chore(release): set APP_VERSION to v1.8.12 [skip ci]

.github/workflows/release-on-version.yml

@@ -9,39 +9,157 @@ on:
   workflow_run:
     workflows: ["Bump version and sync Changelog to Docker Repo"]
     types: [completed]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Ref (branch or SHA) to build from (default: origin/master)"
+        required: false
+      version:
+        description: "Explicit version tag to release (e.g., v1.8.6). If empty, auto-detect."
+        required: false
 
 permissions:
   contents: write
 
 jobs:
-  release:
+  delay:
     runs-on: ubuntu-latest
+    steps:
+      - name: Delay 10 minutes
+        run: sleep 600
+
+  release:
+    needs: delay
+    runs-on: ubuntu-latest
+
+    # Guard: Only run on trusted workflow_run events (pushes from this repo)
+    if: >
+      github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'workflow_run' &&
+       github.event.workflow_run.event == 'push' &&
+       github.event.workflow_run.head_repository.full_name == github.repository)
+
+    # Use run_id for a stable, unique key
     concurrency:
-      group: release-${{ github.ref }}-${{ github.sha }}
+      group: release-${{ github.run_id }}
       cancel-in-progress: false
 
     steps:
-      - name: Checkout
+      - name: Checkout (fetch all)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Ensure tags available
+      - name: Ensure tags + master available
+        shell: bash
         run: |
           git fetch --tags --force --prune --quiet
+          git fetch origin master --quiet
 
-      - name: Read version from version.js
+      - name: Resolve source ref + (maybe) version
+        id: pickref
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Defaults
+          REF=""
+          VER=""
+          SRC=""
+
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            # manual run
+            REF_IN="${{ github.event.inputs.ref }}"
+            VER_IN="${{ github.event.inputs.version }}"
+            if [[ -n "$REF_IN" ]]; then
+              # Try branch/sha; fetch branch if needed
+              git fetch origin "$REF_IN" --quiet || true
+              if REF_SHA="$(git rev-parse --verify --quiet "$REF_IN")"; then
+                REF="$REF_SHA"
+              else
+                echo "Provided ref '$REF_IN' not found" >&2
+                exit 1
+              fi
+            else
+              REF="$(git rev-parse origin/master)"
+            fi
+            if [[ -n "$VER_IN" ]]; then
+              VER="$VER_IN"
+              SRC="manual-version"
+            fi
+          elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            REF="${{ github.event.workflow_run.head_sha }}"
+          else
+            REF="${{ github.sha }}"
+          fi
+
+          # If no explicit version, try to find the latest bot bump reachable from REF
+          if [[ -z "$VER" ]]; then
+            # Search recent history reachable from REF
+            BOT_SHA="$(git log "$REF" -n 200 --author='github-actions[bot]' --grep='set APP_VERSION to v' --pretty=%H | head -n1 || true)"
+            if [[ -n "$BOT_SHA" ]]; then
+              SUBJ="$(git log -n1 --pretty=%s "$BOT_SHA")"
+              BOT_VER="$(sed -n 's/.*set APP_VERSION to \(v[^ ]*\).*/\1/p' <<<"${SUBJ}")"
+              if [[ -n "$BOT_VER" ]]; then
+                VER="$BOT_VER"
+                REF="$BOT_SHA"   # build/tag from the bump commit
+                SRC="bot-commit"
+              fi
+            fi
+          fi
+
+          # Output
+          REF_SHA="$(git rev-parse "$REF")"
+          echo "ref=$REF_SHA"           >> "$GITHUB_OUTPUT"
+          echo "source=${SRC:-event-ref}" >> "$GITHUB_OUTPUT"
+          echo "preversion=${VER}"      >> "$GITHUB_OUTPUT"
+          echo "Using source=${SRC:-event-ref} ref=$REF_SHA"
+          if [[ -n "$VER" ]]; then echo "Pre-resolved version=$VER"; fi
+
+      - name: Checkout chosen ref
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.pickref.outputs.ref }}
+
+      - name: Assert ref is on master
+        shell: bash
+        run: |
+          set -euo pipefail
+          REF="${{ steps.pickref.outputs.ref }}"
+          git fetch origin master --quiet
+          if ! git merge-base --is-ancestor "$REF" origin/master; then
+            echo "Ref $REF is not on master; refusing to release."
+            exit 78
+          fi
+
+      - name: Debug version.js provenance
+        shell: bash
+        run: |
+          echo "version.js last-change commit: $(git log -n1 --pretty='%h %s' -- public/js/version.js || echo 'none')"
+          sed -n '1,20p' public/js/version.js || true
+
+      - name: Determine version
         id: ver
         shell: bash
         run: |
           set -euo pipefail
-          VER=$(grep -Eo "APP_VERSION\s*=\s*['\"]v[^'\"]+['\"]" public/js/version.js | sed -E "s/.*['\"](v[^'\"]+)['\"].*/\1/")
+          # Prefer pre-resolved version (manual input or bot commit)
+          if [[ -n "${{ steps.pickref.outputs.preversion }}" ]]; then
+            VER="${{ steps.pickref.outputs.preversion }}"
+            echo "version=$VER" >> "$GITHUB_OUTPUT"
+            echo "Parsed version (pre-resolved): $VER"
+            exit 0
+          fi
+          # Fallback to version.js
+          VER="$(grep -Eo "APP_VERSION\s*=\s*['\"]v[^'\"]+['\"]" public/js/version.js | sed -E "s/.*['\"](v[^'\"]+)['\"].*/\1/")"
           if [[ -z "$VER" ]]; then
             echo "Could not parse APP_VERSION from version.js" >&2
             exit 1
           fi
           echo "version=$VER" >> "$GITHUB_OUTPUT"
-          echo "Parsed version: $VER"
+          echo "Parsed version (file): $VER"
 
       - name: Skip if tag already exists
         id: tagcheck
@@ -55,7 +173,6 @@ jobs:
             echo "exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      # Ensure the stamper is executable and has LF endings (helps if edited on Windows)
       - name: Prep stamper script
         if: steps.tagcheck.outputs.exists == 'false'
         shell: bash
@@ -69,18 +186,13 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.12
-          ZIP="FileRise-${VER}.zip"
-
-          # Clean staging copy (exclude dotfiles you don’t want)
+          VER="${{ steps.ver.outputs.version }}"
           rm -rf staging
           rsync -a \
             --exclude '.git' --exclude '.github' \
             --exclude 'resources' \
             --exclude '.dockerignore' --exclude '.gitattributes' --exclude '.gitignore' \
             ./ staging/
-
-          # Stamp IN THE STAGING COPY (invoke via bash to avoid exec-bit issues)
           bash ./scripts/stamp-assets.sh "${VER}" "$(pwd)/staging"
 
       - name: Verify placeholders are gone (staging)
@@ -109,8 +221,7 @@ jobs:
         run: |
           set -euo pipefail
           VER="${{ steps.ver.outputs.version }}"
-          ZIP="FileRise-${VER}.zip"
-          (cd staging && zip -r "../$ZIP" . >/dev/null)
+          (cd staging && zip -r "../FileRise-${VER}.zip" . >/dev/null)
 
       - name: Compute SHA-256 checksum
         if: steps.tagcheck.outputs.exists == 'false'
@@ -170,7 +281,6 @@ jobs:
           COMPARE_URL="https://github.com/${REPO}/compare/${PREV}...${VER}"
           ZIP="FileRise-${VER}.zip"
           SHA="${{ steps.sum.outputs.sha }}"
-
           {
             echo
             if [[ -s CHANGELOG_SNIPPET.md ]]; then
@@ -186,8 +296,6 @@ jobs:
             echo "${SHA}  ${ZIP}"
             echo '```'
           } > RELEASE_BODY.md
-
-          echo "Release body:"
           sed -n '1,200p' RELEASE_BODY.md
 
       - name: Create GitHub Release
@@ -195,7 +303,7 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.ver.outputs.version }}
-          target_commitish: ${{ github.sha }}
+          target_commitish: ${{ steps.pickref.outputs.ref }}
           name: ${{ steps.ver.outputs.version }}
           body_path: RELEASE_BODY.md
           generate_release_notes: false

CHANGELOG.md

@@ -1,5 +1,264 @@
 # Changelog
 
+## Changes 11/8/2025 (v1.8.12)
+
+release(v1.8.12): auth UI & DnD polish — show OIDC, auto-SSO, right-aligned header icons
+
+- auth (public/js/main.js)
+  - Robust login options: tolerate key variants (disableFormLogin/disable_form_login, etc.).
+  - Correctly show/hide wrapper + individual methods (form/OIDC/basic).
+  - Auto-SSO when OIDC is the only enabled method; add opt-out with `?noauto=1`.
+  - Minor cleanup (SW register catch spacing).
+
+- drag & drop (public/js/dragAndDrop.js)
+  - Reworked zones model: Sidebar / Top (left/right) / Header (icon+modal).
+  - Persist user layout with `userZonesSnapshot.v2` and responsive stash for small screens.
+  - Live UI sync: toggle icon (`material-icons`) updates immediately after moves.
+  - Smarter small-screen behavior: lift sidebar cards ephemerally; restore only what belonged to sidebar.
+  - Cleaner header icon modal plumbing; remove legacy/dead code.
+
+- styles (public/css/styles.css)
+  - Header drop zone fills remaining space and right-aligns its icons.
+
+UX:
+
+- OIDC button reliably appears when form/basic are disabled.
+- If OIDC is the sole method, users are taken straight to the provider (unless `?noauto=1`).
+- Header icons sit with the other header actions (right-aligned), and the toggle icon reflects layout changes instantly.
+
+---
+
+## Changes 11/8/2025 (v1.8.11)
+
+release(v1.8.11): fix(oidc): always send PKCE (S256) and treat empty secret as public client
+
+- Force PKCE via setCodeChallengeMethod('S256') so Authelia’s public-client policy is satisfied.
+- Convert empty OIDC client secret to null to correctly signal a public client.
+- Optional commented hook to switch token endpoint auth to client_secret_post if desired.
+- OIDC_TOKEN_ENDPOINT_AUTH_METHOD added to config.php
+
+---
+
+## Changes 11/8/2025 (v1.8.10)
+
+release(v1.8.10): theme-aware media modal, stronger file drag-and-drop, unified progress color, and favicon overhaul
+
+UI/UX — Media modal
+
+- Add fixed top bar to avoid filename/controls overlapping native media chrome; keep hover-on-stage look.
+- Show a Material icon by file type next to the filename (image/video/pdf/code/arch/txt, with fallback).
+- Restore “X” behavior and make hover theme-aware (red pill + white ‘X’ in light, red pill + black ‘X’ in dark).
+
+Video/Image controls
+
+- Top-right action icons use theme-aware styles and align with the filename row.
+- Prev/Next paddles remain high-contrast and vertically centered within the stage.
+
+Progress badges (list & modal)
+
+- Standardize “in-progress” to darker orange (#ea580c) for better contrast in light/dark; update CSS and list badge rendering.
+
+Drag & drop
+
+- Support multi-select drags with a clean JSON payload + text fallback; nicer drag ghost.
+- More resilient drops: accept data-dest-folder, safer JSON parse, early guards, and better toasts.
+- POST move now sends Accept header, uses global CSRF, and refreshes the active view on success.
+
+Editor & ONLYOFFICE
+
+- Full-screen OO modal with preconnect, optional hidden warm-up to reduce first-open latency, and live theme sync.
+- CodeMirror path: fix theme/mode setters (use `cm`) and tighten dynamic mode loading.
+
+Assets & polish
+
+- Swap in full favicon stack (SVG + PNG 512/32/16 + ICO) and set theme-color; cache-busted via `{{APP_QVER}}`.
+- Refresh `logo.svg` (accessibility, cleaner handles/gradients).
+
+Also added: refreshed resource images and new logo sizes (logo-16, logo-32, logo-64, etc.) for crisper favicons and embeds.
+
+---
+
+## Changes 11/7/2025 (v1.8.9)
+
+release(v1.8.9): fix(oidc, admin): first-save Client ID/Secret (closes #64)
+
+- adminPanel.js:
+  - Masked inputs without a saved value now start with data-replace="1".
+  - handleSave() now sends oidc.clientId / oidc.clientSecret on first save (no longer requires clicking “Replace” first).
+
+---
+
+## Changes 11/7/2025 (v1.8.8)
+
+release(v1.8.8): background ZIP jobs w/ tokenized download + in‑modal progress bar; robust finalize; janitor cleanup — closes #60
+
+**Summary**
+This release moves ZIP creation off the request thread into a **background worker** and switches the client to a **queue > poll > tokenized GET** download flow. It fixes large multi‑GB ZIP failures caused by request timeouts or cross‑device renames, and provides a resilient in‑modal progress experience. It also adds a 6‑hour janitor for temporary tokens/logs.
+
+**Backend** changes:
+
+- Add **zip status** endpoint that returns progress and readiness, and **tokenized download** endpoint for one‑shot downloads.
+- Update `FileController::downloadZip()` to enqueue a job and return `{ token, statusUrl, downloadUrl }` instead of streaming a blob in the POST response.
+- Implement `spawnZipWorker()` to find a working PHP CLI, set `TMPDIR` on the same filesystem as the final ZIP, spawn with `nohup`, and persist PID/log metadata for diagnostics.
+- Serve finished ZIPs via `downloadZipFile()` with strict token/user checks and streaming headers; unlink the ZIP after successful read.
+
+New **Worker**:
+
+- New `src/cli/zip_worker.php` builds the archive in the background.
+- Writes progress fields (`pct`, `filesDone`, `filesTotal`, `bytesDone`, `bytesTotal`, `current`, `phase`, `startedAt`, `finalizeAt`) to the per‑token JSON.
+- During **finalizing**, publishes `selectedFiles`/`selectedBytes` and clears incremental counters to avoid the confusing “N/N files” display before `close()` returns.
+- Adds a **janitor**: purge `.tokens/*.json` and `.logs/WORKER-*.log` older than **6 hours** on each run.
+
+New **API/Status Payload**:
+
+- `zipStatus()` exposes `ready` (derived from `status=done` + existing `zipPath`), and includes `startedAt`/`finalizeAt` for UI timers.
+- Returns a prebuilt `downloadUrl` for a direct handoff once the ZIP is ready.
+
+**Frontend (UX)** changes:
+
+- Replace blob POST download with **enqueue → poll → tokenized GET** flow.
+- Native `<progress>` bar now renders **inside the modal** (no overflow/jitter).
+- Shows determinate **0–98%** during enumeration, then **locks at 100%** with **“Finalizing… mm:ss — N files, ~Size”** until the download starts.
+- Modal closes just before download; UI resets for the next operation.
+
+Added **CSS**:
+
+- Ensure the progress modal has a minimum height and hidden overflow; ellipsize the status line to prevent scrollbars.
+
+**Why this closes #60**?
+
+- ZIP creation no longer depends on the request lifetime (avoids proxy/Apache timeouts).
+- Temporary files and final ZIP are created on the **same filesystem** (prevents “rename temp file failed” during `ZipArchive::close()`).
+- Users get continuous, truthful feedback for large multi‑GB archives.
+
+Additional **Notes**
+
+- Download tokens are **one‑shot** and are deleted after the GET completes.
+- Temporary artifacts (`META_DIR/ziptmp/.tokens`, `.logs`, and old ZIPs) are cleaned up automatically (≥6h).
+
+---
+
+## Changes 11/5/2025 (v1.8.7)
+
+release(v1.8.7): fix(zip-download): stream clean ZIP response and purge stale temp archives
+
+- FileController::downloadZip
+  - Remove _jsonStart/_jsonEnd and JSON wrappers; send a pure binary ZIP
+  - Close session locks, disable gzip/output buffering, set Content-Length when known
+  - Stream in 1MiB chunks; proper HTTP codes/messages on errors
+  - Unlink the temp ZIP after successful send
+  - Preserves all auth/ACL/ownership checks
+
+- FileModel::createZipArchive
+  - Purge META_DIR/ziptmp/download-*.zip older than 6h before creating a new ZIP
+
+Result: fixes “failed to fetch / load failed” with fetch>blob flow and reduces leftover tmp ZIPs.
+
+---
+
+## Changes 11/4/2025 (v1.8.6)
+
+release(v1.8.6): fix large ZIP downloads + safer extract; close #60
+
+- Zip creation
+  - Write archives to META_DIR/ziptmp (on large/writable disk) instead of system tmp.
+  - Auto-create ziptmp (0775) and verify writability.
+  - Free-space sanity check (~files total +5% +20MB); clearer error on low space.
+  - Normalize/validate folder segments; include only regular files.
+  - set_time_limit(0); use CREATE|OVERWRITE; improved error handling.
+
+- Zip extraction
+  - New: stamp metadata for files in nested subfolders (per-folder metadata.json).
+  - Skip hidden “dot” paths (files/dirs with any segment starting with “.”) by default
+    via SKIP_DOTFILES_ON_EXTRACT=true; only extract allow-listed entries.
+  - Hardenings: zip-slip guard, reject symlinks (external_attributes), zip-bomb limits
+    (MAX_UNZIP_BYTES default 200GiB, MAX_UNZIP_FILES default 20k).
+  - Persist metadata for all touched folders; keep extractedFiles list for top-level names.
+
+Ops note: ensure /var/www/metadata/ziptmp exists & is writable (or mount META_DIR to a large volume).
+
+Closes #60.
+
+---
+
+## Changes 11/4/2025 (v1.8.5)
+
+release(v1.8.5): ci: reduce pre-run delay to 2-min and add missing `needs: delay`, final test
+
+- No change release just testing
+
+---
+
+## Changes 11/4/2025 (v1.8.4)
+
+release(v1.8.4): ci: add 3-min pre-run delay to avoid workflow_run races
+
+- No change release just testing
+
+---
+
+## Changes 11/4/2025 (v1.8.3)
+
+release(v1.8.3): feat(mobile+ci): harden Capacitor switcher & make release-on-version robust
+
+- switcher.js: allow running inside Capacitor; remove innerHTML usage; build nodes safely; normalize/strip creds from URLs; add withParam() for ?frapp=1; drop inline handlers; clamp rename length; minor UX polish.
+- CI: cancel superseded runs per ref; checkout triggering commit (workflow_run head_sha); improve APP_VERSION parsing; point tag to checked-out commit; add recent-tag debug.
+
+---
+
+## Changes 11/4/2025 (v1.8.2)
+
+release(v1.8.2): media progress tracking + watched badges; PWA scaffolding; mobile switcher (closes #37)
+
+- **Highlights**
+  - Video: auto-save playback progress and mark “Watched”, with resume-on-open and inline status chips on list/gallery.
+  - Mobile: introduced FileRise Mobile (Capacitor) companion repo + in-app server switcher and PWA bits.
+
+- **Details**
+  - API (new):
+    - POST /api/media/updateProgress.php — persist per-user progress (seconds/duration/completed).
+    - GET  /api/media/getProgress.php — fetch per-file progress.
+    - GET  /api/media/getViewedMap.php — folder map for badges.
+
+- **Frontend (media):**
+  - Video previews now resume from last position, periodically save progress, and mark completed on end, with toasts.
+  - Added status badges (“Watched” / %-complete) in table & gallery; CSS polish for badges.
+  - Badges render during list/gallery refresh; safer filename wrapping for badge injection.
+
+- **Mobile & PWA:**
+  - New in-app server switcher (Capacitor-aware) loaded only in app/standalone contexts.
+  - Service Worker + manifest added (root scope via /public/sw.js; worker body in /js/pwa/sw.js; manifest icons).
+  - main.js conditionally imports the mobile switcher and registers the SW on web origins only.
+
+- **Notes**
+  - Companion repo: **filerise-mobile** (Capacitor app shell) created for iOS/Android distribution.
+  - No breaking changes expected; endpoints are additive.
+
+Closes #37.
+
+---
+
+## Changes 11/3/2025 (V1.8.1)
+
+release(v1.8.1): fix(security,onlyoffice): sanitize DS origin; safe api.js/iframe probes; better UX placeholder
+
+- Add ONLYOFFICE URL sanitizers:
+  - getTrustedDocsOrigin(): enforce http/https, strip creds, normalize to origin
+  - buildOnlyOfficeApiUrl(): construct fixed /web-apps/.../api.js via URL()
+- Probe hardening (addresses CodeQL js/xss-through-dom):
+  - ooProbeScript/ooProbeFrame now use sanitized origins and fixed paths
+  - optional CSP nonce support for injected script
+  - optional iframe sandbox; robust cleanup/timeout handling
+- CSP helper now renders lines based on validated origin (fallback to raw for visibility)
+- Admin UI UX: placeholder switched to HTTPS example (`https://docs.example.com`)
+- Comments added to justify safety to static analyzers
+
+Files: public/js/adminPanel.js
+
+Refs: #37
+
+---
+
 ## Changes 11/3/2025 (v1.8.0)
 
 release(v1.8.0): feat(onlyoffice): first-class ONLYOFFICE integration (view/edit), admin UI, API, CSP helpers

README.md

@@ -29,8 +29,7 @@ New: Open and edit Office documents — **Word (DOCX)**, **Excel (XLSX)**, **Pow
 
 <https://github.com/user-attachments/assets/a2240300-6348-4de7-b72f-1b85b7da3a08>
 
-**Dark mode:**
-![Dark Header](https://raw.githubusercontent.com/error311/FileRise/refs/heads/master/resources/dark-header.png)
+![filerise-v1 8 10-latest](https://github.com/user-attachments/assets/f966d66b-b13b-473b-b266-3ab316740a84)
 
 ---
 
@@ -76,7 +75,7 @@ New: Open and edit Office documents — **Word (DOCX)**, **Excel (XLSX)**, **Pow
 
 - 📝 **Built-in Editor & Preview:** Inline preview for images, video, audio, and PDFs. CodeMirror-based editor for text/code with syntax highlighting and line numbers.
 
-- - 🧩 **Office Docs (ONLYOFFICE, optional):** View/edit DOCX, XLSX, PPTX (and ODT/ODS/ODP, PDF view) using your self-hosted ONLYOFFICE Document Server. Enforced by the same ACLs as the web UI & WebDAV.
+- 🧩 **Office Docs (ONLYOFFICE, optional):** View/edit DOCX, XLSX, PPTX (and ODT/ODS/ODP, PDF view) using your self-hosted ONLYOFFICE Document Server. Enforced by the same ACLs as the web UI & WebDAV.
 
 - 🏷️ **Tags & Search:** Add color-coded tags and search by name, tag, uploader, or content. Advanced fuzzy search indexes metadata and file contents.
 
@@ -369,12 +368,13 @@ FileRise can open & edit office docs using your **self-hosted ONLYOFFICE Documen
    **Apache**
 
    ```apache
-   Header always set Content-Security-Policy "default-src 'self'; frame-src 'self' https://docs.example.com; script-src 'self' https://docs.example.com https://docs.example.com/web-apps/apps/api/documents/api.js; connect-src 'self' https://docs.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'"
+   Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com"
    ```
 
    **Nginx**
 
-   ```add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://docs.example.com; script-src 'self' https://docs.example.com https://docs.example.com/web-apps/apps/api/documents/api.js; connect-src 'self' https://docs.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'" always;
+   ```nginx
+   add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com" always;
    ```
 
    **Notes**

config/config.php

@@ -33,6 +33,10 @@ define('ONLYOFFICE_DOCS_ORIGIN', 'http://192.168.1.61'); // your Document Server
 define('ONLYOFFICE_DEBUG', true);
 */
 
+if (!defined('OIDC_TOKEN_ENDPOINT_AUTH_METHOD')) {
+    define('OIDC_TOKEN_ENDPOINT_AUTH_METHOD', 'client_secret_basic'); // default
+}
+
 // Encryption helpers
 function encryptData($data, $encryptionKey)
 {

public/.htaccess

@@ -1,12 +1,13 @@
 # --------------------------------
 # FileRise portable .htaccess
 # --------------------------------
-Options -Indexes
+Options -Indexes -Multiviews
 DirectoryIndex index.html
 
+# ---------------- Security: dotfiles ----------------
 <IfModule mod_authz_core.c>
-  # Block dotfiles like .env, .git, etc., but allow ACME under .well-known
-  <FilesMatch "^\.(?!well-known(?:/|$))">
+  # Block direct access to dotfiles like .env, .gitignore, etc.
+  <FilesMatch "^\..*">
     Require all denied
   </FilesMatch>
 </IfModule>
@@ -15,15 +16,24 @@ DirectoryIndex index.html
 <IfModule mod_rewrite.c>
 RewriteEngine On
 
-# Never redirect local/dev hosts
-RewriteCond %{HTTP_HOST} ^(localhost|127\.0\.0\.1|fr\.local|192\.168\.[0-9]+\.[0-9]+)$ [NC]
-RewriteRule ^ - [L]
-
-# Let ACME http-01 pass BEFORE any redirect (needed for auto-renew)
+# 0) Let ACME http-01 pass BEFORE any other rule (needed for auto-renew)
 RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
 RewriteRule - - [L]
 
-# HTTPS redirect (enable ONE of these, comment the other)
+# 1) Block hidden files/dirs anywhere EXCEPT .well-known (path-aware)
+#    Prevents requests like /.env, /.git/config, /.ssh/id_rsa, etc.
+RewriteRule "(^|/)\.(?!well-known/)" - [F]
+
+# 2) Deny direct access to PHP outside /api/
+#    This stops scanners from hitting /index.php, /admin.php, /wso.php, etc.
+RewriteCond %{REQUEST_URI} !^/api/
+RewriteRule \.php$ - [F]
+
+# 3) Never redirect local/dev hosts
+RewriteCond %{HTTP_HOST} ^(localhost|127\.0\.0\.1|fr\.local|192\.168\.[0-9]+\.[0-9]+)$ [NC]
+RewriteRule ^ - [L]
+
+# 4) HTTPS redirect (enable ONE of these, comment the other)
 
 # A) Direct TLS on this server
 #RewriteCond %{HTTPS} !=on
@@ -35,7 +45,7 @@ RewriteRule - - [L]
 #RewriteCond %{HTTPS} !=on
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
-# Mark versioned assets (?v=...) with env flag for caching rules below
+# 5) Mark versioned assets (?v=...) with env flag for caching rules below
 RewriteCond %{QUERY_STRING} (^|&)v= [NC]
 RewriteRule ^ - [E=IS_VER:1]
 </IfModule>
@@ -98,7 +108,6 @@ RewriteRule ^ - [E=IS_VER:1]
 
 # ---------------- Compression ----------------
 <IfModule mod_brotli.c>
-  # Do NOT set BrotliCompressionQuality in .htaccess (vhost/server only)
   AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 <IfModule mod_deflate.c>

public/api/file/downloadZipFile.php

@@ -0,0 +1,24 @@
+<?php
+// public/api/file/downloadZipFile.php
+
+/**
+ * @OA\Get(
+ *   path="/api/file/downloadZipFile.php",
+ *   summary="Download a finished ZIP by token",
+ *   description="Streams the zip once; token is one-shot.",
+ *   operationId="downloadZipFile",
+ *   tags={"Files"},
+ *   security={{"cookieAuth": {}}},
+ *   @OA\Parameter(name="k", in="query", required=true, @OA\Schema(type="string"), description="Job token"),
+ *   @OA\Parameter(name="name", in="query", required=false, @OA\Schema(type="string"), description="Suggested filename"),
+ *   @OA\Response(response=200, description="ZIP stream"),
+ *   @OA\Response(response=401, description="Unauthorized"),
+ *   @OA\Response(response=404, description="Not found")
+ * )
+ */
+
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/FileController.php';
+
+$controller = new FileController();
+$controller->downloadZipFile();

public/api/file/zipStatus.php

@@ -0,0 +1,23 @@
+<?php
+// public/api/file/zipStatus.php
+
+/**
+ * @OA\Get(
+ *   path="/api/file/zipStatus.php",
+ *   summary="Check status of a background ZIP build",
+ *   description="Returns status for the authenticated user's token.",
+ *   operationId="zipStatus",
+ *   tags={"Files"},
+ *   security={{"cookieAuth": {}}},
+ *   @OA\Parameter(name="k", in="query", required=true, @OA\Schema(type="string"), description="Job token"),
+ *   @OA\Response(response=200, description="Status payload"),
+ *   @OA\Response(response=401, description="Unauthorized"),
+ *   @OA\Response(response=404, description="Not found")
+ * )
+ */
+
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/FileController.php';
+
+$controller = new FileController();
+$controller->zipStatus();

public/api/media/getProgress.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/getProgress.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->getProgress();

public/api/media/getViewedMap.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/getViewedMap.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->getViewedMap();

public/api/media/updateProgress.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/updateProgress.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->updateProgress();

public/css/styles.css

@@ -141,7 +141,15 @@ body {
   }#userDropdownToggle {
   border-radius: 4px !important;
     padding: 6px 10px !important;
-  }.header-buttons button:hover {
+  }
+  /* make the drop zone fill leftover space and right-align its own icons */
+#headerDropArea.header-drop-zone{
+  display: flex;
+    justify-content: flex-end;
+    min-width: 100px;
+
+}
+  .header-buttons button:hover {
   background-color: rgba(255, 255, 255, 0.2);
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.3);
     color: #fff;
@@ -1900,4 +1908,43 @@ body {
   background: #fafafa;
     border-color: #e2e2e2;
   }
-  
+  /* media modal polish */
+.media-modal { background: var(--panel-bg, #121212); }
+.media-header-bar .btn { padding: 6px 10px; }
+.gallery-nav-btn { color: #fff; opacity: 0.85; }
+.gallery-nav-btn:hover { opacity: 1; transform: scale(1.05); }
+
+/* badges */
+.status-badge {
+  display: inline-block;
+  margin-left: 6px;
+  padding: 2px 6px;
+  font-size: 11px;
+  line-height: 1.3;
+  border-radius: 999px;
+  border: 1px solid rgba(255,255,255,.15);
+  background: rgba(255,255,255,.08);
+  color: #fff;
+}
+.status-badge.watched {
+  border-color: rgba(34,197,94,.45);      /* green-ish */
+  background: rgba(34,197,94,.15);
+}
+.status-badge.progress {
+  border-color: rgba(234,88,12,.55);     /* amber-ish */
+  background: rgba(234,88,12,.18);
+}
+#downloadProgressModal .modal-body,
+#downloadProgressModal .rise-modal-body,
+#downloadProgressModal .modal-content {
+  min-height: 88px;
+  overflow: hidden;
+}
+
+#downloadProgressText {
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+#downloadProgressBarOuter { height: 10px; }

public/index.html

@@ -3,16 +3,24 @@
 
 <head>
   <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>FileRise</title>
+  <meta name="theme-color" content="#0b5ed7">
   <script>(function(){try{var s=localStorage.getItem('darkMode');var isDark=(s===null)?(window.matchMedia&&window.matchMedia('(prefers-color-scheme: dark)').matches):(s==='1'||s==='true');var root=document.documentElement;root.setAttribute('data-theme',isDark?'dark':'light');root.classList.toggle('dark-mode',isDark);var bg=isDark?'#121212':'#ffffff';root.style.backgroundColor=bg;root.style.colorScheme=isDark?'dark':'light';root.style.setProperty('--pre-bg',bg);var m=document.querySelector('meta[name="theme-color"]');if(m)m.setAttribute('content',bg);}catch(e){}})();</script>
   <style id="pretheme-css">
     html,body,#loadingOverlay{background:var(--pre-bg,#ffffff) !important;}
   </style>
-  <link rel="icon" type="image/png" href="/assets/logo.png"><link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
-  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
-  <meta name="csrf-token" content=""><meta name="share-url" content=""><meta name="theme-color" content="#0b5ed7"><meta name="color-scheme" content="light dark">
-
+  <!-- Favicons (ordered: SVG -> PNGs -> ICO) -->
+  <link rel="icon" href="/assets/logo.svg?v={{APP_QVER}}" type="image/svg+xml" sizes="any">
+  <link rel="icon" href="/assets/logo.png?v={{APP_QVER}}" type="image/png" sizes="512x512">
+  <link rel="icon" href="/assets/logo-32.png?v={{APP_QVER}}" type="image/png" sizes="32x32">
+  <link rel="icon" href="/assets/logo-16.png?v={{APP_QVER}}" type="image/png" sizes="16x16">
+  <link rel="shortcut icon" href="/assets/favicon.ico?v={{APP_QVER}}">
   
-<!-- Critical CSS -->
+  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
+  <meta name="csrf-token" content=""><meta name="share-url" content=""><meta name="color-scheme" content="light dark">
+  <link rel="manifest" href="/manifest.webmanifest?v={{APP_QVER}}">
+  <link rel="apple-touch-icon" href="/assets/icons/icon-192.png?v={{APP_QVER}}">
+  
+  <!-- Critical CSS -->
   <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
   <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
   <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
@@ -27,8 +35,8 @@
   
   <!-- App entry -->
   <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}"><script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
-  </head>
-
+  
+</head>
 <body>
   <div id="appRoot" style="visibility:hidden">
   <header class="header-container">
@@ -73,7 +81,7 @@
                 <!-- Trash items will be loaded here -->
               </div>
               <div style="text-align: right;">
-                <button id="restoreSelectedBtn" class="btn btn-primary" data-i18n-key="restore_selected"  style="display: none;">Restore
+                <button id="restoreSelectedBtn" class="btn btn-primary" data-i18n-key="restore_selected">Restore
                   Selected</button>
                 <button id="restoreAllBtn" class="btn btn-secondary" data-i18n-key="restore_all">Restore All</button>
                 <button id="deleteTrashSelectedBtn" class="btn btn-warning" data-i18n-key="delete_selected_trash">Delete
@@ -485,5 +493,4 @@
   </div>
 </div>
 </body>
-
 </html>

public/js/adminPanel.js

@@ -58,7 +58,7 @@ function wireHeaderTitleLive() {
 
 function renderMaskedInput({ id, label, hasValue, isSecret = false }) {
   const type = isSecret ? 'password' : 'text';
-  const disabled = hasValue ? 'disabled data-replace="0" placeholder="•••••• (saved)"' : '';
+  const disabled = hasValue ? 'disabled data-replace="0" placeholder="•••••• (saved)"' : 'data-replace="1"';
   const replaceBtn = hasValue
     ? `<button type="button" class="btn btn-sm btn-outline-secondary" data-replace-for="${id}">Replace</button>`
     : '';
@@ -586,7 +586,7 @@ export function openAdminPanel() {
 
   <div class="form-group">
     <label for="ooDocsOrigin">Document Server Origin:</label>
-    <input type="url" id="ooDocsOrigin" class="form-control" placeholder="e.g. http://192.168.1.61" />
+    <input type="url" id="ooDocsOrigin" class="form-control" placeholder="e.g. https://docs.example.com" />
     <small class="text-muted">Must be reachable by your browser (for API.js) and by FileRise (for callbacks). Avoid “localhost”.</small>
   </div>
 
@@ -625,34 +625,77 @@ export function openAdminPanel() {
                  return li;
                }
                function ooClear(el) { while (el.firstChild) el.removeChild(el.firstChild); }
+
+               // --- ONLYOFFICE URL sanitizers ---
+function getTrustedDocsOrigin(raw) {
+  try {
+    const u = new URL(String(raw || "").trim());
+    if (!/^https?:$/.test(u.protocol)) return null;     // only http/https
+    if (u.username || u.password) return null;          // no creds in URL
+    return u.origin;                                    // scheme://host[:port]
+  } catch {
+    return null;
+  }
+}
+
+function buildOnlyOfficeApiUrl(origin) {
+  // fixed path; caller already validated/normalized origin
+  const u = new URL('/web-apps/apps/api/documents/api.js', origin);
+  u.searchParams.set('probe', String(Date.now()));
+  return u.toString();
+}
        
-               // Probes that don’t explode your state
-               async function ooProbeScript(docsOrigin) {
-                 return new Promise(resolve => {
-                   const src = docsOrigin.replace(/\/$/, '') + '/web-apps/apps/api/documents/api.js?probe=' + Date.now();
-                   const s = document.createElement('script');
-                   s.id = 'ooProbeScript';
-                   s.async = true;
-                   s.src = src;
-                   s.onload = () => { resolve({ ok: true }); setTimeout(() => s.remove(), 0); };
-                   s.onerror = () => { resolve({ ok: false }); setTimeout(() => s.remove(), 0); };
-                   document.head.appendChild(s);
-                 });
-               }
-               async function ooProbeFrame(docsOrigin, timeoutMs = 4000) {
-                 return new Promise(resolve => {
-                   const f = document.createElement('iframe');
-                   f.id = 'ooProbeFrame';
-                   f.src = docsOrigin;
-                   f.style.display = 'none';
-                   let t = setTimeout(() => { cleanup(); resolve({ ok: false, timeout: true }); }, timeoutMs);
-                   function cleanup() { try { f.remove(); } catch { } clearTimeout(t); }
-                   f.onload = () => { cleanup(); resolve({ ok: true }); };
-                   f.onerror = () => { cleanup(); resolve({ ok: false }); };
-                   document.body.appendChild(f);
-                 });
-               }
-       
+              
+              // Probes that don’t explode your state
+async function ooProbeScript(docsOrigin) {
+  return new Promise(resolve => {
+    const base = getTrustedDocsOrigin(docsOrigin);
+    if (!base) { resolve({ ok: false }); return; }
+
+    const src = buildOnlyOfficeApiUrl(base);
+    const s = document.createElement('script');
+    s.id = 'ooProbeScript';
+    s.async = true;
+    s.src = src;
+
+    // If you set a CSP nonce in a <meta name="csp-nonce" content="...">, attach it:
+    const nonce = document.querySelector('meta[name="csp-nonce"]')?.content;
+    if (nonce) s.setAttribute('nonce', nonce);
+
+    const cleanup = () => { try { s.remove(); } catch {} };
+
+    s.onload  = () => { cleanup(); resolve({ ok: true  }); };
+    s.onerror = () => { cleanup(); resolve({ ok: false }); };
+
+    // codeql[js/xss-through-dom]: the origin is validated (http/https, no creds),
+    // and the path is fixed to ONLYOFFICE api.js via URL(), so this is safe.
+    document.head.appendChild(s);
+  });
+}
+async function ooProbeFrame(docsOrigin, timeoutMs = 4000) {
+  return new Promise(resolve => {
+    const base = getTrustedDocsOrigin(docsOrigin);
+    if (!base) { resolve({ ok: false }); return; }
+
+    const f = document.createElement('iframe');
+    f.id = 'ooProbeFrame';
+    f.src = base;                 // only the sanitized origin
+    f.style.display = 'none';
+
+    // Optional: keep it extra constrained while probing.
+    // If your DS needs broader privileges, you can drop sandbox.
+    // f.sandbox = 'allow-same-origin allow-scripts';
+
+    const cleanup = () => { try { f.remove(); } catch {} };
+    const t = setTimeout(() => { cleanup(); resolve({ ok: false, timeout: true }); }, timeoutMs);
+
+    f.onload  = () => { clearTimeout(t); cleanup(); resolve({ ok: true  }); };
+    f.onerror = () => { clearTimeout(t); cleanup(); resolve({ ok: false }); };
+
+    // codeql[js/xss-through-dom]: src is constrained to a validated http/https origin.
+    document.body.appendChild(f);
+  });
+}
                // Main test runner
                async function runOnlyOfficeTests() {
                  const spinner = document.getElementById('ooTestSpinner');
@@ -778,9 +821,10 @@ export function openAdminPanel() {
         const cspPreNgx = document.getElementById("ooCspSnippetNginx");
 
         function refreshCsp() {
-          const val = (ooDocsInput?.value || "").trim();
-          cspPre.textContent = buildCspApache(val);
-          cspPreNgx.textContent = buildCspNginx(val);
+          const raw = (ooDocsInput?.value || "").trim();
+          const base = getTrustedDocsOrigin(raw) || raw; // fall back to raw so users see their input
+          cspPre.textContent    = buildCspApache(base);
+          cspPreNgx.textContent = buildCspNginx(base);
         }
         ooDocsInput?.addEventListener("input", refreshCsp);
         refreshCsp();
@@ -1026,11 +1070,15 @@ function handleSave() {
   const idEl = document.getElementById("oidcClientId");
   const scEl = document.getElementById("oidcClientSecret");
 
-  if (idEl?.dataset.replace === '1' && idEl.value.trim() !== '') {
-    payload.oidc.clientId = idEl.value.trim();
+  const idVal = idEl?.value.trim() || '';
+  const secVal = scEl?.value.trim() || '';
+  const idFirstTime  = idEl && !idEl.hasAttribute('data-replace');   // no saved value yet
+  const secFirstTime = scEl && !scEl.hasAttribute('data-replace');   // no saved value yet
+  if ((idEl?.dataset.replace === '1' || idFirstTime) && idVal !== '') {
+    payload.oidc.clientId = idVal;
   }
-  if (scEl?.dataset.replace === '1' && scEl.value.trim() !== '') {
-    payload.oidc.clientSecret = scEl.value.trim();
+  if ((scEl?.dataset.replace === '1' || secFirstTime) && secVal !== '') {
+    payload.oidc.clientSecret = secVal;
   }
 
   const ooSecretEl = document.getElementById("ooJwtSecret");

public/js/fileActions.js

@@ -119,7 +119,7 @@ export async function handleCreateFile(e) {
       method: 'POST',
       credentials: 'include',
       headers: {
-        'Content-Type':'application/json',
+        'Content-Type': 'application/json',
         'X-CSRF-Token': window.csrfToken
       },
       // ⚠️ must send `name`, not `filename`
@@ -139,7 +139,7 @@ export async function handleCreateFile(e) {
 document.addEventListener('DOMContentLoaded', () => {
   const cancel = document.getElementById('cancelCreateFile');
   const confirm = document.getElementById('confirmCreateFile');
-  if (cancel)  cancel.addEventListener('click', () => document.getElementById('createFileModal').style.display = 'none');
+  if (cancel) cancel.addEventListener('click', () => document.getElementById('createFileModal').style.display = 'none');
   if (confirm) confirm.addEventListener('click', handleCreateFile);
 });
 
@@ -265,7 +265,7 @@ document.addEventListener("DOMContentLoaded", () => {
   const cancelZipBtn = document.getElementById("cancelDownloadZip");
   const confirmZipBtn = document.getElementById("confirmDownloadZip");
   const cancelCreate = document.getElementById('cancelCreateFile');
-  
+
   if (cancelCreate) {
     cancelCreate.addEventListener('click', () => {
       document.getElementById('createFileModal').style.display = 'none';
@@ -305,7 +305,7 @@ document.addEventListener("DOMContentLoaded", () => {
         showToast(err.message || t('error_creating_file'));
       }
     });
-    attachEnterKeyListener('createFileModal','confirmCreateFile');
+    attachEnterKeyListener('createFileModal', 'confirmCreateFile');
   }
 
   // 1) Cancel button hides the name modal
@@ -321,63 +321,187 @@ document.addEventListener("DOMContentLoaded", () => {
     confirmZipBtn.addEventListener("click", async () => {
       // a) Validate ZIP filename
       let zipName = document.getElementById("zipFileNameInput").value.trim();
-      if (!zipName) {
-        showToast("Please enter a name for the zip file.");
-        return;
-      }
-      if (!zipName.toLowerCase().endsWith(".zip")) {
-        zipName += ".zip";
-      }
+      if (!zipName) { showToast("Please enter a name for the zip file."); return; }
+      if (!zipName.toLowerCase().endsWith(".zip")) zipName += ".zip";
 
-      // b) Hide the name‐input modal, show the spinner modal
+      // b) Hide the name‐input modal, show the progress modal
       zipNameModal.style.display = "none";
       progressModal.style.display = "block";
 
-      // c) (Optional) update the “Preparing…” text if you gave it an ID
+      // c) Title text (optional)
       const titleEl = document.getElementById("downloadProgressTitle");
       if (titleEl) titleEl.textContent = `Preparing ${zipName}…`;
 
-      try {
-        // d) POST and await the ZIP blob
-        const res = await fetch("/api/file/downloadZip.php", {
-          method: "POST",
-          credentials: "include",
-          headers: {
-            "Content-Type": "application/json",
-            "X-CSRF-Token": window.csrfToken
-          },
-          body: JSON.stringify({
-            folder: window.currentFolder || "root",
-            files: window.filesToDownload
-          })
-        });
-        if (!res.ok) {
-          const txt = await res.text();
-          throw new Error(txt || `Status ${res.status}`);
-        }
-
-        const blob = await res.blob();
-        if (!blob || blob.size === 0) {
-          throw new Error("Received empty ZIP file.");
-        }
-
-        // e) Hand off to the browser’s download manager
-        const url = URL.createObjectURL(blob);
-        const a = document.createElement("a");
-        a.href = url;
-        a.download = zipName;
-        document.body.appendChild(a);
-        a.click();
-        URL.revokeObjectURL(url);
-        a.remove();
-
-      } catch (err) {
-        console.error("Error downloading ZIP:", err);
-        showToast("Error: " + err.message);
-      } finally {
-        // f) Always hide spinner modal
-        progressModal.style.display = "none";
+      // d) Queue the job
+      const res = await fetch("/api/file/downloadZip.php", {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken },
+        body: JSON.stringify({ folder: window.currentFolder || "root", files: window.filesToDownload })
+      });
+      const jsr = await res.json().catch(() => ({}));
+      if (!res.ok || !jsr.ok) {
+        const msg = (jsr && jsr.error) ? jsr.error : `Status ${res.status}`;
+        throw new Error(msg);
       }
+      const token = jsr.token;
+      const statusUrl = jsr.statusUrl;
+      const downloadUrl = jsr.downloadUrl + "&name=" + encodeURIComponent(zipName);
+
+      // Ensure a progress UI exists in the modal
+      function ensureZipProgressUI() {
+        const modalEl = document.getElementById("downloadProgressModal");
+        if (!modalEl) {
+          // really shouldn't happen, but fall back to body
+          console.warn("downloadProgressModal not found; falling back to document.body");
+        }
+        // Prefer a dedicated content node inside the modal
+        let host =
+          (modalEl && modalEl.querySelector("#downloadProgressContent")) ||
+          (modalEl && modalEl.querySelector(".modal-body")) ||
+          (modalEl && modalEl.querySelector(".rise-modal-body")) ||
+          (modalEl && modalEl.querySelector(".modal-content")) ||
+          (modalEl && modalEl.querySelector(".content")) ||
+          null;
+
+        // If no suitable container, create one inside the modal
+        if (!host) {
+          host = document.createElement("div");
+          host.id = "downloadProgressContent";
+          (modalEl || document.body).appendChild(host);
+        }
+
+        // Helper: ensure/move an element with given id into host
+        function ensureInHost(id, tag, init) {
+          let el = document.getElementById(id);
+          if (el && el.parentElement !== host) host.appendChild(el); // move if it exists elsewhere
+          if (!el) {
+            el = document.createElement(tag);
+            el.id = id;
+            if (typeof init === "function") init(el);
+            host.appendChild(el);
+          }
+          return el;
+        }
+
+        // Title
+        const title = ensureInHost("downloadProgressTitle", "div", (el) => {
+          el.style.marginBottom = "8px";
+          el.textContent = "Preparing…";
+        });
+
+        // Progress bar (native <progress>)
+        const bar = (function () {
+          let el = document.getElementById("downloadProgressBar");
+          if (el && el.parentElement !== host) host.appendChild(el); // move into modal
+          if (!el) {
+            el = document.createElement("progress");
+            el.id = "downloadProgressBar";
+            host.appendChild(el);
+          }
+          el.max = 100;
+          el.value = 0;
+          el.style.display = "";     // override any inline display:none
+          el.style.width = "100%";
+          el.style.height = "1.1em";
+          return el;
+        })();
+
+        // Text line
+        const text = ensureInHost("downloadProgressText", "div", (el) => {
+          el.style.marginTop = "8px";
+          el.style.fontSize = "0.9rem";
+          el.style.whiteSpace = "nowrap";
+          el.style.overflow = "hidden";
+          el.style.textOverflow = "ellipsis";
+        });
+
+        // Optional spinner hider
+        const hideSpinner = () => {
+          const sp = document.getElementById("downloadSpinner");
+          if (sp) sp.style.display = "none";
+        };
+
+        return { bar, text, title, hideSpinner };
+      }
+
+      function humanBytes(n) {
+        if (!Number.isFinite(n) || n < 0) return "";
+        const u = ["B", "KB", "MB", "GB", "TB"]; let i = 0, x = n;
+        while (x >= 1024 && i < u.length - 1) { x /= 1024; i++; }
+        return x.toFixed(x >= 10 || i === 0 ? 0 : 1) + " " + u[i];
+      }
+      function mmss(sec) {
+        sec = Math.max(0, sec | 0);
+        const m = (sec / 60) | 0, s = sec % 60;
+        return `${m}:${s.toString().padStart(2, '0')}`;
+      }
+
+      const ui = ensureZipProgressUI();
+      const t0 = Date.now();
+
+      // e) Poll until ready
+      while (true) {
+        await new Promise(r => setTimeout(r, 1200));
+        const s = await fetch(`${statusUrl}&_=${Date.now()}`, {
+          credentials: "include", cache: "no-store",
+        }).then(r => r.json());
+
+        if (s.error) throw new Error(s.error);
+        if (ui.title) ui.title.textContent = `Preparing ${zipName}…`;
+
+        // --- RENDER PROGRESS ---
+        if (typeof s.pct === "number" && ui.bar && ui.text) {
+          if ((s.phase !== 'finalizing') && (s.pct < 99)) {
+            ui.hideSpinner && ui.hideSpinner();
+            const filesDone = s.filesDone ?? 0;
+            const filesTotal = s.filesTotal ?? 0;
+            const bytesDone = s.bytesDone ?? 0;
+            const bytesTotal = s.bytesTotal ?? 0;
+
+            // Determinate 0–98% while enumerating
+            const pct = Math.max(0, Math.min(98, s.pct | 0));
+            if (!ui.bar.hasAttribute("value")) ui.bar.value = 0;
+            ui.bar.value = pct;
+            ui.text.textContent =
+              `${pct}% — ${filesDone}/${filesTotal} files, ${humanBytes(bytesDone)} / ${humanBytes(bytesTotal)}`;
+          } else {
+            // FINALIZING: keep progress at 100% and show timer + selected totals
+            if (!ui.bar.hasAttribute("value")) ui.bar.value = 100;
+            ui.bar.value = 100; // lock at 100 during finalizing
+            const since = s.finalizeAt ? Math.max(0, (Date.now() / 1000 | 0) - (s.finalizeAt | 0)) : 0;
+            const selF = s.selectedFiles ?? s.filesTotal ?? 0;
+            const selB = s.selectedBytes ?? s.bytesTotal ?? 0;
+            ui.text.textContent = `Finalizing… ${mmss(since)} — ${selF} file${selF === 1 ? '' : 's'}, ~${humanBytes(selB)}`;
+          }
+        } else if (ui.text) {
+          ui.text.textContent = "Still preparing…";
+        }
+        // --- /RENDER ---
+
+        if (s.ready) {
+          // Snap to 100 and close modal just before download
+          if (ui.bar) { ui.bar.max = 100; ui.bar.value = 100; }
+          progressModal.style.display = "none";
+          await new Promise(r => setTimeout(r, 0));
+          break;
+        }
+        if (Date.now() - t0 > 15 * 60 * 1000) throw new Error("Timed out preparing ZIP");
+      }
+
+      // f) Trigger download
+      const a = document.createElement("a");
+      a.href = downloadUrl;
+      a.download = zipName;
+      a.style.display = "none";
+      document.body.appendChild(a);
+      a.click();
+      a.remove();
+
+      // g) Reset for next time
+      if (ui.bar) ui.bar.value = 0;
+      if (ui.text) ui.text.textContent = "";
+      if (Array.isArray(window.filesToDownload)) window.filesToDownload = [];
     });
   }
 });
@@ -694,10 +818,10 @@ document.addEventListener("DOMContentLoaded", () => {
 });
 
 document.addEventListener('DOMContentLoaded', () => {
-  const btn      = document.getElementById('createBtn');
-  const menu     = document.getElementById('createMenu');
-  const fileOpt  = document.getElementById('createFileOption');
-  const folderOpt= document.getElementById('createFolderOption');
+  const btn = document.getElementById('createBtn');
+  const menu = document.getElementById('createMenu');
+  const fileOpt = document.getElementById('createFileOption');
+  const folderOpt = document.getElementById('createFolderOption');
 
   // Toggle dropdown on click
   btn.addEventListener('click', (e) => {

public/js/fileDragDrop.js

@@ -2,124 +2,163 @@
 import { showToast } from './domUtils.js?v={{APP_QVER}}';
 import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
 
-export function fileDragStartHandler(event) {
-  const row = event.currentTarget;
-  let fileNames = [];
-
-  const selectedCheckboxes = document.querySelectorAll("#fileList .file-checkbox:checked");
-  if (selectedCheckboxes.length > 1) {
-    selectedCheckboxes.forEach(chk => {
-      const parentRow = chk.closest("tr");
-      if (parentRow) {
-        const cell = parentRow.querySelector("td:nth-child(2)");
-        if (cell) {
-          let rawName = cell.textContent.trim();
-          const tagContainer = cell.querySelector(".tag-badges");
-          if (tagContainer) {
-            const tagText = tagContainer.innerText.trim();
-            if (rawName.endsWith(tagText)) {
-              rawName = rawName.slice(0, -tagText.length).trim();
-            }
-          }
-          fileNames.push(rawName);
-        }
-      }
-    });
-  } else {
-    const fileNameCell = row.querySelector("td:nth-child(2)");
-    if (fileNameCell) {
-      let rawName = fileNameCell.textContent.trim();
-      const tagContainer = fileNameCell.querySelector(".tag-badges");
-      if (tagContainer) {
-        const tagText = tagContainer.innerText.trim();
-        if (rawName.endsWith(tagText)) {
-          rawName = rawName.slice(0, -tagText.length).trim();
-        }
-      }
-      fileNames.push(rawName);
-    }
-  }
-
-  if (fileNames.length === 0) return;
-
-  const dragData = fileNames.length === 1 
-    ? { fileName: fileNames[0], sourceFolder: window.currentFolder || "root" }
-    : { files: fileNames, sourceFolder: window.currentFolder || "root" };
-
-  event.dataTransfer.setData("application/json", JSON.stringify(dragData));
-
-  let dragImage = document.createElement("div");
-  dragImage.style.display = "inline-flex";
-  dragImage.style.width = "auto";
-  dragImage.style.maxWidth = "fit-content";
-  dragImage.style.padding = "6px 10px";
-  dragImage.style.backgroundColor = "#333";
-  dragImage.style.color = "#fff";
-  dragImage.style.border = "1px solid #555";
-  dragImage.style.borderRadius = "4px";
-  dragImage.style.alignItems = "center";
-  dragImage.style.boxShadow = "2px 2px 6px rgba(0,0,0,0.3)";
-  const icon = document.createElement("span");
-  icon.className = "material-icons";
-  icon.textContent = "insert_drive_file";
-  icon.style.marginRight = "4px";
-  const label = document.createElement("span");
-  label.textContent = fileNames.length === 1 ? fileNames[0] : fileNames.length + " files";
-  dragImage.appendChild(icon);
-  dragImage.appendChild(label);
-  
-  document.body.appendChild(dragImage);
-  event.dataTransfer.setDragImage(dragImage, 5, 5);
-  setTimeout(() => {
-    document.body.removeChild(dragImage);
-  }, 0);
+/* ---------------- helpers ---------------- */
+function getRowEl(el) {
+  return el?.closest('tr[data-file-name], .gallery-card[data-file-name]') || null;
+}
+function getNameFromAny(el) {
+  const row = getRowEl(el);
+  if (!row) return null;
+  // 1) canonical
+  const n = row.getAttribute('data-file-name');
+  if (n) return n;
+  // 2) filename-only span
+  const span = row.querySelector('.filename-text');
+  if (span) return span.textContent.trim();
+  return null;
+}
+function getSelectedFileNames() {
+  const boxes = Array.from(document.querySelectorAll('#fileList .file-checkbox:checked'));
+  const names = boxes.map(cb => getNameFromAny(cb)).filter(Boolean);
+  // de-dup just in case
+  return Array.from(new Set(names));
+}
+function makeDragImage(labelText, iconName = 'insert_drive_file') {
+  const wrap = document.createElement('div');
+  Object.assign(wrap.style, {
+    display: 'inline-flex',
+    maxWidth: '420px',
+    padding: '6px 10px',
+    backgroundColor: '#333',
+    color: '#fff',
+    border: '1px solid #555',
+    borderRadius: '6px',
+    alignItems: 'center',
+    gap: '6px',
+    boxShadow: '2px 2px 6px rgba(0,0,0,0.3)',
+    fontSize: '12px',
+    pointerEvents: 'none'
+  });
+  const icon = document.createElement('span');
+  icon.className = 'material-icons';
+  icon.textContent = iconName;
+  const label = document.createElement('span');
+  // trim long single-name labels
+  const txt = String(labelText || '');
+  label.textContent = txt.length > 60 ? (txt.slice(0, 57) + '…') : txt;
+  wrap.appendChild(icon);
+  wrap.appendChild(label);
+  document.body.appendChild(wrap);
+  return wrap;
 }
 
+/* ---------------- drag start (rows/cards) ---------------- */
+export function fileDragStartHandler(event) {
+  const row = getRowEl(event.currentTarget);
+  if (!row) return;
+
+  // Use current selection if present; otherwise drag just this row’s file
+  let names = getSelectedFileNames();
+  if (names.length === 0) {
+    const single = getNameFromAny(row);
+    if (single) names = [single];
+  }
+  if (names.length === 0) return;
+
+  const sourceFolder = window.currentFolder || 'root';
+  const payload = { files: names, sourceFolder };
+
+  // primary payload
+  event.dataTransfer.setData('application/json', JSON.stringify(payload));
+  // fallback (lets some environments read something human)
+  event.dataTransfer.setData('text/plain', names.join('\n'));
+
+  // nicer drag image
+  const dragLabel = (names.length === 1) ? names[0] : `${names.length} files`;
+  const ghost = makeDragImage(dragLabel, names.length === 1 ? 'insert_drive_file' : 'folder');
+  event.dataTransfer.setDragImage(ghost, 6, 6);
+  // clean up the ghost as soon as the browser has captured it
+  setTimeout(() => { try { document.body.removeChild(ghost); } catch { } }, 0);
+}
+
+/* ---------------- folder targets ---------------- */
 export function folderDragOverHandler(event) {
   event.preventDefault();
-  event.currentTarget.classList.add("drop-hover");
+  event.currentTarget.classList.add('drop-hover');
 }
-
 export function folderDragLeaveHandler(event) {
-  event.currentTarget.classList.remove("drop-hover");
+  event.currentTarget.classList.remove('drop-hover');
 }
 
-export function folderDropHandler(event) {
+export async function folderDropHandler(event) {
   event.preventDefault();
-  event.currentTarget.classList.remove("drop-hover");
-  const dropFolder = event.currentTarget.getAttribute("data-folder");
-  let dragData;
+  event.currentTarget.classList.remove('drop-hover');
+
+  const dropFolder = event.currentTarget.getAttribute('data-folder')
+    || event.currentTarget.getAttribute('data-dest-folder')
+    || 'root';
+
+  // parse drag payload
+  let dragData = null;
   try {
-    dragData = JSON.parse(event.dataTransfer.getData("application/json"));
-  } catch (e) {
-    console.error("Invalid drag data");
+    const raw = event.dataTransfer.getData('application/json') || '{}';
+    dragData = JSON.parse(raw);
+  } catch {
+    // ignore
+  }
+  if (!dragData) {
+    showToast('Invalid drag data.');
     return;
   }
-  if (!dragData || !dragData.fileName) return;
-  fetch("/api/file/moveFiles.php", {
-    method: "POST",
-    credentials: "include",
-    headers: {
-      "Content-Type": "application/json",
-      "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]').getAttribute("content")
-    },
-    body: JSON.stringify({
-      source: dragData.sourceFolder,
-      files: [dragData.fileName],
-      destination: dropFolder
-    })
-  })
-    .then(response => response.json())
-    .then(data => {
-      if (data.success) {
-        showToast(`File "${dragData.fileName}" moved successfully to ${dropFolder}!`);
-        loadFileList(dragData.sourceFolder);
-      } else {
-        showToast("Error moving file: " + (data.error || "Unknown error"));
-      }
-    })
-    .catch(error => {
-      console.error("Error moving file via drop:", error);
-      showToast("Error moving file.");
+
+  // normalize names
+  let names = Array.isArray(dragData.files) ? dragData.files.slice()
+    : dragData.fileName ? [dragData.fileName]
+      : [];
+  names = names.filter(v => typeof v === 'string' && v.length > 0);
+
+  if (names.length === 0) {
+    showToast('No files to move.');
+    return;
+  }
+
+  const sourceFolder = dragData.sourceFolder || (window.currentFolder || 'root');
+  if (dropFolder === sourceFolder) {
+    showToast('Source and destination are the same.');
+    return;
+  }
+
+  // POST move
+  try {
+    const res = await fetch('/api/file/moveFiles.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'X-CSRF-Token': window.csrfToken
+      },
+      body: JSON.stringify({
+        source: sourceFolder,
+        files: names,
+        destination: dropFolder
+      })
     });
+    const data = await res.json().catch(() => ({}));
+
+    if (res.ok && data && data.success) {
+      const msg = (names.length === 1)
+        ? `Moved "${names[0]}" to ${dropFolder}.`
+        : `Moved ${names.length} files to ${dropFolder}.`;
+      showToast(msg);
+      // Refresh whatever view the user is currently looking at
+      loadFileList(window.currentFolder || sourceFolder);
+    } else {
+      const err = (data && (data.error || data.message)) || `HTTP ${res.status}`;
+      showToast('Error moving file(s): ' + err);
+    }
+  } catch (e) {
+    console.error('Error moving file(s):', e);
+    showToast('Error moving file(s).');
+  }
 }

public/js/fileEditor.js

@@ -70,7 +70,7 @@ function normalizeModeName(modeOption) {
 function getExt(name) { const i = name.lastIndexOf('.'); return i >= 0 ? name.slice(i + 1).toLowerCase() : ''; }
 
 // Cache OO capabilities (enabled flag + ext list) from /api/onlyoffice/status.php
-let __ooCaps = { enabled: false, exts: new Set(), fetched: false };
+let __ooCaps = { enabled: false, exts: new Set(), fetched: false, docsOrigin: null };
 
 async function fetchOnlyOfficeCapsOnce() {
   if (__ooCaps.fetched) return __ooCaps;
@@ -80,6 +80,7 @@ async function fetchOnlyOfficeCapsOnce() {
       const j = await r.json();
       __ooCaps.enabled = !!j.enabled;
       __ooCaps.exts = new Set(Array.isArray(j.exts) ? j.exts : []);
+      __ooCaps.docsOrigin = j.docsOrigin || null; // harmless if server doesn't send it
     }
   } catch { /* ignore; keep defaults */ }
   __ooCaps.fetched = true;
@@ -93,121 +94,23 @@ async function shouldUseOnlyOffice(fileName) {
 
 function isAbsoluteHttpUrl(u) { return /^https?:\/\//i.test(u || ''); }
 
-async function ensureOnlyOfficeApi(srcFromConfig, originFromConfig) {
-  let src =
-    srcFromConfig ||
-    (originFromConfig ? originFromConfig.replace(/\/$/, '') + '/web-apps/apps/api/documents/api.js'
-      : (window.ONLYOFFICE_API_SRC || '/onlyoffice/web-apps/apps/api/documents/api.js'));
-  if (window.DocsAPI && typeof window.DocsAPI.DocEditor === 'function') return;
-  await loadScriptOnce(src);
-}
-
-async function openOnlyOffice(fileName, folder) {
-  let editor; // make visible to the whole function
-
-  try {
-    const url = `/api/onlyoffice/config.php?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(fileName)}`;
-    const resp = await fetch(url, { credentials: 'include' });
-
-    const text = await resp.text();
-    let cfg;
-    try { cfg = JSON.parse(text); } catch {
-      throw new Error(`ONLYOFFICE config parse failed (HTTP ${resp.status}). First 120 chars: ${text.slice(0,120)}`);
-    }
-    if (!resp.ok) throw new Error(cfg.error || `ONLYOFFICE config HTTP ${resp.status}`);
-
-    // Must be absolute
-    const docUrl = cfg?.document?.url;
-    const cbUrl  = cfg?.editorConfig?.callbackUrl;
-    if (!/^https?:\/\//i.test(docUrl || '') || !/^https?:\/\//i.test(cbUrl || '')) {
-      throw new Error(`Config URLs must be absolute. document.url='${docUrl}', callbackUrl='${cbUrl}'`);
-    }
-
-    // Load DocsAPI if needed
-    await ensureOnlyOfficeApi(cfg.docs_api_js, cfg.documentServerOrigin);
-
-    // Modal
-    const modal = document.createElement('div');
-    modal.id = 'ooEditorModal';
-    modal.classList.add('modal', 'editor-modal');
-    modal.setAttribute('tabindex', '-1');
-    modal.innerHTML = `
-      <div class="editor-header">
-        <h3 class="editor-title">
-          ${t("editing")}: ${escapeHTML(fileName)}
-        </h3>
-        <button id="closeEditorX" class="editor-close-btn" aria-label="${t("close") || "Close"}">&times;</button>
-      </div>
-      <div class="editor-body" style="flex:1;min-height:200px">
-        <div id="oo-editor" style="width:100%;height:100%"></div>
-      </div>
-    `;
-    document.body.appendChild(modal);
-    modal.style.display = 'block';
-    modal.focus();
-
-    // We’ll fill this after wiring the toggle, so destroy() can unhook it
-    let removeThemeListener = () => {};
-
-    const destroy = () => {
-      try { editor?.destroyEditor?.(); } catch {}
-      try { removeThemeListener(); } catch {}
-      try { modal.remove(); } catch {}
-    };
-
-    modal.addEventListener('keydown', e => { if (e.key === 'Escape') destroy(); });
-    document.getElementById('closeEditorX')?.addEventListener('click', destroy);
-
-    // Let DS request closing
-    cfg.events = Object.assign({}, cfg.events, { onRequestClose: destroy });
-
-    // Initial theme
-    const isDark =
-    document.documentElement.classList.contains('dark-mode') ||
-    /^(1|true)$/i.test(localStorage.getItem('darkMode') || '');
-  
-  cfg.editorConfig = cfg.editorConfig || {};
-  cfg.editorConfig.customization = Object.assign(
-    {},
-    cfg.editorConfig.customization,
-    { uiTheme: isDark ? 'theme-dark' : 'theme-light' } // <- correct key/value
-  );
-
-    // Launch editor
-    editor = new window.DocsAPI.DocEditor('oo-editor', cfg);
-
-    // Live theme switching (ONLYOFFICE v7.2+ supports setTheme)
-    const darkToggle = document.getElementById('darkModeToggle');
-    const onDarkToggle = () => {
-      const nowDark = document.documentElement.classList.contains('dark-mode');
-      if (editor && typeof editor.setTheme === 'function') {
-        editor.setTheme(nowDark ? 'dark' : 'light');
-      }
-    };
-    if (darkToggle) {
-      darkToggle.addEventListener('click', onDarkToggle);
-      removeThemeListener = () => darkToggle.removeEventListener('click', onDarkToggle);
-    }
-  } catch (e) {
-    console.error('[ONLYOFFICE] failed to open:', e);
-    showToast((e && e.message) ? e.message : 'Unable to open ONLYOFFICE editor.');
-  }
-}
-// ---- /ONLYOFFICE integration ----------------------------------------------
-
-
+// ---- script/css single-load with timeout guards ----
 const _loadedScripts = new Set();
 const _loadedCss = new Set();
 let _corePromise = null;
 
-function loadScriptOnce(url) {
+function loadScriptOnce(url, timeoutMs = 12000) {
   return new Promise((resolve, reject) => {
     if (_loadedScripts.has(url)) return resolve();
     const s = document.createElement("script");
+    const timer = setTimeout(() => {
+      try { s.remove(); } catch { }
+      reject(new Error(`Timeout loading: ${url}`));
+    }, timeoutMs);
     s.src = url;
     s.async = true;
-    s.onload = () => { _loadedScripts.add(url); resolve(); };
-    s.onerror = () => reject(new Error(`Load failed: ${url}`));
+    s.onload = () => { clearTimeout(timer); _loadedScripts.add(url); resolve(); };
+    s.onerror = () => { clearTimeout(timer); reject(new Error(`Load failed: ${url}`)); };
     document.head.appendChild(s);
   });
 }
@@ -240,7 +143,6 @@ async function ensureCore() {
 async function loadSingleMode(name) {
   const rel = MODE_URL[name];
   if (!rel) return;
-  // prepend base if needed
   const url = rel.startsWith("http") ? rel : (rel.startsWith("/") ? rel : (CM_BASE + rel));
   await loadScriptOnce(url);
 }
@@ -265,9 +167,299 @@ async function ensureModeLoaded(modeOption) {
 }
 
 // Public helper for callers (we keep your existing function name in use):
-const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+const MODE_LOAD_TIMEOUT_MS = 300; // allow closing immediately; don't wait forever
 // ==== /CodeMirror lazy loader ===============================================
 
+// ---- OO preconnect / prewarm ----
+function injectOOPreconnect(origin) {
+  try {
+    if (!origin || !isAbsoluteHttpUrl(origin)) return;
+    const make = (rel) => { const l = document.createElement('link'); l.rel = rel; l.href = origin; return l; };
+    document.head.appendChild(make('dns-prefetch'));
+    document.head.appendChild(make('preconnect'));
+  } catch { }
+}
+
+async function ensureOnlyOfficeApi(srcFromConfig, originFromConfig) {
+  // Prefer explicit src; else derive from origin; else fall back to window/global or default prefix path
+  let src = srcFromConfig;
+  if (!src) {
+    if (originFromConfig && isAbsoluteHttpUrl(originFromConfig)) {
+      src = originFromConfig.replace(/\/$/, '') + '/web-apps/apps/api/documents/api.js';
+    } else {
+      src = window.ONLYOFFICE_API_SRC || '/onlyoffice/web-apps/apps/api/documents/api.js';
+    }
+  }
+  if (window.DocsAPI && typeof window.DocsAPI.DocEditor === 'function') return;
+  // Try once; if it times out and we derived from origin, fall back to the default prefix path
+  try {
+    console.time('oo:api.js');
+    await loadScriptOnce(src);
+  } catch (e) {
+    if (src !== '/onlyoffice/web-apps/apps/api/documents/api.js') {
+      await loadScriptOnce('/onlyoffice/web-apps/apps/api/documents/api.js');
+    } else {
+      throw e;
+    }
+  } finally {
+    console.timeEnd('oo:api.js');
+  }
+}
+
+// ===== ONLYOFFICE: full-screen modal + warm on every click =====
+const ALWAYS_WARM_OO = true;      // warm EVERY time
+const OO_WARM_MS     = 300;
+
+function ensureOoModalCss() {
+  const prev = document.getElementById('ooEditorModalCss');
+  if (prev) return;
+
+  const style = document.createElement('style');
+  style.id = 'ooEditorModalCss';
+  style.textContent = `
+    #ooEditorModal{
+      --oo-header-h: 40px;
+      --oo-header-pad-v: 12px;
+      --oo-header-pad-h: 18px;
+      --oo-logo-h: 26px; /* tweak logo size */
+    }
+
+    #ooEditorModal{
+      position:fixed!important; inset:0!important; margin:0!important; padding:0!important;
+      display:flex!important; flex-direction:column!important; z-index:2147483646!important;
+      background:var(--oo-modal-bg,#111)!important;
+    }
+
+    /* Header: logo (left) + title (fill) + absolute close (right) */
+    #ooEditorModal .editor-header{
+      position:relative; display:flex; align-items:center; gap:12px;
+      min-height:var(--oo-header-h);
+      padding:var(--oo-header-pad-v) var(--oo-header-pad-h);
+      padding-right: calc(var(--oo-header-pad-h) + 64px); /* room for 32px round close */
+      border-bottom:1px solid rgba(0,0,0,.15);
+      box-sizing:border-box;
+    }
+
+    #ooEditorModal .editor-logo{
+      height:var(--oo-logo-h); width:auto; flex:0 0 auto;
+      display:block; user-select:none; -webkit-user-drag:none;
+    }
+
+    #ooEditorModal .editor-title{
+      margin:0; font-size:18px; font-weight:700; line-height:1.2;
+      overflow:hidden; white-space:nowrap; text-overflow:ellipsis;
+      flex:1 1 auto;
+    }
+
+    /* Your scoped close button style */
+    #ooEditorModal .editor-close-btn{
+      position:absolute; top:5px; right:10px;
+      display:flex; justify-content:center; align-items:center;
+      font-size:20px; font-weight:bold; cursor:pointer; z-index:1000;
+      width:32px; height:32px; border-radius:50%; text-align:center; line-height:30px;
+      color:#ff4d4d; background-color:rgba(255,255,255,.9); border:2px solid transparent;
+      transition:all .3s ease-in-out;
+    }
+    #ooEditorModal .editor-close-btn:hover{
+      color:#fff; background-color:#ff4d4d;
+      box-shadow:0 0 6px rgba(255,77,77,.8); transform:scale(1.05);
+    }
+    .dark-mode #ooEditorModal .editor-close-btn{ background-color:rgba(0,0,0,.7); color:#ff6666; }
+    .dark-mode #ooEditorModal .editor-close-btn:hover{ background-color:#ff6666; color:#000; }
+
+    #ooEditorModal .editor-body{
+      position:relative!important; flex:1 1 auto!important; min-height:0!important; overflow:hidden!important;
+    }
+    #ooEditorModal #oo-editor{ width:100%!important; height:100%!important; }
+
+    #ooEditorModal .oo-warm-overlay{
+      position:absolute; inset:0; display:flex; align-items:center; justify-content:center;
+      background:rgba(0,0,0,.14); z-index:5; font-weight:600; font-size:14px;
+    }
+
+    html.oo-lock, body.oo-lock{ height:100%!important; overflow:hidden!important; }
+  `;
+  document.head.appendChild(style);
+}
+
+// Theme-aware background so there’s no white/gray edge
+function applyModalBg(modal){
+  const isDark = document.documentElement.classList.contains('dark-mode')
+    || /^(1|true)$/i.test(localStorage.getItem('darkMode') || '');
+  const cs = getComputedStyle(document.documentElement);
+  const bg = (cs.getPropertyValue('--bg-color') || cs.getPropertyValue('--pre-bg') || '').trim()
+           || (isDark ? '#121212' : '#ffffff');
+  modal.style.setProperty('--oo-modal-bg', bg);
+}
+
+function lockPageScroll(on){
+  [document.documentElement, document.body].forEach(el => el.classList.toggle('oo-lock', !!on));
+}
+
+function ensureOoFullscreenModal(){
+  ensureOoModalCss();
+  let modal = document.getElementById('ooEditorModal');
+  if (!modal){
+    modal = document.createElement('div');
+    modal.id = 'ooEditorModal';
+    modal.innerHTML = `
+      <div class="editor-header">
+        <img class="editor-logo" src="/assets/logo.svg" alt="FileRise logo" />
+        <h3 class="editor-title"></h3>
+        <button id="closeEditorX" class="editor-close-btn" aria-label="${t("close") || "Close"}">&times;</button>
+      </div>
+      <div class="editor-body">
+        <div id="oo-editor"></div>
+      </div>
+    `;
+    document.body.appendChild(modal);
+  } else {
+    modal.querySelector('.editor-body').innerHTML = `<div id="oo-editor"></div>`;
+    // ensure logo exists and is placed before title when reusing
+    const header = modal.querySelector('.editor-header');
+    if (!header.querySelector('.editor-logo')){
+      const img = document.createElement('img');
+      img.className = 'editor-logo';
+      img.src = '/assets/logo.svg';
+      img.alt = 'FileRise logo';
+      header.insertBefore(img, header.querySelector('.editor-title'));
+    } else {
+      // make sure order is logo -> title
+      const logo = header.querySelector('.editor-logo');
+      const title = header.querySelector('.editor-title');
+      if (logo.nextElementSibling !== title){
+        header.insertBefore(logo, title);
+      }
+    }
+  }
+  applyModalBg(modal);
+  modal.style.display = 'flex';
+  modal.focus();
+  lockPageScroll(true);
+  return modal;
+}
+
+// Overlay lives INSIDE the modal body
+function setOoBusy(modal, on, label='Preparing editor…'){
+  if (!modal) return;
+  const body = modal.querySelector('.editor-body');
+  let ov = body.querySelector('.oo-warm-overlay');
+  if (on){
+    if (!ov){
+      ov = document.createElement('div');
+      ov.className = 'oo-warm-overlay';
+      ov.textContent = label;
+      body.appendChild(ov);
+    }
+  } else if (ov){
+    ov.remove();
+  }
+}
+
+// Hidden warm-up DocEditor (creates DS session/cache) then destroys
+async function warmDocServerOnce(cfg){
+  let host = null, warmEditor = null;
+  try{
+    host = document.createElement('div');
+    host.id = 'oo-warm-' + Math.random().toString(36).slice(2);
+    Object.assign(host.style, {
+      position:'absolute', left:'-99999px', top:'0', width:'2px', height:'2px', overflow:'hidden'
+    });
+    document.body.appendChild(host);
+
+    const warmCfg = JSON.parse(JSON.stringify(cfg));
+    warmCfg.events = Object.assign({}, warmCfg.events, { onAppReady(){}, onDocumentReady(){} });
+
+    warmEditor = new window.DocsAPI.DocEditor(host.id, warmCfg);
+    await new Promise(res => setTimeout(res, OO_WARM_MS));
+  }catch{} finally{
+    try{ warmEditor?.destroyEditor?.(); }catch{}
+    try{ host?.remove(); }catch{}
+  }
+}
+
+// Full-screen OO open with hidden warm-up EVERY click, then real editor
+async function openOnlyOffice(fileName, folder){
+  let editor = null;
+  let removeThemeListener = () => {};
+  let cfg = null;
+  let userClosed = false;
+
+  // Build our full-screen modal
+  const modal = ensureOoFullscreenModal();
+  const titleEl = modal.querySelector('.editor-title');
+  if (titleEl) titleEl.innerHTML = `${t("editing")}: ${escapeHTML(fileName)}`;
+
+  const destroy = (removeModal = true) => {
+    try { editor?.destroyEditor?.(); } catch {}
+    try { removeThemeListener(); } catch {}
+    if (removeModal) { try { modal.remove(); } catch {} }
+    lockPageScroll(false);
+  };
+  const onClose = () => { userClosed = true; destroy(true); };
+
+  modal.querySelector('#closeEditorX')?.addEventListener('click', onClose);
+  modal.addEventListener('keydown', (e) => { if (e.key === 'Escape') onClose(); });
+
+  try{
+    // 1) Fetch config
+    const url = `/api/onlyoffice/config.php?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(fileName)}`;
+    const resp = await fetch(url, { credentials: 'include' });
+    const text = await resp.text();
+
+    try { cfg = JSON.parse(text); } catch {
+      throw new Error(`ONLYOFFICE config parse failed (HTTP ${resp.status}). First 120 chars: ${text.slice(0,120)}`);
+    }
+    if (!resp.ok) throw new Error(cfg?.error || `ONLYOFFICE config HTTP ${resp.status}`);
+
+    // 2) Preconnect + load DocsAPI
+    injectOOPreconnect(cfg.documentServerOrigin || null);
+    await ensureOnlyOfficeApi(cfg.docs_api_js, cfg.documentServerOrigin);
+
+    // 3) Theme + base events
+    const isDark = document.documentElement.classList.contains('dark-mode')
+      || /^(1|true)$/i.test(localStorage.getItem('darkMode') || '');
+    cfg.events = (cfg.events && typeof cfg.events === 'object') ? cfg.events : {};
+    cfg.editorConfig = cfg.editorConfig || {};
+    cfg.editorConfig.customization = Object.assign(
+      {}, cfg.editorConfig.customization, { uiTheme: isDark ? 'theme-dark' : 'theme-light' }
+    );
+    cfg.events.onRequestClose = () => onClose();
+
+    // 4) Warm EVERY click 
+    if (ALWAYS_WARM_OO && !userClosed){
+      setOoBusy(modal, true);          // overlay INSIDE modal body
+      await warmDocServerOnce(cfg);
+      if (userClosed) return;
+    }
+
+    // 5) Launch visible editor in full-screen modal
+    cfg.events.onDocumentReady = () => { setOoBusy(modal, false); };
+    editor = new window.DocsAPI.DocEditor('oo-editor', cfg);
+
+    // Live theme switching + keep modal bg in sync
+    const darkToggle = document.getElementById('darkModeToggle');
+    const onDarkToggle = () => {
+      const nowDark = document.documentElement.classList.contains('dark-mode');
+      if (editor && typeof editor.setTheme === 'function') {
+        editor.setTheme(nowDark ? 'dark' : 'light');
+      }
+      applyModalBg(modal);
+    };
+    if (darkToggle) {
+      darkToggle.addEventListener('click', onDarkToggle);
+      removeThemeListener = () => darkToggle.removeEventListener('click', onDarkToggle);
+    }
+  }catch(e){
+    console.error('[ONLYOFFICE] failed to open:', e);
+    showToast((e && e.message) ? e.message : 'Unable to open ONLYOFFICE editor.');
+    destroy(true);
+  }
+}
+// ---- /ONLYOFFICE integration ----------------------------------------------
+
+// ==== Editor (CodeMirror) path =============================================
+
 function getModeForFile(fileName) {
   const dot = fileName.lastIndexOf(".");
   const ext = dot >= 0 ? fileName.slice(dot + 1).toLowerCase() : "";
@@ -452,38 +644,36 @@ export async function editFile(fileName, folder) {
         const normName = normalizeModeName(desiredMode) || "text/plain";
         const initialMode = (forcePlainText || !isModeRegistered(normName)) ? "text/plain" : desiredMode;
 
-        const cmOptions = {
-          lineNumbers: !forcePlainText,
-          mode: initialMode,
-          theme,
-          viewportMargin: forcePlainText ? 20 : Infinity,
-          lineWrapping: false
-        };
-
-        const editor = window.CodeMirror.fromTextArea(
+        const cm = window.CodeMirror.fromTextArea(
           document.getElementById("fileEditor"),
-          cmOptions
+          {
+            lineNumbers: !forcePlainText,
+            mode: initialMode,
+            theme,
+            viewportMargin: forcePlainText ? 20 : Infinity,
+            lineWrapping: false
+          }
         );
-        window.currentEditor = editor;
+        window.currentEditor = cm;
 
         setTimeout(adjustEditorSize, 50);
         observeModalResize(modal);
 
         // Font controls (now that editor exists)
         let currentFontSize = 14;
-        const wrapper = editor.getWrapperElement();
+        const wrapper = cm.getWrapperElement();
         wrapper.style.fontSize = currentFontSize + "px";
-        editor.refresh();
+        cm.refresh();
 
         decBtn.addEventListener("click", function () {
           currentFontSize = Math.max(8, currentFontSize - 2);
           wrapper.style.fontSize = currentFontSize + "px";
-          editor.refresh();
+          cm.refresh();
         });
         incBtn.addEventListener("click", function () {
           currentFontSize = Math.min(32, currentFontSize + 2);
           wrapper.style.fontSize = currentFontSize + "px";
-          editor.refresh();
+          cm.refresh();
         });
 
         // Save
@@ -496,7 +686,7 @@ export async function editFile(fileName, folder) {
         // Theme switch
         function updateEditorTheme() {
           const isDark = document.body.classList.contains("dark-mode");
-          editor.setOption("theme", isDark ? "material-darker" : "default");
+          cm.setOption("theme", isDark ? "material-darker" : "default");
         }
         const toggle = document.getElementById("darkModeToggle");
         if (toggle) toggle.addEventListener("click", updateEditorTheme);
@@ -506,12 +696,10 @@ export async function editFile(fileName, folder) {
           if (!canceled && !forcePlainText) {
             const nn = normalizeModeName(desiredMode);
             if (nn && isModeRegistered(nn)) {
-              editor.setOption("mode", desiredMode);
+              cm.setOption("mode", desiredMode);
             }
           }
-        }).catch(() => {
-          // If the mode truly fails to load, we just stay in plain text
-        });
+        }).catch(() => { /* stay in plain text */ });
       });
     })
     .catch(error => {

public/js/fileListView.js

@@ -157,7 +157,121 @@ function wireSelectAll(fileListContent) {
     }
     return body ?? {};
   }
-  
+  // ---- Viewed badges (table + gallery) ----
+// ---------- Badge factory (center text vertically) ----------
+function makeBadge(state) {
+  if (!state) return null;
+  const el = document.createElement('span');
+  el.className = 'status-badge';
+  el.style.cssText = [
+    'display:inline-flex',
+    'align-items:center',
+    'justify-content:center',
+    'vertical-align:middle',
+    'margin-left:6px',
+    'padding:2px 8px',
+    'min-height:18px',
+    'line-height:1',
+    'border-radius:999px',
+    'font-size:.78em',
+    'border:1px solid rgba(0,0,0,.2)',
+    'background:rgba(0,0,0,.06)'
+  ].join(';');
+
+  if (state.completed) {
+    el.classList.add('watched');
+    el.textContent = (t('watched') || t('viewed') || 'Watched');
+    el.style.borderColor = 'rgba(34,197,94,.45)';
+    el.style.background  = 'rgba(34,197,94,.15)';
+    el.style.color       = '#22c55e';
+    return el;
+  }
+
+  if (Number.isFinite(state.seconds) && Number.isFinite(state.duration) && state.duration > 0) {
+    const pct = Math.max(1, Math.min(99, Math.round((state.seconds / state.duration) * 100)));
+    el.classList.add('progress');
+    el.textContent = `${pct}%`;
+    el.style.borderColor = 'rgba(234,88,12,.55)';
+    el.style.background  = 'rgba(234,88,12,.18)';
+    el.style.color       = '#ea580c';
+    return el;
+  }
+
+  return null;
+}
+
+// ---------- Public: set/clear badges for one file (table + gallery) ----------
+function applyBadgeToDom(name, state) {
+  const safe = CSS.escape(name);
+
+  // Table
+  document.querySelectorAll(`tr[data-file-name="${safe}"] .name-cell, tr[data-file-name="${safe}"] .file-name-cell`)
+    .forEach(cell => {
+      cell.querySelector('.status-badge')?.remove();
+      const b = makeBadge(state);
+      if (b) cell.appendChild(b);
+    });
+
+  // Gallery
+  document.querySelectorAll(`.gallery-card[data-file-name="${safe}"] .gallery-file-name`)
+    .forEach(title => {
+      title.querySelector('.status-badge')?.remove();
+      const b = makeBadge(state);
+      if (b) title.appendChild(b);
+    });
+}
+
+export function setFileWatchedBadge(name, watched = true) {
+  applyBadgeToDom(name, watched ? { completed: true } : null);
+}
+
+export function setFileProgressBadge(name, seconds, duration) {
+  if (duration > 0 && seconds >= 0) {
+    applyBadgeToDom(name, { seconds, duration, completed: seconds >= duration - 1 });
+  } else {
+    applyBadgeToDom(name, null);
+  }
+}
+
+export async function refreshViewedBadges(folder) {
+  let map = null;
+  try {
+    const res = await fetch(`/api/media/getViewedMap.php?folder=${encodeURIComponent(folder)}&t=${Date.now()}`, { credentials: 'include' });
+    const j = await res.json();
+    map = j?.map || null;
+  } catch { /* ignore */ }
+
+  // Clear any existing badges
+  document.querySelectorAll(
+    '#fileList tr[data-file-name] .file-name-cell .status-badge, ' +
+    '#fileList tr[data-file-name] .name-cell .status-badge, ' +
+    '.gallery-card[data-file-name] .gallery-file-name .status-badge'
+  ).forEach(n => n.remove());
+
+  if (!map) return;
+
+  // Table rows
+  document.querySelectorAll('#fileList tr[data-file-name]').forEach(tr => {
+    const name = tr.getAttribute('data-file-name');
+    const state = map[name];
+    if (!state) return;
+    const cell = tr.querySelector('.name-cell, .file-name-cell');
+    if (!cell) return;
+    const badge = makeBadge(state);
+    if (badge) cell.appendChild(badge);
+  });
+
+  // Gallery cards
+  document.querySelectorAll('.gallery-card[data-file-name]').forEach(card => {
+    const name = card.getAttribute('data-file-name');
+    const state = map[name];
+    if (!state) return;
+    const title = card.querySelector('.gallery-file-name');
+    if (!title) return;
+    const badge = makeBadge(state);
+    if (badge) title.appendChild(badge);
+  });
+}
   /**
    * Convert a file size string (e.g. "456.9KB", "1.2 MB", "1024") into bytes.
    */
@@ -548,6 +662,7 @@ function searchFiles(searchTerm) {
       }
       updateFileActionButtons();
       fileListContainer.style.visibility = "visible";
+
   
       // ----- FOLDERS NEXT (populate strip when ready; doesn't block rows) -----
       try {
@@ -712,9 +827,14 @@ function searchFiles(searchTerm) {
     if (totalFiles > 0) {
       filteredFiles.slice(startIndex, endIndex).forEach((file, idx) => {
         // Build row with a neutral base, then correct the links/preview below.
-        let rowHTML = buildFileTableRow(file, fakeBase);
         // Give the row an ID so we can patch attributes safely
-        rowHTML = rowHTML.replace("<tr", `<tr id="file-row-${encodeURIComponent(file.name)}-${startIndex + idx}"`);
+        const idSafe = encodeURIComponent(file.name) + "-" + (startIndex + idx);
+        let rowHTML = buildFileTableRow(file, fakeBase);
+        
+        // add row id + data-file-name, and ensure the name cell also has "name-cell"
+        rowHTML = rowHTML
+  .replace("<tr", `<tr id="file-row-${idSafe}" data-file-name="${escapeHTML(file.name)}"`)
+  .replace('class="file-name-cell"', 'class="file-name-cell name-cell"');
   
         let tagBadgesHTML = "";
         if (file.tags && file.tags.length > 0) {
@@ -724,9 +844,13 @@ function searchFiles(searchTerm) {
           });
           tagBadgesHTML += "</div>";
         }
-        rowsHTML += rowHTML.replace(/(<td class="file-name-cell">)(.*?)(<\/td>)/, (match, p1, p2, p3) => {
-          return p1 + p2 + tagBadgesHTML + p3;
-        });
+        rowsHTML += rowHTML.replace(
+          /(<td\s+class="[^"]*\bfile-name-cell\b[^"]*">)([\s\S]*?)(<\/td>)/,
+          (m, open, inner, close) => {
+            // keep the original filename content, then add your tag badges, then close
+            return `${open}<span class="filename-text">${inner}</span>${tagBadgesHTML}${close}`;
+          }
+        );
       });
     } else {
       rowsHTML += `<tr><td colspan="8">No files found.</td></tr>`;
@@ -904,6 +1028,7 @@ function searchFiles(searchTerm) {
       });
     });
     updateFileActionButtons();
+    
     document.querySelectorAll("#fileList tbody tr").forEach(row => {
       row.setAttribute("draggable", "true");
       import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
@@ -914,6 +1039,7 @@ function searchFiles(searchTerm) {
       btn.addEventListener("click", e => e.stopPropagation());
     });
     bindFileListContextMenu();
+    refreshViewedBadges(folder).catch(() => {});
   }
   
   // A helper to compute the max image height based on the current column count.
@@ -1040,6 +1166,7 @@ function searchFiles(searchTerm) {
       // card with checkbox, preview, info, buttons
       galleryHTML += `
         <div class="gallery-card"
+             data-file-name="${escapeHTML(file.name)}"
              style="position:relative; border:1px solid #ccc; padding:5px; text-align:center;">
           <input type="checkbox"
                  class="file-checkbox"
@@ -1236,7 +1363,7 @@ function searchFiles(searchTerm) {
       if (window.viewMode === "gallery") renderGalleryView(folder);
       else renderFileTable(folder);
     };
-  
+    refreshViewedBadges(folder).catch(() => {});
     updateFileActionButtons();
     createViewToggleButton();
   }

public/js/i18n.js

@@ -302,7 +302,17 @@ const translations = {
     "acl_move_folder_info": "Moving folders is restricted to folder owners or managers. Destination folders must also allow moves in.",
     "context_move_folder": "Move Folder...",
     "context_move_here": "Move Here",
-    "context_move_cancel": "Cancel Move"
+    "context_move_cancel": "Cancel Move",
+    "mark_as_viewed": "Mark as viewed",
+    "viewed": "Viewed",
+    "resumed_from": "Resumed from",
+    "clear_progress": "Clear progress",
+    "marked_viewed": "Marked as viewed",
+    "progress_cleared": "Progress cleared",
+    "previous": "Previous",
+    "next": "Next",
+    "watched": "Watched",
+    "reset_progress": "Reset Progress"
   },
   es: {
     "please_log_in_to_continue": "Por favor, inicie sesión para continuar.",

public/js/main.js

@@ -403,39 +403,57 @@ function bindDarkMode() {
   function applySiteConfig(cfg, { phase = 'final' } = {}) {
     try {
       const title = (cfg && cfg.header_title) ? String(cfg.header_title) : 'FileRise';
-  
+
       // Always keep <title> correct early (no visual flicker)
       document.title = title;
-  
+
       // --- Login options (apply in BOTH phases so login page is correct) ---
       const lo = (cfg && cfg.loginOptions) ? cfg.loginOptions : {};
-      const disableForm  = !!lo.disableFormLogin;
-      const disableOIDC  = !!lo.disableOIDCLogin;
-      const disableBasic = !!lo.disableBasicAuth;
-  
-      const row = $('#loginForm');
-      if (row) {
-        if (disableForm) {
-          row.setAttribute('hidden', '');
-          row.style.display = ''; // don't leave display:none lying around
+
+
+      // be tolerant to key variants just in case
+      const disableForm = !!(lo.disableFormLogin ?? lo.disable_form_login ?? lo.disableForm);
+      const disableOIDC = !!(lo.disableOIDCLogin ?? lo.disable_oidc_login ?? lo.disableOIDC);
+      const disableBasic = !!(lo.disableBasicAuth ?? lo.disable_basic_auth ?? lo.disableBasic);
+
+      const showForm = !disableForm;
+      const showOIDC = !disableOIDC;
+      const showBasic = !disableBasic;
+
+      const loginWrap = $('#loginForm');         // outer wrapper that contains buttons + form
+      const authForm = $('#authForm');          // inner username/password form
+      const oidcBtn = $('#oidcLoginBtn');      // OIDC button
+      const basicLink = document.querySelector('a[href="/api/auth/login_basic.php"]');
+
+      // 1) Show the wrapper if ANY method is enabled (form OR OIDC OR basic)
+      if (loginWrap) {
+        const anyMethod = showForm || showOIDC || showBasic;
+        if (anyMethod) {
+          loginWrap.removeAttribute('hidden');   // remove [hidden], which beats display:
+          loginWrap.style.display = '';          // let CSS decide
         } else {
-          row.removeAttribute('hidden');
-          row.style.display = '';
+          loginWrap.setAttribute('hidden', '');
+          loginWrap.style.display = '';
         }
       }
-      const oidc  = $('#oidcLoginBtn'); if (oidc)  oidc.style.display  = disableOIDC ? 'none' : '';
+
+      // 2) Toggle the pieces inside the wrapper
+      if (authForm) authForm.style.display = showForm ? '' : 'none';
+      if (oidcBtn) oidcBtn.style.display = showOIDC ? '' : 'none';
+      if (basicLink) basicLink.style.display = showBasic ? '' : 'none';
+      const oidc = $('#oidcLoginBtn'); if (oidc) oidc.style.display = disableOIDC ? 'none' : '';
       const basic = document.querySelector('a[href="/api/auth/login_basic.php"]');
       if (basic) basic.style.display = disableBasic ? 'none' : '';
-  
+
       // --- Header <h1> only in the FINAL phase (prevents visible flips) ---
       if (phase === 'final') {
         const h1 = document.querySelector('.header-title h1');
         if (h1) {
           // prevent i18n or legacy from overwriting it
           if (h1.hasAttribute('data-i18n-key')) h1.removeAttribute('data-i18n-key');
-  
+
           if (h1.textContent !== title) h1.textContent = title;
-  
+
           // lock it so late code can't stomp it
           if (!h1.__titleLock) {
             const mo = new MutationObserver(() => {
@@ -1037,6 +1055,21 @@ function bindDarkMode() {
     if (login) login.style.display = '';
     // …wire stuff…
     applySiteConfig(window.__FR_SITE_CFG__ || {}, { phase: 'final' });
+    // Auto-SSO if OIDC is the only enabled method (add ?noauto=1 to skip)
+    (() => {
+      const lo = (window.__FR_SITE_CFG__ && window.__FR_SITE_CFG__.loginOptions) || {};
+      const disableForm = !!(lo.disableFormLogin ?? lo.disable_form_login ?? lo.disableForm);
+      const disableBasic = !!(lo.disableBasicAuth ?? lo.disable_basic_auth ?? lo.disableBasic);
+      const disableOIDC = !!(lo.disableOIDCLogin ?? lo.disable_oidc_login ?? lo.disableOIDC);
+
+      const onlyOIDC = disableForm && disableBasic && !disableOIDC;
+      const qp = new URLSearchParams(location.search);
+
+      if (onlyOIDC && qp.get('noauto') !== '1') {
+        const btn = document.getElementById('oidcLoginBtn');
+        if (btn) setTimeout(() => btn.click(), 250);
+      }
+    })();
     await revealAppAndHideOverlay();
     const hb = document.querySelector('.header-buttons');
     if (hb) hb.style.visibility = 'hidden';
@@ -1057,4 +1090,52 @@ function bindDarkMode() {
 
     if (overlay) overlay.style.display = 'none';
   }, { once: true });
+})();
+
+
+// --- Mobile switcher + PWA SW (mobile-only) ---
+(() => {
+  // keep it simple + robust
+  const qs = new URLSearchParams(location.search);
+  const hasFrAppHint = qs.get('frapp') === '1';
+
+  const isStandalone =
+    (window.matchMedia && window.matchMedia('(display-mode: standalone)').matches) ||
+    (typeof navigator.standalone === 'boolean' && navigator.standalone);
+
+  const isCapUA = /\bCapacitor\b/i.test(navigator.userAgent);
+  const hasCapBridge = !!(window.Capacitor && window.Capacitor.Plugins);
+
+  // “mobile-ish”: native mobile UAs OR touch + reasonably narrow viewport (covers iPad-on-Mac UA)
+  const isMobileish =
+    /Android|iPhone|iPad|iPod|Mobile|Silk|IEMobile|Opera Mini/i.test(navigator.userAgent) ||
+    (navigator.maxTouchPoints > 1 && Math.min(screen.width, screen.height) <= 900);
+
+  // load the switcher only in the mobile app, or mobile standalone PWA, or when explicitly hinted
+  const shouldLoadSwitcher =
+    hasCapBridge || isCapUA || (isStandalone && isMobileish) || (hasFrAppHint && isMobileish);
+
+  // expose a flag to inspect later
+  window.FR_APP = !!(hasCapBridge || isCapUA || (isStandalone && isMobileish));
+
+  const QVER = (window.APP_QVER && String(window.APP_QVER)) || '{{APP_QVER}}';
+
+  if (shouldLoadSwitcher) {
+    import(`/js/mobile/switcher.js?v=${encodeURIComponent(QVER)}`)
+      .then(() => {
+        if (hasFrAppHint && !sessionStorage.getItem('frx_opened_once')) {
+          sessionStorage.setItem('frx_opened_once', '1');
+          window.dispatchEvent(new CustomEvent('frx:openSwitcher'));
+        }
+      })
+      .catch(err => console.info('[FileRise] switcher import failed:', err));
+  }
+
+  // SW only for web (https or localhost), never in Capacitor
+  const onHttps = location.protocol === 'https:' || location.hostname === 'localhost';
+  if ('serviceWorker' in navigator && onHttps && !hasCapBridge && !isCapUA) {
+    window.addEventListener('load', () => {
+      navigator.serviceWorker.register(`/js/pwa/sw.js?v=${encodeURIComponent(QVER)}`).catch(() => { });
+    });
+  }
 })();

public/js/mobile/switcher.js

@@ -0,0 +1,365 @@
+(function(){
+  const isCap = !!window.Capacitor || /Capacitor/i.test(navigator.userAgent);
+  if (!isCap) return;
+  // NOTE: allow running inside Capacitor (origin "capacitor://localhost")
+
+  const Plugins = (window.Capacitor && window.Capacitor.Plugins) || {};
+  const Pref = Plugins.Preferences ? {
+    get:   ({key}) => Plugins.Preferences.get({key}),
+    set:   ({key,value}) => Plugins.Preferences.set({key,value}),
+    remove:({key}) => Plugins.Preferences.remove({key})
+  } : {
+    get:    async ({key}) => ({ value: localStorage.getItem(key) || null }),
+    set:    async ({key,value}) => localStorage.setItem(key, value),
+    remove: async ({key}) => localStorage.removeItem(key)
+  };
+  const Http = (Plugins.Http || Plugins.CapacitorHttp) || null;
+
+  const K_INST='fr_instances_v1', K_ACTIVE='fr_active_v1', K_STATUS='fr_status_v1';
+
+  const $ = s => document.querySelector(s);
+
+  // Safe element builder: attributes only, children as nodes/strings (no innerHTML)
+  const el = (tag, attrs = {}, children = []) => {
+    const n = document.createElement(tag);
+    for (const k in attrs) n.setAttribute(k, attrs[k]);
+    (Array.isArray(children) ? children : [children]).forEach(c => {
+      if (c == null) return;
+      n.appendChild(typeof c === 'string' ? document.createTextNode(c) : c);
+    });
+    return n;
+  };
+
+  // Normalize to http(s), strip creds, collapse trailing slashes
+  const normalize = (u) => {
+    if (!u) return '';
+    let v = u.trim();
+    if (!/^https?:\/\//i.test(v)) v = 'https://' + v;
+    try {
+      const url = new URL(v);
+      if (!/^https?:$/.test(url.protocol)) return '';
+      url.username = '';
+      url.password = '';
+      url.pathname = url.pathname.replace(/\/+$/,'');
+      return url.toString();
+    } catch { return ''; }
+  };
+
+  // Append/overwrite a query param safely on a normalized URL
+  const withParam = (base, k, v) => {
+    try {
+      const u = new URL(normalize(base));
+      u.searchParams.set(k, v);
+      return u.toString();
+    } catch { return ''; }
+  };
+
+  const host = u => {
+    try { return new URL(normalize(u)).hostname; } catch { return ''; }
+  };
+  const originOf = u => {
+    try { return new URL(normalize(u)).origin; } catch { return ''; }
+  };
+  const faviconUrl = u => {
+    try { const x = new URL(normalize(u)); return x.origin + '/favicon.ico'; } catch { return ''; }
+  };
+  const initialsIcon = (hn='FR') => {
+    const t=(hn||'FR').replace(/^www\./,'').slice(0,2).toUpperCase();
+    const svg=`<svg xmlns='http://www.w3.org/2000/svg' width='64' height='64'>
+      <rect width='100%' height='100%' rx='12' ry='12' fill='#2196F3'/>
+      <text x='50%' y='54%' text-anchor='middle' font-family='system-ui,-apple-system,Segoe UI,Roboto,sans-serif'
+            font-size='28' font-weight='700' fill='#fff'>${t}</text></svg>`;
+    return 'data:image/svg+xml;utf8,'+encodeURIComponent(svg);
+  };
+
+  async function getStatusCache(){
+    const raw=(await Pref.get({key:K_STATUS})).value;
+    try { return raw ? JSON.parse(raw) : {}; } catch { return {}; }
+  }
+  async function writeStatus(origin, ok){
+    const cache=await getStatusCache();
+    cache[origin]={ ok, ts: Date.now() };
+    await Pref.set({key:K_STATUS, value:JSON.stringify(cache)});
+  }
+
+  async function verifyFileRise(u, timeout=5000){
+    if (!u || !Http) return {ok:false};
+    const base = normalize(u), org = originOf(base);
+    const tryJson = async (url, validate) => {
+      try{
+        const r = await Http.get({ url, connectTimeout:timeout, readTimeout:timeout, headers:{'Accept':'application/json','Cache-Control':'no-cache'} });
+        if (r && r.data) {
+          const j = (typeof r.data === 'string') ? JSON.parse(r.data) : r.data;
+          return !!validate(j);
+        }
+      }catch(_){}
+      return false;
+    };
+    if (await tryJson(org + '/siteConfig.json', j => j && (j.appTitle || j.headerTitle || j.auth || j.oidc || j.basicAuth))) return {ok:true, origin:org};
+    if (await tryJson(org + '/api/ping.php',    j => j && (j.ok===true || j.status==='ok' || j.pong || j.app==='FileRise'))) return {ok:true, origin:org};
+    if (await tryJson(org + '/api/version.php', j => j && (j.version || j.app==='FileRise'))) return {ok:true, origin:org};
+    try{
+      const r = await Http.get({ url: org+'/', connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+      if (typeof r.data === 'string' && /FileRise/i.test(r.data)) return {ok:true, origin:org};
+    }catch(_){}
+    return {ok:false, origin:org};
+  }
+
+  async function probeReachable(u, timeout=3000){
+    try{
+      const base = new URL(normalize(u)).origin, ico=base+'/favicon.ico';
+      if (Http){
+        try{ const r=await Http.get({ url: ico, connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+             if (r && typeof r.status==='number' && r.status<500) return true; }catch(e){}
+        try{ const r2=await Http.get({ url: base+'/', connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+             if (r2 && typeof r2.status==='number' && r2.status<500) return true; }catch(e){}
+        return false;
+      }
+      return await new Promise(res=>{
+        const img=new Image(), t=setTimeout(()=>done(false), timeout);
+        function done(ok){ clearTimeout(t); img.onload=img.onerror=null; res(ok); }
+        img.onload=()=>done(true); img.onerror=()=>done(false);
+        img.src = ico + (ico.includes('?')?'&':'?') + '__fr=' + Date.now();
+      });
+    }catch{ return false; }
+  }
+
+  async function loadInstances(){
+    const raw=(await Pref.get({key:K_INST})).value;
+    try { return raw ? JSON.parse(raw) : []; } catch { return []; }
+  }
+  async function saveInstances(list){
+    await Pref.set({key:K_INST, value:JSON.stringify(list)});
+  }
+  async function getActive(){ return (await Pref.get({key:K_ACTIVE})).value }
+  async function setActive(id){ await Pref.set({key:K_ACTIVE, value:id||''}) }
+
+  // ---- Styles (slide-up sheet + disabled buttons + safe-area) ----
+  if (!$('#frx-mobile-style')) {
+    const css = `
+      .frx-fab { position:fixed; right:16px; bottom:calc(env(safe-area-inset-bottom,0px) + 18px); width:52px; height:52px; border-radius:26px;
+        background: linear-gradient(180deg,#64B5F6,#2196F3 65%,#1976D2); color:#fff; display:grid; place-items:center;
+        box-shadow:0 10px 22px rgba(33,150,243,.38); z-index:2147483647; cursor:pointer; user-select:none; }
+      .frx-fab:active { transform: translateY(1px) scale(.98); }
+      .frx-fab svg { width:26px; height:26px; fill:white }
+      .frx-scrim{position:fixed;inset:0;background:rgba(0,0,0,.45);z-index:2147483645;opacity:0;visibility:hidden;transition:opacity .24s ease}
+      .frx-scrim.show{opacity:1;visibility:visible}
+      .frx-sheet{position:fixed;left:0;right:0;bottom:0;background:#0f172a;color:#e5e7eb;
+        border-top-left-radius:16px;border-top-right-radius:16px;box-shadow:0 -10px 30px rgba(0,0,0,.3);
+        z-index:2147483646;transform:translateY(100%);opacity:0;visibility:hidden;
+        transition:transform .28s cubic-bezier(.2,.8,.2,1), opacity .28s ease; will-change:transform}
+      .frx-sheet.show{transform:translateY(0);opacity:1;visibility:visible}
+      .frx-sheet .hdr{display:flex;align-items:center;justify-content:space-between;padding:14px 16px;border-bottom:1px solid rgba(255,255,255,.08)}
+      .frx-title{display:flex;align-items:center;gap:10px;font-weight:800}
+      .frx-title img{width:22px;height:22px}
+      .frx-list{max-height:60vh;overflow:auto;padding:8px 12px}
+      .frx-chip{border:1px solid rgba(255,255,255,.08);border-radius:12px;padding:12px;margin:8px 4px;background:rgba(255,255,255,.04)}
+      .frx-chip.active{outline:3px solid rgba(33,150,243,.35); border-color:#2196F3}
+      .frx-top{display:flex;gap:10px;align-items:center;justify-content:space-between;margin-bottom:10px}
+      .frx-left{display:flex;gap:10px;align-items:center}
+      .frx-ico{width:20px;height:20px;border-radius:6px;overflow:hidden;background:#fff;display:grid;place-items:center}
+      .frx-ico img{width:100%;height:100%;object-fit:cover;display:block}
+      .frx-name{font-weight:800}
+      .frx-host{font-size:12px;opacity:.8;margin-top:2px}
+      .frx-status{display:flex;align-items:center;gap:6px;font-size:12px;opacity:.9}
+      .frx-dot{width:10px;height:10px;border-radius:50%;}
+      .frx-dot.on{background:#10B981;box-shadow:0 0 0 3px rgba(16,185,129,.18)}
+      .frx-dot.off{background:#ef4444;box-shadow:0 0 0 3px rgba(239,68,68,.18)}
+      .frx-actions{display:flex;gap:8px;flex-wrap:wrap}
+      .frx-btn{appearance:none;border:0;border-radius:10px;padding:10px 12px;font-weight:700;cursor:pointer;transition:.15s ease opacity, .15s ease filter}
+      .frx-btn[disabled]{opacity:.5;cursor:not-allowed;filter:grayscale(20%)}
+      .frx-primary{background:linear-gradient(180deg,#64B5F6,#2196F3);color:#fff}
+      .frx-ghost{background:transparent;color:#cbd5e1;border:1px solid rgba(255,255,255,.12)}
+      .frx-danger{background:transparent;color:#f44336;border:1px solid rgba(244,67,54,.45)}
+      .frx-row{display:flex;gap:8px;align-items:center}
+      .frx-field{display:grid;gap:6px;margin:8px 4px}
+      .frx-input{width:100%;padding:12px;border-radius:10px;border:1px solid rgba(255,255,255,.12);background:transparent;color:inherit}
+      .frx-footer{display:flex;justify-content:flex-end;gap:8px;padding:10px 12px;border-top:1px solid rgba(255,255,255,.08)}
+      @media (pointer:coarse) { .frx-fab { width:58px; height:58px; border-radius:29px; } }
+    `;
+    document.head.appendChild(el('style',{id:'frx-mobile-style'}, css));
+  }
+
+  // ---- DOM skeleton (no innerHTML) ----
+  const scrim = el('div',{class:'frx-scrim', id:'frx-scrim'});
+  const sheet = el('div',{class:'frx-sheet', id:'frx-sheet'});
+  const hdr = el('div',{class:'hdr'});
+  const title = el('div',{class:'frx-title'});
+  const logo = el('img',{src:'/assets/logo.svg', alt:'FileRise'});
+  // inline handler via property, not attribute
+  logo.onerror = function(){ this.style.display='none'; };
+  title.append(logo, el('span',{},'FileRise Switcher'));
+  const hdrBtns = el('div',{class:'frx-row'},[
+    el('button',{class:'frx-btn frx-ghost', id:'frx-home'},'Home'),
+    el('button',{class:'frx-btn frx-ghost', id:'frx-close'},'Close')
+  ]);
+  hdr.append(title, hdrBtns);
+
+  const list = el('div',{class:'frx-list', id:'frx-list'});
+  const formWrap = el('div',{style:'padding:10px 12px'},[
+    el('div',{class:'frx-field'},[
+      el('input',{class:'frx-input', id:'frx-name', placeholder:'Display name (optional)'}),
+      el('input',{class:'frx-input', id:'frx-url',  placeholder:'https://files.example.com'})
+    ])
+  ]);
+  const footer = el('div',{class:'frx-footer'},[
+    el('button',{class:'frx-btn frx-ghost', id:'frx-add-cancel'},'Close'),
+    el('button',{class:'frx-btn frx-primary', id:'frx-add-save'},'+ Add server')
+  ]);
+  sheet.append(hdr, list, formWrap, footer);
+
+  const fab = el('div',{class:'frx-fab', id:'frx-fab', title:'Switch server'},[
+    el('svg',{viewBox:'0 0 24 24'},[ el('path',{d:'M7 7h10v2H7V7zm0 4h10v2H7v-2zm0 4h10v2H7v-2z'}) ])
+  ]);
+
+  document.body.appendChild(scrim);
+  document.body.appendChild(sheet);
+  document.body.appendChild(fab);
+
+  function show(){ scrim.classList.add('show'); sheet.classList.add('show'); fab.style.display='none'; }
+  function hide(){ scrim.classList.remove('show'); sheet.classList.remove('show'); fab.style.display='grid'; }
+  $('#frx-close').addEventListener('click', hide);
+  $('#frx-add-cancel').addEventListener('click', hide);
+  $('#frx-home').addEventListener('click', ()=>{ try{ location.href='capacitor://localhost/index.html'; }catch{} });
+  scrim.addEventListener('click', hide);
+  document.addEventListener('keydown', e=>{ if(e.key==='Escape') hide(); });
+
+  function chipNode(item, isActive){
+    const hv = host(item.url);
+    const node = el('div',{class:'frx-chip'+(isActive?' active':''), 'data-id':item.id});
+
+    const top  = el('div',{class:'frx-top'});
+    const left = el('div',{class:'frx-left'});
+
+    const ico  = el('div',{class:'frx-ico'});
+    const img  = new Image();
+    img.alt=''; img.src=item.favicon||faviconUrl(item.url)||initialsIcon(hv);
+    img.onerror=()=>{ img.onerror=null; img.src=initialsIcon(hv); };
+    ico.appendChild(img);
+
+    const txt  = el('div',{},[
+      el('div',{class:'frx-name'}, (item.name || hv)),
+      el('div',{class:'frx-host'}, hv)
+    ]);
+
+    left.appendChild(ico);
+    left.appendChild(txt);
+
+    const dot = el('span',{class:'frx-dot', id:`frx-dot-${item.id}`});
+    const lbl = el('span',{id:`frx-lbl-${item.id}`}, 'Checking…');
+    const status = el('div',{class:'frx-status'}, [dot, lbl]);
+
+    top.appendChild(left);
+    top.appendChild(status);
+
+    const actions = el('div',{class:'frx-actions'});
+    const bOpen = el('button',{class:'frx-btn frx-primary', 'data-act':'open', disabled:true}, 'Open');
+    const bRen  = el('button',{class:'frx-btn frx-ghost',   'data-act':'rename'}, 'Rename');
+    const bDel  = el('button',{class:'frx-btn frx-danger',  'data-act':'remove'}, 'Remove');
+    actions.appendChild(bOpen); actions.appendChild(bRen); actions.appendChild(bDel);
+
+    node.appendChild(top);
+    node.appendChild(actions);
+    return node;
+  }
+
+  async function renderList(){
+    const listEl=$('#frx-list'); listEl.textContent='';
+    const list=await loadInstances(); const active=await getActive();
+    const cache=await getStatusCache();
+
+    list.sort((a,b)=>(b.lastUsed||0)-(a.lastUsed||0)).forEach(item=>{
+      const chip = chipNode(item, item.id===active);
+      const o = originOf(item.url), cached = cache[o];
+      const dot = chip.querySelector(`#frx-dot-${item.id}`);
+      const lbl = chip.querySelector(`#frx-lbl-${item.id}`);
+      const openBtn = chip.querySelector('[data-act="open"]');
+
+      if (cached){
+        dot.classList.add(cached.ok ? 'on':'off');
+        lbl.textContent = cached.ok ? 'Online' : 'Offline';
+        openBtn.disabled = !cached.ok;
+      } else {
+        lbl.textContent = 'Unknown';
+        openBtn.disabled = true;
+      }
+
+      chip.addEventListener('click', async (e)=>{
+        const act = e.target?.dataset?.act;
+        if (!act) return;
+
+        if (act==='open'){
+          if (openBtn.disabled) return;
+          await setActive(item.id);
+          const dest = withParam(item.url, 'frapp', '1');
+          if (dest) window.location.replace(dest);
+        } else if (act==='rename'){
+          const nn=prompt('New display name:', item.name || host(item.url));
+          if (nn!=null){
+            const L=await loadInstances(); const it=L.find(x=>x.id===item.id);
+            if (it){ it.name=nn.trim().slice(0,120); it.lastUsed=Date.now(); await saveInstances(L); renderList(); }
+          }
+        } else if (act==='remove'){
+          if (!confirm('Remove this server?')) return;
+          let L=await loadInstances(); L=L.filter(x=>x.id!==item.id); await saveInstances(L);
+          const a=await getActive(); if (a===item.id) await setActive(L[0]?.id||''); renderList();
+        }
+      });
+
+      listEl.appendChild(chip);
+
+      // Live refresh (best effort)
+      (async ()=>{
+        const ok = await probeReachable(item.url, 2500);
+        const d = document.getElementById(`frx-dot-${item.id}`);
+        const l = document.getElementById(`frx-lbl-${item.id}`);
+        const b = chip.querySelector('[data-act="open"]');
+        if (d && l && b){
+          d.classList.remove('on','off');
+          d.classList.add(ok?'on':'off');
+          l.textContent = ok ? 'Online' : 'Offline';
+          b.disabled = !ok;
+        }
+        const o2 = originOf(item.url); if (o2) writeStatus(o2, ok);
+      })();
+    });
+  }
+
+  $('#frx-add-save').addEventListener('click', async ()=>{
+    const name = $('#frx-name').value.trim();
+    const url  = $('#frx-url').value.trim();
+    if (!url) { alert('Enter a valid URL'); return; }
+
+    // Verify: must be FileRise
+    const vf = await verifyFileRise(url);
+    if (!vf.ok) { alert('That address does not look like a FileRise server.'); return; }
+
+    let L = await loadInstances();
+    const h  = host(url);
+    const dupe = L.find(i => host(i.url)===h);
+    const inst = dupe || { id:'i'+Math.random().toString(36).slice(2)+Date.now().toString(36) };
+    inst.name = name || inst.name || h;
+    inst.url  = normalize(url);
+    inst.favicon = faviconUrl(url);
+    inst.lastUsed = Date.now();
+    if (!dupe) L.push(inst);
+    await saveInstances(L);
+    await setActive(inst.id);
+
+    if (vf.origin) await writeStatus(vf.origin, true);
+
+    const dest = withParam(inst.url, 'frapp', '1');
+    if (dest) window.location.replace(dest);
+  });
+
+  fab.addEventListener('click', async ()=>{ await renderList(); show(); });
+
+  // Ensure zoom gestures work if the host page tried to disable them
+  (function ensureZoomable(){
+    let m = document.querySelector('meta[name=viewport]');
+    const desired = 'width=device-width, initial-scale=1, viewport-fit=cover, user-scalable=yes, minimum-scale=1, maximum-scale=5';
+    if (!m){ m = document.createElement('meta'); m.setAttribute('name','viewport'); document.head.appendChild(m); }
+    const c = m.getAttribute('content') || '';
+    if (/user-scalable=no|maximum-scale=1/.test(c)) m.setAttribute('content', desired);
+  })();
+})();

public/js/pwa/register-sw.js

@@ -0,0 +1,5 @@
+if ('serviceWorker' in navigator) {
+    window.addEventListener('load', () => {
+      navigator.serviceWorker.register('/sw.js?v={{APP_QVER}}').catch(() => {});
+    });
+  }

public/js/pwa/sw.js

@@ -0,0 +1,9 @@
+// public/js/pwa/sw.js
+const SW_VERSION = '{{APP_QVER}}';
+const STATIC_CACHE = `fr-static-${SW_VERSION}`;
+const STATIC_ASSETS = [
+  '/', '/index.html',
+  '/css/styles.css?v={{APP_QVER}}',
+  '/js/main.js?v={{APP_QVER}}',
+  '/assets/logo.svg?v={{APP_QVER}}'
+];

public/js/version.js

@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.8.0';
+window.APP_VERSION = 'v1.8.12';

public/manifest.webmanifest

@@ -0,0 +1,14 @@
+{
+    "name": "FileRise",
+    "short_name": "FileRise",
+    "start_url": "/?pwa=1",
+    "scope": "/",
+    "display": "standalone",
+    "background_color": "#111111",
+    "theme_color": "#0b5ed7",
+    "icons": [
+      { "src": "/assets/icons/icon-192.png?v={{APP_QVER}}", "sizes": "192x192", "type": "image/png" },
+      { "src": "/assets/icons/icon-512.png?v={{APP_QVER}}", "sizes": "512x512", "type": "image/png" },
+      { "src": "/assets/icons/maskable-512.png?v={{APP_QVER}}", "sizes": "512x512", "type": "image/png", "purpose": "maskable" }
+    ]
+  }

public/sw.js

@@ -0,0 +1,6 @@
+// Root-scoped stub. Keeps the worker’s scope at “/” level
+try {
+  self.importScripts('/js/pwa/sw.js?v={{APP_QVER}}');
+} catch (_) {
+  // no-op
+}

src/cli/zip_worker.php

@@ -0,0 +1,179 @@
+#!/usr/bin/env php
+<?php
+declare(strict_types=1);
+
+require __DIR__ . '/../../config/config.php';
+require __DIR__ . '/../../src/models/FileModel.php';
+
+$token = $argv[1] ?? '';
+$token = preg_replace('/[^a-f0-9]/','',$token);
+if ($token === '') { fwrite(STDERR, "No token\n"); exit(1); }
+
+$root    = rtrim((string)META_DIR, '/\\') . '/ziptmp';
+$tokDir  = $root . '/.tokens';
+$logDir  = $root . '/.logs';
+@mkdir($tokDir, 0775, true);
+@mkdir($logDir, 0775, true);
+
+$tokFile = $tokDir . '/' . $token . '.json';
+$logFile = $logDir . '/WORKER-' . $token . '.log';
+
+file_put_contents($logFile, "[".date('c')."] worker start token={$token}\n", FILE_APPEND);
+
+// Keep libzip temp files on same FS as final zip (prevents cross-device rename failures)
+@mkdir($root, 0775, true);
+@putenv('TMPDIR='.$root);
+@ini_set('sys_temp_dir', $root);
+
+// Small janitor: purge old tokens/logs (> 6h)
+$now = time();
+foreach (glob($tokDir.'/*.json') ?: [] as $f) { if (is_file($f) && ($now - @filemtime($f)) > 21600) @unlink($f); }
+foreach (glob($logDir.'/WORKER-*.log') ?: [] as $f) { if (is_file($f) && ($now - @filemtime($f)) > 21600) @unlink($f); }
+
+// Helpers to read/write the token file safely
+$job = json_decode((string)@file_get_contents($tokFile), true) ?: [];
+
+$save = function() use (&$job, $tokFile) {
+    @file_put_contents($tokFile, json_encode($job, JSON_PRETTY_PRINT), LOCK_EX);
+    @clearstatcache(true, $tokFile);
+};
+
+$touchPhase = function(string $phase) use (&$job, $save) {
+    $job['phase'] = $phase;
+    $save();
+};
+
+// Init timing
+if (empty($job['startedAt'])) {
+    $job['startedAt'] = time();
+}
+$job['status'] = 'working';
+$job['error']  = null;
+$save();
+
+// Build the list of files to zip using the model (same validation FileRise uses)
+try {
+    // Reuse FileModel’s validation by calling it but not keeping the zip; we’ll enumerate sizes here.
+    $folder = (string)($job['folder'] ?? 'root');
+    $names  = (array)($job['files'] ?? []);
+
+    // Resolve folder path similarly to createZipArchive
+    $baseDir = realpath(UPLOAD_DIR);
+    if ($baseDir === false) {
+        throw new RuntimeException('Uploads directory not configured correctly.');
+    }
+    if (strtolower($folder) === 'root' || $folder === "") {
+        $folderPathReal = $baseDir;
+    } else {
+        if (strpos($folder, '..') !== false) throw new RuntimeException('Invalid folder name.');
+        $parts = explode('/', trim($folder, "/\\ "));
+        foreach ($parts as $part) {
+            if ($part === '' || !preg_match(REGEX_FOLDER_NAME, $part)) {
+                throw new RuntimeException('Invalid folder name.');
+            }
+        }
+        $folderPath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
+        $folderPathReal = realpath($folderPath);
+        if ($folderPathReal === false || strpos($folderPathReal, $baseDir) !== 0) {
+            throw new RuntimeException('Folder not found.');
+        }
+    }
+
+    // Collect files (only regular files)
+    $filesToZip = [];
+    foreach ($names as $nm) {
+        $bn = basename(trim((string)$nm));
+        if (!preg_match(REGEX_FILE_NAME, $bn)) continue;
+        $fp = $folderPathReal . DIRECTORY_SEPARATOR . $bn;
+        if (is_file($fp)) $filesToZip[] = $fp;
+    }
+    if (!$filesToZip) throw new RuntimeException('No valid files to zip.');
+
+    // Totals for progress
+    $filesTotal = count($filesToZip);
+    $bytesTotal = 0;
+    foreach ($filesToZip as $fp) {
+        $sz = @filesize($fp);
+        if ($sz !== false) $bytesTotal += (int)$sz;
+    }
+
+    $job['filesTotal'] = $filesTotal;
+    $job['bytesTotal'] = $bytesTotal;
+    $job['filesDone']  = 0;
+    $job['bytesDone']  = 0;
+    $job['pct']        = 0;
+    $job['current']    = null;
+    $job['phase']      = 'zipping';
+    $save();
+
+    // Create final zip path in META_DIR/ziptmp
+    $zipName = 'download-' . date('Ymd-His') . '-' . bin2hex(random_bytes(4)) . '.zip';
+    $zipPath = $root . DIRECTORY_SEPARATOR . $zipName;
+
+    $zip = new ZipArchive();
+    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
+        throw new RuntimeException('Could not create zip archive.');
+    }
+
+    // Enumerate files; report up to 98%
+    $bytesDone = 0;
+    $filesDone = 0;
+    foreach ($filesToZip as $fp) {
+        $bn = basename($fp);
+        $zip->addFile($fp, $bn);
+
+        $filesDone++;
+        $sz = @filesize($fp);
+        if ($sz !== false) $bytesDone += (int)$sz;
+
+        $job['filesDone'] = $filesDone;
+        $job['bytesDone'] = $bytesDone;
+        $job['current']   = $bn;
+
+        $pct = ($bytesTotal > 0) ? (int) floor(($bytesDone / $bytesTotal) * 98) : 0;
+        if ($pct < 0) $pct = 0;
+        if ($pct > 98) $pct = 98;
+        if ($pct > (int)($job['pct'] ?? 0)) $job['pct'] = $pct;
+
+        $save();
+    }
+
+    // Finalizing (this is where libzip writes & renames)
+$job['pct']           = max((int)($job['pct'] ?? 0), 99);
+$job['phase']         = 'finalizing';
+$job['finalizeAt']    = time();
+
+// Publish selected totals for a truthful UI during finalizing,
+// and clear incremental fields so the UI doesn't show "7/7 14 GB / 14 GB" prematurely.
+$job['selectedFiles'] = $filesTotal;
+$job['selectedBytes'] = $bytesTotal;
+$job['filesDone']     = null;
+$job['bytesDone']     = null;
+$job['current']       = null;
+
+$save();
+
+// ---- finalize the zip on disk ----
+$ok = $zip->close();
+$statusStr = method_exists($zip, 'getStatusString') ? $zip->getStatusString() : '';
+
+if (!$ok || !is_file($zipPath)) {
+    $job['status'] = 'error';
+    $job['error']  = 'Failed to finalize ZIP' . ($statusStr ? " ($statusStr)" : '');
+    $save();
+    file_put_contents($logFile, "[".date('c')."] error: ".$job['error']."\n", FILE_APPEND);
+    exit(0);
+}
+
+$job['status']  = 'done';
+$job['zipPath'] = $zipPath;
+$job['pct']     = 100;
+$job['phase']   = 'finalized';
+$save();
+file_put_contents($logFile, "[".date('c')."] done zip={$zipPath}\n", FILE_APPEND);
+} catch (Throwable $e) {
+    $job['status'] = 'error';
+    $job['error']  = 'Worker exception: '.$e->getMessage();
+    $save();
+    file_put_contents($logFile, "[".date('c')."] exception: ".$e->getMessage()."\n", FILE_APPEND);
+}

src/controllers/AuthController.php

@@ -57,12 +57,26 @@ class AuthController
             $oidcAction = 'callback';
         }
         if ($oidcAction) {
-            $cfg = AdminModel::getConfig();
+            $cfg          = AdminModel::getConfig();
+            $clientId     = $cfg['oidc']['clientId']     ?? null;
+            $clientSecret = $cfg['oidc']['clientSecret'] ?? null;
+            // When configured as a public client (no secret), pass null, not an empty string.
+            if ($clientSecret === '') { $clientSecret = null; }
+
             $oidc = new OpenIDConnectClient(
                 $cfg['oidc']['providerUrl'],
-                $cfg['oidc']['clientId'],
-                $cfg['oidc']['clientSecret']
+                $clientId ?: null,
+                $clientSecret
             );
+
+            // Always send PKCE (S256). Required by Authelia for public clients, safe for confidential ones.
+            if (method_exists($oidc, 'setCodeChallengeMethod')) {
+                $oidc->setCodeChallengeMethod('S256');
+            }
+            // client_secret_post with Authelia using config.php
+            if (method_exists($oidc, 'setTokenEndpointAuthMethod') && OIDC_TOKEN_ENDPOINT_AUTH_METHOD) {
+                $oidc->setTokenEndpointAuthMethod(OIDC_TOKEN_ENDPOINT_AUTH_METHOD);
+            }
             $oidc->setRedirectURL($cfg['oidc']['redirectUri']);
             $oidc->addScope(['openid','profile','email']);
 

src/controllers/FileController.php

@@ -190,6 +190,59 @@ class FileController
         return $ok ? null : "Forbidden: folder scope violation.";
     }
 
+    private function spawnZipWorker(string $token, string $tokFile, string $logDir): array
+    {
+        $worker = realpath(PROJECT_ROOT . '/src/cli/zip_worker.php');
+        if (!$worker || !is_file($worker)) {
+            return ['ok'=>false, 'error'=>'zip_worker.php not found'];
+        }
+    
+        // Find a PHP CLI binary that actually works
+        $candidates = array_values(array_filter([
+            PHP_BINARY ?: null,
+            '/usr/local/bin/php',
+            '/usr/bin/php',
+            '/bin/php'
+        ]));
+        $php = null;
+        foreach ($candidates as $bin) {
+            if (!$bin) continue;
+            $rc = 1;
+            @exec(escapeshellcmd($bin).' -v >/dev/null 2>&1', $o, $rc);
+            if ($rc === 0) { $php = $bin; break; }
+        }
+        if (!$php) {
+            return ['ok'=>false, 'error'=>'No working php CLI found'];
+        }
+    
+        $logFile = $logDir . DIRECTORY_SEPARATOR . 'WORKER-' . $token . '.log';
+    
+        // Ensure TMPDIR is on the same FS as the final zip; actually apply it to the child process.
+        $tmpDir = rtrim((string)META_DIR, '/\\') . '/ziptmp';
+        @mkdir($tmpDir, 0775, true);
+    
+        // Build one sh -c string so env + nohup + echo $! are in the same shell
+        $cmdStr =
+            'export TMPDIR=' . escapeshellarg($tmpDir) . ' ; ' .
+            'nohup ' . escapeshellcmd($php) . ' ' . escapeshellarg($worker) . ' ' . escapeshellarg($token) .
+            ' >> ' . escapeshellarg($logFile) . ' 2>&1 & echo $!';
+    
+        $pid = @shell_exec('/bin/sh -c ' . escapeshellarg($cmdStr));
+        $pid = is_string($pid) ? (int)trim($pid) : 0;
+    
+        // Persist spawn metadata into token (best-effort)
+        $job = json_decode((string)@file_get_contents($tokFile), true) ?: [];
+        $job['spawn'] = [
+            'ts'  => time(),
+            'php' => $php,
+            'pid' => $pid,
+            'log' => $logFile
+        ];
+        @file_put_contents($tokFile, json_encode($job, JSON_PRETTY_PRINT), LOCK_EX);
+    
+        return $pid > 0 ? ['ok'=>true] : ['ok'=>false, 'error'=>'spawn returned no PID'];
+    }
+
     // --- small helpers ---
     private function _jsonStart(): void {
         if (session_status() !== PHP_SESSION_ACTIVE) session_start();
@@ -665,78 +718,214 @@ public function deleteFiles()
         exit;
     }
 
-    public function downloadZip()
-    {
-        $this->_jsonStart();
-        try {
-            if (!$this->_checkCsrf()) return;
-            if (!$this->_requireAuth()) return;
+    public function zipStatus()
+{
+    if (!$this->_requireAuth()) { http_response_code(401); header('Content-Type: application/json'); echo json_encode(["error"=>"Unauthorized"]); return; }
+    $username = $_SESSION['username'] ?? '';
+    $token = isset($_GET['k']) ? preg_replace('/[^a-f0-9]/','',(string)$_GET['k']) : '';
+    if ($token === '' || strlen($token) < 8) { http_response_code(400); header('Content-Type: application/json'); echo json_encode(["error"=>"Bad token"]); return; }
 
-            $data = $this->_readJsonBody();
-            if (!is_array($data) || !isset($data['folder'], $data['files']) || !is_array($data['files'])) {
-                $this->_jsonOut(["error" => "Invalid input."], 400); return;
-            }
+    $tokFile = rtrim((string)META_DIR, '/\\') . '/ziptmp/.tokens/' . $token . '.json';
+    if (!is_file($tokFile)) { http_response_code(404); header('Content-Type: application/json'); echo json_encode(["error"=>"Not found"]); return; }
+    $job = json_decode((string)@file_get_contents($tokFile), true) ?: [];
+    if (($job['user'] ?? '') !== $username) { http_response_code(403); header('Content-Type: application/json'); echo json_encode(["error"=>"Forbidden"]); return; }
 
-            $folder = $this->_normalizeFolder($data['folder']);
-            $files  = $data['files'];
-            if (!$this->_validFolder($folder)) { $this->_jsonOut(["error"=>"Invalid folder name."], 400); return; }
+    $ready = (($job['status'] ?? '') === 'done') && !empty($job['zipPath']) && is_file($job['zipPath']);
 
-            $username = $_SESSION['username'] ?? '';
-            $perms    = $this->loadPerms($username);
+    $out = [
+        'status'      => $job['status']      ?? 'unknown',
+        'error'       => $job['error']       ?? null,
+        'ready'       => $ready,
+        // progress (if present)
+        'pct'         => $job['pct']         ?? null,
+        'filesDone'   => $job['filesDone']   ?? null,
+        'filesTotal'  => $job['filesTotal']  ?? null,
+        'bytesDone'   => $job['bytesDone']   ?? null,
+        'bytesTotal'  => $job['bytesTotal']  ?? null,
+        'current'     => $job['current']     ?? null,
+        'phase'       => $job['phase']       ?? null,
+        // timing (always include for UI)
+        'startedAt'   => $job['startedAt']   ?? null,
+        'finalizeAt'  => $job['finalizeAt']  ?? null,
+    ];
 
-            // Optional zip gate by account flag
-            if (!$this->isAdmin($perms) && !empty($perms['disableZip'])) {
-                $this->_jsonOut(["error" => "ZIP downloads are not allowed for your account."], 403); return;
-            }
+    if ($ready) {
+        $out['size']        = @filesize($job['zipPath']) ?: null;
+        $out['downloadUrl'] = '/api/file/downloadZipFile.php?k=' . urlencode($token);
+    }
 
-            $ignoreOwnership = $this->isAdmin($perms)
-                || ($perms['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+    header('Content-Type: application/json');
+    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
+    header('Pragma: no-cache');
+    header('Expires: 0');
+    echo json_encode($out);
+}
 
-            // Ancestor-owner counts as full view
-            $fullView = $ignoreOwnership
-                || ACL::canRead($username, $perms, $folder)
-                || $this->ownsFolderOrAncestor($folder, $username, $perms);
-            $ownOnly  = !$fullView && ACL::hasGrant($username, $folder, 'read_own');
+public function downloadZipFile()
+{
+    if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) { http_response_code(401); echo "Unauthorized"; return; }
+    $username = $_SESSION['username'] ?? '';
+    $token = isset($_GET['k']) ? preg_replace('/[^a-f0-9]/','',(string)$_GET['k']) : '';
+    if ($token === '' || strlen($token) < 8) { http_response_code(400); echo "Bad token"; return; }
 
-            if (!$fullView && !$ownOnly) {
-                $this->_jsonOut(["error" => "Forbidden: no view access to this folder."], 403); return;
-            }
+    $tokFile = rtrim((string)META_DIR, '/\\') . '/ziptmp/.tokens/' . $token . '.json';
+    if (!is_file($tokFile)) { http_response_code(404); echo "Not found"; return; }
+    $job = json_decode((string)@file_get_contents($tokFile), true) ?: [];
+    @unlink($tokFile); // one-shot token
 
-            // If own-only, ensure all files are owned by the user
-            if ($ownOnly) {
-                $meta = $this->loadFolderMetadata($folder);
-                foreach ($files as $f) {
-                    $bn = basename((string)$f);
-                    if (!isset($meta[$bn]['uploader']) || strcasecmp((string)$meta[$bn]['uploader'], $username) !== 0) {
-                        $this->_jsonOut(["error" => "Forbidden: you are not the owner of '{$bn}'."], 403); return;
-                    }
+    if (($job['user'] ?? '') !== $username) { http_response_code(403); echo "Forbidden"; return; }
+    $zip = (string)($job['zipPath'] ?? '');
+    $zipReal = realpath($zip);
+    $root = realpath(rtrim((string)META_DIR, '/\\') . '/ziptmp');
+    if (!$zipReal || !$root || strpos($zipReal, $root) !== 0 || !is_file($zipReal)) { http_response_code(404); echo "Not found"; return; }
+
+    @session_write_close();
+    @set_time_limit(0);
+    @ignore_user_abort(true);
+    if (function_exists('apache_setenv')) @apache_setenv('no-gzip','1');
+    @ini_set('zlib.output_compression','0');
+    @ini_set('output_buffering','off');
+    while (ob_get_level()>0) @ob_end_clean();
+
+    @clearstatcache(true, $zipReal);
+    $name = isset($_GET['name']) ? preg_replace('/[^A-Za-z0-9._-]/','_', (string)$_GET['name']) : 'files.zip';
+    if ($name === '' || str_ends_with($name,'.')) $name = 'files.zip';
+    $size = (int)@filesize($zipReal);
+
+    header('X-Accel-Buffering: no');
+    header('X-Content-Type-Options: nosniff');
+    header('Content-Type: application/zip');
+    header('Content-Disposition: attachment; filename="'.$name.'"');
+    if ($size>0) header('Content-Length: '.$size);
+    header('Cache-Control: no-store, no-cache, must-revalidate');
+    header('Pragma: no-cache');
+
+    readfile($zipReal);
+    @unlink($zipReal);
+}
+
+public function downloadZip()
+{
+    try {
+        if (!$this->_checkCsrf()) { $this->_jsonOut(["error"=>"Bad CSRF"],400); return; }
+        if (!$this->_requireAuth()) { $this->_jsonOut(["error"=>"Unauthorized"],401); return; }
+
+        $data = $this->_readJsonBody();
+        if (!is_array($data) || !isset($data['folder'], $data['files']) || !is_array($data['files'])) {
+            $this->_jsonOut(["error" => "Invalid input."], 400); return;
+        }
+
+        $folder = $this->_normalizeFolder($data['folder']);
+        $files  = $data['files'];
+        if (!$this->_validFolder($folder)) { $this->_jsonOut(["error"=>"Invalid folder name."], 400); return; }
+
+        $username = $_SESSION['username'] ?? '';
+        $perms    = $this->loadPerms($username);
+
+        // Optional zip gate by account flag
+        if (!$this->isAdmin($perms) && !empty($perms['disableZip'])) {
+            $this->_jsonOut(["error" => "ZIP downloads are not allowed for your account."], 403); return;
+        }
+
+        $ignoreOwnership = $this->isAdmin($perms)
+            || ($perms['bypassOwnership'] ?? (defined('DEFAULT_BYPASS_OWNERSHIP') ? DEFAULT_BYPASS_OWNERSHIP : false));
+
+        // Ancestor-owner counts as full view
+        $fullView = $ignoreOwnership
+            || ACL::canRead($username, $perms, $folder)
+            || $this->ownsFolderOrAncestor($folder, $username, $perms);
+        $ownOnly  = !$fullView && ACL::hasGrant($username, $folder, 'read_own');
+
+        if (!$fullView && !$ownOnly) { $this->_jsonOut(["error" => "Forbidden: no view access to this folder."], 403); return; }
+
+        // If own-only, ensure all files are owned by the user
+        if ($ownOnly) {
+            $meta = $this->loadFolderMetadata($folder);
+            foreach ($files as $f) {
+                $bn = basename((string)$f);
+                if (!isset($meta[$bn]['uploader']) || strcasecmp((string)$meta[$bn]['uploader'], $username) !== 0) {
+                    $this->_jsonOut(["error" => "Forbidden: you are not the owner of '{$bn}'."], 403); return;
                 }
             }
+        }
 
-            $result = FileModel::createZipArchive($folder, $files);
-            if (isset($result['error'])) {
-                $this->_jsonOut(["error" => $result['error']], 400); return;
+        $root   = rtrim((string)META_DIR, '/\\') . DIRECTORY_SEPARATOR . 'ziptmp';
+        $tokDir = $root . DIRECTORY_SEPARATOR . '.tokens';
+        $logDir = $root . DIRECTORY_SEPARATOR . '.logs';
+        if (!is_dir($tokDir)) @mkdir($tokDir, 0700, true);
+        if (!is_dir($logDir)) @mkdir($logDir, 0700, true);
+        @chmod($tokDir, 0700);
+        @chmod($logDir, 0700);
+        if (!is_dir($tokDir) || !is_writable($tokDir)) {
+            $this->_jsonOut(["error"=>"ZIP token dir not writable."],500); return;
+        }
+
+        // Light janitor: purge old tokens/logs > 6h (best-effort)
+        $now = time();
+        foreach ((glob($tokDir . DIRECTORY_SEPARATOR . '*.json') ?: []) as $tf) {
+            if (is_file($tf) && ($now - (int)@filemtime($tf)) > 21600) { @unlink($tf); }
+        }
+        foreach ((glob($logDir . DIRECTORY_SEPARATOR . 'WORKER-*.log') ?: []) as $lf) {
+            if (is_file($lf) && ($now - (int)@filemtime($lf)) > 21600) { @unlink($lf); }
+        }
+
+        // Per-user and global caps (simple anti-DoS)
+        $perUserCap = 2;    // tweak if desired
+        $globalCap  = 8;    // tweak if desired
+
+        $tokens = glob($tokDir . DIRECTORY_SEPARATOR . '*.json') ?: [];
+        $mine   = 0; $all = 0;
+        foreach ($tokens as $tf) {
+            $job = json_decode((string)@file_get_contents($tf), true) ?: [];
+            $st  = $job['status'] ?? 'unknown';
+            if ($st === 'queued' || $st === 'working' || $st === 'finalizing') {
+                $all++;
+                if (($job['user'] ?? '') === $username) $mine++;
             }
+        }
+        if ($mine >= $perUserCap) { $this->_jsonOut(["error"=>"You already have ZIP jobs running. Try again shortly."], 429); return; }
+        if ($all  >= $globalCap)  { $this->_jsonOut(["error"=>"ZIP queue is busy. Try again shortly."], 429); return; }
 
-            $zipPath = $result['zipPath'] ?? null;
-            if (!$zipPath || !file_exists($zipPath)) { $this->_jsonOut(["error"=>"ZIP archive not found."], 500); return; }
+        // Create job token
+        $token   = bin2hex(random_bytes(16));
+        $tokFile = $tokDir . DIRECTORY_SEPARATOR . $token . '.json';
+        $job = [
+            'user'       => $username,
+            'folder'     => $folder,
+            'files'      => array_values($files),
+            'status'     => 'queued',
+            'ctime'      => time(),
+            'startedAt'  => null,
+            'finalizeAt' => null,
+            'zipPath'    => null,
+            'error'      => null
+        ];
+        if (file_put_contents($tokFile, json_encode($job, JSON_PRETTY_PRINT), LOCK_EX) === false) {
+            $this->_jsonOut(["error"=>"Failed to create zip job."],500); return;
+        }
 
-            // switch to file streaming
-            header_remove('Content-Type');
-            header('Content-Type: application/zip');
-            header('Content-Disposition: attachment; filename="files.zip"');
-            header('Content-Length: ' . filesize($zipPath));
-            header('Cache-Control: no-store, no-cache, must-revalidate');
-            header('Pragma: no-cache');
+        // Robust spawn (detect php CLI, log, record PID)
+        $spawn = $this->spawnZipWorker($token, $tokFile, $logDir);
+        if (!$spawn['ok']) {
+            $job['status'] = 'error';
+            $job['error']  = 'Spawn failed: '.$spawn['error'];
+            @file_put_contents($tokFile, json_encode($job, JSON_PRETTY_PRINT), LOCK_EX);
+            $this->_jsonOut(["error"=>"Failed to enqueue ZIP: ".$spawn['error']], 500);
+            return;
+        }
 
-            readfile($zipPath);
-            @unlink($zipPath);
-            exit;
-        } catch (Throwable $e) {
-            error_log('FileController::downloadZip error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
-            $this->_jsonOut(['error' => 'Internal server error while preparing ZIP.'], 500);
-        } finally { $this->_jsonEnd(); }
+        $this->_jsonOut([
+            'ok'          => true,
+            'token'       => $token,
+            'status'      => 'queued',
+            'statusUrl'   => '/api/file/zipStatus.php?k=' . urlencode($token),
+            'downloadUrl' => '/api/file/downloadZipFile.php?k=' . urlencode($token)
+        ]);
+    } catch (Throwable $e) {
+        error_log('FileController::downloadZip enqueue error: '.$e->getMessage().' @ '.$e->getFile().':'.$e->getLine());
+        $this->_jsonOut(['error' => 'Internal error while queuing ZIP.'], 500);
     }
+}
 
     public function extractZip()
     {

src/controllers/MediaController.php

@@ -0,0 +1,135 @@
+<?php
+// src/controllers/MediaController.php
+declare(strict_types=1);
+
+require_once PROJECT_ROOT . '/config/config.php';
+require_once PROJECT_ROOT . '/src/models/MediaModel.php';
+require_once PROJECT_ROOT . '/src/lib/ACL.php';
+
+class MediaController
+{
+    private function jsonStart(): void {
+        if (session_status() !== PHP_SESSION_ACTIVE) session_start();
+        header('Content-Type: application/json; charset=utf-8');
+        set_error_handler(function ($severity, $message, $file, $line) {
+            if (!(error_reporting() & $severity)) return;
+            throw new ErrorException($message, 0, $severity, $file, $line);
+        });
+    }
+    private function jsonEnd(): void { restore_error_handler(); }
+    private function out($payload, int $status=200): void {
+        http_response_code($status);
+        echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+    }
+    private function readJson(): array {
+        $raw = file_get_contents('php://input');
+        $data = json_decode($raw, true);
+        return is_array($data) ? $data : [];
+    }
+    private function requireAuth(): ?string {
+        if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+            $this->out(['error'=>'Unauthorized'], 401); return 'no';
+        }
+        return null;
+    }
+    private function checkCsrf(): ?string {
+        $headers = function_exists('getallheaders') ? array_change_key_case(getallheaders(), CASE_LOWER) : [];
+        $received = $headers['x-csrf-token'] ?? '';
+        if (!isset($_SESSION['csrf_token']) || $received !== $_SESSION['csrf_token']) {
+            $this->out(['error'=>'Invalid CSRF token'], 403); return 'no';
+        }
+        return null;
+    }
+    private function normalizeFolder($f): string {
+        $f = trim((string)$f);
+        return ($f==='' || strtolower($f)==='root') ? 'root' : $f;
+    }
+    private function validFolder($f): bool {
+        return $f==='root' || (bool)preg_match(REGEX_FOLDER_NAME, $f);
+    }
+    private function validFile($f): bool {
+        $f = basename((string)$f);
+        return $f !== '' && (bool)preg_match(REGEX_FILE_NAME, $f);
+    }
+    private function enforceRead(string $folder, string $username): ?string {
+        $perms = loadUserPermissions($username) ?: [];
+        return ACL::canRead($username, $perms, $folder) ? null : "Forbidden";
+    }
+
+    /** POST /api/media/updateProgress.php */
+    public function updateProgress(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            if ($this->checkCsrf())    return;
+
+            $u = $_SESSION['username'] ?? '';
+            $d = $this->readJson();
+            $folder = $this->normalizeFolder($d['folder'] ?? 'root');
+            $file   = (string)($d['file'] ?? '');
+            $seconds   = isset($d['seconds'])  ? floatval($d['seconds'])  : 0.0;
+            $duration  = isset($d['duration']) ? floatval($d['duration']) : null;
+            $completed = isset($d['completed']) ? (bool)$d['completed'] : null;
+            $clear     = isset($d['clear']) ? (bool)$d['clear'] : false;
+
+            if (!$this->validFolder($folder) || !$this->validFile($file)) {
+                $this->out(['error'=>'Invalid folder/file'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            if ($clear) {
+                $ok = MediaModel::clearProgress($u, $folder, $file);
+                $this->out(['success'=>$ok]); return;
+            }
+
+            $row = MediaModel::saveProgress($u, $folder, $file, $seconds, $duration, $completed);
+            $this->out(['success'=>true, 'state'=>$row]);
+        } catch (Throwable $e) {
+            error_log('MediaController::updateProgress: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+
+    /** GET /api/media/getProgress.php?folder=…&file=… */
+    public function getProgress(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            $u = $_SESSION['username'] ?? '';
+            $folder = $this->normalizeFolder($_GET['folder'] ?? 'root');
+            $file   = (string)($_GET['file'] ?? '');
+
+            if (!$this->validFolder($folder) || !$this->validFile($file)) {
+                $this->out(['error'=>'Invalid folder/file'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            $row = MediaModel::getProgress($u, $folder, $file);
+            $this->out(['state'=>$row]);
+        } catch (Throwable $e) {
+            error_log('MediaController::getProgress: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+
+    /** GET /api/media/getViewedMap.php?folder=…  (optional, for badges) */
+    public function getViewedMap(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            $u = $_SESSION['username'] ?? '';
+            $folder = $this->normalizeFolder($_GET['folder'] ?? 'root');
+
+            if (!$this->validFolder($folder)) {
+                $this->out(['error'=>'Invalid folder'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            $map = MediaModel::getFolderMap($u, $folder);
+            $this->out(['map'=>$map]);
+        } catch (Throwable $e) {
+            error_log('MediaController::getViewedMap: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+}

src/controllers/OnlyOfficeController.php

@@ -16,6 +16,23 @@ private const OO_SUPPORTED_EXTS = [
     'ppt','pptx','odp',
     'pdf'
   ];
+
+/** Origin that the Document Server should use to reach FileRise fast (internal URL) */
+private function effectiveFileOriginForDocs(): string
+{
+    $cfg = AdminModel::getConfig();
+    $oo  = is_array($cfg['onlyoffice'] ?? null) ? $cfg['onlyoffice'] : [];
+
+    // 1) explicit constant
+    if (defined('ONLYOFFICE_FILE_ORIGIN_FOR_DOCS') && ONLYOFFICE_FILE_ORIGIN_FOR_DOCS !== '') {
+        return (string)ONLYOFFICE_FILE_ORIGIN_FOR_DOCS;
+    }
+    // 2) admin.json setting
+    if (!empty($oo['fileOriginForDocs'])) return (string)$oo['fileOriginForDocs'];
+
+    // 3) fallback: whatever the public sees (may hairpin, but still works)
+    return $this->effectivePublicOrigin();
+}
   
   // Never editable via OO (we’ll always set edit=false for these)
   private const OO_NEVER_EDIT = ['pdf'];
@@ -127,117 +144,119 @@ private function ooLog(string $level, string $msg): void
 
     /** GET /api/onlyoffice/status.php */
     public function status(): void
-    {
-        header('Content-Type: application/json; charset=utf-8');
-        header('Cache-Control: no-store');
+{
+    header('Content-Type: application/json; charset=utf-8');
+    header('Cache-Control: no-store');
 
-        $enabled   = $this->effectiveEnabled();
-        $docsOrig  = $this->effectiveDocsOrigin();
-        $secret    = $this->effectiveSecret();
+    $enabled   = $this->effectiveEnabled();
+    $docsOrig  = $this->effectiveDocsOrigin();
+    $secret    = $this->effectiveSecret();
 
-        // Must have docs origin and secret to actually function
-        $enabled = $enabled && ($docsOrig !== '') && ($secret !== '');
+    // Must have docs origin and secret to actually function
+    $enabled = $enabled && ($docsOrig !== '') && ($secret !== '');
 
-        $exts = self::OO_SUPPORTED_EXTS;
-        // If you want the extras:
-        $exts = array_values(array_unique(array_merge($exts, self::OO_VIEW_ONLY_EXTRAS)));
-        
-        echo json_encode(['enabled' => (bool)$enabled, 'exts' => $exts], JSON_UNESCAPED_SLASHES);
-    }
+    $exts = self::OO_SUPPORTED_EXTS;
+    $exts = array_values(array_unique(array_merge($exts, self::OO_VIEW_ONLY_EXTRAS)));
+
+    echo json_encode([
+        'enabled'      => (bool)$enabled,
+        'exts'         => $exts,
+        'docsOrigin'   => $docsOrig,                     // <-- for preconnect/api.js
+        'publicOrigin' => $this->effectivePublicOrigin() // <-- informational
+    ], JSON_UNESCAPED_SLASHES);
+}
 
     /** GET /api/onlyoffice/config.php?folder=...&file=... */
-    public function config(): void
-    {
-        header('Content-Type: application/json; charset=utf-8');
-        header('Cache-Control: no-store');
+    // --- config(): use the DocServer-facing origin for fileUrl & callbackUrl ---
+public function config(): void
+{
+    header('Content-Type: application/json; charset=utf-8');
+    header('Cache-Control: no-store');
 
-        @session_start();
-        $user   = $_SESSION['username'] ?? 'anonymous';
-        $perms  = [];
-        $isAdmin = \ACL::isAdmin($perms);
+    @session_start();
+    $user   = $_SESSION['username'] ?? 'anonymous';
+    $perms  = [];
+    $isAdmin = \ACL::isAdmin($perms);
 
-        // Effective toggles
-        $enabled    = $this->effectiveEnabled();
-        $docsOrigin = rtrim($this->effectiveDocsOrigin(), '/');
-        $secret     = $this->effectiveSecret();
-        if (!$enabled) { http_response_code(404); echo '{"error":"ONLYOFFICE disabled"}'; return; }
-        if ($secret === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_JWT_SECRET not configured"}'; return; }
-        if ($docsOrigin === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_DOCS_ORIGIN not configured"}'; return; }
-        if (!defined('UPLOAD_DIR')) { http_response_code(500); echo '{"error":"UPLOAD_DIR not defined"}'; return; }
+    $enabled     = $this->effectiveEnabled();
+    $docsOrigin  = rtrim($this->effectiveDocsOrigin(), '/');
+    $secret      = $this->effectiveSecret();
 
-        // Inputs
-        $folder = \ACL::normalizeFolder((string)($_GET['folder'] ?? 'root'));
-        $file   = basename((string)($_GET['file'] ?? ''));
-        if ($file === '') { http_response_code(400); echo '{"error":"Bad request"}'; return; }
+    if (!$enabled) { http_response_code(404); echo '{"error":"ONLYOFFICE disabled"}'; return; }
+    if ($secret === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_JWT_SECRET not configured"}'; return; }
+    if ($docsOrigin === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_DOCS_ORIGIN not configured"}'; return; }
+    if (!defined('UPLOAD_DIR')) { http_response_code(500); echo '{"error":"UPLOAD_DIR not defined"}'; return; }
 
-        // ACL
-        if (!\ACL::canRead($user, $perms, $folder)) { http_response_code(403); echo '{"error":"Forbidden"}'; return; }
-        $canEdit = \ACL::canEdit($user, $perms, $folder);
+    $folder = \ACL::normalizeFolder((string)($_GET['folder'] ?? 'root'));
+    $file   = basename((string)($_GET['file'] ?? ''));
+    if ($file === '') { http_response_code(400); echo '{"error":"Bad request"}'; return; }
 
-        // Path
-        $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
-        $rel  = ($folder === 'root') ? '' : ($folder . '/');
-        $abs  = realpath($base . $rel . $file);
-        if (!$abs || !is_file($abs)) { http_response_code(404); echo '{"error":"Not found"}'; return; }
-        if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); echo '{"error":"Invalid path"}'; return; }
+    if (!\ACL::canRead($user, $perms, $folder)) { http_response_code(403); echo '{"error":"Forbidden"}'; return; }
+    $canEdit = \ACL::canEdit($user, $perms, $folder);
 
-        // Public origin
-        $publicOrigin = $this->effectivePublicOrigin();
+    $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
+    $rel  = ($folder === 'root') ? '' : ($folder . '/');
+    $abs  = realpath($base . $rel . $file);
+    if (!$abs || !is_file($abs)) { http_response_code(404); echo '{"error":"Not found"}'; return; }
+    if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); echo '{"error":"Invalid path"}'; return; }
 
-        // Signed download
-        $exp  = time() + 10*60;
-        $data = json_encode(['f'=>$folder,'n'=>$file,'u'=>$user,'adm'=>$isAdmin,'exp'=>$exp], JSON_UNESCAPED_SLASHES);
-        $sig  = hash_hmac('sha256', $data, $secret, true);
-        $tok  = $this->b64uEnc($data) . '.' . $this->b64uEnc($sig);
-        $fileUrl = $publicOrigin . '/api/onlyoffice/signed-download.php?tok=' . rawurlencode($tok);
+    // IMPORTANT: use the internal/fast origin for DocServer fetch + callback
+    $fileOriginForDocs = rtrim($this->effectiveFileOriginForDocs(), '/');
 
-        // Callback
-        $cbExp = time() + 10*60;
-        $cbSig = hash_hmac('sha256', $folder.'|'.$file.'|'.$cbExp, $secret);
-        $callbackUrl = $publicOrigin . '/api/onlyoffice/callback.php'
-          . '?folder=' . rawurlencode($folder)
-          . '&file='   . rawurlencode($file)
-          . '&exp='    . $cbExp
-          . '&sig='    . $cbSig;
+    $exp  = time() + 10*60;
+    $data = json_encode(['f'=>$folder,'n'=>$file,'u'=>$user,'adm'=>$isAdmin,'exp'=>$exp], JSON_UNESCAPED_SLASHES);
+    $sig  = hash_hmac('sha256', $data, $secret, true);
+    $tok  = $this->b64uEnc($data) . '.' . $this->b64uEnc($sig);
+    $fileUrl = $fileOriginForDocs . '/api/onlyoffice/signed-download.php?tok=' . rawurlencode($tok);
 
-        // Doc type & key
-        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION) ?: 'docx');
-        $docType = in_array($ext, ['xls','xlsx','ods','csv'], true) ? 'cell'
-                : (in_array($ext, ['ppt','pptx','odp'], true) ? 'slide' : 'word');
-        $key = substr(sha1($abs . '|' . (string)filemtime($abs)), 0, 20);
+    $cbExp = time() + 10*60;
+    $cbSig = hash_hmac('sha256', $folder.'|'.$file.'|'.$cbExp, $secret);
+    $callbackUrl = $fileOriginForDocs . '/api/onlyoffice/callback.php'
+      . '?folder=' . rawurlencode($folder)
+      . '&file='   . rawurlencode($file)
+      . '&exp='    . $cbExp
+      . '&sig='    . $cbSig;
 
-        $docsApiJs  = $docsOrigin . '/web-apps/apps/api/documents/api.js';
+    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION) ?: 'docx');
+    $docType = in_array($ext, ['xls','xlsx','ods','csv'], true) ? 'cell'
+            : (in_array($ext, ['ppt','pptx','odp'], true) ? 'slide' : 'word');
+    $key = substr(sha1($abs . '|' . (string)filemtime($abs)), 0, 20);
 
-        $cfgOut = [
-          'document' => [
-            'fileType' => $ext,
-            'key'      => $key,
-            'title'    => $file,
-            'url'      => $fileUrl,
-            'permissions' => [
-              'download' => true,
-              'print'    => true,
-              'edit' => $canEdit && !in_array($ext, self::OO_NEVER_EDIT, true),
-            ],
-          ],
-          'documentType' => $docType,
-          'editorConfig' => [
-            'callbackUrl' => $callbackUrl,
-            'user'        => ['id'=>$user, 'name'=>$user],
-            'lang'        => 'en',
-          ],
-          'type' => 'desktop',
-        ];
+    $docsApiJs  = $docsOrigin . '/web-apps/apps/api/documents/api.js';
 
-        // JWT sign cfg
-        $h = $this->b64uEnc(json_encode(['alg'=>'HS256','typ'=>'JWT']));
-        $p = $this->b64uEnc(json_encode($cfgOut, JSON_UNESCAPED_SLASHES));
-        $s = $this->b64uEnc(hash_hmac('sha256', "$h.$p", $secret, true));
-        $cfgOut['token'] = "$h.$p.$s";
-        $cfgOut['docs_api_js'] = $docsApiJs;
+    $cfgOut = [
+      'document' => [
+        'fileType' => $ext,
+        'key'      => $key,
+        'title'    => $file,
+        'url'      => $fileUrl,
+        'permissions' => [
+          'download' => true,
+          'print'    => true,
+          'edit'     => $canEdit && !in_array($ext, self::OO_NEVER_EDIT, true),
+        ],
+      ],
+      'documentType' => $docType,
+      'editorConfig' => [
+        'callbackUrl' => $callbackUrl,
+        'user'        => ['id'=>$user, 'name'=>$user],
+        'lang'        => 'en',
+      ],
+      'type' => 'desktop',
+    ];
 
-        echo json_encode($cfgOut, JSON_UNESCAPED_SLASHES);
-    }
+    // JWT sign cfg
+    $h = $this->b64uEnc(json_encode(['alg'=>'HS256','typ'=>'JWT']));
+    $p = $this->b64uEnc(json_encode($cfgOut, JSON_UNESCAPED_SLASHES));
+    $s = $this->b64uEnc(hash_hmac('sha256', "$h.$p", $secret, true));
+    $cfgOut['token'] = "$h.$p.$s";
+
+    // expose to client for preconnect/script load
+    $cfgOut['docs_api_js']          = $docsApiJs;
+    $cfgOut['documentServerOrigin'] = $docsOrigin;
+
+    echo json_encode($cfgOut, JSON_UNESCAPED_SLASHES);
+}
 
     /** POST /api/onlyoffice/callback.php?folder=...&file=...&exp=...&sig=... */
     public function callback(): void
@@ -343,41 +362,52 @@ private function ooLog(string $level, string $msg): void
 
     /** GET /api/onlyoffice/signed-download.php?tok=... */
     public function signedDownload(): void
-    {
-        header('X-Content-Type-Options: nosniff');
-        header('Cache-Control: no-store');
+{
+    header('X-Content-Type-Options: nosniff');
+    header('Cache-Control: no-store');
 
-        $secret = $this->effectiveSecret();
-        if ($secret === '') { http_response_code(403); return; }
+    $secret = $this->effectiveSecret();
+    if ($secret === '') { http_response_code(403); return; }
 
-        $tok = $_GET['tok'] ?? '';
-        if (!$tok || strpos($tok, '.') === false) { http_response_code(400); return; }
-        [$b64data, $b64sig] = explode('.', $tok, 2);
-        $data = $this->b64uDec($b64data);
-        $sig  = $this->b64uDec($b64sig);
-        if ($data === false || $sig === false) { http_response_code(400); return; }
+    $tok = $_GET['tok'] ?? '';
+    if (!$tok || strpos($tok, '.') === false) { http_response_code(400); return; }
+    [$b64data, $b64sig] = explode('.', $tok, 2);
+    $data = $this->b64uDec($b64data);
+    $sig  = $this->b64uDec($b64sig);
+    if ($data === false || $sig === false) { http_response_code(400); return; }
 
-        $calc = hash_hmac('sha256', $data, $secret, true);
-        if (!hash_equals($calc, $sig)) { http_response_code(403); return; }
+    $calc = hash_hmac('sha256', $data, $secret, true);
+    if (!hash_equals($calc, $sig)) { http_response_code(403); return; }
 
-        $payload = json_decode($data, true);
-        if (!$payload || !isset($payload['f'],$payload['n'],$payload['exp'])) { http_response_code(400); return; }
-        if (time() > (int)$payload['exp']) { http_response_code(403); return; }
+    $payload = json_decode($data, true);
+    if (!$payload || !isset($payload['f'],$payload['n'],$payload['exp'])) { http_response_code(400); return; }
+    if (time() > (int)$payload['exp']) { http_response_code(403); return; }
 
-        $folder = trim(str_replace('\\','/',$payload['f']),"/ \t\r\n");
-        if ($folder === '' || $folder === 'root') $folder = 'root';
-        $file   = basename((string)$payload['n']);
+    $folder = trim(str_replace('\\','/',$payload['f']),"/ \t\r\n");
+    if ($folder === '' || $folder === 'root') $folder = 'root';
+    $file   = basename((string)$payload['n']);
 
-        $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
-        $rel  = ($folder === 'root') ? '' : ($folder . '/');
-        $abs  = realpath($base . $rel . $file);
-        if (!$abs || !is_file($abs)) { http_response_code(404); return; }
-        if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); return; }
+    $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
+    $rel  = ($folder === 'root') ? '' : ($folder . '/');
+    $abs  = realpath($base . $rel . $file);
+    if (!$abs || !is_file($abs)) { http_response_code(404); return; }
+    if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); return; }
 
-        $mime = mime_content_type($abs) ?: 'application/octet-stream';
-        header('Content-Type: '.$mime);
-        header('Content-Length: '.filesize($abs));
-        header('Content-Disposition: inline; filename="' . rawurlencode($file) . '"');
-        readfile($abs);
+    // Common headers
+    $mime = mime_content_type($abs) ?: 'application/octet-stream';
+    $len  = filesize($abs);
+    header('Content-Type: '.$mime);
+    header('Content-Length: '.$len);
+    header('Content-Disposition: inline; filename="' . rawurlencode($file) . '"');
+    header('Accept-Ranges: none'); // OO doesn’t require ranges; avoids partial edge-cases
+
+    // ---- Key change: for HEAD, do NOT read the file ----
+    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'HEAD') {
+        // send headers only; no body
+        return;
     }
+
+    // GET → stream the file
+    readfile($abs);
+}
 }

src/models/FileModel.php

@@ -557,59 +557,104 @@ class FileModel {
      * @return array An associative array with either an "error" key or a "zipPath" key.
      */
     public static function createZipArchive($folder, $files) {
-        // Validate and build folder path.
-        $folder = trim($folder) ?: 'root';
+        // Purge old temp zips > 6h (best-effort)
+        $zipRoot = rtrim((string)META_DIR, '/\\') . DIRECTORY_SEPARATOR . 'ziptmp';
+        $now = time();
+        foreach ((glob($zipRoot . DIRECTORY_SEPARATOR . 'download-*.zip') ?: []) as $zp) {
+            if (is_file($zp) && ($now - (int)@filemtime($zp)) > 21600) { @unlink($zp); }
+        }
+    
+        // Normalize and validate target folder
+        $folder = trim((string)$folder) ?: 'root';
         $baseDir = realpath(UPLOAD_DIR);
         if ($baseDir === false) {
             return ["error" => "Uploads directory not configured correctly."];
         }
+    
         if (strtolower($folder) === 'root' || $folder === "") {
             $folderPathReal = $baseDir;
         } else {
-            // Prevent path traversal.
             if (strpos($folder, '..') !== false) {
                 return ["error" => "Invalid folder name."];
             }
-            $folderPath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . trim($folder, "/\\ ");
+            $parts = explode('/', trim($folder, "/\\ "));
+            foreach ($parts as $part) {
+                if ($part === '' || !preg_match(REGEX_FOLDER_NAME, $part)) {
+                    return ["error" => "Invalid folder name."];
+                }
+            }
+            $folderPath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
             $folderPathReal = realpath($folderPath);
             if ($folderPathReal === false || strpos($folderPathReal, $baseDir) !== 0) {
                 return ["error" => "Folder not found."];
             }
         }
-
-        // Validate each file and build an array of files to zip.
+    
+        // Collect files to zip (only regular files in the chosen folder)
         $filesToZip = [];
         foreach ($files as $fileName) {
-            // Validate file name using REGEX_FILE_NAME.
-            $fileName = basename(trim($fileName));
+            $fileName = basename(trim((string)$fileName));
             if (!preg_match(REGEX_FILE_NAME, $fileName)) {
                 continue;
             }
             $fullPath = $folderPathReal . DIRECTORY_SEPARATOR . $fileName;
-            if (file_exists($fullPath)) {
+            // Skip symlinks (avoid archiving outside targets via links)
+            if (is_link($fullPath)) {
+                continue;
+            }
+            if (is_file($fullPath)) {
                 $filesToZip[] = $fullPath;
             }
         }
         if (empty($filesToZip)) {
             return ["error" => "No valid files found to zip."];
         }
-
-        // Create a temporary ZIP file.
-        $tempZip = tempnam(sys_get_temp_dir(), 'zip');
-        unlink($tempZip); // Remove the temp file so that ZipArchive can create a new file.
-        $tempZip .= '.zip';
-
-        $zip = new ZipArchive();
-        if ($zip->open($tempZip, ZipArchive::CREATE) !== TRUE) {
+    
+        // Workspace on the big disk: META_DIR/ziptmp
+        $work = rtrim((string)META_DIR, '/\\') . DIRECTORY_SEPARATOR . 'ziptmp';
+        if (!is_dir($work)) { @mkdir($work, 0775, true); }
+        if (!is_dir($work) || !is_writable($work)) {
+            return ["error" => "ZIP temp dir not writable: " . $work];
+        }
+    
+        // Optional sanity: ensure there is roughly enough free space
+        $totalSize = 0;
+        foreach ($filesToZip as $fp) {
+            $sz = @filesize($fp);
+            if ($sz !== false) $totalSize += (int)$sz;
+        }
+        $free = @disk_free_space($work);
+        // Add ~20MB overhead and a 5% cushion
+        if ($free !== false && $totalSize > 0) {
+            $needed = (int)ceil($totalSize * 1.05) + (20 * 1024 * 1024);
+            if ($free < $needed) {
+                return ["error" => "Insufficient free space in ZIP workspace."];
+            }
+        }
+    
+        @set_time_limit(0);
+    
+        // Create the ZIP path inside META_DIR/ziptmp (libzip temp stays on same FS)
+        $zipName = 'download-' . date('Ymd-His') . '-' . bin2hex(random_bytes(4)) . '.zip';
+        $zipPath = $work . DIRECTORY_SEPARATOR . $zipName;
+    
+        $zip = new \ZipArchive();
+        if ($zip->open($zipPath, \ZipArchive::CREATE | \ZipArchive::OVERWRITE) !== true) {
             return ["error" => "Could not create zip archive."];
         }
-        // Add each file using its base name.
+    
         foreach ($filesToZip as $filePath) {
+            // Add using basename at the root of the zip (matches current behavior)
             $zip->addFile($filePath, basename($filePath));
         }
-        $zip->close();
-
-        return ["zipPath" => $tempZip];
+    
+        if (!$zip->close()) {
+            // Commonly indicates disk full at finalize
+            return ["error" => "Failed to finalize ZIP (disk full?)."];
+        }
+    
+        // Success: controller will readfile() and unlink()
+        return ["zipPath" => $zipPath];
     }
 
     /**
@@ -623,15 +668,23 @@ class FileModel {
         $errors = [];
         $allSuccess = true;
         $extractedFiles = [];
-
+    
+        // Config toggles
+        $SKIP_DOTFILES = defined('SKIP_DOTFILES_ON_EXTRACT') ? (bool)SKIP_DOTFILES_ON_EXTRACT : true;
+    
+        // Hard limits to mitigate zip-bombs (tweak via defines if you like)
+        $MAX_UNZIP_BYTES = defined('MAX_UNZIP_BYTES') ? (int)MAX_UNZIP_BYTES : (200 * 1024 * 1024 * 1024); // 200 GiB
+        $MAX_UNZIP_FILES = defined('MAX_UNZIP_FILES') ? (int)MAX_UNZIP_FILES : 20000;
+    
         $baseDir = realpath(UPLOAD_DIR);
         if ($baseDir === false) {
             return ["error" => "Uploads directory not configured correctly."];
         }
-
+    
         // Build target dir
         if (strtolower(trim($folder) ?: '') === "root") {
             $relativePath = "";
+            $folderNorm = "root";
         } else {
             $parts = explode('/', trim($folder, "/\\"));
             foreach ($parts as $part) {
@@ -640,9 +693,10 @@ class FileModel {
                 }
             }
             $relativePath = implode(DIRECTORY_SEPARATOR, $parts) . DIRECTORY_SEPARATOR;
+            $folderNorm   = implode('/', $parts); // normalized with forward slashes for metadata helpers
         }
-
-        $folderPath     = $baseDir . DIRECTORY_SEPARATOR . $relativePath;
+    
+        $folderPath = $baseDir . DIRECTORY_SEPARATOR . $relativePath;
         if (!is_dir($folderPath) && !mkdir($folderPath, 0775, true)) {
             return ["error" => "Folder not found and cannot be created."];
         }
@@ -650,17 +704,74 @@ class FileModel {
         if ($folderPathReal === false || strpos($folderPathReal, $baseDir) !== 0) {
             return ["error" => "Folder not found."];
         }
-
-        // Prepare metadata container
-        $metadataFile  = self::getMetadataFilePath($folder);
-        $destMetadata  = file_exists($metadataFile) ? (json_decode(file_get_contents($metadataFile), true) ?: []) : [];
-
+    
+        // Metadata cache per folder to avoid many reads/writes
+        $metaCache = [];
+        $getMeta = function(string $folderStr) use (&$metaCache) {
+            if (!isset($metaCache[$folderStr])) {
+                $mf = self::getMetadataFilePath($folderStr);
+                $metaCache[$folderStr] = file_exists($mf) ? (json_decode(file_get_contents($mf), true) ?: []) : [];
+            }
+            return $metaCache[$folderStr];
+        };
+        $putMeta = function(string $folderStr, array $meta) use (&$metaCache) {
+            $metaCache[$folderStr] = $meta;
+        };
+    
         $safeFileNamePattern = REGEX_FILE_NAME;
         $actor = $_SESSION['username'] ?? 'Unknown';
         $now   = date(DATE_TIME_FORMAT);
-
+    
+        // --- Helpers ---
+    
+        // Reject absolute paths, traversal, drive letters
+        $isUnsafeEntryPath = function(string $entry) : bool {
+            $e = str_replace('\\', '/', $entry);
+            if ($e === '' || str_contains($e, "\0")) return true;
+            if (str_starts_with($e, '/')) return true;                 // absolute nix path
+            if (preg_match('/^[A-Za-z]:[\\/]/', $e)) return true;      // Windows drive
+            if (str_contains($e, '../') || str_contains($e, '..\\')) return true;
+            return false;
+        };
+    
+        // Validate each subfolder name in the path using REGEX_FOLDER_NAME
+        $validEntrySubdirs = function(string $entry) : bool {
+            $e = trim(str_replace('\\', '/', $entry), '/');
+            if ($e === '') return true;
+            $dirs = explode('/', $e);
+            array_pop($dirs); // remove basename; we only validate directories here
+            foreach ($dirs as $d) {
+                if ($d === '' || !preg_match(REGEX_FOLDER_NAME, $d)) return false;
+            }
+            return true;
+        };
+    
+        // NEW: hidden path detector — true if ANY segment starts with '.'
+        $isHiddenDotPath = function(string $entry) : bool {
+            $e = trim(str_replace('\\', '/', $entry), '/');
+            if ($e === '') return false;
+            foreach (explode('/', $e) as $seg) {
+                if ($seg !== '' && $seg[0] === '.') return true;
+            }
+            return false;
+        };
+    
+        // Generalized metadata stamper: writes to the specified folder's metadata.json
+        $stampMeta = function(string $folderStr, string $basename) use (&$getMeta, &$putMeta, $actor, $now) {
+            $meta = $getMeta($folderStr);
+            $meta[$basename] = [
+                'uploaded' => $now,
+                'modified' => $now,
+                'uploader' => $actor,
+            ];
+            $putMeta($folderStr, $meta);
+        };
+    
+        // No PHP execution time limit during heavy work
+        @set_time_limit(0);
+    
         foreach ($files as $zipFileName) {
-            $zipBase = basename(trim($zipFileName));
+            $zipBase = basename(trim((string)$zipFileName));
             if (strtolower(substr($zipBase, -4)) !== '.zip') {
                 continue;
             }
@@ -669,76 +780,135 @@ class FileModel {
                 $allSuccess = false;
                 continue;
             }
-
+    
             $zipFilePath = $folderPathReal . DIRECTORY_SEPARATOR . $zipBase;
             if (!file_exists($zipFilePath)) {
                 $errors[] = "$zipBase does not exist in folder.";
                 $allSuccess = false;
                 continue;
             }
-
-            $zip = new ZipArchive();
-            if ($zip->open($zipFilePath) !== TRUE) {
+    
+            $zip = new \ZipArchive();
+            if ($zip->open($zipFilePath) !== true) {
                 $errors[] = "Could not open $zipBase as a zip file.";
                 $allSuccess = false;
                 continue;
             }
-
-            // Minimal Zip Slip guard: fail if any entry looks unsafe
+    
+            // ---- Pre-scan: safety and size limits + build allow-list (skip dotfiles) ----
             $unsafe = false;
+            $totalUncompressed = 0;
+            $fileCount = 0;
+            $allowedEntries = [];   // names to extract (files and/or directories)
+            $allowedFiles   = [];   // only files (for metadata stamping)
+    
             for ($i = 0; $i < $zip->numFiles; $i++) {
-                $entryName = $zip->getNameIndex($i);
-                if ($entryName === false) { $unsafe = true; break; }
-                // Absolute paths, parent traversal, or Windows drive paths
-                if (strpos($entryName, '../') !== false || strpos($entryName, '..\\') !== false ||
-                    str_starts_with($entryName, '/') || preg_match('/^[A-Za-z]:[\\\\\\/]/', $entryName)) {
+                $stat = $zip->statIndex($i);
+                $name = $zip->getNameIndex($i);
+                if ($name === false || !$stat) { $unsafe = true; break; }
+    
+                $isDir = str_ends_with($name, '/');
+    
+                // Basic path checks
+                if ($isUnsafeEntryPath($name) || !$validEntrySubdirs($name)) { $unsafe = true; break; }
+    
+                // Skip hidden entries (any segment starts with '.')
+                if ($SKIP_DOTFILES && $isHiddenDotPath($name)) {
+                    continue; // just ignore; do not treat as unsafe
+                }
+    
+                // Detect symlinks via external attributes (best-effort)
+                $mode = (isset($stat['external_attributes']) ? (($stat['external_attributes'] >> 16) & 0xF000) : 0);
+                if ($mode === 0120000) { // S_IFLNK
                     $unsafe = true; break;
                 }
+    
+                // Track limits only for files we're going to extract
+                if (!$isDir) {
+                    $fileCount++;
+                    $sz = isset($stat['size']) ? (int)$stat['size'] : 0;
+                    $totalUncompressed += $sz;
+                    if ($fileCount > $MAX_UNZIP_FILES || $totalUncompressed > $MAX_UNZIP_BYTES) {
+                        $unsafe = true; break;
+                    }
+                    $allowedFiles[] = $name;
+                }
+    
+                $allowedEntries[] = $name;
             }
+    
             if ($unsafe) {
                 $zip->close();
-                $errors[] = "$zipBase contains unsafe paths; extraction aborted.";
+                $errors[] = "$zipBase contains unsafe or oversized contents; extraction aborted.";
                 $allSuccess = false;
                 continue;
             }
-
-            // Extract safely (whole archive) after precheck
-            if (!$zip->extractTo($folderPathReal)) {
+    
+            // Nothing to extract after filtering?
+            if (empty($allowedEntries)) {
+                $zip->close();
+                // Treat as success (nothing visible to extract), but informatively note it
+                $errors[] = "$zipBase contained only hidden or unsupported entries.";
+                $allSuccess = false; // or keep true if you'd rather not mark as failure
+                continue;
+            }
+    
+            // ---- Extract ONLY the allowed entries ----
+            if (!$zip->extractTo($folderPathReal, $allowedEntries)) {
                 $errors[] = "Failed to extract $zipBase.";
                 $allSuccess = false;
                 $zip->close();
                 continue;
             }
-
-            // Stamp metadata for extracted regular files
-            for ($i = 0; $i < $zip->numFiles; $i++) {
-                $entryName = $zip->getNameIndex($i);
-                if ($entryName === false) continue;
-
-                $basename = basename($entryName);
+    
+            // ---- Stamp metadata for files in the target folder AND nested subfolders (allowed files only) ----
+            foreach ($allowedFiles as $entryName) {
+                // Normalize entry path for filesystem checks
+                $entryFsRel = str_replace(['\\'], '/', $entryName);
+                $entryFsRel = ltrim($entryFsRel, '/'); // ensure relative
+    
+                // Skip any directories (shouldn't be listed here, but defend anyway)
+                if ($entryFsRel === '' || str_ends_with($entryFsRel, '/')) continue;
+    
+                $basename = basename($entryFsRel);
                 if ($basename === '' || !preg_match($safeFileNamePattern, $basename)) continue;
-
-                // Only stamp files that actually exist after extraction
-                $target = $folderPathReal . DIRECTORY_SEPARATOR . $entryName;
-                $isDir  = str_ends_with($entryName, '/') || is_dir($target);
-                if ($isDir) continue;
-
-                $extractedFiles[] = $basename;
-                $destMetadata[$basename] = [
-                    'uploaded' => $now,
-                    'modified' => $now,
-                    'uploader' => $actor,
-                    // no tags by default
-                ];
+    
+                // Decide which folder's metadata to update:
+                // - top-level files -> $folderNorm
+                // - nested files    -> corresponding "<folderNorm>/<sub/dir>" (or "sub/dir" if folderNorm is 'root')
+                $relDir = str_replace('\\', '/', trim(dirname($entryFsRel), '.'));
+                $relDir = ($relDir === '.' ? '' : trim($relDir, '/'));
+    
+                $targetFolderNorm = ($relDir === '' || $relDir === '.')
+                    ? $folderNorm
+                    : (($folderNorm === 'root') ? $relDir : ($folderNorm . '/' . $relDir));
+    
+                // Only stamp if the file actually exists on disk after extraction
+                $targetAbs = $folderPathReal . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $entryFsRel);
+                if (is_file($targetAbs)) {
+                    // Preserve list behavior: only include top-level extracted names
+                    if ($relDir === '' || $relDir === '.') {
+                        $extractedFiles[] = $basename;
+                    }
+                    $stampMeta($targetFolderNorm, $basename);
+                }
             }
+    
             $zip->close();
         }
-
-        if (file_put_contents($metadataFile, json_encode($destMetadata, JSON_PRETTY_PRINT), LOCK_EX) === false) {
-            $errors[] = "Failed to update metadata.";
-            $allSuccess = false;
+    
+        // Persist metadata for any touched folder(s)
+        foreach ($metaCache as $folderStr => $meta) {
+            $metadataFile = self::getMetadataFilePath($folderStr);
+            if (!is_dir(dirname($metadataFile))) {
+                @mkdir(dirname($metadataFile), 0775, true);
+            }
+            if (file_put_contents($metadataFile, json_encode($meta, JSON_PRETTY_PRINT), LOCK_EX) === false) {
+                $errors[] = "Failed to update metadata for {$folderStr}.";
+                $allSuccess = false;
+            }
         }
-
+    
         return $allSuccess
             ? ["success" => true, "extractedFiles" => $extractedFiles]
             : ["success" => false, "error" => implode(" ", $errors)];

src/models/MediaModel.php

@@ -0,0 +1,94 @@
+<?php
+// src/models/MediaModel.php
+declare(strict_types=1);
+
+require_once PROJECT_ROOT . '/config/config.php';
+require_once PROJECT_ROOT . '/src/lib/ACL.php';
+
+class MediaModel
+{
+    private static function baseDir(): string {
+        $dir = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR . 'user_state';
+        if (!is_dir($dir)) @mkdir($dir, 0775, true);
+        return $dir . DIRECTORY_SEPARATOR;
+    }
+
+    private static function filePathFor(string $username): string {
+        // case-insensitive username file
+        $safe = strtolower(preg_replace('/[^a-z0-9_\-\.]/i', '_', $username));
+        return self::baseDir() . $safe . '_media.json';
+    }
+
+    private static function loadState(string $username): array {
+        $path = self::filePathFor($username);
+        if (!file_exists($path)) return ["version"=>1, "items"=>[]];
+        $json = file_get_contents($path);
+        $data = json_decode($json, true);
+        return (is_array($data) && isset($data['items'])) ? $data : ["version"=>1, "items"=>[]];
+    }
+
+    private static function saveState(string $username, array $state): bool {
+        $path = self::filePathFor($username);
+        $tmp  = $path . '.tmp';
+        $ok   = file_put_contents($tmp, json_encode($state, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT), LOCK_EX);
+        if ($ok === false) return false;
+        return @rename($tmp, $path);
+    }
+
+    /** Save/merge a single file progress record. */
+    public static function saveProgress(string $username, string $folder, string $file, float $seconds, ?float $duration, ?bool $completed): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $nowIso    = date('c');
+
+        $state = self::loadState($username);
+        if (!isset($state['items'][$folderKey])) $state['items'][$folderKey] = [];
+        if (!isset($state['items'][$folderKey][$file])) {
+            $state['items'][$folderKey][$file] = [
+                "seconds"   => 0,
+                "duration"  => $duration ?? 0,
+                "completed" => false,
+                "updatedAt" => $nowIso
+            ];
+        }
+
+        $row =& $state['items'][$folderKey][$file];
+        if ($duration !== null && $duration > 0) $row['duration'] = $duration;
+        if ($seconds >= 0) $row['seconds'] = $seconds;
+        if ($completed !== null) $row['completed'] = (bool)$completed;
+        // auto-complete if we’re basically done
+        if (!$row['completed'] && $row['duration'] > 0 && $row['seconds'] >= max(0, $row['duration'] * 0.95)) {
+            $row['completed'] = true;
+        }
+        $row['updatedAt'] = $nowIso;
+
+        self::saveState($username, $state);
+        return $row;
+    }
+
+    /** Get a single file progress record. */
+    public static function getProgress(string $username, string $folder, string $file): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        $row   = $state['items'][$folderKey][$file] ?? null;
+        return is_array($row) ? $row : ["seconds"=>0,"duration"=>0,"completed"=>false,"updatedAt"=>null];
+    }
+
+    /** Folder map: filename => {seconds,duration,completed,updatedAt} */
+    public static function getFolderMap(string $username, string $folder): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        $items = $state['items'][$folderKey] ?? [];
+        return is_array($items) ? $items : [];
+    }
+
+    /** Clear one file’s progress (e.g., “mark unviewed”). */
+    public static function clearProgress(string $username, string $folder, string $file): bool {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        if (isset($state['items'][$folderKey][$file])) {
+            unset($state['items'][$folderKey][$file]);
+            return self::saveState($username, $state);
+        }
+        return true;
+    }
+}