README typos

Co-authored-by: aider (gemini/gemini-2.5-pro) <aider@aider.chat>

.env.example

@@ -9,10 +9,11 @@ TIMEZONE=America/Edmonton
 PUBLIC_UPLOAD_PAGE_ENABLED=true
 
 # Local dedupe cache (SQLite)
-STATE_DB=./data/state.db
+#STATE_DB=./data/state.db
 
-# Base URL for generating absolute invite links (recommended for production)
-# e.g., PUBLIC_BASE_URL=https://photos.example.com
+# Base URL for generating absolute invite links
+# Recommended for production, also sets CORS headers
+# e.g., PUBLIC_BASE_URL=https://upload.example.com
 #PUBLIC_BASE_URL=
 
 LOG_LEVEL=INFO
@@ -27,5 +28,8 @@ CHUNK_SIZE_MB=50
 # create a bot using @BotFather then copy the API key here
 # get your account's ID by messaging https://t.me/userinfobot
 # Leave these blank to disable
+# Example:
+#     TELEGRAM_BOT_API_KEY=1234567890:ABCDefghIjKlmnOPQRsT-UVWXyzABCdefGH
+#     TELEGRAM_BOT_OWNER_ID=12345678
 TELEGRAM_BOT_API_KEY=
 TELEGRAM_BOT_OWNER_ID=

Dockerfile

@@ -8,8 +8,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 
 # Install Python deps
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt \
-    && pip install --no-cache-dir python-multipart
+RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy app code
 COPY . /file_drop

README.md

@@ -1,18 +1,19 @@
 # File Drop Uploader
 
-A tiny web app for collecting files and media and saving them to the local filesystem.
-Admin users log in to create public invite links; invite links are always public-by-URL. A public uploader page is optional and enabled by default.
+A self-hosted web app for uploading files and media and saving them to the filesystem on your server.
+Useful for letting people upload vacation photos, etc. just by sending them a link.
 
-Forked from "Immich Drop Uploader": https://github.com/Nasogaa/immich-drop
+Admin user can create invite links with optional limits and password protection. A public uploader page is optional and enabled by default.
 
-![File Drop Uploader Dark Mode UI](./screenshot.png)
+[View Screenshots](screenshots.md)
 
 ## Features
 
-- **Local Saving:** All uploaded files are saved to the local filesystem.
-- **Invite Links:** Create public-by-URL links for uploads; one-time or multi-use.
+- **Local Saving:** All uploaded files are saved to the server's local filesystem.
+- **Drag and Drop:** Upload multiple files and folders by dragging them onto the page.
+- **Invite Links:** Create sharable links for uploads; one-time or multi-use.
 - **Manage Links:** Search/sort, enable/disable, delete, edit name/expiry.
-- **Passwords (optional):** Protect invites with a password gate.
+- **Passwords (optional):** Protect invite links with a password.
 - **Albums:** Upload into a specific folder (auto-create supported). Preserves client-side folder structure on upload.
 - **Duplicate Prevention:** Local SHA‑1 cache prevents re-uploading the same file.
 - **Telegram Notifications (optional):** Get notified via Telegram when upload batches are complete.
@@ -26,7 +27,9 @@ Clone the repo.
 
 Copy `.env.example` to `.env` and edit.
 
-### docker-compose.yml
+### Docker Compose
+
+Create `docker-compose.yml` and edit:
 
 ```yaml
 services:
@@ -49,17 +52,87 @@ services:
       start_period: 10s
 ```
 
+Start the service:
+
 ```bash
 $ sudo docker compose up --build -d
 ```
 
+Set up nginx / a reverse proxy and point it to the web app.
+
+Make sure it allows WebSocket connections through, for example:
+
+```
+server {
+    root /var/www/html;
+    index index.html index.htm;
+    server_name upload.example.com;
+
+    listen 80;
+
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://127.0.0.1:8080/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+		# websockets
+		proxy_http_version 1.1;
+		proxy_set_header   Upgrade    $http_upgrade;
+		proxy_set_header   Connection "upgrade";
+		proxy_redirect     off;
+    }
+}
+```
+
+Then restart nginx and set up HTTPS:
+
+```
+$ sudo service nginx restart
+$ sudo certbot --nginx
+```
+
+
+### Config Changes
+
+If you change the `.env` file config, simply run:
+
+```bash
+$ sudo docker compose down
+$ sudo docker compose up --build -d
+```
+
+### Updating
+
+To update the code:
+
+```bash
+$ sudo docker compose down
+$ git pull --rebase
+$ sudo docker compose up --build -d
+```
+
+### Telegram Bot
+
+An optional Telegram bot can send you notifications when uploads complete. This is useful to see if random people are filling your disk up.
+
+To create a bot, message @BotFather on Telegram. Come up with a name and username. Botfather will then send you an API key you can paste into the `.env` config directly.
+
+Next you'll need to find your own Telegram user ID. You can message @userinfobot and it will reply with your ID. Beware of impersonator bots (they have the name "userinfobot" but a different username).
+
+Then message the bot you just created "/start" so that it's able to interact with you.
+
+
 ### Chunked Uploads
 
 - Chunked uploads are enabled by default. Uses setting `CHUNKED_UPLOADS_ENABLED=true`.
 - Configure chunk size with `CHUNK_SIZE_MB` (default: `50`). The client only uses chunked mode for files larger than this.
 - Intended to bypass upstream proxy limits (e.g., 100MB) while preserving duplicate checks, EXIF timestamps, album add, and per‑item progress via WebSocket.
 
-## Developtment
+## Development
 
 ### Architecture
 
@@ -70,11 +143,22 @@ $ sudo docker compose up --build -d
   - WebSocket `/ws` pushes per‑item progress to the current browser session only.
 - **Persistence:** A local SQLite database (`state.db`) prevents re‑uploads across sessions. Uploaded files are stored in `/data/uploads`.
 
-### Requirements
+### Setup
 
-- **Python** 3.11
+Requires Python 3.11+.
 
-### Local dev quickstart
+Create a venv, activate it, and install:
+
+```text
+$ virtualenv -p python3 env
+$ source env/bin/activate
+(env) $ pip install -r requirements.txt
+```
+
+```text
+(env) $ cp .env.example .env
+(env) $ vim .env
+```
 
 Run with live reload:
 
@@ -82,54 +166,30 @@ Run with live reload:
 python main.py
 ```
 
-The backend contains docstrings so you can generate docs later if desired.
-
-### Dev Configuration (.env)
-
-```ini
-# Server (dev only)
-HOST=0.0.0.0
-PORT=8080
-
-# Public uploader page (optional) — disabled by default
-PUBLIC_UPLOAD_PAGE_ENABLED=TRUE
-
-# Local dedupe cache (SQLite)
-STATE_DB=./data/state.db
-
-# Telegram Bot for notifications (optional)
-#TELEGRAM_BOT_API_KEY=
-#TELEGRAM_BOT_OWNER_ID=
-
-# Base URL for generating absolute invite links (recommended for production)
-# e.g., PUBLIC_BASE_URL=https://photos.example.com
-#PUBLIC_BASE_URL=
-
-# Session and security
-SESSION_SECRET=SET-A-STRONG-RANDOM-VALUE
-LOG_LEVEL=DEBUG
-
-# Chunked uploads (optional)
-CHUNKED_UPLOADS_ENABLED=true
-CHUNK_SIZE_MB=95
-
-```
-
-You can keep a checked‑in `/.env.example` with the keys above for onboarding.
-
 ### How it works
 
-1. **Queue** – Files selected in the browser are queued; each gets a client-side ID.
-2. **De-dupe (local)** – Server computes **SHA‑1** and checks `state.db`. If seen, marks as **duplicate**.
-3. **Save** – The file is saved to the local filesystem under `./data/uploads`.
-4. **Album** – If an album is specified via an invite link, or a folder name is provided on the public page, the file is saved into a corresponding subdirectory. Client-side folder structure is also preserved.
-5. **Progress** – Backend streams progress via WebSocket to the same session.
-6. **Privacy** – The UI shows only the current session's items. It does not provide a way to browse saved files.
+1. **Queue** - Files selected in the browser are queued; each gets a client-side ID.
+2. **De-dupe (local)** - Server computes **SHA‑1** and checks `state.db`. If seen, marks as **duplicate**.
+3. **Save** - The file is saved to the local filesystem under `./data/uploads`.
+4. **Album** - If an album is specified via an invite link, or a folder name is provided on the public page, the file is saved into a corresponding subdirectory. Client-side folder structure is also preserved.
+5. **Progress** - Backend streams progress via WebSocket to the same session.
+6. **Privacy** - The UI shows only the current session's items. It does not provide a way to browse saved files.
 
 ### Security notes
 
 - The menu and invite creation are behind login. Logout clears the session.
 - Invite links are public by URL; share only with intended recipients.
-- The default uploader page at `/` is disabled unless `PUBLIC_UPLOAD_PAGE_ENABLED=true`.
+- The public uploader page at `/` is enabled unless disabled with `PUBLIC_UPLOAD_PAGE_ENABLED=false`.
 - No browsing of uploaded media; only ephemeral session state is shown.
 - Run behind HTTPS with a reverse proxy and restrict CORS to your domain(s).
+
+## License
+
+This program is free and open-source software licensed under the MIT License. Please see the `LICENSE` file for details.
+
+That means you have the right to study, change, and distribute the software and source code to anyone and for any purpose. You deserve these rights.
+
+## Acknowledgements
+
+This project was forked from "Immich Drop Uploader" by Simon Adams: https://github.com/Nasogaa/immich-drop
+

app/app.py

@@ -41,16 +41,20 @@ from app.config import Settings, load_settings
 
 # ---- App & static ----
 app = FastAPI(title="Immich Drop Uploader (Python)")
+# Global settings (read-only at runtime)
+SETTINGS: Settings = load_settings()
+
+# CORS
+origins = ["*"]
+if SETTINGS.public_base_url:
+    origins = [SETTINGS.public_base_url.strip().rstrip('/')]
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
-
-# Global settings (read-only at runtime)
-SETTINGS: Settings = load_settings()
 _public_uploads_enabled_runtime = SETTINGS.public_upload_page_enabled
 
 

app/config.py

@@ -17,13 +17,13 @@ class Settings:
     """App settings loaded from environment variables (.env)."""
     admin_password: str
     max_concurrent: int
-    public_upload_page_enabled: bool = False
+    public_upload_page_enabled: bool = True
     public_base_url: str = ""
     state_db: str = ""
     session_secret: str = ""
     log_level: str = "INFO"
-    chunked_uploads_enabled: bool = False
-    chunk_size_mb: int = 95
+    chunked_uploads_enabled: bool = True
+    chunk_size_mb: int = 50
     timezone: str = "UTC"
     telegram_bot_api_key: str = ""
     telegram_bot_owner_id: str = ""
@@ -48,7 +48,8 @@ def load_settings() -> Settings:
         load_dotenv()
     except Exception:
         pass
-    admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
+
+    admin_password = os.getenv("ADMIN_PASSWORD", "test123") # Default for convenience, should be changed
     if not admin_password.startswith("pbkdf2_sha256-"):
         print("="*60)
         print("WARNING: ADMIN_PASSWORD is in plaintext.")
@@ -57,27 +58,34 @@ def load_settings() -> Settings:
         if hashed_pw:
             print(f"ADMIN_PASSWORD={hashed_pw}")
         print("="*60)
-    # Safe defaults: disable public uploader and invites unless explicitly enabled
+
     def as_bool(v: str, default: bool = False) -> bool:
         if v is None:
             return default
         return str(v).strip().lower() in {"1","true","yes","on"}
-    public_upload = as_bool(os.getenv("PUBLIC_UPLOAD_PAGE_ENABLED", "false"), False)
+
+    public_upload = as_bool(os.getenv("PUBLIC_UPLOAD_PAGE_ENABLED", "false"), True)
+
     try:
         maxc = int(os.getenv("MAX_CONCURRENT", "3"))
     except ValueError:
         maxc = 3
-    state_db = os.getenv("STATE_DB", "/data/state.db")
+
+    state_db = os.getenv("STATE_DB", "./data/state.db")
     session_secret = os.getenv("SESSION_SECRET") or secrets.token_hex(32)
     log_level = os.getenv("LOG_LEVEL", "INFO").upper()
-    chunked_uploads_enabled = as_bool(os.getenv("CHUNKED_UPLOADS_ENABLED", "false"), False)
+
+    chunked_uploads_enabled = as_bool(os.getenv("CHUNKED_UPLOADS_ENABLED", "false"), True)
     try:
-        chunk_size_mb = int(os.getenv("CHUNK_SIZE_MB", "95"))
+        chunk_size_mb = int(os.getenv("CHUNK_SIZE_MB", "50"))
     except ValueError:
-        chunk_size_mb = 95
+        chunk_size_mb = 50
+
     timezone = os.getenv("TIMEZONE", "UTC")
+
     telegram_bot_api_key = os.getenv("TELEGRAM_BOT_API_KEY", "")
     telegram_bot_owner_id = os.getenv("TELEGRAM_BOT_OWNER_ID", "")
+
     return Settings(
         admin_password=admin_password,
         max_concurrent=maxc,

screenshots.md

@@ -0,0 +1,21 @@
+# Screenshots
+
+## Public upload page
+
+![](media/public-uploader.png)
+
+## After uploading files
+
+![](media/after-uploading.png)
+
+## Admin page
+
+![](media/admin-page.png)
+
+## Invite link (with password)
+
+![](media/invite-page.png)
+
+## Telegram bot
+
+![](media/telegram-bot.png)