Protection: 1; mode=block");
 if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
 }
 // Define constants
 define('PROJECT_ROOT', dirname(__DIR__));
 define('UPLOAD_DIR',    '/var/www/uploads/');
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -11,11 +11,25 @@ DirectoryIndex index.html
 </IfModule>
 RewriteEngine On
-# If you want forced HTTPS behind a proxy, keep this off here and do it at the proxy
+
 # --- HTTPS redirect ---
 # Use ONE of these blocks.
 # A) Direct TLS on this server (enable this if Apache terminates HTTPS here)
 #RewriteCond %{HTTPS} off
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-# MIME types (fonts/SVG/ESM)
+# B) Behind a reverse proxy/CDN that sets X-Forwarded-Proto
 #RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
 #RewriteCond %{HTTP:X-Forwarded-Proto} ^$
 #RewriteCond %{HTTPS} !=on
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 # Don't interfere with ACME/http-01 if you do your own certs
 #RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
 #RewriteRule - - [L]
 # --- MIME types (fonts/SVG/ESM) ---
 <IfModule mod_mime.c>
  AddType font/woff2 .woff2
  AddType font/woff  .woff
@@ -23,58 +37,57 @@ RewriteEngine On
  AddType application/javascript .mjs
 </IfModule>
-# Security headers
+# --- Security headers ---
 <IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options "nosniff"
  # HSTS: only if HTTPS (prevents mixed local dev warnings)
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set X-Download-Options "noopen"
  Header always set Expect-CT "max-age=86400, enforce"
  # Nice extra hardening (same-origin resource sharing)
  Header always set Cross-Origin-Resource-Policy "same-origin"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # HSTS only when actually on HTTPS
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
-  # CSP (modules, workers, blobs already accounted for)
+  # CSP (modules, blobs, workers, etc.)
-  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
+  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'"
 </IfModule>
-# Caching
+# --- Caching (query-string based, no env vars needed) ---
 SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
 <IfModule mod_headers.c>
-  # HTML/PHP: no cache (app shell)
+  # HTML/PHP: no cache (only if PHP didn’t already set it)
  <FilesMatch "\.(html?|php)$">
-    Header set Cache-Control "no-cache, no-store, must-revalidate"
+    Header setifempty Cache-Control "no-cache, no-store, must-revalidate"
-    Header set Pragma "no-cache"
+    Header setifempty Pragma "no-cache"
-    Header set Expires "0"
+    Header setifempty Expires "0"
  </FilesMatch>
-  # version.js is your source-of-truth; keep it non-cacheable so dev/CI flips show up
+  # version.js: always non-cacheable
  <FilesMatch "^js/version\.js$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"
  </FilesMatch>
-# Unversioned JS/CSS (dev): 1 hour
+  # Unversioned JS/CSS: 1 hour
  <FilesMatch "\.(?:m?js|css)$">
-  Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
+    Header set Cache-Control "public, max-age=3600, must-revalidate" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
  </FilesMatch>
-# Unversioned static assets (dev): 7 days
+  # Unversioned static (images/fonts): 7 days
  <FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=604800" env=!has_version_param
+    Header set Cache-Control "public, max-age=604800" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
  </FilesMatch>
  # Versioned assets (?v=...): 1 year + immutable
  <FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
+    Header setifempty Cache-Control "public, max-age=31536000, immutable" "expr=%{QUERY_STRING} =~ /(^|&)v=/"
  </FilesMatch>
 </IfModule>
-# Compression (if modules exist)
+# --- Compression ---
 <IfModule mod_brotli.c>
  BrotliCompressionQuality 5
  AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
@@ -83,6 +96,6 @@ SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
  AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
-# Disable TRACE
+# --- Disable TRACE ---
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]
--- a/public/css/styles.css
+++ b/public/css/styles.css
@@ -37,7 +37,11 @@ body {
  /************************************************************/
  /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
  /************************************************************/
-  .header-logo .logo { height: 50px; width: auto; display: block; }
+  .header-logo .logo {
    display:block;
    max-width:100%;
    height:auto;         /* keep aspect ratio; HTML attrs set the intrinsic box */
  }
  .btn-login {
  margin-top: 10px;
  }/* Color overrides */
@@ -1598,7 +1602,7 @@ body {
  #removeUserModal {
  z-index: 5000 !important;
  }#customConfirmModal {
-  z-index: 6000 !important;
+  z-index: 12000 !important;
  }.admin-panel-content {
  background: #fff;
    color: #000;
@@ -1868,3 +1872,4 @@ body {
  background: #fafafa;
    border-color: #e2e2e2;
  }
--- a/public/css/vendor/material-icons.css
+++ b/public/css/vendor/material-icons.css
@@ -4,7 +4,7 @@
  font-style: normal;
  font-weight: 400;
  font-display: swap;
-  src: url(/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2) format('woff2');
+  src: url('/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2?v={{APP_QVER}}') format('woff2');
 }
 .material-icons {
--- a/public/css/vendor/roboto.css
+++ b/public/css/vendor/roboto.css
@@ -4,7 +4,7 @@
  font-style:normal;
  font-weight:400;
  font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
  unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Regular 400 — latin */
@@ -13,7 +13,7 @@
  font-style:normal;
  font-weight:400;
  font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
  unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 /* Roboto Medium 500 — latin-ext */
@@ -22,7 +22,7 @@
  font-style:normal;
  font-weight:500;
  font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
  unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Medium 500 — latin */
@@ -31,7 +31,7 @@
  font-style:normal;
  font-weight:500;
  font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
  unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
--- a/public/index.html
+++ b/public/index.html
@@ -5,38 +5,58 @@
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>FileRise</title>
  <!-- Icons -->
  <link rel="icon" type="image/png" href="/assets/logo.png">
  <link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
  <!-- App meta -->
  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
  <meta name="csrf-token" content="">
  <meta name="share-url" content="">
  <meta name="theme-color" content="#0b5ed7">
-  <style>.main-wrapper{display:none}#loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}</style>
+  <!-- Minimal critical CSS only (keeps CSP clean, no inline JS) -->
-  <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
+  <style>
-  <link rel="stylesheet" href="/css/vendor/material-icons.css?v={{APP_QVER}}">
+    .main-wrapper{display:none}
    #loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}
  </style>
-  <!-- Bootstrap CSS (local) -->
+  <!-- CSS: preload, then promote via tiny external JS (no inline onload) -->
  <link rel="preload" as="style" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
  <link rel="preload" as="style" href="/css/styles.css?v={{APP_QVER}}">
  <!-- Fonts: preload only those used above the fold -->
  <link rel="preload" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}" as="font" type="font/woff2" crossorigin>
  <link rel="preload" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}" as="font" type="font/woff2" crossorigin>
  <!-- Do NOT preload material icons unless needed above the fold -->
  <!-- Non-blocking stylesheet promotion (external to satisfy CSP) -->
  <script src="/js/defer-css.js?v={{APP_QVER}}" defer></script>
  <!-- Base CSS as a fallback if JS is disabled -->
  <noscript>
    <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
  <!-- CodeMirror CSS (local) -->
  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v={{APP_QVER}}">
  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v={{APP_QVER}}">
  <!-- app CSS -->
    <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
  </noscript>
-  <!-- Libraries (JS) -->
+  <!-- Preload font CSS (non-blocking) -->
-  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}"></script>
+  <link rel="preload" as="style" href="/css/vendor/roboto.css?v={{APP_QVER}}">
-  <script src="/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}"></script>
+  <link rel="preload" as="style" href="/css/vendor/material-icons.css?v={{APP_QVER}}">
  <script src="/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}"></script>
-  <!-- CodeMirror core FIRST -->
+  <!-- Vendor JS (keep defer; they’re not modules) -->
-  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v={{APP_QVER}}"></script>
+  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}" defer></script>
-  <script src="/js/version.js?v={{APP_QVER}}"></script>
+  <!-- IMPORTANT: Remove CodeMirror here; lazy-load it inside your editor route/module. -->
  <!-- Version marker (non-blocking) -->
  <script src="/js/version.js?v={{APP_QVER}}" defer></script>
  <!-- App entry: start fetching early, execute after parse -->
  <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}">
  <script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
 </head>
 <body>
@@ -44,7 +64,14 @@
    <div class="header-left">
      <a href="index.html">
        <div class="header-logo">
-          <img src="/assets/logo.svg?v={{APP_QVER}}" alt="FileRise" class="logo" />
+          <img
  src="/assets/logo.svg?v={{APP_QVER}}"
  alt="FileRise"
  class="logo"
  width="50" height="50"
  decoding="async"
  fetchpriority="low"
 />
        </div>
      </a>
    </div>
@@ -103,7 +130,7 @@
  <!-- Custom Toast Container -->
  <div id="customToast"></div>
  <div id="hiddenCardsContainer" style="display:none;"></div>
-
+  <main id="main">
  <div class="row mt-4" id="loginForm">
    <div class="col-12">
      <form id="authForm" method="post">
@@ -115,7 +142,7 @@
          <label for="loginPassword" data-i18n-key="password">Password:</label>
          <input type="password" class="form-control" id="loginPassword" name="password" required />
        </div>
-        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login">Login</button>
+        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login" data-default>Login</button>
        <div class="form-group remember-me-container">
          <input type="checkbox" id="rememberMeCheckbox" name="remember_me" />
          <label for="rememberMeCheckbox" data-i18n-key="remember_me">Remember me</label>
@@ -133,6 +160,8 @@
      </div>
    </div>
  </div>
 </main>
  <!-- Main Wrapper: Hidden by default; remove "display: none;" after login -->
  <div class="main-wrapper">
@@ -215,7 +244,7 @@
                          <div class="modal-footer" style="margin-top:15px; text-align:right;">
                            <button id="cancelMoveFolder" class="btn btn-secondary"
                              data-i18n-key="cancel">Cancel</button>
-                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move">Move</button>
+                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                          </div>
                        </div>
                      </div>
@@ -233,7 +262,7 @@
                            <button id="cancelRenameFolder" class="btn btn-secondary"
                              data-i18n-key="cancel">Cancel</button>
                            <button id="submitRenameFolder" class="btn btn-primary"
-                              data-i18n-key="rename">Rename</button>
+                              data-i18n-key="rename" data-default>Rename</button>
                          </div>
                        </div>
                      </div>
@@ -253,7 +282,7 @@
                            <button id="cancelDeleteFolder" class="btn btn-secondary"
                              data-i18n-key="cancel">Cancel</button>
                            <button id="confirmDeleteFolder" class="btn btn-danger"
-                              data-i18n-key="delete">Delete</button>
+                              data-i18n-key="delete" data-default>Delete</button>
                          </div>
                        </div>
                      </div>
@@ -289,7 +318,7 @@
                  selected files?</p>
                <div class="modal-footer">
                  <button id="cancelDeleteFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete">Delete</button>
+                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete" data-default>Delete</button>
                </div>
              </div>
            </div>
@@ -303,7 +332,7 @@
                <select id="copyTargetFolder" class="form-control modal-input"></select>
                <div class="modal-footer">
                  <button id="cancelCopyFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy">Copy</button>
+                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy" data-default>Copy</button>
                </div>
              </div>
            </div>
@@ -317,7 +346,7 @@
                <select id="moveTargetFolder" class="form-control modal-input"></select>
                <div class="modal-footer">
                  <button id="cancelMoveFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move">Move</button>
+                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                </div>
              </div>
            </div>
@@ -326,31 +355,16 @@
            <button id="extractZipBtn" class="btn action-btn btn-sm btn-info"  style="display: none;" disabled
              data-i18n-key="extract_zip_button">Extract Zip</button>
              <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
-              <button id="createBtn" class="btn action-btn" style="display: none;" data-i18n-key="create">
+                <button id="createBtn" class="btn action-btn" type="button" style="display:none;" aria-haspopup="true" aria-expanded="false">
-                ${t('create')} <span class="material-icons"
+                  <span data-i18n-key="create">Create</span>
-                  style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
+                  <span class="material-icons" style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
                </button>
-              <ul id="createMenu" class="dropdown-menu" style="
+                <ul id="createMenu" class="dropdown-menu" style="display:none; position:absolute; top:100%; left:0; margin:4px 0 0; padding:0; list-style:none; background:#fff; border:1px solid #ccc; box-shadow:0 2px 6px rgba(0,0,0,0.2); z-index:10010; min-width:160px;">
-                    display: none;
+                  <li id="createFileOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
-                    position: absolute;
+                    <span data-i18n-key="create_file">Create file</span>
                    top: 100%;
                    left: 0;
                    margin: 4px 0 0;
                    padding: 0;
                    list-style: none;
                    background: #fff;
                    border: 1px solid #ccc;
                    box-shadow: 0 2px 6px rgba(0,0,0,0.2);
                    z-index: 1000;
                    min-width: 140px;
                  ">
                <li id="createFileOption" class="dropdown-item" data-i18n-key="create_file"
                  style="padding:8px 12px; cursor:pointer;">
                  ${t('create_file')}
                  </li>
-                <li id="createFolderOption" class="dropdown-item" data-i18n-key="create_folder"
+                  <li id="createFolderOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
-                  style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_folder">Create folder</span>
                  ${t('create_folder')}
                  </li>
                </ul>
              </div>
@@ -362,7 +376,7 @@
                  data-i18n-placeholder="newfile_placeholder" />
                <div class="modal-footer" style="margin-top:1rem; text-align:right;">
                  <button id="cancelCreateFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create">Create</button>
+                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create" data-default>Create</button>
                </div>
              </div>
            </div>
@@ -374,7 +388,7 @@
                  placeholder="files.zip" />
                <div class="modal-footer" style="margin-top:15px; text-align:right;">
                  <button id="cancelDownloadZip" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download">Download</button>
+                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
                </div>
              </div>
            </div>
@@ -412,14 +426,14 @@
        placeholder="Filename" />
      <div style="margin-top: 15px; text-align: right;">
        <button id="cancelDownloadFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download">Download</button>
+        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
      </div>
    </div>
  </div>
  <!-- Change Password, Add User, Remove User, Rename File, and Custom Confirm Modals (unchanged) -->
  <div id="changePasswordModal" class="modal" style="display:none;">
-    <div class="modal-content" style="max-width:400px; margin:auto;">
+    <div class="modal-content" style="text-align: center; padding: 20px;">
      <span id="closeChangePasswordModal" class="editor-close-btn">&times;</span>
      <h3 data-i18n-key="change_password_title">Change Password</h3>
      <input type="password" id="oldPassword" class="form-control" data-i18n-placeholder="old_password"
@@ -428,7 +442,7 @@
        placeholder="New Password" style="width:100%; margin: 5px 0;" />
      <input type="password" id="confirmPassword" class="form-control" data-i18n-placeholder="confirm_new_password"
        placeholder="Confirm New Password" style="width:100%; margin: 5px 0;" />
-      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;">Save</button>
+      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;" data-default>Save</button>
    </div>
  </div>
  <div id="addUserModal" class="modal" style="display:none;">
@@ -453,7 +467,7 @@
            Cancel
          </button>
          <!-- Save becomes type="submit" -->
-          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user">
+          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user" data-default>
            Save User
          </button>
        </div>
@@ -478,7 +492,7 @@
        placeholder="Enter new file name" style="margin-top:10px;" />
      <div style="margin-top:15px; text-align:right;">
        <button id="cancelRenameFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename">Rename</button>
+        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename" data-default>Rename</button>
      </div>
    </div>
  </div>
@@ -486,7 +500,7 @@
    <div class="modal-content">
      <p id="confirmMessage"></p>
      <div class="modal-actions">
-        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes">Yes</button>
+        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes" data-default>Yes</button>
        <button id="confirmNoBtn" class="btn btn-secondary" data-i18n-key="no">No</button>
      </div>
    </div>
--- a/public/js/adminPanel.js
+++ b/public/js/adminPanel.js
@@ -37,6 +37,66 @@ function enforceShareFolderRule(row) {
  }
 }
 function wireHeaderTitleLive() {
  const input = document.getElementById('headerTitle');
  if (!input || input.__live) return;
  input.__live = true;
  const apply = (val) => {
    const title = (val || '').trim() || 'FileRise';
    const h1 = document.querySelector('.header-title h1');
    if (h1) h1.textContent = title;
    document.title = title;
    window.headerTitle = val || ''; // preserve raw value user typed
    try { localStorage.setItem('headerTitle', title); } catch { }
  };
  // apply current value immediately + on each keystroke
  apply(input.value);
  input.addEventListener('input', (e) => apply(e.target.value));
 }
 function renderMaskedInput({ id, label, hasValue, isSecret = false }) {
  const type = isSecret ? 'password' : 'text';
  const disabled = hasValue ? 'disabled data-replace="0" placeholder="•••••• (saved)"' : '';
  const replaceBtn = hasValue
    ? `<button type="button" class="btn btn-sm btn-outline-secondary" data-replace-for="${id}">Replace</button>`
    : '';
  const note = hasValue
    ? `<small class="text-success" style="margin-left:4px;">Saved — leave blank to keep</small>`
    : '';
  return `
    <div class="form-group">
      <label for="${id}">${label}:</label>
      <div style="display:flex; gap:8px; align-items:center;">
        <input type="${type}" id="${id}" class="form-control" ${disabled} />
        ${replaceBtn}
      </div>
      ${note}
    </div>
  `;
 }
 function wireReplaceButtons(scope = document) {
  scope.querySelectorAll('[data-replace-for]').forEach(btn => {
    if (btn.__wired) return;
    btn.__wired = true;
    btn.addEventListener('click', () => {
      const id = btn.getAttribute('data-replace-for');
      const inp = scope.querySelector('#' + id);
      if (!inp) return;
      inp.disabled = false;
      inp.dataset.replace = '1';
      inp.placeholder = '';
      inp.value = '';
      btn.textContent = 'Keep saved value';
      btn.removeAttribute('data-replace-for');
      btn.addEventListener('click', () => { /* no-op after first toggle */ }, { once: true });
    }, { once: true });
  });
 }
 function onShareFolderToggle(row, checked) {
  const manage = qs(row, 'input[data-cap="manage"]');
  const viewAll = qs(row, 'input[data-cap="view"]');
@@ -433,7 +493,8 @@ export function openAdminPanel() {
            { id: "webdav", label: "WebDAV Access" },
            { id: "upload", label: t("shared_max_upload_size_bytes_title") },
            { id: "oidc", label: t("oidc_configuration") + " & TOTP" },
-                { id: "shareLinks", label: t("manage_shared_links") }
+            { id: "shareLinks", label: t("manage_shared_links") },
            { id: "sponsor", label: (typeof tf === 'function' ? tf("sponsor_donations", "Sponsor / Donations") : "Sponsor / Donations") }
          ].map(sec => `
              <div id="${sec.id}Header" class="section-header collapsed">
                ${sec.label} <i class="material-icons">expand_more</i>
@@ -453,7 +514,7 @@ export function openAdminPanel() {
        document.getElementById("closeAdminPanel").addEventListener("click", closeAdminPanel);
        document.getElementById("cancelAdminSettings").addEventListener("click", closeAdminPanel);
-        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks"]
+        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks", "sponsor"]
          .forEach(id => {
            document.getElementById(id + "Header")
              .addEventListener("click", () => toggleSection(id));
@@ -485,6 +546,7 @@ export function openAdminPanel() {
            <input type="text" id="headerTitle" class="form-control" value="${window.headerTitle || ""}" />
          </div>
        `;
        wireHeaderTitleLive();
        document.getElementById("loginOptionsContent").innerHTML = `
          <div class="form-group"><input type="checkbox" id="disableFormLogin" /> <label for="disableFormLogin">${t("disable_login_form")}</label></div>
@@ -512,17 +574,35 @@ export function openAdminPanel() {
          </div>
        `;
        const hasId = !!(config.oidc && config.oidc.hasClientId);
        const hasSecret = !!(config.oidc && config.oidc.hasClientSecret);
        document.getElementById("oidcContent").innerHTML = `
  <div class="form-text text-muted" style="margin-top:8px;">
-            <small>Note: OIDC credentials (Client ID/Secret) will show blank here after saving, but remain unchanged until you explicitly edit and save them.</small>
+    <small>Client ID/Secret are never shown after saving. A green note indicates a value is saved. Click “Replace” to overwrite.</small>
  </div>
  <div class="form-group">
    <label for="oidcProviderUrl">${t("oidc_provider_url")}:</label>
    <input type="text" id="oidcProviderUrl" class="form-control" value="${(window.currentOIDCConfig?.providerUrl || "")}" />
  </div>
  ${renderMaskedInput({ id: "oidcClientId", label: t("oidc_client_id"), hasValue: hasId })}
  ${renderMaskedInput({ id: "oidcClientSecret", label: t("oidc_client_secret"), hasValue: hasSecret, isSecret: true })}
  <div class="form-group">
    <label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label>
    <input type="text" id="oidcRedirectUri" class="form-control" value="${(window.currentOIDCConfig?.redirectUri || "")}" />
  </div>
  <div class="form-group">
    <label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label>
    <input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" />
  </div>
          <div class="form-group"><label for="oidcProviderUrl">${t("oidc_provider_url")}:</label><input type="text" id="oidcProviderUrl" class="form-control" value="${window.currentOIDCConfig?.providerUrl || ""}" /></div>
          <div class="form-group"><label for="oidcClientId">${t("oidc_client_id")}:</label><input type="text" id="oidcClientId" class="form-control" value="${window.currentOIDCConfig?.clientId || ""}" /></div>
          <div class="form-group"><label for="oidcClientSecret">${t("oidc_client_secret")}:</label><input type="text" id="oidcClientSecret" class="form-control" value="${window.currentOIDCConfig?.clientSecret || ""}" /></div>
          <div class="form-group"><label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label><input type="text" id="oidcRedirectUri" class="form-control" value="${window.currentOIDCConfig?.redirectUri || ""}" /></div>
          <div class="form-group"><label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label><input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" /></div>
 `;
        wireReplaceButtons(document.getElementById("oidcContent"));
        document.getElementById("shareLinksContent").textContent = t("loading") + "…";
        document.getElementById("saveAdminSettings")
@@ -545,6 +625,60 @@ export function openAdminPanel() {
          }
        });
        // --- Sponsor (fixed, non-editable) ---
        const SPONSOR_GH = "https://github.com/sponsors/error311";
        const SPONSOR_KOFI = "https://ko-fi.com/error311";
        document.getElementById("sponsorContent").innerHTML = `
  <div class="form-group" style="margin-bottom:12px;">
    <label for="sponsorGitHub">${(typeof tf === 'function' ? tf("github_sponsors_url", "GitHub Sponsors URL") : "GitHub Sponsors URL")}:</label>
    <div class="input-group">
      <input type="url"
             id="sponsorGitHub"
             class="form-control"
             value="${SPONSOR_GH}"
             readonly
             data-ignore-dirty="1" />
      <button type="button" id="copySponsorGitHub" class="btn btn-outline-primary">Copy</button>
      <a class="btn btn-outline-secondary" id="openSponsorGitHub" target="_blank" rel="noopener">Open</a>
    </div>
  </div>
  <div class="form-group" style="margin-bottom:12px;">
    <label for="sponsorKoFi">${(typeof tf === 'function' ? tf("ko_fi_url", "Ko-fi URL") : "Ko-fi URL")}:</label>
    <div class="input-group">
      <input type="url"
             id="sponsorKoFi"
             class="form-control"
             value="${SPONSOR_KOFI}"
             readonly
             data-ignore-dirty="1" />
      <button type="button" id="copySponsorKoFi" class="btn btn-outline-primary">Copy</button>
      <a class="btn btn-outline-secondary" id="openSponsorKoFi" target="_blank" rel="noopener">Open</a>
    </div>
  </div>
  <small class="text-muted">${(typeof tf === 'function'
            ? tf("sponsor_note_fixed", "Please consider supporting ongoing development.")
            : "Please consider supporting ongoing development.")}</small>
 `;
        // Wire copy + open (no changes tracked)
        const ghInput = document.getElementById("sponsorGitHub");
        const kfInput = document.getElementById("sponsorKoFi");
        document.getElementById("copySponsorGitHub").addEventListener("click", async () => {
          try { await navigator.clipboard.writeText(ghInput.value); } catch { }
          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
        });
        document.getElementById("copySponsorKoFi").addEventListener("click", async () => {
          try { await navigator.clipboard.writeText(kfInput.value); } catch { }
          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
        });
        document.getElementById("openSponsorGitHub").href = SPONSOR_GH;
        document.getElementById("openSponsorKoFi").href = SPONSOR_KOFI;
        const userMgmt = document.getElementById("userManagementContent");
        userMgmt?.removeEventListener("click", window.__userMgmtDelegatedClick);
        window.__userMgmtDelegatedClick = (e) => {
@@ -574,7 +708,11 @@ export function openAdminPanel() {
        document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
        document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
        document.getElementById("oidcProviderUrl").value = window.currentOIDCConfig?.providerUrl || "";
-        document.getElementById("oidcClientId").value = window.currentOIDCConfig?.clientId || "";
+        const idEl = document.getElementById("oidcClientId");
        const secEl = document.getElementById("oidcClientSecret");
        if (!hasId) idEl.value = window.currentOIDCConfig?.clientId || "";
        if (!hasSecret) secEl.value = window.currentOIDCConfig?.clientSecret || "";
        wireReplaceButtons(document.getElementById("oidcContent"));
        document.getElementById("oidcClientSecret").value = window.currentOIDCConfig?.clientSecret || "";
        document.getElementById("oidcRedirectUri").value = window.currentOIDCConfig?.redirectUri || "";
        document.getElementById("globalOtpauthUrl").value = window.currentOIDCConfig?.globalOtpauthUrl || '';
@@ -585,57 +723,57 @@ export function openAdminPanel() {
 }
 function handleSave() {
-  const dFL = !!document.getElementById("disableFormLogin")?.checked;
+  const payload = {
-  const dBA = !!document.getElementById("disableBasicAuth")?.checked;
+    header_title: document.getElementById("headerTitle")?.value || "",
  const dOIDC = !!document.getElementById("disableOIDCLogin")?.checked;
  const aBypass = !!document.getElementById("authBypass")?.checked;
  const aHeader = (document.getElementById("authHeaderName")?.value || "X-Remote-User").trim();
  const eWD = !!document.getElementById("enableWebDAV")?.checked;
  const sMax = parseInt(document.getElementById("sharedMaxUploadSize")?.value || "0", 10) || 0;
  const nHT = (document.getElementById("headerTitle")?.value || "").trim();
  const nOIDC = {
    providerUrl: (document.getElementById("oidcProviderUrl")?.value || "").trim(),
    clientId: (document.getElementById("oidcClientId")?.value || "").trim(),
    clientSecret: (document.getElementById("oidcClientSecret")?.value || "").trim(),
    redirectUri: (document.getElementById("oidcRedirectUri")?.value || "").trim()
  };
  const gURL = (document.getElementById("globalOtpauthUrl")?.value || "").trim();
  if ([dFL, dBA, dOIDC].filter(x => x).length === 3) {
    showToast(t("at_least_one_login_method"));
    return;
  }
  sendRequest("/api/admin/updateConfig.php", "POST", {
    header_title: nHT,
    oidc: nOIDC,
    loginOptions: {
-      disableFormLogin: dFL,
+      disableFormLogin: document.getElementById("disableFormLogin").checked,
-      disableBasicAuth: dBA,
+      disableBasicAuth: document.getElementById("disableBasicAuth").checked,
-      disableOIDCLogin: dOIDC,
+      disableOIDCLogin: document.getElementById("disableOIDCLogin").checked,
-      authBypass: aBypass,
+      authBypass: document.getElementById("authBypass").checked,
-      authHeaderName: aHeader
+      authHeaderName: document.getElementById("authHeaderName").value.trim() || "X-Remote-User",
    },
-    enableWebDAV: eWD,
+    enableWebDAV: document.getElementById("enableWebDAV").checked,
-    sharedMaxUploadSize: sMax,
+    sharedMaxUploadSize: parseInt(document.getElementById("sharedMaxUploadSize").value || "0", 10) || 0,
-    globalOtpauthUrl: gURL
+    oidc: {
-  }, { "X-CSRF-Token": window.csrfToken })
+      providerUrl: document.getElementById("oidcProviderUrl").value.trim(),
-    .then(res => {
+      redirectUri: document.getElementById("oidcRedirectUri").value.trim(),
-      if (res.success) {
+      // clientId/clientSecret: only include when replacing
-        showToast(t("settings_updated_successfully"), "success");
+    },
-        captureInitialAdminConfig();
+    globalOtpauthUrl: document.getElementById("globalOtpauthUrl").value.trim(),
-        closeAdminPanel();
+  };
-        loadAdminConfigFunc();
+
-      } else {
+  const idEl = document.getElementById("oidcClientId");
-        showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
+  const scEl = document.getElementById("oidcClientSecret");
  if (idEl?.dataset.replace === '1' && idEl.value.trim() !== '') {
    payload.oidc.clientId = idEl.value.trim();
  }
-    }).catch(() => {/*noop*/ });
+  if (scEl?.dataset.replace === '1' && scEl.value.trim() !== '') {
    payload.oidc.clientSecret = scEl.value.trim();
  }
  fetch('/api/admin/updateConfig.php', {
    method: 'POST',
    credentials: 'include',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-Token': (document.querySelector('meta[name="csrf-token"]')?.content || '')
    },
    body: JSON.stringify(payload)
  })
    .then(r => r.json())
    .then(j => {
      if (j.error) { showToast('Error: ' + j.error); return; }
      showToast('Settings saved.');
      closeAdminPanel();
    })
    .catch(() => showToast('Save failed.'));
 }
 export async function closeAdminPanel() {
  if (hasUnsavedChanges()) {
-    const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
+    //const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
-    if (!ok) return;
+    //if (!ok) return;
  }
  const m = document.getElementById("adminPanelModal");
  if (m) m.style.display = "none";
--- a/public/js/appCore.js
+++ b/public/js/appCore.js
@@ -136,13 +136,30 @@ export function initializeApp() {
   LOGOUT (shared)
   ========================= */
 export function triggerLogout() {
  const clearWelcomeFlags = () => {
    try {
      // one-per-tab toast guard
      sessionStorage.removeItem('__fr_welcomed');
      // if you also used the per-user (all-tabs) guard, clear that too:
      const u = localStorage.getItem('username') || '';
      if (u) localStorage.removeItem(`__fr_welcomed_${u}`);
    } catch { }
  };
  _nativeFetch("/api/auth/logout.php", {
    method: "POST",
    credentials: "include",
    headers: { "X-CSRF-Token": getCsrfToken() }
  })
-    .then(() => window.location.reload(true))
+    .then(() => {
-    .catch(() => { /* no-op */ });
+      clearWelcomeFlags();
      window.location.reload(true);
    })
    .catch(() => {
      // even if the request fails, clear the flags so the next login can toast
      clearWelcomeFlags();
      window.location.reload(true);
    });
 }
 /* =========================
--- a/public/js/auth.js
+++ b/public/js/auth.js
@@ -31,6 +31,49 @@ const currentOIDCConfig = {
 };
 window.currentOIDCConfig = currentOIDCConfig;
 (function installToastFilter() {
  const isDemoHost = location.hostname.toLowerCase() === 'demo.filerise.net';
  window.__FR_TOAST_FILTER__ = function (msgKeyOrText) {
    // Suppress the nag while doing TOTP step-up
    if (window.pendingTOTP && (msgKeyOrText === 'please_log_in_to_continue' ||
      /please log in/i.test(String(msgKeyOrText)))) {
      return null; // suppress
    }
    // Demo host
    if (isDemoHost && (msgKeyOrText === 'please_log_in_to_continue' ||
      /please log in/i.test(String(msgKeyOrText)))) {
      return "Demo site — use:\nUsername: demo\nPassword: demo";
    }
    // Try to translate keys; pass through plain text
    try {
      const maybe = t(msgKeyOrText);
      if (typeof maybe === 'string' && maybe !== msgKeyOrText) return maybe;
    } catch { }
    return msgKeyOrText;
  };
 })();
 function queueWelcomeToast(name) {
  const uname = String(name || '').trim().slice(0, 80);
  if (!uname) return;
  // show immediately (if we don’t reload instantly)
  try {
    window.dispatchEvent(new CustomEvent('filerise:toast', {
      detail: { message: `Welcome back, ${uname}!`, duration: 2000 }
    }));
  } catch { }
  // and persist for after-reload (flushed by main.js on boot)
  try {
    sessionStorage.setItem('welcomeMessage', `Welcome back, ${uname}!`);
  } catch { }
 }
 /* ----------------- TOTP & Toast Overrides ----------------- */
 // detect if we’re in a pending‑TOTP state
 window.pendingTOTP = new URLSearchParams(window.location.search).get('totp_required') === '1';
@@ -72,45 +115,51 @@ const originalFetch = window.fetch;
 * @param {object} options
 * @returns {Promise<Response>}
 */
 export async function fetchWithCsrf(url, options = {}) {
-  // 1) Merge in credentials + header
+  const original = window.fetch.bind(window);
-  options = {
+  const wantJson = (options.headers && /json/i.test(options.headers['Content-Type'] || '')) || typeof options.body === 'string' && options.body.trim().startsWith('{');
-    credentials: 'include',
+
-    ...options,
+  options = { credentials: 'include', ...options };
  };
  options.headers = {
-    ...(options.headers || {}),
+    'Accept': 'application/json',
-    'X-CSRF-Token': window.csrfToken,
+    ...(options.headers || {})
  };
  if (window.csrfToken) {
    options.headers['X-CSRF-Token'] = window.csrfToken;
  }
-  // 2) First attempt
+  async function retryWithFreshCsrf(asFormFallback = false) {
-  let res = await originalFetch(url, options);
+    const tokRes = await original('/api/auth/token.php', { credentials: 'include' });
  // 3) If we got a 403, try to refresh token & retry
  if (res.status === 403) {
    // 3a) See if the server gave us a new token header
    let newToken = res.headers.get('X-CSRF-Token');
    // 3b) Otherwise fall back to the /api/auth/token endpoint
    if (!newToken) {
      const tokRes = await originalFetch('/api/auth/token.php', { credentials: 'include' });
    if (tokRes.ok) {
-        const body = await tokRes.json();
+      const body = await tokRes.json().catch(() => ({}));
-        newToken = body.csrf_token;
+      if (body?.csrf_token) {
-      }
+        window.csrfToken = body.csrf_token;
    }
    if (newToken) {
      // 3c) Update global + meta
      window.csrfToken = newToken;
        const meta = document.querySelector('meta[name="csrf-token"]');
-      if (meta) meta.content = newToken;
+        if (meta) meta.content = body.csrf_token;
-
+        options.headers['X-CSRF-Token'] = body.csrf_token;
      // 3d) Retry the original request with the new token
      options.headers['X-CSRF-Token'] = newToken;
      res = await originalFetch(url, options);
      }
    }
    if (asFormFallback && wantJson) {
      // convert JSON body into x-www-form-urlencoded
      const orig = options.body && typeof options.body === 'string' ? JSON.parse(options.body) : {};
      options.body = toFormBody(orig);
      options.headers['Content-Type'] = 'application/x-www-form-urlencoded';
    }
    return original(url, options);
  }
-  // 4) Return the real Response—no body peeking here!
+  let res = await original(url, options);
  // If API doesn’t like JSON or token is stale
  if (res.status === 400 || res.status === 403 || res.status === 415) {
    // 1) retry with fresh CSRF keeping same encoding
    res = await retryWithFreshCsrf(false);
    if (!res.ok && wantJson) {
      // 2) retry again as form-encoded
      res = await retryWithFreshCsrf(true);
    }
  }
  return res;
 }
@@ -464,6 +513,14 @@ function checkAuthentication(showLoginToast = true) {
        }
        updateAuthenticatedUI(data);
        return data;
        // at the end of updateAuthenticatedUI(data)
        if (!window.__FR_FLAGS?.initialized && typeof initializeApp === 'function') {
          initializeApp();
          window.__FR_FLAGS.initialized = true;
        }
        if (typeof applyTranslations === 'function') applyTranslations();
        if (typeof updateLoginOptionsUIFromStorage === 'function') updateLoginOptionsUIFromStorage();
      } else {
        const overlay = document.getElementById('loadingOverlay');
        if (overlay) overlay.remove();
@@ -484,53 +541,162 @@ function checkAuthentication(showLoginToast = true) {
 }
 /* ----------------- Authentication Submission ----------------- */
-async function submitLogin(data) {
+async function primeCsrfStrict() {
-  setLastLoginData(data);
+  const r = await fetch('/api/auth/token.php', { credentials: 'include' });
-  window.__lastLoginData = data;
+  const j = await r.json().catch(() => ({}));
-
+  if (!r.ok || !j.csrf_token) throw new Error('CSRF missing');
-  try {
+  window.csrfToken = j.csrf_token;
-    // ─── 1) Get CSRF for the initial auth call ───
+  const m = document.querySelector('meta[name="csrf-token"]');
-    let res = await fetch("/api/auth/token.php", { credentials: "include" });
+  if (m) m.content = j.csrf_token;
    if (!res.ok) throw new Error("Could not fetch CSRF token");
    window.csrfToken = (await res.json()).csrf_token;
    // ─── 2) Send credentials ───
    const response = await sendRequest(
      "/api/auth/auth.php",
      "POST",
      data,
      { "X-CSRF-Token": window.csrfToken }
    );
    // ─── 3a) Full login (no TOTP) ───
    if (response.success || response.status === "ok") {
      sessionStorage.setItem("welcomeMessage", "Welcome back, " + data.username + "!");
      // … fetch permissions & reload …
      try {
        const perm = await sendRequest("/api/getUserPermissions.php", "GET");
        if (perm && typeof perm === "object") {
          localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false");
          localStorage.setItem("readOnly", perm.readOnly ? "true" : "false");
          localStorage.setItem("disableUpload", perm.disableUpload ? "true" : "false");
 }
 function toFormBody(obj) {
  const p = new URLSearchParams();
  for (const [k, v] of Object.entries(obj || {})) p.set(k, v == null ? '' : String(v));
  return p.toString();
 }
 async function safeJson(res) {
  const ct = res.headers.get('content-type') || '';
  if (!/application\/json/i.test(ct)) return null;
  try { return await res.clone().json(); } catch { return null; }
 }
 async function sniffTOTP(res, bodyMaybe) {
  if (res.headers.get('X-TOTP-Required') === '1') return true;
  if (res.redirected && /[?&]totp_required=1\b/.test(res.url)) return true;
  const body = bodyMaybe ?? await safeJson(res);
  if (body && (body.totp_required || body.error === 'TOTP_REQUIRED')) return true;
  try {
    const txt = await res.clone().text();
    if (/\btotp_required\s*=\s*1\b/i.test(txt)) return true;
  } catch { }
-      return window.location.reload();
+  return false;
 }
-    // ─── 3b) TOTP required ───
+async function isAuthedNow() {
-    if (response.totp_required) {
+  try {
-      // **Refresh** CSRF before the TOTP verify call
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
-      res = await fetch("/api/auth/token.php", { credentials: "include" });
+    const j = await r.json().catch(() => ({}));
-      if (res.ok) {
+    return !!j.authenticated;
-        window.csrfToken = (await res.json()).csrf_token;
+  } catch { return false; }
      }
      // now open the modal—any totp_verify fetch from here on will use the new token
      return openTOTPLoginModal();
 }
-    // ─── 3c) Too many attempts ───
+function rafTick(times = 2) {
-    if (response.error && response.error.includes("Too many failed login attempts")) {
+  return new Promise(res => {
-      showToast(response.error);
+    const step = () => { if (--times <= 0) res(); else requestAnimationFrame(step); };
    requestAnimationFrame(step);
  });
 }
 async function fetchAuthSnapshot() {
  try {
    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
    return await r.json();
  } catch { return {}; }
 }
 async function syncPermissionsToLocalStorage() {
  try {
    const r = await fetch('/api/getUserPermissions.php', { credentials: 'include' });
    const perm = await r.json();
    if (perm && typeof perm === 'object') {
      localStorage.setItem('folderOnly', perm.folderOnly ? 'true' : 'false');
      localStorage.setItem('readOnly', perm.readOnly ? 'true' : 'false');
      localStorage.setItem('disableUpload', perm.disableUpload ? 'true' : 'false');
    }
  } catch { /* non-fatal */ }
 }
 // ——— main ———
 let __loginInFlight = false;
 async function submitLogin(data) {
  if (__loginInFlight) return;
  __loginInFlight = true;
  const payload = {
    username: String(data.username || '').trim(),
    password: String(data.password || '').trim(),
    remember_me: data.remember_me ? 1 : 0
  };
  setLastLoginData(payload);
  window.__lastLoginData = payload;
  try {
    await primeCsrfStrict();
    // Attempt #1 — JSON
    let res = await fetchWithCsrf('/api/auth/auth.php', {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
      body: JSON.stringify(payload)
    });
    let body = await safeJson(res);
    // TOTP requested?
    if (await sniffTOTP(res, body)) {
      try { await primeCsrfStrict(); } catch { }
      window.pendingTOTP = true;
      try {
        const auth = await import('/js/auth.js?v={{APP_QVER}}');
        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
      } catch { }
      return;
    }
    // Full success (no TOTP)
    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
      await syncPermissionsToLocalStorage();
      return afterLogin();
    }
    // Cookie set but non-JSON body — double check session
    if (!body && await isAuthedNow()) {
      await syncPermissionsToLocalStorage();
      return afterLogin();
    }
    // Attempt #2 — form fallback
    res = await fetchWithCsrf('/api/auth/auth.php', {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
      body: toFormBody(payload)
    });
    body = await safeJson(res);
    if (await sniffTOTP(res, body)) {
      try { await primeCsrfStrict(); } catch { }
      window.pendingTOTP = true;
      try {
        const auth = await import('/js/auth.js?v={{APP_QVER}}');
        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
      } catch { }
      return;
    }
    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
      await syncPermissionsToLocalStorage();
      return afterLogin();
    }
    if (!body && await isAuthedNow()) {
      await syncPermissionsToLocalStorage();
      return afterLogin();
    }
    // Rate limit still respected
    if (body?.error && /Too many failed login attempts/i.test(body.error)) {
      showToast(body.error);
      const btn = document.querySelector("#authForm button[type='submit']");
      if (btn) {
        btn.disabled = true;
@@ -542,12 +708,12 @@ async function submitLogin(data) {
      return;
    }
-    // ─── 3d) Other failures ───
+    showToast('Login failed' + (body?.error ? `: ${body.error}` : ''));
    showToast("Login failed: " + (response.error || "Unknown error"));
-  } catch (err) {
+  } catch (e) {
-    const msg = err.message || err.error || "Unknown error";
+    showToast('Login failed: ' + (e.message || 'Unknown error'));
-    showToast(`Login failed: ${msg}`);
+  } finally {
    __loginInFlight = false;
  }
 }
@@ -763,4 +929,4 @@ document.addEventListener("DOMContentLoaded", function () {
  }
 });
-export { initAuth, checkAuthentication };
+export { initAuth, checkAuthentication, openTOTPLoginModal };
--- a/public/js/defer-css.js
+++ b/public/js/defer-css.js
@@ -0,0 +1,20 @@
 // Promote any preloaded styles to real stylesheets without inline handlers (CSP-safe)
 document.addEventListener('DOMContentLoaded', () => {
  // Promote any preloaded core CSS
  document.querySelectorAll('link[rel="preload"][as="style"][href]').forEach(link => {
    const href = link.getAttribute('href');
    if ([...document.querySelectorAll('link[rel="stylesheet"]')]
          .some(s => s.getAttribute('href') === href)) return;
    const sheet = document.createElement('link');
    sheet.rel = 'stylesheet';
    sheet.href = href;
    document.head.appendChild(sheet);
  });
  // Optionally load non-critical icon/extra font CSS after first paint:
  const extra = document.createElement('link');
  extra.rel = 'stylesheet';
  extra.href = '/css/vendor/material-icons.css?v={{APP_QVER}}';
  document.head.appendChild(extra);
 });
--- a/public/js/fileActions.js
+++ b/public/js/fileActions.js
@@ -31,6 +31,7 @@ document.addEventListener("DOMContentLoaded", function () {
  const confirmDelete = document.getElementById("confirmDeleteFiles");
  if (confirmDelete) {
    confirmDelete.setAttribute("data-default", "");
    confirmDelete.addEventListener("click", function () {
      fetch("/api/file/deleteFiles.php", {
        method: "POST",
@@ -316,6 +317,7 @@ document.addEventListener("DOMContentLoaded", () => {
  // 2) Confirm button kicks off the zip+download
  if (confirmZipBtn) {
    confirmZipBtn.setAttribute("data-default", "");
    confirmZipBtn.addEventListener("click", async () => {
      // a) Validate ZIP filename
      let zipName = document.getElementById("zipFileNameInput").value.trim();
@@ -478,6 +480,7 @@ document.addEventListener("DOMContentLoaded", function () {
  }
  const confirmCopy = document.getElementById("confirmCopyFiles");
  if (confirmCopy) {
    confirmCopy.setAttribute("data-default", "");
    confirmCopy.addEventListener("click", function () {
      const targetFolder = document.getElementById("copyTargetFolder").value;
      if (!targetFolder) {
@@ -529,6 +532,7 @@ document.addEventListener("DOMContentLoaded", function () {
  }
  const confirmMove = document.getElementById("confirmMoveFiles");
  if (confirmMove) {
    confirmMove.setAttribute("data-default", "");
    confirmMove.addEventListener("click", function () {
      const targetFolder = document.getElementById("moveTargetFolder").value;
      if (!targetFolder) {
@@ -598,6 +602,7 @@ document.addEventListener("DOMContentLoaded", () => {
  const submitBtn = document.getElementById("submitRenameFile");
  if (submitBtn) {
    submitBtn.setAttribute("data-default", "");
    submitBtn.addEventListener("click", function () {
      const newName = document.getElementById("newFileName").value.trim();
      if (!newName || newName === window.fileToRename) {
--- a/public/js/fileEditor.js
+++ b/public/js/fileEditor.js
@@ -7,9 +7,17 @@ import { t } from './i18n.js?v={{APP_QVER}}';
 const EDITOR_PLAIN_THRESHOLD = 5 * 1024 * 1024;  // >5 MiB => force plain text, lighter settings
 const EDITOR_BLOCK_THRESHOLD = 10 * 1024 * 1024; // >10 MiB => block editing
-// Lazy-load CodeMirror modes on demand
+// ==== CodeMirror lazy loader ===============================================
-//const CM_CDN = "https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.5/";
+const CM_BASE = "/vendor/codemirror/5.65.5/";
-const CM_LOCAL = "/vendor/codemirror/5.65.5/";
+
 // Stamp-friendly helpers (the stamper will replace {{APP_QVER}})
 const coreUrl = (p) => `${CM_BASE}${p}?v={{APP_QVER}}`;
 const CORE = {
  js:  coreUrl("codemirror.min.js"),
  css: coreUrl("codemirror.min.css"),
  themeCss: coreUrl("theme/material-darker.min.css"),
 };
 // Which mode file to load for a given name/mime
 const MODE_URL = {
@@ -40,6 +48,13 @@ const MODE_URL = {
  "text/x-kotlin":  "mode/clike/clike.min.js?v={{APP_QVER}}"
 };
 // Mode dependency graph
 const MODE_DEPS = {
  "htmlmixed": ["xml", "javascript", "css"],
  "application/x-httpd-php": ["htmlmixed", "text/x-csrc"], // php overlays + clike bits
  "markdown": ["xml"]
 };
 // Map any mime/alias to the key we use in MODE_URL
 function normalizeModeName(modeOption) {
  const name = typeof modeOption === "string" ? modeOption : (modeOption && modeOption.name);
@@ -49,61 +64,77 @@ function normalizeModeName(modeOption) {
  return name;
 }
-const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+const _loadedScripts = new Set();
 const _loadedCss = new Set();
 let _corePromise = null;
 function loadScriptOnce(url) {
  return new Promise((resolve, reject) => {
-    const ver = (window.APP_VERSION ?? 'dev').replace(/^v/, ''); // "v1.6.9" -> "1.6.9"
+    if (_loadedScripts.has(url)) return resolve();
-    const withQS = url; //+ '?v=' + ver;
+    const s = document.createElement("script");
-
+    s.src = url;
    const key = `cm:${withQS}`;
    let s = document.querySelector(`script[data-key="${key}"]`);
    if (s) {
      if (s.dataset.loaded === "1") return resolve();
      s.addEventListener("load", resolve);
      s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
      return;
    }
    s = document.createElement("script");
    s.src = withQS;
    s.async = true;
-    s.dataset.key = key;
+    s.onload = () => { _loadedScripts.add(url); resolve(); };
-    s.addEventListener("load", () => { s.dataset.loaded = "1"; resolve(); });
+    s.onerror = () => reject(new Error(`Load failed: ${url}`));
    s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
    document.head.appendChild(s);
  });
 }
 function loadCssOnce(href) {
  return new Promise((resolve, reject) => {
    if (_loadedCss.has(href)) return resolve();
    const l = document.createElement("link");
    l.rel = "stylesheet";
    l.href = href;
    l.onload = () => { _loadedCss.add(href); resolve(); };
    l.onerror = () => reject(new Error(`Load failed: ${href}`));
    document.head.appendChild(l);
  });
 }
 async function ensureCore() {
  if (_corePromise) return _corePromise;
  _corePromise = (async () => {
    // load CSS first to avoid FOUC
    await loadCssOnce(CORE.css);
    await loadCssOnce(CORE.themeCss);
    if (!window.CodeMirror) {
      await loadScriptOnce(CORE.js);
    }
  })();
  return _corePromise;
 }
 async function loadSingleMode(name) {
  const rel = MODE_URL[name];
  if (!rel) return;
  // prepend base if needed
  const url = rel.startsWith("http") ? rel : (rel.startsWith("/") ? rel : (CM_BASE + rel));
  await loadScriptOnce(url);
 }
 function isModeRegistered(name) {
  return !!(
    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name])
  );
 }
 async function ensureModeLoaded(modeOption) {
-  if (!window.CodeMirror) return;
+  await ensureCore();
  const name = normalizeModeName(modeOption);
  if (!name) return;
-
+  if (isModeRegistered(name)) return;
-  const isRegistered = () =>
+  const deps = MODE_DEPS[name] || [];
-    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
+  for (const d of deps) {
-    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name]);
+    if (!isModeRegistered(d)) await loadSingleMode(d);
  if (isRegistered()) return;
  const url = MODE_URL[name];
  if (!url) return; // unknown -> stay in text/plain
  // Dependencies
  if (name === "htmlmixed") {
    await Promise.all([
      ensureModeLoaded("xml"),
      ensureModeLoaded("css"),
      ensureModeLoaded("javascript")
    ]);
  }
-  if (name === "application/x-httpd-php") {
+  await loadSingleMode(name);
    await ensureModeLoaded("htmlmixed");
 }
-  await loadScriptOnce(CM_LOCAL + url);
+// Public helper for callers (we keep your existing function name in use):
-}
+const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
 // ==== /CodeMirror lazy loader ===============================================
 function getModeForFile(fileName) {
  const dot = fileName.lastIndexOf(".");
@@ -215,7 +246,7 @@ export function editFile(fileName, folder) {
        </div>
        <textarea id="fileEditor" class="editor-textarea">${escapeHTML(content)}</textarea>
        <div class="editor-footer">
-          <button id="saveBtn" class="btn btn-primary" disabled>${t("save")}</button>
+          <button id="saveBtn" class="btn btn-primary" data-default disabled>${t("save")} </button>
          <button id="closeBtn" class="btn btn-secondary">${t("close")}</button>
        </div>
      `;
@@ -246,20 +277,20 @@ export function editFile(fileName, folder) {
      const theme = isDarkMode ? "material-darker" : "default";
      const desiredMode = forcePlainText ? "text/plain" : getModeForFile(fileName);
-      // Helper to check whether a mode is currently registered
+      // Start core+mode loading (don’t block closing)
-      const modeName = typeof desiredMode === "string" ? desiredMode : (desiredMode && desiredMode.name);
+      const modePromise = (async () => {
-      const isModeRegistered = () =>
+        await ensureCore();                 // load CM core + CSS
-        (window.CodeMirror?.modes && window.CodeMirror.modes[modeName]) ||
+        if (!forcePlainText) {
-        (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[modeName]);
+          await ensureModeLoaded(desiredMode); // then load the needed mode + deps
-
+        }
-      // Start mode loading (don’t block closing)
+      })();
      const modePromise = ensureModeLoaded(desiredMode);
      // Wait up to MODE_LOAD_TIMEOUT_MS; then proceed with whatever is available
      const timeout = new Promise((res) => setTimeout(res, MODE_LOAD_TIMEOUT_MS));
      Promise.race([modePromise, timeout]).then(() => {
        if (canceled) return;
        if (!window.CodeMirror) {
          // Core not present: keep plain <textarea>; enable Save and bail gracefully
          document.getElementById("saveBtn").disabled = false;
@@ -267,7 +298,9 @@ export function editFile(fileName, folder) {
          return;
        }
-        const initialMode = (forcePlainText || !isModeRegistered()) ? "text/plain" : desiredMode;
+        const normName = normalizeModeName(desiredMode) || "text/plain";
        const initialMode = (forcePlainText || !isModeRegistered(normName)) ? "text/plain" : desiredMode;
        const cmOptions = {
          lineNumbers: !forcePlainText,
          mode: initialMode,
@@ -319,9 +352,12 @@ export function editFile(fileName, folder) {
        // If we started in plain text due to timeout, flip to the real mode once it arrives
        modePromise.then(() => {
-          if (!canceled && !forcePlainText && isModeRegistered()) {
+          if (!canceled && !forcePlainText) {
            const nn = normalizeModeName(desiredMode);
            if (nn && isModeRegistered(nn)) {
              editor.setOption("mode", desiredMode);
            }
          }
        }).catch(() => {
          // If the mode truly fails to load, we just stay in plain text
        });
--- a/public/js/fileListView.js
+++ b/public/js/fileListView.js
@@ -205,28 +205,83 @@ function wireSelectAll(fileListContent) {
  /**
   * Fuse.js fuzzy search helper
   */
  // --- Lazy Fuse loader (drop-in, CSP-safe, no inline) ---
 const FUSE_SRC = '/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}';
 let _fuseLoadingPromise = null;
 function loadScriptOnce(src) {
  // cache by src so we don't append multiple <script> tags
  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
  const p = new Promise((resolve, reject) => {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    s.onload = resolve;
    s.onerror = () => reject(new Error(`Failed to load ${src}`));
    document.head.appendChild(s);
  });
  loadScriptOnce._cache.set(src, p);
  return p;
 }
 function lazyLoadFuse() {
  if (window.Fuse) return Promise.resolve(window.Fuse);
  if (!_fuseLoadingPromise) {
    _fuseLoadingPromise = loadScriptOnce(FUSE_SRC).then(() => window.Fuse);
  }
  return _fuseLoadingPromise;
 }
 // (Optional) warm-up call you can trigger from main.js after first render:
 //   import { warmUpSearch } from './fileListView.js?v={{APP_QVER}}';
 //   warmUpSearch();
 // This just starts fetching Fuse in the background.
 export function warmUpSearch() {
  lazyLoadFuse().catch(() => {/* ignore; we’ll fall back */});
 }
 // Lazy + backward-compatible search
 function searchFiles(searchTerm) {
  if (!searchTerm) return fileData;
-    let keys = [
+  // kick off Fuse load in the background, but don't await
  lazyLoadFuse().catch(() => { /* ignore */ });
  // keys config (matches your original)
  const fuseKeys = [
    { name: 'name',      weight: 0.1 },
    { name: 'uploader',  weight: 0.1 },
    { name: 'tags.name', weight: 0.1 }
  ];
  if (window.advancedSearchEnabled) {
-      keys.push({ name: 'content', weight: 0.7 });
+    fuseKeys.push({ name: 'content', weight: 0.7 });
  }
  // If Fuse is present, use it right away (synchronous API)
  if (window.Fuse) {
    const options = {
-      keys: keys,
+      keys: fuseKeys,
      threshold: 0.4,
      minMatchCharLength: 2,
      ignoreLocation: true
    };
    const fuse = new window.Fuse(fileData, options);
    const results = fuse.search(searchTerm);
    return results.map(r => r.item);
  }
-    const fuse = new Fuse(fileData, options);
+  // Fallback (first keystrokes before Fuse finishes loading):
-    let results = fuse.search(searchTerm);
+  // simple case-insensitive substring match on the same fields
-    return results.map(result => result.item);
+  const q = String(searchTerm).toLowerCase();
  const hay = (v) => (v == null ? '' : String(v)).toLowerCase();
  return fileData.filter(item => {
    if (hay(item.name).includes(q)) return true;
    if (hay(item.uploader).includes(q)) return true;
    if (Array.isArray(item.tags) && item.tags.some(t => hay(t?.name).includes(q))) return true;
    if (window.advancedSearchEnabled && hay(item.content).includes(q)) return true;
    return false;
  });
 }
  /**
--- a/public/js/i18n.js
+++ b/public/js/i18n.js
@@ -247,7 +247,7 @@ const translations = {
    "login_options": "Login Options",
    "disable_login_form": "Disable Login Form",
    "disable_basic_http_auth": "Disable Basic HTTP Auth",
-    "disable_oidc_login": "Disable OIDC Login",
+    "disable_oidc_login": "Disable OIDC Login (OIDC Config Required to enable)",
    "save_settings": "Save Settings",
    "at_least_one_login_method": "At least one login method must remain enabled.",
    "settings_updated_successfully": "Settings updated successfully.",
--- a/public/js/main.js
+++ b/public/js/main.js
--- a/public/js/upload.js
+++ b/public/js/upload.js
@@ -36,6 +36,38 @@ function traverseFileTreePromise(item, path = "") {
  });
 }
 // --- Lazy loader for Resumable.js (no CSP inline, cached, safe) ---
 const RESUMABLE_SRC = '/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}';
 let _resumableLoadPromise = null;
 function loadScriptOnce(src) {
  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
  const p = new Promise((resolve, reject) => {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    s.onload = resolve;
    s.onerror = () => reject(new Error(`Failed to load ${src}`));
    document.head.appendChild(s);
  });
  loadScriptOnce._cache.set(src, p);
  return p;
 }
 function lazyLoadResumable() {
  if (window.Resumable) return Promise.resolve(window.Resumable);
  if (!_resumableLoadPromise) {
    _resumableLoadPromise = loadScriptOnce(RESUMABLE_SRC).then(() => window.Resumable);
  }
  return _resumableLoadPromise;
 }
 // Optional: let main.js prefetch it in the background
 export function warmUpResumable() {
  lazyLoadResumable().catch(() => {/* ignore warm-up failure */});
 }
 // Recursively retrieve files from DataTransfer items.
 function getFilesFromDataTransferItems(items) {
  const promises = [];
@@ -401,10 +433,24 @@ function processFiles(filesInput) {
   Resumable.js Integration for File Picker Uploads
   (Only files chosen via file input use Resumable; folder uploads use original code.)
 ----------------------------------------------------- */
-const useResumable = true; // Enable resumable for file picker uploads
+const useResumable = true;
-let resumableInstance;
+let resumableInstance = null;
-function initResumableUpload() {
+let _pendingPickedFiles = [];   // files picked before library/instance ready
-  resumableInstance = new Resumable({
+let _resumableReady = false;
 // Make init async-safe; it resolves when Resumable is constructed
 async function initResumableUpload() {
  if (resumableInstance) return;
  // Load the library if needed
  const ResumableCtor = await lazyLoadResumable().catch(err => {
    console.error('Failed to load Resumable.js:', err);
    return null;
  });
  if (!ResumableCtor) return;
  // Construct the instance once
  if (!resumableInstance) {
    resumableInstance = new ResumableCtor({
      target: "/api/upload/upload.php",
      chunkSize: 1.5 * 1024 * 1024,
      simultaneousUploads: 3,
@@ -417,20 +463,19 @@ function initResumableUpload() {
        upload_token: window.csrfToken
      })
    });
  }
  // keep query fresh when folder changes (call this from your folder nav code)
  function updateResumableQuery() {
    if (!resumableInstance) return;
    resumableInstance.opts.headers['X-CSRF-Token'] = window.csrfToken;
    // if you're not using a function for query, do:
    resumableInstance.opts.query.folder = window.currentFolder || 'root';
    resumableInstance.opts.query.upload_token = window.csrfToken;
  }
  const fileInput = document.getElementById("file");
  if (fileInput) {
-    // Assign Resumable to file input for file picker uploads.
+    
    resumableInstance.assignBrowse(fileInput);
    fileInput.addEventListener("change", function () {
      for (let i = 0; i < fileInput.files.length; i++) {
        resumableInstance.addFile(fileInput.files[i]);
@@ -587,13 +632,24 @@ function initResumableUpload() {
      showToast("Some files failed to upload. Please check the list.");
    }
  });
  _resumableReady = true;
  if (_pendingPickedFiles.length) {
    updateResumableQuery();
    for (const f of _pendingPickedFiles) resumableInstance.addFile(f);
    _pendingPickedFiles = [];
  }
 }
 /* -----------------------------------------------------
   XHR-based submitFiles for Drag–and–Drop (Folder) Uploads
 ----------------------------------------------------- */
 function submitFiles(allFiles) {
-  const folderToUse = window.currentFolder || "root";
+  const folderToUse = (() => {
    const f = window.currentFolder || "root";
    try { return decodeURIComponent(f); } catch { return f; }
  })();
  const progressContainer = document.getElementById("uploadProgressContainer");
  const fileInput = document.getElementById("file");
@@ -857,32 +913,48 @@ function initUpload() {
  }
  if (fileInput) {
-    fileInput.addEventListener("change", function () {
+    fileInput.addEventListener("change", async function () {
      const files = Array.from(fileInput.files || []);
      if (!files.length) return;
      if (useResumable) {
-        // For file picker, if resumable is enabled, let it handle the files.
+        // Ensure the lib/instance exists
-        for (let i = 0; i < fileInput.files.length; i++) {
+        if (!_resumableReady) await initResumableUpload();
-          resumableInstance.addFile(fileInput.files[i]);
+        if (resumableInstance) {
          for (const f of files) resumableInstance.addFile(f);
        } else {
          // If still not ready (load error), fall back to your XHR path
          processFiles(files);
        }
      } else {
-        processFiles(fileInput.files);
+        processFiles(files);
      }
    });
  }
  if (uploadForm) {
-    uploadForm.addEventListener("submit", function (e) {
+    uploadForm.addEventListener("submit", async function (e) {
      e.preventDefault();
      const files = window.selectedFiles || (fileInput ? fileInput.files : []);
-      if (!files || files.length === 0) {
+      if (!files || !files.length) {
        showToast("No files selected.");
        return;
      }
-      // If files come from file picker (no relative path), use Resumable.
+  
-      if (useResumable && (!files[0].customRelativePath || files[0].customRelativePath === "")) {
+      // Resumable path (only for picked files, not folder uploads)
-        // Ensure current folder is updated.
+      const first = files[0];
      const isFolderish = !!(first.customRelativePath || first.webkitRelativePath);
      if (useResumable && !isFolderish) {
        if (!_resumableReady) await initResumableUpload();
        if (resumableInstance) {
          // ensure folder/token fresh
          resumableInstance.opts.query.folder = window.currentFolder || "root";
          resumableInstance.upload();
          showToast("Resumable upload started...");
        } else {
          // fallback
          submitFiles(files);
        }
      } else {
        submitFiles(files);
      }
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -8,52 +8,57 @@ class AdminController
 { 
    public function getConfig(): void
    {
-    header('Content-Type: application/json');
+        header('Content-Type: application/json; charset=utf-8');
    // Load raw config (no disclosure yet)
        $config = AdminModel::getConfig();
        if (isset($config['error'])) {
            http_response_code(500);
-        echo json_encode(['error' => $config['error']]);
+            header('Cache-Control: no-store');
-        exit;
+            echo json_encode(['error' => $config['error']], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
            return;
        }
-    // Minimal, safe subset for all callers (unauth users and regular users)
+        // Whitelisted public subset only
        $public = [
-        'header_title'        => $config['header_title'] ?? 'FileRise',
+            'header_title'        => (string)($config['header_title'] ?? 'FileRise'),
            'loginOptions'        => [
            // expose only what the login page / header needs
                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
            ],
-        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
+            'globalOtpauthUrl'    => (string)($config['globalOtpauthUrl'] ?? ''),
            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
            'oidc' => [
                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
-            // never expose clientId / clientSecret
+                // never include clientId/clientSecret
            ],
        ];
        $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
        if ($isAdmin) {
-        // Add admin-only fields (used by Admin Panel UI)
+            // admin-only extras: presence flags + proxy options
            $adminExtra = [
                'loginOptions' => array_merge($public['loginOptions'], [
                    'authBypass'     => (bool)($config['loginOptions']['authBypass'] ?? false),
                    'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
                ]),
                'oidc' => array_merge($public['oidc'], [
                    'hasClientId'     => !empty($config['oidc']['clientId']),
                    'hasClientSecret' => !empty($config['oidc']['clientSecret']),
                ]),
            ];
-        echo json_encode(array_merge($public, $adminExtra));
+            header('Cache-Control: no-store'); // don’t cache admin config
            echo json_encode(array_merge($public, $adminExtra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
            return;
        }
        // Non-admins / unauthenticated: only the public subset
-    echo json_encode($public);
+        header('Cache-Control: no-store');
        echo json_encode($public, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
        return;
    }
    public function updateConfig(): void
--- a/src/controllers/AuthController.php
+++ b/src/controllers/AuthController.php
@@ -70,7 +70,10 @@ class AuthController
            if ($oidcAction === 'callback') {
                try {
                    $oidc->authenticate();
-                    $username = $oidc->requestUserInfo('preferred_username');
+                    $username =
    $oidc->requestUserInfo('preferred_username')
    ?: $oidc->requestUserInfo('email')
    ?: $oidc->requestUserInfo('sub');
                    // check if this user has a TOTP secret
                    $totp_secret = null;
--- a/src/controllers/UploadController.php
+++ b/src/controllers/UploadController.php
@@ -53,28 +53,39 @@ class UploadController {
        // ---- 3) Folder-level WRITE permission (ACL) ----
    // Always require client to send the folder; fall back to GET if needed.
-        $folderParam   = isset($_POST['folder']) ? (string)$_POST['folder'] : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
+    $folderParam = isset($_POST['folder'])
        ? (string)$_POST['folder']
        : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
    // Decode %xx (e.g., "test%20folder") then normalize
    $folderParam  = rawurldecode($folderParam);
    $targetFolder = ACL::normalizeFolder($folderParam);
    // Admins bypass folder canWrite checks
    $username  = (string)($_SESSION['username'] ?? '');
    $userPerms = loadUserPermissions($username) ?: [];
    $isAdmin   = ACL::isAdmin($userPerms);
    if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
        http_response_code(403);
        echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
        return;
    }
-        // ---- 4) Delegate to model (actual file/chunk processing) ----
+    // ---- 4) Delegate to model (force the sanitized folder) ----
-        // (Optionally re-check in UploadModel before finalizing.)
+    $_POST['folder'] = $targetFolder; // in case model reads superglobal
-        $result = UploadModel::handleUpload($_POST, $_FILES);
+    $post = $_POST;
    $post['folder'] = $targetFolder;
-        // ---- 5) Response ----
+    $result = UploadModel::handleUpload($post, $_FILES);
    // ---- 5) Response (unchanged) ----
    if (isset($result['error'])) {
        http_response_code(400);
        echo json_encode($result);
        return;
    }
    if (isset($result['status'])) {
            // e.g., {"status":"chunk uploaded"}
        echo json_encode($result);
        return;
    }
@@ -101,8 +112,9 @@ class UploadController {
        return;
    }
-        $folder = (string)$_POST['folder'];
+    $folderRaw = (string)$_POST['folder'];
-        $result = UploadModel::removeChunks($folder);
+    $folder    = ACL::normalizeFolder(rawurldecode($folderRaw));
-        echo json_encode($result);
+
    echo json_encode(UploadModel::removeChunks($folder));
 }
 }
--- a/src/models/UploadModel.php
+++ b/src/models/UploadModel.php
@@ -6,54 +6,58 @@ require_once PROJECT_ROOT . '/config/config.php';
 class UploadModel {
    private static function sanitizeFolder(string $folder): string {
-                $folder = trim($folder);
+        // decode "%20", normalise slashes & trim via ACL helper
-                if ($folder === '' || strtolower($folder) === 'root') return '';
+        $f = ACL::normalizeFolder(rawurldecode($folder));
-                // no traversal
+
-                if (strpos($folder, '..') !== false) return '';
+        // model uses '' to represent root
-                // only safe chars + forward slashes
+        if ($f === 'root') return '';
-                if (!preg_match('/^[A-Za-z0-9_\-\/]+$/', $folder)) return '';
+
-                // normalize: strip leading slashes
+        // forbid dot segments / empty parts
-                return ltrim($folder, '/');
+        foreach (explode('/', $f) as $seg) {
            if ($seg === '' || $seg === '.' || $seg === '..') {
                return '';
            }
        }
        // allow spaces & unicode via your global regex
        // (REGEX_FOLDER_NAME validates a path "seg(/seg)*")
        if (!preg_match(REGEX_FOLDER_NAME, $f)) {
            return '';
        }
        return $f; // safe, normalised, with spaces allowed
    }
    /**
     * Handles file uploads – supports both chunked uploads and full (non-chunked) uploads.
     *
     * @param array $post The $_POST array.
     * @param array $files The $_FILES array.
     * @return array Returns an associative array with "success" on success or "error" on failure.
     */
    public static function handleUpload(array $post, array $files): array {
-        // If this is a GET request for testing chunk existence.
+        // --- GET resumable test (make folder handling consistent)
        if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($post['resumableTest'])) {
-            $chunkNumber = intval($post['resumableChunkNumber']);
+            $chunkNumber         = (int)($post['resumableChunkNumber'] ?? 0);
            $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $folder = isset($post['folder']) ? trim($post['folder']) : 'root';
+            $folderSan           = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
            $baseUploadDir = UPLOAD_DIR;
-            if ($folder !== 'root') {
+            if ($folderSan !== '') {
-                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR;
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
            }
            $tempDir  = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
            $chunkFile = $tempDir . $chunkNumber;
            return ["status" => file_exists($chunkFile) ? "found" : "not found"];
        }
-        // Handle chunked uploads.
+        // --- CHUNKED ---
        if (isset($post['resumableChunkNumber'])) {
-            $chunkNumber         = intval($post['resumableChunkNumber']);
+            $chunkNumber         = (int)$post['resumableChunkNumber'];
-            $totalChunks         = intval($post['resumableTotalChunks']);
+            $totalChunks         = (int)$post['resumableTotalChunks'];
            $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $resumableFilename   = urldecode(basename($post['resumableFilename']));
+            $resumableFilename   = urldecode(basename($post['resumableFilename'] ?? ''));
            // Validate file name.
            if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
                return ["error" => "Invalid file name: $resumableFilename"];
            }
-            $folderRaw = $post['folder'] ?? 'root';
+            $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
            $folderSan = self::sanitizeFolder((string)$folderRaw);
            if (empty($files['file']) || !isset($files['file']['name'])) {
                return ["error" => "No files received"];
@@ -84,79 +88,49 @@ class UploadModel {
                return ["error" => "Failed to move uploaded chunk $chunkNumber"];
            }
-            // Check if all chunks are present.
+            // all chunks present?
            $allChunksPresent = true;
            for ($i = 1; $i <= $totalChunks; $i++) {
                if (!file_exists($tempDir . $i)) {
                    $allChunksPresent = false;
                    break;
                }
            }
            if (!$allChunksPresent) {
                    return ["status" => "chunk uploaded"];
                }
            }
-            // Merge chunks.
+            // merge
            $targetPath = $baseUploadDir . $resumableFilename;
            if (!$out = fopen($targetPath, "wb")) {
                return ["error" => "Failed to open target file for writing"];
            }
            for ($i = 1; $i <= $totalChunks; $i++) {
                $chunkPath = $tempDir . $i;
-                if (!file_exists($chunkPath)) {
+                if (!file_exists($chunkPath)) { fclose($out); return ["error" => "Chunk $i missing during merge"]; }
-                    fclose($out);
+                if (!$in = fopen($chunkPath, "rb")) { fclose($out); return ["error" => "Failed to open chunk $i"]; }
-                    return ["error" => "Chunk $i missing during merge"];
+                while ($buff = fread($in, 4096)) { fwrite($out, $buff); }
                }
                if (!$in = fopen($chunkPath, "rb")) {
                    fclose($out);
                    return ["error" => "Failed to open chunk $i"];
                }
                while ($buff = fread($in, 4096)) {
                    fwrite($out, $buff);
                }
                fclose($in);
            }
            fclose($out);
-            // Update metadata.
+            // metadata
            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
            $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
            $metadataFile     = META_DIR . $metadataFileName;
            $uploadedDate     = date(DATE_TIME_FORMAT);
            $uploader         = $_SESSION['username'] ?? "Unknown";
-            $metadataCollection = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+            $collection       = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-            if (!is_array($metadataCollection)) {
+            if (!is_array($collection)) $collection = [];
-                $metadataCollection = [];
+            if (!isset($collection[$resumableFilename])) {
-            }
+                $collection[$resumableFilename] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
-            if (!isset($metadataCollection[$resumableFilename])) {
+                file_put_contents($metadataFile, json_encode($collection, JSON_PRETTY_PRINT));
                $metadataCollection[$resumableFilename] = [
                    "uploaded" => $uploadedDate,
                    "uploader" => $uploader
                ];
                file_put_contents($metadataFile, json_encode($metadataCollection, JSON_PRETTY_PRINT));
            }
-            // Cleanup temporary directory.
+            // cleanup temp
-            $rrmdir = function($dir) use (&$rrmdir) {
+            self::rrmdir($tempDir);
                if (!is_dir($dir)) return;
                $iterator = new RecursiveIteratorIterator(
                    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
                    RecursiveIteratorIterator::CHILD_FIRST
                );
                foreach ($iterator as $item) {
                    $item->isDir() ? rmdir($item->getRealPath()) : unlink($item->getRealPath());
                }
                rmdir($dir);
            };
            $rrmdir($tempDir);
            return ["success" => "File uploaded successfully"];
        } else {
                        // Handle full upload (non-chunked)
                        $folderRaw = $post['folder'] ?? 'root';
                        $folderSan = self::sanitizeFolder((string)$folderRaw);
        }
        // --- NON-CHUNKED ---
        $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
        $baseUploadDir = UPLOAD_DIR;
        if ($folderSan !== '') {
            $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
@@ -171,64 +145,65 @@ class UploadModel {
        $metadataChanged     = [];
        foreach ($files["file"]["name"] as $index => $fileName) {
                // Basic PHP upload error check per file
            if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
                return ["error" => "Error uploading file"];
            }
            $safeFileName = trim(urldecode(basename($fileName)));
            if (!preg_match($safeFileNamePattern, $safeFileName)) {
                return ["error" => "Invalid file name: " . $fileName];
            }
            $relativePath = '';
            if (isset($post['relativePath'])) {
-                    $relativePath = is_array($post['relativePath']) ? $post['relativePath'][$index] ?? '' : $post['relativePath'];
+                $relativePath = is_array($post['relativePath']) ? ($post['relativePath'][$index] ?? '') : $post['relativePath'];
            }
            $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
            if (!empty($relativePath)) {
                $subDir = dirname($relativePath);
                if ($subDir !== '.' && $subDir !== '') {
-                      // IMPORTANT: build the subfolder under the *current* base folder
+                    $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR
-                        $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR .
+                               . str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
                                     str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
                }
                $safeFileName = basename($relativePath);
            }
            if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
                return ["error" => "Failed to create subfolder: " . $uploadDir];
            }
            $targetPath = $uploadDir . $safeFileName;
-                if (move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
+            if (!move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
                return ["error" => "Error uploading file"];
            }
            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
            $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
            $metadataFile     = META_DIR . $metadataFileName;
            if (!isset($metadataCollection[$metadataKey])) {
                $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-                        if (!is_array($metadataCollection[$metadataKey])) {
+                if (!is_array($metadataCollection[$metadataKey])) $metadataCollection[$metadataKey] = [];
                            $metadataCollection[$metadataKey] = [];
                        }
                $metadataChanged[$metadataKey] = false;
            }
            if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
                $uploadedDate = date(DATE_TIME_FORMAT);
                $uploader     = $_SESSION['username'] ?? "Unknown";
-                        $metadataCollection[$metadataKey][$safeFileName] = [
+                $metadataCollection[$metadataKey][$safeFileName] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
                            "uploaded" => $uploadedDate,
                            "uploader" => $uploader
                        ];
                $metadataChanged[$metadataKey] = true;
            }
                } else {
                    return ["error" => "Error uploading file"];
                }
        }
        foreach ($metadataCollection as $folderKey => $data) {
-                if ($metadataChanged[$folderKey]) {
+            if (!empty($metadataChanged[$folderKey])) {
                $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
                $metadataFile     = META_DIR . $metadataFileName;
                file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
            }
        }
        return ["success" => "Files uploaded successfully"];
    }