Direct upload via public API with hidden share (Alternative 1 of 2)

[Kharonus]

As a developer integrating a Web application with Nextcloud
I want to offer direct file uploads to specific folders in Nextcloud right from my application's frontend
so that I don't need to use my backend as a proxy and save resources (connections, band-width, ...)

Alternative to: #35262

Description

• It has a similar workflow like the direct download feature.
  • From any authorized instance (e.g. backend server with OAuth 2 connection to NC) fetch a token or URL.
    • create a share on the folder that only allows uploading
    • the share is hidden from the Nextcloud frontend
    • the share has a default expiration date (configurable)
    • allows sharing the root folder of the user (currently creating shares on root folders is not allowed)
  • Give that to another, not authorized client (e.g. some frontend application running in a browser).
  • Execute upload from that client:
    • e.g. pick a file from within the browser's file picker
    • put file blob as raw data in request body
    • send request to given URL containing shared token

Requirements

• There is a private endpoint that can get requested to provide an upload URL of any file to a specific location as a authenticated user.
• There is a public endpoint behind the provided upload URL, that can get requested without authorization header.
• The upload URL must expire per default.
• The upload URL must not allow the user to change the upload location nor the uploading user id.

Known advantages over alternative #35262

• close to existing public shares functionality
• no exposure of any user credentials to unauthorized clients

Known disadvantages regarding alternative #35262

• Currently the public API does not support chunked uploads, which limits the file size by any means (i.e. request body size limit, web server timeout, reverse proxy body size limits, ...)

for the attention of

@julien-nc
@PVince81

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

[julien-nc]

@PVince81 One idea was to add a new share type which has those restrictions and extends the public share type, right?

[PVince81]

@PVince81 One idea was to add a new share type which has those restrictions and extends the public share type, right?

yes, in general that would make it invisible already to users.
might need to add it in many places where the share type public link is visible

also: make sure the regular OCS Sharing API does not allow creating/managing it, only PHP level

[solonovamax]

I'd like to mention: this is similar to a feature that exists in ownCloud Infinite Scale called "Secret File Drop"

it is described as "Anyone with the link can upload, existing content is not revealed"

so, an example usecase of this would be:

A teacher wants to allow their students to upload their essays to Nextcloud. However, the teacher does not want each student to be able to see other students' files.
So, they could create a "secret file drop" share, which would allow students to upload their essays, but would not let them see the other students' essays. Once a file is uploaded, the student would be able to see it in the UI until the page is refreshed. (alternatively: add a session cookie, so that the student can still see the file they uploaded even if they refresh, but still cannot see other files)