[RELEASE] v3.2.3-beta #278

Co-authored-by: Tommy Johnston <tommy@timmygstudios.com>

.gitignore

@@ -30,6 +30,7 @@ apps/server/dist/*
 
 #DEFAULT
 .env
+.steering
 data/
 
 node_modules/

Dockerfile

@@ -82,7 +82,7 @@ RUN addgroup --system --gid ${PALMR_GID} nodejs
 RUN adduser --system --uid ${PALMR_UID} --ingroup nodejs palmr
 
 # Create application directories 
-RUN mkdir -p /app/palmr-app /app/web /home/palmr/.npm /home/palmr/.cache
+RUN mkdir -p /app/palmr-app /app/web /app/infra /home/palmr/.npm /home/palmr/.cache
 RUN chown -R palmr:nodejs /app /home/palmr
 
 # === Copy Server Files to /app/palmr-app (separate from /app/server for bind mounts) ===
@@ -117,10 +117,13 @@ WORKDIR /app
 # Create supervisor configuration
 RUN mkdir -p /etc/supervisor/conf.d
 
-# Copy server start script
+# Copy server start script and configuration files
 COPY infra/server-start.sh /app/server-start.sh
+COPY infra/configs.json /app/infra/configs.json
+COPY infra/providers.json /app/infra/providers.json
+COPY infra/check-missing.js /app/infra/check-missing.js
 RUN chmod +x /app/server-start.sh
-RUN chown palmr:nodejs /app/server-start.sh
+RUN chown -R palmr:nodejs /app/server-start.sh /app/infra
 
 # Copy supervisor configuration
 COPY infra/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
@@ -133,10 +136,12 @@ set -e
 echo "Starting Palmr Application..."
 echo "Storage Mode: \${ENABLE_S3:-false}"
 echo "Secure Site: \${SECURE_SITE:-false}"
+echo "Encryption: \${DISABLE_FILESYSTEM_ENCRYPTION:-true}"
 echo "Database: SQLite"
 
 # Set global environment variables
 export DATABASE_URL="file:/app/server/prisma/palmr.db"
+export NEXT_PUBLIC_DEFAULT_LANGUAGE=\${DEFAULT_LANGUAGE:-en-US}
 
 # Ensure /app/server directory exists for bind mounts
 mkdir -p /app/server/uploads /app/server/temp-uploads /app/server/prisma

LICENSE

@@ -1,40 +1,190 @@
-Kyantech-Permissive License (Based on BSD 2-Clause)
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-Copyright (c) 2025, Daniel Luiz Alves (danielalves96) - Kyantech Solutions
-All rights reserved.
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Redistribution and use in source and binary forms, with or without
-modification, are permitted for any purpose — private, commercial,
-educational, governmental — **fully free and unrestricted**, provided
-that the following conditions are met:
+   1. Definitions.
 
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions, and the following disclaimer.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions, and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
 
-3. **If this software (or derivative works) is used in any public-facing
-   interface** — such as websites, apps, dashboards, admin panels, or
-   similar — a **simple credit** must appear in the footer or similar
-   location. The credit text should read:
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
 
-      > “Powered by Kyantech Solutions · https://kyantech.com.br”
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
 
-   This credit must be reasonably visible but **must not interfere** with
-   your UI, branding, or user experience. You may style it to match your
-   own design and choose its size, placement, or color.
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
 
----
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2025 Daniel Luiz Alves (danielalves96) - Kyantech Solutions, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -1,142 +1,154 @@
-# 🌴 Palmr. - Open-Source File Transfer
-
-<p align="center">
-  <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749825361/Group_47_1_bcx8gw.png" alt="Palmr Banner" style="width: 100%;"/>
-</p>
-
-**Palmr.** is a **flexible** and **open-source** alternative to file transfer services like **WeTransfer**, **SendGB**, **Send Anywhere**, and **Files.fm**.
-
-
-🔗 **For detailed documentation visit:** [Palmr. - Documentation](https://palmr.kyantech.com.br)
-
-## 📌 Why Choose Palmr.?
-
-- **Self-hosted** – Deploy on your own server or VPS.
-- **Full control** – No third-party dependencies, ensuring privacy and security.
-- **No artificial limits** – Share files without hidden restrictions or fees.
-- **Simple deployment** – SQLite database and filesystem storage for easy setup.
-- **Scalable storage** – Optional S3-compatible object storage for enterprise needs.
-
-## 🚀 Technologies Used
-
-### **Palmr.** is built with a focus on **performance**, **scalability**, and **security**.
-
-<div align="center">
-  <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1745548231/Palmr./Captura_de_Tela_2025-04-24_a%CC%80s_23.24.26_kr4hsl.png" style="width: 100%; border-radius: 15px;" />
-</div>
-
-
-### **Backend & API**
-- **Fastify (Node.js)** – High-performance API framework with built-in schema validation.
-- **SQLite** – Lightweight, reliable database with zero-configuration setup.
-- **Filesystem Storage** – Direct file storage with optional S3-compatible object storage.
-
-### **Frontend**
-- **NextJS 15 + TypeScript + Shadcn/ui** – Modern and fast web interface.
-
-
-## 🛠️ How It Works
-
-1. **Web Interface** → Built with Next, React and TypeScript for a seamless user experience.
-2. **Backend API** → Fastify handles requests and manages file operations.
-3. **Database** → SQLite stores metadata and transactional data with zero configuration.
-4. **Storage** → Filesystem storage ensures reliable file storage with optional S3-compatible object storage for scalability.
-
-## 📸 Screenshots
-
-<table>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Login_veq6e7.png" alt="Login Page" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Login Page</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Home_lzvfzu.png" alt="Home Page" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Home Page</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Dashboard_uycmxb.png" alt="Dashboard" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Dashboard</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Profile_wvnlzw.png" alt="Profile Page" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Profile Page</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Files_List_ztwr1e.png" alt="Files List View" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Files List View</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Files_Cards_pwsh5e.png" alt="Files Card View" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Files Card View</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824927/Shares_cgplgw.png" alt="Shares Management" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Shares Management</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Reive_Files_uhkeyc.png" alt="Receive Files" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Receive Files</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824927/Default_Reverse_xedmhw.png" alt="Reverse Share" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Reverse Share</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Settings_oampxr.png" alt="Settings Panel" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Settings Panel</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/User_Management_xjbfhn.png" alt="User Management" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>User Management</strong>
-    </td>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Forgot_Password_jcz9ad.png" alt="Forgot Password" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Forgot Password</strong>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/WeTransfer_Reverse_u0g7eb.png" alt="Forgot Password" style="width: 100%; border-radius: 8px;" />
-      <br /><strong>Reverse Share (WeTransfer Style)</strong>
-    </td>
-  </tr>
-</table>
-
-
-## 👨‍💻 Core Maintainers
-
-| [**Daniel Luiz Alves**](https://github.com/danielalves96) |
-|------------------|
-| <img src="https://github.com/danielalves96.png" width="150px" alt="Daniel Luiz Alves" /> |
-
-</br>
-
-## 🤝 Supporters
-
-[<img src="https://i.ibb.co/nMN40STL/Repoflow.png" width="200px" alt="Daniel Luiz Alves" />](https://www.repoflow.io/)
-
-## ⭐ Star History
-
-  <a href="https://www.star-history.com/#kyantech/Palmr&Date">
-   <picture>
-     <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date&theme=dark" />
-     <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date" />
-     <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date" />
-   </picture>
-  </a>
-
-## 🛠️ Contributing
-
-For contribution guidelines, please refer to the [CONTRIBUTING.md](CONTRIBUTING.md) file.
-
+# 🌴 Palmr. - Open-Source File Transfer
+
+<p align="center">
+  <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749825361/Group_47_1_bcx8gw.png" alt="Palmr Banner" style="width: 100%;"/>
+</p>
+
+**Palmr.** is a **flexible** and **open-source** alternative to file transfer services like **WeTransfer**, **SendGB**, **Send Anywhere**, and **Files.fm**.
+
+<div align="center">
+  <div style="background: linear-gradient(135deg, #ff4757, #ff3838); padding: 20px; border-radius: 12px; margin: 20px 0; box-shadow: 0 4px 15px rgba(255, 71, 87, 0.3); border: 2px solid #ff3838;">
+    <h3 style="color: white; margin: 0 0 10px 0; font-size: 18px; font-weight: bold;">
+      ⚠️ BETA VERSION
+    </h3>
+    <p style="color: white; margin: 0; font-size: 14px; opacity: 0.95;">
+      <strong>This project is currently in beta phase.</strong><br>
+      Not recommended for production environments.
+    </p>
+  </div>
+</div>
+
+🔗 **For detailed documentation visit:** [Palmr. - Documentation](https://palmr.kyantech.com.br)
+
+## 📌 Why Choose Palmr.?
+
+- **Self-hosted** – Deploy on your own server or VPS.
+- **Full control** – No third-party dependencies, ensuring privacy and security.
+- **No artificial limits** – Share files without hidden restrictions or fees.
+- **Folder organization** – Create folders to organize and share files.
+- **Simple deployment** – SQLite database and filesystem storage for easy setup.
+- **Scalable storage** – Optional S3-compatible object storage for enterprise needs.
+
+## 🚀 Technologies Used
+
+### **Palmr.** is built with a focus on **performance**, **scalability**, and **security**.
+
+<div align="center">
+  <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1745548231/Palmr./Captura_de_Tela_2025-04-24_a%CC%80s_23.24.26_kr4hsl.png" style="width: 100%; border-radius: 15px;" />
+</div>
+
+
+### **Backend & API**
+- **Fastify (Node.js)** – High-performance API framework with built-in schema validation.
+- **SQLite** – Lightweight, reliable database with zero-configuration setup.
+- **Filesystem Storage** – Direct file storage with optional S3-compatible object storage.
+
+### **Frontend**
+- **NextJS 15 + TypeScript + Shadcn/ui** – Modern and fast web interface.
+
+
+## 🛠️ How It Works
+
+1. **Web Interface** → Built with Next, React and TypeScript for a seamless user experience.
+2. **Backend API** → Fastify handles requests and manages file operations.
+3. **Database** → SQLite stores metadata and transactional data with zero configuration.
+4. **Storage** → Filesystem storage ensures reliable file storage with optional S3-compatible object storage for scalability.
+
+## 📸 Screenshots
+
+<table>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Login_veq6e7.png" alt="Login Page" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Login Page</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Home_lzvfzu.png" alt="Home Page" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Home Page</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Dashboard_uycmxb.png" alt="Dashboard" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Dashboard</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824929/Profile_wvnlzw.png" alt="Profile Page" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Profile Page</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Files_List_ztwr1e.png" alt="Files List View" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Files List View</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Files_Cards_pwsh5e.png" alt="Files Card View" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Files Card View</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824927/Shares_cgplgw.png" alt="Shares Management" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Shares Management</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Reive_Files_uhkeyc.png" alt="Receive Files" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Receive Files</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824927/Default_Reverse_xedmhw.png" alt="Reverse Share" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Reverse Share</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Settings_oampxr.png" alt="Settings Panel" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Settings Panel</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/User_Management_xjbfhn.png" alt="User Management" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>User Management</strong>
+    </td>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/Forgot_Password_jcz9ad.png" alt="Forgot Password" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Forgot Password</strong>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="https://res.cloudinary.com/technical-intelligence/image/upload/v1749824928/WeTransfer_Reverse_u0g7eb.png" alt="Forgot Password" style="width: 100%; border-radius: 8px;" />
+      <br /><strong>Reverse Share (WeTransfer Style)</strong>
+    </td>
+  </tr>
+</table>
+
+
+## 👨‍💻 Core Maintainers
+
+| [**Daniel Luiz Alves**](https://github.com/danielalves96) |
+|------------------|
+| <img src="https://github.com/danielalves96.png" width="150px" alt="Daniel Luiz Alves" /> |
+
+</br>
+
+## 🤝 Supporters
+
+[<img src="https://i.ibb.co/nMN40STL/Repoflow.png" width="200px" alt="Daniel Luiz Alves" />](https://www.repoflow.io/)
+
+## ⭐ Star History
+
+  <a href="https://www.star-history.com/#kyantech/Palmr&Date">
+   <picture>
+     <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date&theme=dark" />
+     <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date" />
+     <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=kyantech/Palmr&type=Date" />
+   </picture>
+  </a>
+
+## 🛠️ Contributing
+
+For contribution guidelines, please refer to the [CONTRIBUTING.md](CONTRIBUTING.md) file.
+

apps/docs/.turbo/turbo-lint.log

@@ -1,5 +0,0 @@
-
-
-> palmr-docs@3.1-beta lint /Users/daniel/clones/Palmr/apps/docs
-> eslint "src/**/*.+(ts|tsx)"
-

apps/docs/content/docs/3.1-beta/oidc-authentication/meta.json

@@ -1,6 +0,0 @@
-{
-  "defaultOpen": false,
-  "icon": "Key",
-  "pages": ["index", "google", "discord", "github", "zitadel", "auth0", "authentik", "frontegg", "kinde-auth", "other"],
-  "title": "OIDC Authentication"
-}

apps/docs/content/docs/3.1-beta/quick-start.mdx

@@ -1,267 +0,0 @@
----
-title: Quick Start (Docker)
-icon: "Rocket"
----
-
-Welcome to the fastest way to deploy <span className="font-bold">Palmr.</span> - your secure, self-hosted file sharing solution. This guide will have you up and running in minutes, whether you're new to self-hosting or an experienced developer.
-
-Palmr. offers flexible deployment options to match your infrastructure needs. This guide focuses on Docker deployment with our recommended filesystem storage, perfect for most use cases.
-
-## Prerequisites
-
-Ensure you have the following installed on your system:
-
-- **Docker** - Container runtime ([installation guide](https://docs.docker.com/get-docker/))
-- **Docker Compose** - Multi-container orchestration ([installation guide](https://docs.docker.com/compose/install/))
-
-> **Platform Support**: Palmr. is developed on macOS and extensively tested on Linux servers. While we haven't formally tested other platforms, Docker's cross-platform nature should ensure compatibility. Report any issues on our [GitHub repository](https://github.com/kyantech/Palmr/issues).
-
-## Storage Options
-
-Palmr. supports two storage approaches for persistent data:
-
-### Named Volumes (Recommended)
-
-**Best for**: Production environments, automated deployments
-
-- ✅ **Managed by Docker**: No permission issues or manual path management
-- ✅ **Optimized Performance**: Docker-native storage optimization
-- ✅ **Cross-platform**: Consistent behavior across operating systems
-- ✅ **Simplified Backups**: Docker volume commands for backup/restore
-
-### Bind Mounts
-
-**Best for**: Development, direct file access requirements
-
-- ✅ **Direct Access**: Files stored in local directory you specify
-- ✅ **Transparent Storage**: Direct filesystem access from host
-- ✅ **Custom Backup**: Use existing file system backup solutions
-- ⚠️ **Permission Considerations**: **Common Issue** - Requires UID/GID configuration (see troubleshooting below)
-
----
-
-## Option 1: Named Volumes (Recommended)
-
-Named volumes provide the best performance and are managed entirely by Docker.
-
-### Configuration
-
-Use the provided `docker-compose.yaml` for named volumes:
-
-```yaml
-services:
-  palmr:
-    image: kyantech/palmr:latest
-    container_name: palmr
-    environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
-      # - SECURE_SITE=false # Set to true if you are using a reverse proxy
-    ports:
-      - "5487:5487" # Web interface
-      - "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
-    volumes:
-      - palmr_data:/app/server # Named volume for the application data
-    restart: unless-stopped # Restart the container unless it is stopped
-
-volumes:
-  palmr_data:
-```
-
-> **Note:** If you haveing problem with uploading files, try to change the `PALMR_UID` and `PALMR_GID` to the UID and GID of the user running the container. You can find the UID and GID of the user running the container with the command `id -u` and `id -g`. in Linux systems the default user is `1000` and the default group is `1000`. For test you can add the environment variables below to the `docker-compose.yaml` file and restart the container.
-
-```yaml
-environment:
-  - PALMR_UID=1000 # UID for the container processes (default is 1001)
-  - PALMR_GID=1000 # GID for the container processes (default is 1001)
-```
-
-> **Note:** For more information about UID and GID, see our [UID/GID Configuration](/docs/3.1-beta/uid-gid-configuration) guide.
-
-### Deployment
-
-```bash
-docker-compose up -d
-```
-
----
-
-## Option 2: Bind Mounts
-
-Bind mounts store data in a local directory, providing direct file system access.
-
-### Configuration
-
-To use bind mounts, **replace the content** of your `docker-compose.yaml` with the following configuration (you can also reference `docker-compose-bind-mount-example.yaml` as a template):
-
-```yaml
-services:
-  palmr:
-    image: kyantech/palmr:latest
-    container_name: palmr
-    environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # CHANGE THIS KEY FOR SECURITY
-      # - SECURE_SITE=false # Set to true if you are using a reverse proxy
-      - PALMR_UID=1000 # UID for the container processes (default is 1001)
-      - PALMR_GID=1000 # GID for the container processes (default is 1001)
-    ports:
-      - "5487:5487" # Web port
-      - "3333:3333" # API port (OPTIONAL EXPOSED - ONLY IF YOU WANT TO ACCESS THE API DIRECTLY)
-    volumes:
-      # Bind mount for persistent data (uploads, database, temp files)
-      - ./data:/app/server # Local directory for the application data
-    restart: unless-stopped # Restart the container unless it is stopped
-```
-
-### Deployment
-
-```bash
-docker-compose up -d
-```
-
-> **Permission Configuration**: If you encounter permission issues with bind mounts (common on NAS systems), see our [UID/GID Configuration](/docs/3.1-beta/uid-gid-configuration) guide for automatic permission handling.
-
----
-
-## Environment Variables
-
-Configure Palmr. behavior through environment variables:
-
-| Variable         | Default | Description                                             |
-| ---------------- | ------- | ------------------------------------------------------- |
-| `ENABLE_S3`      | `false` | Enable S3-compatible storage                            |
-| `ENCRYPTION_KEY` | -       | **Required**: Minimum 32 characters for file encryption |
-| `SECURE_SITE`    | `false` | Enable secure cookies for HTTPS/reverse proxy setups    |
-
-> **⚠️ Security Warning**: Always change the `ENCRYPTION_KEY` in production. This key encrypts your files - losing it makes files permanently inaccessible.
-
-> **🔗 Reverse Proxy**: If deploying behind a reverse proxy (Traefik, Nginx, etc.), set `SECURE_SITE=true` and review our [Reverse Proxy Configuration](/docs/3.1-beta/reverse-proxy-configuration) guide for proper setup.
-
-### Generate Secure Encryption Keys
-
-Need a strong key for `ENCRYPTION_KEY`? Use our built-in generator to create cryptographically secure keys:
-
-<KeyGenerator />
-
----
-
-## Accessing Palmr.
-
-Once deployed, access Palmr. through your web browser:
-
-- **Local**: `http://localhost:5487`
-- **Server**: `http://YOUR_SERVER_IP:5487`
-
-### API Access (Optional)
-
-If you exposed port 3333 in your configuration, you can also access:
-
-- **API Documentation**: `http://localhost:3333/docs` (local) or `http://YOUR_SERVER_IP:3333/docs` (server)
-- **API Endpoints**: Available at `http://localhost:3333` (local) or `http://YOUR_SERVER_IP:3333` (server)
-
-> **📚 Learn More**: For complete API documentation, authentication, and integration examples, see our [API Reference](/docs/3.1-beta/api) guide.
-
-> **💡 Production Tip**: For production deployments, configure HTTPS with a valid SSL certificate for enhanced security.
-
----
-
-## Docker CLI Alternative
-
-Prefer using Docker directly? Both storage options are supported:
-
-**Named Volume:**
-
-```bash
-docker run -d \
-  --name palmr \
-  -e ENABLE_S3=false \
-  -e ENCRYPTION_KEY=your-secure-key-min-32-chars \
-  -p 5487:5487 \
-  -p 3333:3333 \
-  -v palmr_data:/app/server \
-  --restart unless-stopped \
-  kyantech/palmr:latest
-```
-
-**Bind Mount:**
-
-```bash
-docker run -d \
-  --name palmr \
-  -e ENABLE_S3=false \
-  -e ENCRYPTION_KEY=your-secure-key-min-32-chars \
-  -p 5487:5487 \
-  -p 3333:3333 \
-  -v $(pwd)/data:/app/server \
-  --restart unless-stopped \
-  kyantech/palmr:latest
-```
-
----
-
-## Maintenance
-
-### Updates
-
-Keep Palmr. current with the latest features and security fixes:
-
-```bash
-docker-compose pull
-docker-compose up -d
-```
-
-### Backup & Restore
-
-The backup method depends on which storage option you're using:
-
-**Named Volume Backup:**
-
-```bash
-docker run --rm \
-  -v palmr_data:/data \
-  -v $(pwd):/backup \
-  alpine tar czf /backup/palmr-backup.tar.gz -C /data .
-```
-
-**Named Volume Restore:**
-
-```bash
-docker run --rm \
-  -v palmr_data:/data \
-  -v $(pwd):/backup \
-  alpine tar xzf /backup/palmr-backup.tar.gz -C /data
-```
-
-**Bind Mount Backup:**
-
-```bash
-tar czf palmr-backup.tar.gz ./data
-```
-
-**Bind Mount Restore:**
-
-```bash
-tar xzf palmr-backup.tar.gz
-```
-
----
-
-## Next Steps
-
-Your Palmr. instance is now ready! Explore additional configuration options:
-
-### Advanced Configuration
-
-- **[UID/GID Configuration](/docs/3.1-beta/uid-gid-configuration)** - Configure user permissions for NAS systems and custom environments
-- **[S3 Storage](/docs/3.1-beta/s3-configuration)** - Scale with Amazon S3 or compatible storage providers
-- **[Manual Installation](/docs/3.1-beta/manual-installation)** - Manual installation and custom configurations
-
-### Integration & Development
-
-- **[API Reference](/docs/3.1-beta/api)** - Integrate Palmr. with your applications
-- **[Architecture Guide](/docs/3.1-beta/architecture)** - Understanding Palmr. components and design
-
----
-
-Need help? Visit our [GitHub Issues](https://github.com/kyantech/Palmr/issues) or community discussions.

apps/docs/content/docs/3.2-beta/api.mdx

@@ -30,8 +30,6 @@ services:
 ```bash
 docker run -d \
   --name palmr \
-  -e ENABLE_S3=false \
-  -e ENCRYPTION_KEY=change-this-key-in-production-min-32-chars \
   -p 5487:5487 \
   -p 3333:3333 \
   -v palmr_data:/app/server \
@@ -107,6 +105,12 @@ The Palmr. API provides comprehensive access to all platform features:
 - **File management** - Rename, delete, and organize files
 - **Metadata access** - Retrieve file information and properties
 
+### Folder operations
+
+- **Create folders** - Build folder structures for organization
+- **Folder management** - Rename, move, delete folders
+- **Folder sharing** - Share folders with same controls as files
+
 ### Share management
 
 - **Create shares** - Generate public links for file sharing

apps/docs/content/docs/3.2-beta/architecture.mdx

@@ -43,6 +43,16 @@ Palmr. uses **filesystem storage** as the default storage solution, keeping thin
 - Excellent performance for local file operations
 - Optional S3-compatible storage support for cloud deployments and scalability
 
+#### Performance Considerations with Encryption
+
+By default, filesystem storage operates without encryption for optimal performance, providing fast uploads and downloads with minimal CPU overhead. This approach is ideal for most use cases where performance is prioritized.
+
+If you need to protect sensitive files at rest, you can enable encryption by setting `DISABLE_FILESYSTEM_ENCRYPTION=false` and providing an `ENCRYPTION_KEY` in your configuration. When enabled, Palmr uses AES-256-CBC encryption, which adds CPU overhead during uploads (encryption) and downloads (decryption), particularly for large files or in resource-constrained environments like containers or low-end VMs.
+
+For optimal performance with encryption enabled, ensure your hardware supports AES-NI acceleration (check with `cat /proc/cpuinfo | grep aes` on Linux).
+
+As an alternative, consider using S3-compatible object storage (e.g., AWS S3 or MinIO), which can offload file storage from the local filesystem and potentially reduce local CPU overhead for encryption/decryption. See [S3 Providers](/docs/3.2-beta/s3-providers) for setup instructions.
+
 ### Fastify + Zod + TypeScript
 
 The backend of Palmr. is powered by **Fastify**, **Zod**, and **TypeScript**, creating a robust and type-safe API layer. Fastify is a super-fast Node.js web framework optimized for performance and low overhead, designed to handle lots of concurrent requests with minimal resource usage. Zod provides runtime type validation and schema definition, ensuring all incoming data is properly validated before reaching business logic. TypeScript adds compile-time type safety throughout the entire backend codebase. This combination creates a highly reliable and maintainable backend that prevents bugs and security issues while maintaining excellent performance.
@@ -117,7 +127,7 @@ Palmr. is designed to be flexible in how you handle file storage:
 
 **Optional S3-compatible storage:**
 
-- Enable S3 storage by setting `ENABLE_S3=true`, look at [S3 Providers](/docs/3.1-beta/s3-providers) for more information.
+- Enable S3 storage by setting `ENABLE_S3=true`, look at [S3 Providers](/docs/3.2-beta/s3-providers) for more information.
 - Compatible with AWS S3, MinIO, and other S3-compatible services
 - Ideal for cloud deployments and distributed setups
 - Provides additional scalability and redundancy options

apps/docs/content/docs/3.2-beta/download-memory-management.mdx

@@ -0,0 +1,391 @@
+---
+title: Memory Management
+icon: Download
+---
+
+import { Callout } from "fumadocs-ui/components/callout";
+import { Tab, Tabs } from "fumadocs-ui/components/tabs";
+
+Palmr implements an intelligent memory management system that prevents crashes during large file downloads (3GB+ by default), maintaining unlimited download capacity through adaptive resource control and an automatic queue system.
+
+## How It Works
+
+### Automatic Resource Detection
+
+The system automatically detects available container/system memory and configures appropriate limits based on available infrastructure:
+
+```typescript
+const totalMemoryGB = require("os").totalmem() / 1024 ** 3;
+```
+
+### System Configuration
+
+The system supports two configuration approaches that you can choose based on your needs:
+
+<Tabs items={["Manual Configuration", "Auto-scaling (Default)"]}>
+  <Tab value="Manual Configuration">
+    Manually configure all parameters for total control over the system:
+
+    ```bash
+    # Custom configuration (overrides auto-scaling)
+    DOWNLOAD_MAX_CONCURRENT=8              # Maximum simultaneous downloads
+    DOWNLOAD_MEMORY_THRESHOLD_MB=1536      # Memory threshold in MB
+    DOWNLOAD_QUEUE_SIZE=40                 # Maximum queue size
+    DOWNLOAD_AUTO_SCALE=false              # Disable auto-scaling
+    ```
+
+    <Callout>
+      Manual configuration offers total control and predictability for specific environments where you know exactly the available resources.
+    </Callout>
+
+  </Tab>
+  <Tab value="Auto-scaling (Default)">
+    Automatic configuration based on detected system memory:
+
+    | Available Memory | Concurrent Downloads | Memory Threshold | Queue Size | Recommended Use    |
+    |------------------|----------------------|-------------------|------------|--------------------|
+    | ≤ 2GB            | 1                    | 256MB            | 5          | Development        |
+    | 2GB - 4GB        | 2                    | 512MB            | 10         | Small Environment  |
+    | 4GB - 8GB        | 3                    | 1GB              | 15         | Standard Production|
+    | 8GB - 16GB       | 5                    | 2GB              | 25         | High Performance   |
+    | > 16GB           | 10                   | 4GB              | 50         | Enterprise         |
+
+    <Callout>
+      Auto-scaling automatically adapts to different environments without manual configuration, perfect for flexible deployment.
+    </Callout>
+
+  </Tab>
+</Tabs>
+
+<Callout type="info">If environment variables are configured, they take **priority** over auto-scaling.</Callout>
+
+## Download Queue System
+
+### How It Works
+
+The memory management system only activates for files larger than the configured minimum size (3GB by default). Smaller files bypass the queue system entirely and download immediately without memory management.
+
+When a user requests a download for a large file but all slots are occupied, the system automatically queues the download instead of returning a 429 error. The queue processes downloads in FIFO order (first in, first out).
+
+### Practical Example
+
+Consider a system with 8GB RAM (5 concurrent downloads, queue of 25, 3GB minimum) where users want to download files of various sizes:
+
+```bash
+# Small files (< 3GB): Bypass queue entirely
+[DOWNLOAD MANAGER] File document.pdf (0.05GB) below threshold (3.0GB), bypassing queue
+
+# Large files 1-5: Start immediately
+[DOWNLOAD MANAGER] Immediate start: 1734567890-abc123def
+[DOWNLOAD MANAGER] Starting video1.mp4 (5.2GB)
+
+# Large files 6-10: Automatically queued
+[DOWNLOAD MANAGER] Queued: 1734567891-def456ghi (Position: 1/25)
+[DOWNLOAD MANAGER] Queued file: video2.mp4 (8.1GB)
+
+# When download 1 finishes: download 6 starts automatically
+[DOWNLOAD MANAGER] Processing queue: 1734567891-def456ghi (4 remaining)
+[DOWNLOAD MANAGER] Starting queued file: video2.mp4 (8.1GB)
+```
+
+### System Benefits
+
+**User Experience**
+
+- Users don't receive errors, they simply wait in queue
+- Downloads start automatically when slots become available
+- Transparent operation without client changes
+- Fair processing order with FIFO queue
+
+**Technical Features**
+
+- Limited buffers (64KB per stream) for controlled memory usage
+- Automatic backpressure control with pipeline streams
+- Adaptive memory throttling based on usage patterns
+- Forced garbage collection after large downloads
+- Smart timeout handling (30 minutes for queued downloads)
+- Automatic cleanup of orphaned downloads every 30 seconds
+
+## Container Compatibility
+
+The system works with Docker, Kubernetes, and any containerized environment:
+
+<Tabs items={["Docker", "Kubernetes", "Docker Compose"]}>
+  <Tab value="Docker">
+
+    ```bash
+    # Example: Container with 8GB
+    docker run -m 8g palmr/server
+    # Result: 5 concurrent downloads, queue of 25, threshold 2GB
+    ```
+
+  </Tab>
+  <Tab value="Kubernetes">
+
+    ```yaml
+    apiVersion: apps/v1
+    kind: Deployment
+    spec:
+      template:
+        spec:
+          containers:
+          - name: palmr-server
+            resources:
+              limits:
+                memory: "4Gi"     # Detects 4GB
+                cpu: "2"
+              requests:
+                memory: "2Gi"
+                cpu: "1"
+    # Result: 3 concurrent downloads, queue of 15, threshold 1GB
+    ```
+
+  </Tab>
+  <Tab value="Docker Compose">
+
+    ```yaml
+    services:
+      palmr-server:
+        image: palmr/server
+        deploy:
+          resources:
+            limits:
+              memory: 16G       # Detects 16GB
+    # Result: 10 concurrent downloads, queue of 50, threshold 4GB
+    ```
+
+  </Tab>
+</Tabs>
+
+## Configuration
+
+### Environment Variables
+
+Configure the download memory management system using these environment variables:
+
+| Variable                       | Default    | Description                                           |
+| ------------------------------ | ---------- | ----------------------------------------------------- |
+| `DOWNLOAD_MAX_CONCURRENT`      | auto-scale | Maximum number of simultaneous downloads              |
+| `DOWNLOAD_MEMORY_THRESHOLD_MB` | auto-scale | Memory limit in MB before throttling                  |
+| `DOWNLOAD_QUEUE_SIZE`          | auto-scale | Maximum download queue size                           |
+| `DOWNLOAD_AUTO_SCALE`          | `true`     | Enable/disable auto-scaling based on system memory    |
+| `DOWNLOAD_MIN_FILE_SIZE_GB`    | `3.0`      | Minimum file size in GB to activate memory management |
+
+### Configuration Examples by Scenario
+
+<Tabs items={["Home Server", "Enterprise", "High Performance", "Conservative"]}>
+  <Tab value="Home Server">
+    Configuration optimized for personal use or small groups (4GB RAM):
+
+    ```bash
+    DOWNLOAD_MAX_CONCURRENT=2
+    DOWNLOAD_MEMORY_THRESHOLD_MB=1024
+    DOWNLOAD_QUEUE_SIZE=8
+    DOWNLOAD_MIN_FILE_SIZE_GB=2.0
+    DOWNLOAD_AUTO_SCALE=false
+    ```
+
+  </Tab>
+  <Tab value="Enterprise">
+    Configuration for corporate environments with multiple users (16GB RAM):
+
+    ```bash
+    DOWNLOAD_MAX_CONCURRENT=12
+    DOWNLOAD_MEMORY_THRESHOLD_MB=4096
+    DOWNLOAD_QUEUE_SIZE=60
+    DOWNLOAD_MIN_FILE_SIZE_GB=5.0
+    DOWNLOAD_AUTO_SCALE=false
+    ```
+
+  </Tab>
+  <Tab value="High Performance">
+    Configuration for maximum performance and throughput (32GB RAM):
+
+    ```bash
+    DOWNLOAD_MAX_CONCURRENT=20
+    DOWNLOAD_MEMORY_THRESHOLD_MB=8192
+    DOWNLOAD_QUEUE_SIZE=100
+    DOWNLOAD_MIN_FILE_SIZE_GB=10.0
+    DOWNLOAD_AUTO_SCALE=false
+    ```
+
+  </Tab>
+  <Tab value="Conservative">
+    For environments with limited or shared resources:
+
+    ```bash
+    DOWNLOAD_MAX_CONCURRENT=3
+    DOWNLOAD_MEMORY_THRESHOLD_MB=1024
+    DOWNLOAD_QUEUE_SIZE=15
+    DOWNLOAD_MIN_FILE_SIZE_GB=1.0
+    DOWNLOAD_AUTO_SCALE=false
+    ```
+
+  </Tab>
+</Tabs>
+
+### Additional Configuration
+
+For optimal performance with large downloads, consider these additional settings:
+
+```bash
+# Force garbage collection (recommended for large downloads)
+NODE_OPTIONS="--expose-gc"
+
+# Adjust timeout for very large downloads
+KEEP_ALIVE_TIMEOUT=300000
+REQUEST_TIMEOUT=0
+```
+
+## Monitoring and Logs
+
+### System Logs
+
+The system provides detailed logs to track operation:
+
+```bash
+[DOWNLOAD MANAGER] System Memory: 8.0GB, Max Concurrent: 5, Memory Threshold: 2048MB, Queue Size: 25
+[DOWNLOAD] Requesting slot for 1734567890-abc123def: video.mp4 (15.2GB)
+[DOWNLOAD MANAGER] Queued: 1734567890-abc123def (Position: 3/25)
+[DOWNLOAD MANAGER] Processing queue: 1734567890-abc123def (2 remaining)
+[DOWNLOAD] Starting 1734567890-abc123def: video.mp4 (15.2GB)
+[MEMORY THROTTLE] video.mp4 - Pausing stream due to high memory usage: 1843MB
+[DOWNLOAD] Applying throttling: 100ms delay for 1734567890-abc123def
+```
+
+### Configuration Validation
+
+The system automatically validates configurations at startup and provides warnings or errors:
+
+**Warnings**
+
+- `DOWNLOAD_MAX_CONCURRENT > 50`: May cause performance issues
+- `DOWNLOAD_MEMORY_THRESHOLD_MB < 128MB`: Downloads may be throttled frequently
+- `DOWNLOAD_MEMORY_THRESHOLD_MB > 16GB`: System may run out of memory
+- `DOWNLOAD_QUEUE_SIZE > 1000`: May consume significant memory
+- `DOWNLOAD_QUEUE_SIZE < DOWNLOAD_MAX_CONCURRENT`: Queue smaller than concurrent downloads
+
+**Errors**
+
+- `DOWNLOAD_MAX_CONCURRENT < 1`: Invalid value
+- `DOWNLOAD_QUEUE_SIZE < 1`: Invalid value
+
+## Queue Management APIs
+
+The system provides REST APIs to monitor and manage the download queue:
+
+### Get Queue Status
+
+```http
+GET /api/filesystem/download-queue/status
+```
+
+**Response:**
+
+```json
+{
+  "data": {
+    "queueLength": 3,
+    "maxQueueSize": 25,
+    "activeDownloads": 5,
+    "maxConcurrent": 5,
+    "queuedDownloads": [
+      {
+        "downloadId": "1734567890-abc123def",
+        "position": 1,
+        "waitTime": 45000,
+        "fileName": "video.mp4",
+        "fileSize": 16106127360
+      }
+    ]
+  },
+  "status": "success"
+}
+```
+
+### Cancel Download
+
+```http
+DELETE /api/filesystem/download-queue/{downloadId}
+```
+
+**Response:**
+
+```json
+{
+  "downloadId": "1734567890-abc123def",
+  "message": "Download cancelled successfully"
+}
+```
+
+### Clear Queue (Admin)
+
+```http
+DELETE /api/filesystem/download-queue
+```
+
+**Response:**
+
+```json
+{
+  "clearedCount": 8,
+  "message": "Download queue cleared successfully"
+}
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**Downloads failing with "Download queue is full"**
+
+_Cause:_ Too many simultaneous downloads with a full queue
+
+_Solutions:_
+
+- Wait for some downloads to finish
+- Check for orphaned downloads in queue
+- Consider increasing container resources
+- Use API to clear queue if necessary
+
+**Downloads stay too long in queue**
+
+_Cause:_ Active downloads are slow or stuck
+
+_Solutions:_
+
+- Check logs for orphaned downloads
+- Use API to cancel specific downloads
+- Check client network connections
+- Monitor memory throttling
+
+**Very slow downloads**
+
+_Cause:_ Active throttling due to high memory usage
+
+_Solutions:_
+
+- Check other processes consuming memory
+- Consider increasing container resources
+- Monitor throttling logs
+- Check number of simultaneous downloads
+
+## Summary
+
+This system enables unlimited downloads (including 50TB+ files) without compromising system stability through:
+
+**Key Features**
+
+- Auto-configuration based on available resources
+- Automatic FIFO queue system for pending downloads
+- Adaptive control of simultaneous downloads
+- Intelligent throttling when needed
+
+**System Benefits**
+
+- Management APIs to monitor and control queue
+- Automatic cleanup of resources and orphaned downloads
+- Full compatibility with Docker/Kubernetes
+- Perfect user experience with no 429 errors
+
+The system maintains high performance for small/medium files while preventing crashes with gigantic files, offering a seamless experience where users never see 429 errors, they simply wait in queue until their download starts automatically.

apps/docs/content/docs/3.2-beta/github-architecture.mdx

@@ -49,6 +49,7 @@ The frontend is organized with:
 - **Custom hooks** to isolate logic and side effects
 - A **route protection system** using session cookies and middleware
 - A **file management interface** integrated with the backend
+- **Folder support** for organizing files hierarchically
 - A **reusable modal system** used for file actions, confirmations, and more
 - **Dynamic, locale-aware routing** using next-intl
 
@@ -68,7 +69,7 @@ Data is stored in **SQLite**, which handles user info, file metadata, session to
 Key features include:
 
 - **Authentication/authorization** with JWT + cookie sessions
-- **File management logic** including uploads, deletes, and renames
+- **File management logic** including uploads, deletes, renames, and folders
 - **Storage operations** to handle file organization, usage tracking, and cleanup
 - A **share system** that generates tokenized public file links
 - Schema-based request validation for all endpoints
@@ -106,9 +107,10 @@ Volumes are used to persist data locally, and containers are networked together
 
 ### File management
 
-Files are at the heart of Palmr. Users can upload files via the frontend, and they're stored directly in the filesystem. The backend handles metadata (name, size, type, ownership), and also handles deletion, renaming, and public sharing. Every file operation is tracked, and all actions can be scoped per user.
+Files are at the heart of Palmr. Users can upload files via the frontend, and they're stored directly in the filesystem. Users can also create folders to organize files. The backend handles metadata (name, size, type, ownership), and also handles deletion, renaming, and public sharing. Every file operation is tracked, and all actions can be scoped per user.
 
 - Upload/download with instant feedback
+- Create and organize files in folders
 - File previews, type validation, and size limits
 - Token-based sharing system
 - Disk usage tracking by user

apps/docs/content/docs/3.2-beta/manual-installation.mdx

@@ -5,7 +5,7 @@ icon: Cog
 
 Hey there! Looking to run **Palmr.** your way, with complete control over every piece of the stack? This manual installation guide is for you. No Docker, no pre-built containers just the raw source code to tweak, customize, and deploy as you see fit.
 
-> **Prefer a quicker setup?** If this hands-on approach feels like overkill, check out our [**Quick Start (Docker)**](/docs/3.1-beta/quick-start) guide for a fast, containerized deployment. This manual path is tailored for developers who want to dive deep, modify the codebase, or integrate custom services.
+> **Prefer a quicker setup?** If this hands-on approach feels like overkill, check out our [**Quick Start (Docker)**](/docs/3.2-beta/quick-start) guide for a fast, containerized deployment. This manual path is tailored for developers who want to dive deep, modify the codebase, or integrate custom services.
 
 Here's what you'll do at a glance:
 
@@ -165,6 +165,27 @@ cp .env.example .env
 
 This creates a `.env` file with the necessary configurations for the frontend.
 
+##### Upload Configuration
+
+Palmr. supports configurable chunked uploading for large files. You can customize the chunk size by setting the following environment variable in your `.env` file:
+
+```bash
+NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB=100
+```
+
+**How it works:**
+
+- If `NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB` is set, Palmr. will use this value (in megabytes) as the chunk size for all file uploads that exceed this threshold.
+- If not set or left empty, Palmr. automatically calculates optimal chunk sizes based on file size:
+  - Files ≤ 100MB: uploaded without chunking
+  - Files > 100MB and ≤ 1GB: 75MB chunks
+  - Files > 1GB: 150MB chunks
+
+**When to configure:**
+
+- **Default (not set):** Recommended for most use cases. Palmr. will intelligently determine the best chunk size.
+- **Custom value:** Set this if you have specific network conditions or want to optimize for your infrastructure (e.g., slower connections may benefit from smaller chunks like 50MB, while fast networks can handle larger chunks like 200MB, or the upload size per payload may be limited by a proxy like Cloudflare)
+
 #### Install dependencies
 
 Install all the frontend dependencies:
@@ -201,6 +222,17 @@ You should see the full Palmr. application ready to go!
 
 This guide sets up Palmr. using the local file system for storage. Want to use an S3-compatible object storage instead? You can configure that in the `.env` file. Check the Palmr. documentation for details on setting up S3 storage just update the environment variables, then build and run as shown here.
 
+### Custom Installation Paths and Symlinks
+
+If you're using a custom installation setup with symlinks (for example, `/opt/palmr_data/uploads -> /mnt/data/uploads`), you might encounter issues with disk space detection. Palmr. includes a `CUSTOM_PATH` environment variable to handle these scenarios:
+
+```bash
+# In your .env file (apps/server/.env)
+CUSTOM_PATH=/opt/palmr_data
+```
+
+This tells Palmr. to check your custom path first when determining available disk space, ensuring proper detection even when using symlinks or non-standard directory structures.
+
 ---
 
 ## Command cheat sheet
@@ -232,10 +264,10 @@ pnpm serve
 
 Palmr. is now up and running locally . Here are some suggested next steps:
 
-- **Manage Users**: Dive into the [Users Management](/docs/3.1-beta/manage-users) guide.
+- **Manage Users**: Dive into the [Users Management](/docs/3.2-beta/manage-users) guide.
 - **Switch to Object Storage**: Update `.env` variables to use an S3-compatible bucket (see Quick Notes above).
 - **Secure Your Instance**: Put Palmr. behind a reverse proxy like **Nginx** or **Caddy** and enable HTTPS.
-- **Learn the Internals**: Explore how everything connects in the [Architecture](/docs/3.1-beta/architecture) overview.
+- **Learn the Internals**: Explore how everything connects in the [Architecture](/docs/3.2-beta/architecture) overview.
 
 Jump into whichever area fits your needs our docs are designed for exploration in any order.
 

apps/docs/content/docs/3.2-beta/meta.json

@@ -14,6 +14,7 @@
     "available-languages",
     "uid-gid-configuration",
     "reverse-proxy-configuration",
+    "download-memory-management",
     "password-reset-without-smtp",
     "oidc-authentication",
     "troubleshooting",
@@ -29,5 +30,5 @@
     "gh-sponsor"
   ],
   "root": true,
-  "title": "v3.1-beta"
+  "title": "v3.2-beta"
 }

apps/docs/content/docs/3.2-beta/oidc-authentication/auth0.mdx

@@ -360,7 +360,7 @@ With Auth0 authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/authentik.mdx

@@ -374,7 +374,7 @@ With Authentik authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/discord.mdx

@@ -332,7 +332,7 @@ With Discord authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/frontegg.mdx

@@ -314,7 +314,7 @@ With Frontegg authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/github.mdx

@@ -295,7 +295,7 @@ With GitHub authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/google.mdx

@@ -325,7 +325,7 @@ With Google authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/index.mdx

@@ -38,14 +38,14 @@ Before configuring OIDC authentication, ensure you have:
 
 Palmr's OIDC implementation is compatible with any OpenID Connect compliant provider, including as official providers:
 
-- **[Google](/docs/3.1-beta/oidc-authentication/google)**
-- **[Discord](/docs/3.1-beta/oidc-authentication/discord)**
-- **[Github](/docs/3.1-beta/oidc-authentication/github)**
-- **[Zitadel](/docs/3.1-beta/oidc-authentication/zitadel)**
-- **[Auth0](/docs/3.1-beta/oidc-authentication/auth0)**
-- **[Authentik](/docs/3.1-beta/oidc-authentication/authentik)**
-- **[Frontegg](/docs/3.1-beta/oidc-authentication/frontegg)**
-- **[Kinde Auth](/docs/3.1-beta/oidc-authentication/kinde-auth)**
+- **[Google](/docs/3.2-beta/oidc-authentication/google)**
+- **[Discord](/docs/3.2-beta/oidc-authentication/discord)**
+- **[Github](/docs/3.2-beta/oidc-authentication/github)**
+- **[Zitadel](/docs/3.2-beta/oidc-authentication/zitadel)**
+- **[Auth0](/docs/3.2-beta/oidc-authentication/auth0)**
+- **[Authentik](/docs/3.2-beta/oidc-authentication/authentik)**
+- **[Frontegg](/docs/3.2-beta/oidc-authentication/frontegg)**
+- **[Kinde Auth](/docs/3.2-beta/oidc-authentication/kinde-auth)**
 
 Although these are the official providers (internally tested with 100% success), you can connect any OIDC provider by providing your credentials and connection URL. We've developed a practical way to integrate virtually all OIDC providers available in the market. In this documentation, you can consult how to configure each of the official providers, as well as include other providers not listed as official. Just below, you will find instructions on how to access the OIDC provider configuration. For specific details about configuring each provider, select the desired option in the sidebar, in the "OIDC Authentication" section.
 

apps/docs/content/docs/3.2-beta/oidc-authentication/kinde-auth.mdx

@@ -359,7 +359,7 @@ With Kinde Auth authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/oidc-authentication/meta.json

@@ -0,0 +1,18 @@
+{
+  "defaultOpen": false,
+  "icon": "Key",
+  "pages": [
+    "index",
+    "google",
+    "discord",
+    "github",
+    "zitadel",
+    "auth0",
+    "authentik",
+    "frontegg",
+    "kinde-auth",
+    "pocket-id",
+    "other"
+  ],
+  "title": "OIDC Authentication"
+}

apps/docs/content/docs/3.2-beta/oidc-authentication/pocket-id.mdx

@@ -0,0 +1,279 @@
+---
+title: Pocket ID
+icon: IdCardLanyard
+---
+
+import { ZoomableImage } from "@/components/ui/zoomable-image";
+
+Pocket ID is one of Palmr's officially supported OIDC providers, offering a robust and flexible identity management solution. This integration allows users to sign in to Palmr using Pocket ID's authentication system, making it perfect for organizations that need a self-hosted identity provider with OIDC support.
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/sign-in-with-pocket-id.png" alt="Sign in with Pocket ID" />
+
+## Why use Pocket ID authentication?
+
+Pocket ID authentication provides several advantages for organizations seeking a self-hosted identity solution:
+
+- **Self-hosted control** - Full control over your authentication infrastructure and data
+- **OIDC compliance** - Standard OpenID Connect implementation for seamless integration
+- **Flexible deployment** - Deploy on any infrastructure that suits your needs
+- **Automatic discovery** - Supports OIDC discovery for streamlined configuration
+- **Simple configuration** - Intuitive setup process with minimal complexity
+- **Data sovereignty** - Keep all authentication data within your infrastructure
+- **Cost-effective** - No per-user pricing, perfect for growing organizations
+
+---
+
+## Prerequisites
+
+Before configuring Pocket ID authentication, ensure you have:
+
+- **Pocket ID instance** - A running Pocket ID server accessible via HTTPS
+- **Admin privileges in Palmr** - Required to configure OIDC settings
+- **Domain configuration** - For production deployments with custom domains
+
+> **Note:** Pocket ID is pre-configured as an official provider in Palmr, which means the technical configuration is handled automatically. You only need to provide your OAuth credentials.
+
+---
+
+## Setting up Pocket ID Application
+
+### Creating a Pocket ID application
+
+To get started with Pocket ID authentication, you'll need to create an application in your Pocket ID admin interface.
+
+1. **Navigate to Pocket ID Admin**: Go to your Pocket ID instance URL (e.g., `https://your-pocket-id.domain.com`)
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/pocket-id-console.png" alt="Pocket ID Console" />
+
+2. **Navigate to OIDC Clients**: Click **"OIDC Clients"** in the applications in the left sidebar, you will be redirected to the OIDC Clients page
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/oidc-clients.png" alt="OIDC Clients" />
+
+3. **Create a new OIDC Client**: Click **"Add OIDC Client"** button in the OIDC Clients page
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/create-oidc-client-button.png" alt="Create OIDC Client Button" />
+
+Configure the following settings:
+
+- **Name**: "Palmr File Sharing" (or your preferred name)
+- **Public Client**: "Diasabled"
+- **PKCE**: "Disabled"
+- **Logo**: "Upload a logo image"
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/create-oidc-client.png" alt="Create OIDC Client" />
+
+### Configuring application URLs
+
+You'll need to configure several URLs in your Pocket ID application settings. Here's what to add for each environment:
+
+### Redirect URIs
+
+| Environment | URL                                                                |
+| ----------- | ------------------------------------------------------------------ |
+| Production  | `https://yourdomain.com/api/auth/providers/pocketid/callback`      |
+| Development | `http://localhost:3000/api/auth/providers/pocketid/callback`       |
+| Custom Port | `https://yourdomain.com:5487/api/auth/providers/pocketid/callback` |
+
+### Post Logout Redirect URIs
+
+| Environment | URL                           |
+| ----------- | ----------------------------- |
+| Production  | `https://yourdomain.com`      |
+| Development | `http://localhost:3000`       |
+| Custom Port | `https://yourdomain.com:5487` |
+
+> **Note:** Replace `yourdomain.com` with your actual domain name in all production and custom port URLs.
+> **Note:** You can add multiple redirect URIs for different environments (development, staging, production).
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/config-urls.png" alt="Pocket ID Application URLs Configuration" />
+
+### Getting OAuth credentials
+
+After creating your application, you'll receive your OAuth credentials:
+
+<ZoomableImage
+  src="/assets/v3/oidc/pocket-id/credentials.png"
+  alt="Pocket ID OAuth Credentials"
+  legend="The client ID and client secret shown in the image are examples only (fake credentials). You must use your own credentials from Pocket ID."
+/>
+
+Save these credentials securely - you'll need them to configure Palmr:
+
+- Client ID
+- Client Secret
+- Provider URL (your Pocket ID instance URL)
+
+---
+
+## Configuring Palmr
+
+### Accessing OIDC settings
+
+To configure Pocket ID authentication in Palmr:
+
+1. **Login as administrator**: Sign in to Palmr with an admin account
+2. **Access settings**: Click your profile picture in the header and select **Settings**
+3. **Navigate to authentication**: Find and click on the **Authentication Providers** section
+
+<ZoomableImage src="/assets/v3/oidc/auth-providers.png" alt="Palmr Authentication Providers" />
+
+### Enabling Pocket ID provider
+
+1. **Locate Pocket ID**: Find Pocket ID in the list of available providers
+2. **Enable the provider**: Toggle the status to **Enabled**
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/enabled-pocket-id.png" alt="Palmr Pocket ID Provider Enabled" />
+
+3. **Configure credentials**:
+   - **Provider URL**: Your Pocket ID server URL (e.g., `https://auth.yourdomain.com`)
+   - **Client ID**: Paste the Client ID from your Pocket ID application
+   - **Client Secret**: Paste the Client Secret from your Pocket ID application
+
+<ZoomableImage
+  src="/assets/v3/oidc/pocket-id/edit-pocket-id.png"
+  alt="Edit Pocket ID Provider"
+  legend="This is a fake application, you have to use your own credentials."
+/>
+
+### Advanced configuration options
+
+Configure additional settings to customize the authentication behavior:
+
+**Auto Registration**: Enable to automatically create user accounts when someone authenticates for the first time.
+
+**Sort Order**: Control where the Pocket ID login button appears relative to other authentication providers.
+
+**Icon**: Choose a custom icon for the Pocket ID login button (default is `Key`).
+
+<ZoomableImage src="/assets/v3/oidc/pocket-id/pocket-id-icon.png" alt="Pocket ID Icon" />
+
+---
+
+## Account linking
+
+By default, if a user is already registered in Palmr with their Pocket ID email, they will be automatically linked to their Palmr account.
+
+> **Note:** You can't disable account linking. If you want to unlink a user from their Pocket ID account, you need to delete the user from Palmr.
+
+---
+
+## Technical configuration
+
+Pocket ID's technical configuration is handled automatically through OIDC discovery, but understanding the setup can help with troubleshooting:
+
+```yaml
+Provider Type: OAuth 2.0 with OIDC Discovery
+Issuer URL: https://your-pocket-id.domain.com
+Authorization Endpoint: /authorize
+Token Endpoint: /api/oidc/token
+UserInfo Endpoint: /api/oidc/userinfo
+Scopes: openid profile email
+```
+
+### Field mappings
+
+Palmr automatically maps Pocket ID user information to local user accounts:
+
+- **User ID**: Maps from Pocket ID's `sub` field
+- **Email**: Maps from Pocket ID's `email` field
+- **Name**: Maps from Pocket ID's `name` field, falls back to `preferred_username`
+- **First Name**: Maps from Pocket ID's `given_name` field
+- **Last Name**: Maps from Pocket ID's `family_name` field
+- **Avatar**: Maps from Pocket ID's `picture` field
+
+---
+
+## Testing the configuration
+
+### Verifying the setup
+
+After configuring Pocket ID authentication, test the integration:
+
+1. **Check login page**: Verify the "Sign in with Pocket ID" button appears
+2. **Test authentication flow**: Click the button and complete authentication
+3. **Verify user creation**: Confirm new user account creation (if auto-registration is enabled)
+
+### Login flow verification
+
+The complete authentication process should work as follows:
+
+1. User clicks "Sign in with Pocket ID"
+2. User is redirected to Pocket ID login page
+3. User authenticates with their credentials
+4. Pocket ID redirects back to Palmr
+5. Palmr creates or updates the user account
+6. User gains access to Palmr
+
+---
+
+## Troubleshooting common issues
+
+### Redirect URI mismatch
+
+**Error**: `invalid_redirect_uri`
+
+**Solution**:
+
+1. Verify the exact callback URL in your Pocket ID application
+2. Check for protocol mismatches (http vs https)
+3. Ensure no trailing slashes unless specified
+4. Add development URLs if testing locally
+
+### Authentication failures
+
+**Error**: `access_denied` or `unauthorized_client`
+
+**Solution**:
+
+1. Verify Client ID and Secret are correct
+2. Check if the application is enabled in Pocket ID
+3. Ensure required scopes are configured
+4. Verify the user has necessary permissions
+
+### Discovery endpoint issues
+
+**Error**: Cannot fetch OIDC configuration
+
+**Solution**:
+
+1. Verify your Pocket ID server is accessible
+2. Check if the discovery endpoint (`/.well-known/openid-configuration`) is available
+3. Ensure SSL certificates are valid
+4. Check network connectivity and firewall rules
+
+---
+
+## Security best practices
+
+### Credential management
+
+- **Secure storage**: Keep Client Secret secure and never commit to version control
+- **Regular rotation**: Periodically rotate Client Secret
+- **Environment variables**: Store credentials in environment variables
+- **Access monitoring**: Regular review of authentication logs
+
+### Production considerations
+
+- **HTTPS required**: Always use HTTPS in production
+- **Valid certificates**: Ensure SSL certificates are valid
+- **Regular updates**: Keep Pocket ID server updated
+- **Backup strategy**: Regular backups of Pocket ID configuration
+
+---
+
+## Next steps
+
+After configuring Pocket ID authentication:
+
+- **Monitor usage**: Track authentication patterns
+- **Configure MFA**: Set up multi-factor authentication if needed
+- **User management**: Review auto-registration settings
+- **Backup verification**: Test backup and restore procedures
+
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
+
+## Useful resources
+
+- [Pocket ID Documentation](https://docs.pocket-id.org)
+- [OIDC Specification](https://openid.net/specs/openid-connect-core-1_0.html)
+- [Palmr OIDC Overview](/docs/3.2-beta/oidc-authentication)

apps/docs/content/docs/3.2-beta/oidc-authentication/zitadel.mdx

@@ -413,7 +413,7 @@ With Zitadel authentication configured, you might want to:
 - **Review security settings**: Ensure your authentication setup meets your security requirements
 - **Monitor usage**: Keep track of authentication patterns and user activity
 
-For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.1-beta/oidc-authentication).
+For more information about OIDC authentication in Palmr, see the [OIDC Authentication overview](/docs/3.2-beta/oidc-authentication).
 
 ## Useful resources
 

apps/docs/content/docs/3.2-beta/password-reset-without-smtp.mdx

@@ -47,12 +47,12 @@ docker exec -it <container_name_or_id> /bin/sh
 
 Replace `<container_name_or_id>` with the name or ID of your Palmr container. This command opens an interactive shell session inside the container, allowing you to execute commands directly.
 
-### 3. Navigate to the server directory
+### 3. Navigate to the application directory
 
-Once inside the container, navigate to the server directory where the reset script is located:
+Once inside the container, navigate to the application directory where the reset script is located:
 
 ```bash
-cd /app/server
+cd /app/palmr-app
 ```
 
 This directory contains the necessary scripts and configurations for managing Palmr's backend operations.
@@ -135,11 +135,11 @@ If you encounter issues while running the script, refer to the following solutio
   - Confirm that the `prisma/palmr.db` file exists and has the correct permissions.
   - Verify that the container has access to the database volume.
 
-- **Error: "Script must be run from server directory"**  
-  This error appears if you are not in the correct directory. Navigate to the server directory with:
+- **Error: "Script must be run from application directory"**  
+  This error appears if you are not in the correct directory. Navigate to the application directory with:
 
   ```bash
-  cd /app/server
+  cd /app/palmr-app
   ```
 
 - **Error: "User not found"**  

apps/docs/content/docs/3.2-beta/quick-start.mdx

@@ -0,0 +1,409 @@
+---
+title: Quick Start (Docker)
+icon: "Rocket"
+---
+
+import { Callout } from "fumadocs-ui/components/callout";
+import { Tab, Tabs } from "fumadocs-ui/components/tabs";
+
+import { Card, CardGrid } from "@/components/ui/card";
+
+Welcome to the fastest way to deploy <span className="font-bold">Palmr.</span> - your secure, self-hosted file sharing solution. This guide will have you up and running in minutes, whether you're new to self-hosting or an experienced developer.
+
+Palmr. offers flexible deployment options to match your infrastructure needs. This guide focuses on Docker deployment with our recommended filesystem storage, perfect for most use cases.
+
+## Prerequisites
+
+Before you begin, make sure you have:
+
+- **Docker** - Container runtime ([installation guide](https://docs.docker.com/get-docker/))
+- **Docker Compose** - Multi-container orchestration ([installation guide](https://docs.docker.com/compose/install/))
+- **2GB+ available disk space** for the application and your files
+- **Port 5487** available for the web interface
+- **Port 3333** available for API access (optional)
+
+<Callout>
+  **Platform Support**: Palmr. is developed on macOS and extensively tested on Linux servers. While we haven't formally
+  tested other platforms, Docker's cross-platform nature should ensure compatibility. Report any issues on our [GitHub
+  repository](https://github.com/kyantech/Palmr/issues).
+</Callout>
+
+## Storage Options
+
+Palmr. supports two storage approaches for persistent data:
+
+- **Named Volumes (Recommended)** - Docker-managed storage with optimal performance and no permission issues
+- **Bind Mounts** - Direct host filesystem access, ideal for development and direct file management
+
+## Deployment Options
+
+Choose your storage method based on your needs:
+
+<Tabs items={['Named Volumes (Recommended)', 'Bind Mounts']}>
+  <Tab value="Named Volumes (Recommended)">
+    Docker-managed storage that provides the best balance of performance, security, and ease of use:
+
+    - **No Permission Issues**: Docker handles all permission management automatically
+    - **Performance**: Optimized for container workloads with better I/O performance
+    - **Production Ready**: Recommended for production deployments
+
+    ### Configuration
+
+    Create a `docker-compose.yml` file:
+
+    ```yaml
+    services:
+      palmr:
+        image: kyantech/palmr:latest
+        container_name: palmr
+        restart: unless-stopped
+        ports:
+          - "5487:5487" # Web interface
+          # - "3333:3333" # API (optional)
+        environment:
+          # Optional: Uncomment and configure as needed (if you don`t use, you can remove)
+          # - ENABLE_S3=true # Set to true to enable S3-compatible storage
+          # - DISABLE_FILESYSTEM_ENCRYPTION=true # Set to false to enable file encryption
+          # - ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
+          # - PALMR_UID=1000 # UID for the container processes (default is 1000)
+          # - PALMR_GID=1000 # GID for the container processes (default is 1000)
+          # - SECURE_SITE=false # Set to true if you are using a reverse proxy
+          # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
+          # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (optional, defaults to 3600 seconds / 1 hour)
+          # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum simultaneous downloads (auto-scales if not set)
+          # - DOWNLOAD_MEMORY_THRESHOLD_MB=2048 # Memory threshold in MB before throttling (auto-scales if not set)
+          # - DOWNLOAD_QUEUE_SIZE=25 # Maximum queue size for pending downloads (auto-scales if not set)
+          # - DOWNLOAD_MIN_FILE_SIZE_GB=3.0 # Minimum file size in GB to activate memory management (default: 3.0)
+          # - DOWNLOAD_AUTO_SCALE=true # Enable auto-scaling based on system memory (default: true)
+          # - NODE_OPTIONS=--expose-gc # Enable garbage collection for large downloads (recommended for production)
+          # - NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB=100 # Chunk size in MB for large file uploads (OPTIONAL - auto-calculates if not set)
+        volumes:
+          - palmr_data:/app/server
+
+    volumes:
+      palmr_data:
+    ```
+
+    <Callout type="info">
+      **Having upload or permission issues?** Add `PALMR_UID=1000` and `PALMR_GID=1000` to your environment variables. Check our [UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration) guide for more details.
+    </Callout>
+
+    ### Deploy
+
+    ```bash
+    docker-compose up -d
+    ```
+
+  </Tab>
+  <Tab value="Bind Mounts">
+    Direct mapping to host filesystem directories, providing direct file access:
+
+    - **Direct Access**: Files are directly accessible from your host system
+    - **Development Friendly**: Easy to inspect, modify, or backup files manually
+    - **Platform Dependent**: May require UID/GID configuration, especially on NAS systems
+
+    ### Configuration
+
+    Create a `docker-compose.yml` file:
+
+    ```yaml
+    services:
+      palmr:
+        image: kyantech/palmr:latest
+        container_name: palmr
+        restart: unless-stopped
+        ports:
+          - "5487:5487" # Web interface
+          # - "3333:3333" # API (optional)
+        environment:
+          # Optional: Uncomment and configure as needed (if you don`t use, you can remove)
+          # - ENABLE_S3=true # Set to true to enable S3-compatible storage
+          # - DISABLE_FILESYSTEM_ENCRYPTION=false # Set to false to enable file encryption
+          # - ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
+          # - PALMR_UID=1000 # UID for the container processes (default is 1000)
+          # - PALMR_GID=1000 # GID for the container processes (default is 1000)
+          # - SECURE_SITE=false # Set to true if you are using a reverse proxy
+          # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
+          # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (optional, defaults to 3600 seconds / 1 hour)
+          # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum simultaneous downloads (auto-scales if not set)
+          # - DOWNLOAD_MEMORY_THRESHOLD_MB=2048 # Memory threshold in MB before throttling (auto-scales if not set)
+          # - DOWNLOAD_QUEUE_SIZE=25 # Maximum queue size for pending downloads (auto-scales if not set)
+          # - DOWNLOAD_MIN_FILE_SIZE_GB=3.0 # Minimum file size in GB to activate memory management (default: 3.0)
+          # - DOWNLOAD_AUTO_SCALE=true # Enable auto-scaling based on system memory (default: true)
+          # - NODE_OPTIONS=--expose-gc # Enable garbage collection for large downloads (recommended for production)
+        volumes:
+          - ./data:/app/server
+    ```
+
+    <Callout type="info">
+      **Having upload or permission issues?** Add `PALMR_UID=1000` and `PALMR_GID=1000` to your environment variables. Check our [UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration) guide for more details.
+    </Callout>
+
+    ### Deploy
+
+    ```bash
+    docker-compose up -d
+    ```
+
+  </Tab>
+</Tabs>
+
+## Configuration
+
+Customize Palmr's behavior with these environment variables:
+
+| Variable                           | Default        | Description                                                                                                                           |
+| ---------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+| `ENABLE_S3`                        | `false`        | Enable S3-compatible storage backends                                                                                                 |
+| `S3_ENDPOINT`                      | -              | S3 server endpoint URL (required when using S3)                                                                                       |
+| `S3_PORT`                          | -              | S3 server port (optional when using S3)                                                                                               |
+| `S3_USE_SSL`                       | -              | Enable SSL for S3 connections (optional when using S3)                                                                                |
+| `S3_ACCESS_KEY`                    | -              | S3 access key for authentication (required when using S3)                                                                             |
+| `S3_SECRET_KEY`                    | -              | S3 secret key for authentication (required when using S3)                                                                             |
+| `S3_REGION`                        | -              | S3 region configuration (optional when using S3)                                                                                      |
+| `S3_BUCKET_NAME`                   | -              | S3 bucket name for file storage (required when using S3)                                                                              |
+| `S3_FORCE_PATH_STYLE`              | `false`        | Force path-style S3 URLs (optional when using S3)                                                                                     |
+| `S3_REJECT_UNAUTHORIZED`           | `true`         | Enable strict SSL certificate validation for S3 (set to `false` for self-signed certificates)                                         |
+| `ENCRYPTION_KEY`                   | -              | **Required when encryption is enabled**: 32+ character key for file encryption                                                        |
+| `DISABLE_FILESYSTEM_ENCRYPTION`    | `true`         | Disable file encryption for better performance (set to `false` to enable encryption)                                                  |
+| `PRESIGNED_URL_EXPIRATION`         | `3600`         | Duration in seconds for presigned URL expiration (applies to both filesystem and S3 storage)                                          |
+| `CUSTOM_PATH`                      | -              | Custom base path for disk space detection in manual installations with symlinks                                                       |
+| `SECURE_SITE`                      | `false`        | Enable secure cookies for HTTPS/reverse proxy deployments                                                                             |
+| `DEFAULT_LANGUAGE`                 | `en-US`        | Default application language ([see available languages](/docs/3.2-beta/available-languages))                                          |
+| `PALMR_UID`                        | `1000`         | User ID for container processes (helps with file permissions)                                                                         |
+| `PALMR_GID`                        | `1000`         | Group ID for container processes (helps with file permissions)                                                                        |
+| `NODE_OPTIONS`                     | -              | Node.js options (recommended: `--expose-gc` for garbage collection in production)                                                     |
+| `DOWNLOAD_MAX_CONCURRENT`          | auto-scale     | Maximum number of simultaneous downloads (see [Download Memory Management](/docs/3.2-beta/download-memory-management))                |
+| `DOWNLOAD_MEMORY_THRESHOLD_MB`     | auto-scale     | Memory threshold in MB before throttling                                                                                              |
+| `DOWNLOAD_QUEUE_SIZE`              | auto-scale     | Maximum queue size for pending downloads                                                                                              |
+| `DOWNLOAD_MIN_FILE_SIZE_GB`        | `3.0`          | Minimum file size in GB to activate memory management                                                                                 |
+| `NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB` | auto-calculate | Chunk size in MB for large file uploads (see [Chunked Upload Configuration](/docs/3.2-beta/quick-start#chunked-upload-configuration)) |
+| `DOWNLOAD_AUTO_SCALE`              | `true`         | Enable auto-scaling based on system memory                                                                                            |
+
+<Callout type="info">
+  **Performance First**: Palmr runs without encryption by default for optimal speed and lower resource usage—perfect for
+  most use cases.
+</Callout>
+
+<Callout type="warn">
+  **Encryption Notice**: To enable encryption, set `DISABLE_FILESYSTEM_ENCRYPTION=false` and provide a 32+ character
+  `ENCRYPTION_KEY`. **Important**: This choice is permanent—switching encryption modes after uploading files will break
+  access to existing uploads.
+</Callout>
+
+<Callout>
+  **Using a Reverse Proxy?** Set `SECURE_SITE=true` and check our [Reverse Proxy
+  Configuration](/docs/3.2-beta/reverse-proxy-configuration) guide for proper HTTPS setup.
+</Callout>
+
+### Generate Encryption Keys (Optional)
+
+Need file encryption? Generate a secure key:
+
+<KeyGenerator />
+
+> **Pro Tip**: Only enable encryption if you're handling sensitive data. For most users, the default unencrypted mode provides better performance.
+
+## Access Your Instance
+
+Once deployed, open Palmr in your browser:
+
+- **Web Interface**: `http://localhost:5487` (local) or `http://YOUR_SERVER_IP:5487` (remote)
+- **API Documentation**: `http://localhost:3333/docs` (if port 3333 is exposed)
+
+<Callout type="info">
+  **Learn More**: For complete API documentation, authentication, and integration examples, see our [API
+  Reference](/docs/3.2-beta/api) guide
+</Callout>
+
+<Callout type="warn">
+  **Production Ready?** Configure HTTPS with a valid SSL certificate for secure production deployments.
+</Callout>
+
+---
+
+## Docker CLI Alternative
+
+Prefer Docker commands over Compose? Here are the equivalent commands:
+
+<Tabs items={["Named Volume", "Bind Mount"]}>
+  <Tab value="Named Volume">
+
+    ```bash
+    docker run -d \
+      --name palmr \
+      # Optional: Uncomment and configure as needed (if you don`t use, you can remove)
+      # -e ENABLE_S3=true \ # Set to true to enable S3-compatible storage (OPTIONAL - default is false)
+      # -e DISABLE_FILESYSTEM_ENCRYPTION=false \ # Set to false to enable file encryption (ENCRYPTION_KEY becomes required) | (OPTIONAL - default is true)
+      # -e ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
+      # -e PALMR_UID=1000 # UID for the container processes (default is 1000)
+      # -e PALMR_GID=1000 # GID for the container processes (default is 1000)
+      # -e SECURE_SITE=false # Set to true if you are using a reverse proxy
+      # -e DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
+      -p 5487:5487 \
+      -p 3333:3333 \
+      -v palmr_data:/app/server \
+      --restart unless-stopped \
+      kyantech/palmr:latest
+    ```
+
+
+    <Callout type="info">
+      **Permission Issues?** Add `-e PALMR_UID=1000 -e PALMR_GID=1000` to the command above. See our [UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration) guide for details.
+    </Callout>
+
+  </Tab>
+
+  <Tab value="Bind Mount">
+
+    ```bash
+    docker run -d \
+      --name palmr \
+      # Optional: Uncomment and configure as needed (if you don`t use, you can remove)
+      # -e ENABLE_S3=true \ # Set to true to enable S3-compatible storage (OPTIONAL - default is false)
+      # -e DISABLE_FILESYSTEM_ENCRYPTION=true \ # Set to false to enable file encryption (ENCRYPTION_KEY becomes required) | (OPTIONAL - default is true)
+      # -e ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
+      # -e PALMR_UID=1000 # UID for the container processes (default is 1000)
+      # -e PALMR_GID=1000 # GID for the container processes (default is 1000)
+      # -e SECURE_SITE=false # Set to true if you are using a reverse proxy
+      # -e DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
+      -p 5487:5487 \
+      -p 3333:3333 \
+      -v $(pwd)/data:/app/server \
+      --restart unless-stopped \
+      kyantech/palmr:latest
+    ```
+
+    <Callout type="info">
+      **Permission Issues?** Add `-e PALMR_UID=1000 -e PALMR_GID=1000` to the command above. See our [UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration) guide for details.
+    </Callout>
+
+  </Tab>
+</Tabs>
+
+---
+
+## Common Configuration Options
+
+### Presigned URL Expiration
+
+Palmr. uses temporary URLs (presigned URLs) for secure file access. These URLs expire after a configurable time period to enhance security.
+
+**Default:** 1 hour (3600 seconds)
+
+You can customize this for all storage types (filesystem or S3) by adding:
+
+```yaml
+environment:
+  - PRESIGNED_URL_EXPIRATION=7200 # 2 hours
+```
+
+**When to adjust:**
+
+- **Shorter time (1800 = 30 min):** Higher security, but users may need to refresh download links
+- **Longer time (7200-21600 = 2-6 hours):** Better for large file transfers, but URLs stay valid longer
+- **Default (3600 = 1 hour):** Good balance for most use cases
+
+### File Encryption
+
+For filesystem storage, you can enable file encryption:
+
+```yaml
+environment:
+  - DISABLE_FILESYSTEM_ENCRYPTION=false
+  - ENCRYPTION_KEY=your-secure-32-character-key-here
+```
+
+**Note:** S3 storage handles encryption through your S3 provider's encryption features.
+
+### Chunked Upload Configuration
+
+Palmr supports configurable chunked uploading for large files. You can customize the chunk size by setting the following environment variable:
+
+```yaml
+environment:
+  - NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB=100 # Chunk size in MB
+```
+
+**How it works:**
+
+- If `NEXT_PUBLIC_UPLOAD_CHUNK_SIZE_MB` is set, Palmr will use this value (in megabytes) as the chunk size for all file uploads that exceed this threshold.
+- If not set or left empty, Palmr automatically calculates optimal chunk sizes based on file size:
+  - Files ≤ 100MB: uploaded without chunking
+  - Files > 100MB and ≤ 1GB: 75MB chunks
+  - Files > 1GB: 150MB chunks
+
+**When to configure:**
+
+- **Default (not set):** Recommended for most use cases. Palmr will intelligently determine the best chunk size.
+- **Custom value:** Set this if you have specific network conditions or want to optimize for your infrastructure (e.g., slower connections may benefit from smaller chunks like 50MB, while fast networks can handle larger chunks like 200MB, or the upload size per payload may be limited by a proxy like Cloudflare)
+
+---
+
+## Maintenance
+
+### Updates
+
+Keep Palmr up to date with the latest features and security patches:
+
+```bash
+docker-compose pull
+docker-compose up -d
+```
+
+### Backup Your Data
+
+**Named Volumes:**
+
+```bash
+docker run --rm -v palmr_data:/data -v $(pwd):/backup alpine tar czf /backup/palmr-backup.tar.gz -C /data .
+```
+
+**Bind Mounts:**
+
+```bash
+tar czf palmr-backup.tar.gz ./data
+```
+
+### Restore From Backup
+
+**Named Volumes:**
+
+```bash
+docker-compose down
+docker run --rm -v palmr_data:/data -v $(pwd):/backup alpine tar xzf /backup/palmr-backup.tar.gz -C /data
+docker-compose up -d
+```
+
+**Bind Mounts:**
+
+```bash
+docker-compose down
+tar xzf palmr-backup.tar.gz
+docker-compose up -d
+```
+
+---
+
+## What's Next?
+
+Your Palmr instance is ready! Here's what you can explore:
+
+### Advanced Configuration
+
+- **[UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration)** - Configure user permissions for NAS systems and custom environments
+- **[Download Memory Management](/docs/3.2-beta/download-memory-management)** - Configure large file download handling and queue system
+- **[S3 Storage](/docs/3.2-beta/s3-configuration)** - Scale with Amazon S3 or compatible storage providers
+- **[Manual Installation](/docs/3.2-beta/manual-installation)** - Manual installation and custom configurations
+
+### Integration & Development
+
+- **[API Reference](/docs/3.2-beta/api)** - Integrate Palmr. with your applications
+
+<Callout type="info">
+  **Need help?** Check our [Troubleshooting Guide](/docs/3.2-beta/troubleshooting) for common issues and solutions.
+</Callout>
+
+---
+
+**Questions?** Visit our [GitHub Issues](https://github.com/kyantech/Palmr/issues) or join the community discussions.

apps/docs/content/docs/3.2-beta/reverse-proxy-configuration.mdx

@@ -127,10 +127,11 @@ proxy_pass_header Set-Cookie;
 environment:
   - PALMR_UID=1000 # Your host UID (check with: id)
   - PALMR_GID=1000 # Your host GID
-  - ENCRYPTION_KEY=your-key-here
+  - DISABLE_FILESYSTEM_ENCRYPTION=true # Set to false to enable file encryption
+  # - ENCRYPTION_KEY=your-key-here # Required only if encryption is enabled
 ```
 
-> **💡 Note**: Check your host UID/GID with `id` command and use those values. See [UID/GID Configuration](/docs/3.1-beta/uid-gid-configuration) for detailed setup.
+> **💡 Note**: Check your host UID/GID with `id` command and use those values. See [UID/GID Configuration](/docs/3.2-beta/uid-gid-configuration) for detailed setup.
 
 ---
 

apps/docs/content/docs/3.2-beta/s3-providers.mdx

@@ -7,6 +7,8 @@ This guide provides comprehensive configuration instructions for integrating Pal
 
 > **Overview:** Palmr. supports any S3-compatible storage provider, giving you flexibility to choose the solution that best fits your needs and budget.
 
+> **Note:** Some configuration options (like presigned URL expiration) apply to **all storage types**, including filesystem storage. These are marked accordingly in the documentation.
+
 ## When to use S3-compatible storage
 
 Consider using S3-compatible storage when you need:
@@ -19,18 +21,27 @@ Consider using S3-compatible storage when you need:
 
 ## Environment variables
 
+### General configuration (applies to all storage types)
+
+| Variable                   | Description                                      | Required | Default         |
+| -------------------------- | ------------------------------------------------ | -------- | --------------- |
+| `PRESIGNED_URL_EXPIRATION` | Duration in seconds for presigned URL expiration | No       | `3600` (1 hour) |
+
+### S3-specific configuration
+
 To enable S3-compatible storage, set `ENABLE_S3=true` and configure the following environment variables:
 
-| Variable              | Description                   | Required | Default           |
-| --------------------- | ----------------------------- | -------- | ----------------- |
-| `S3_ENDPOINT`         | S3 provider endpoint URL      | Yes      | -                 |
-| `S3_PORT`             | Connection port               | No       | Based on protocol |
-| `S3_USE_SSL`          | Enable SSL/TLS encryption     | Yes      | `true`            |
-| `S3_ACCESS_KEY`       | Access key for authentication | Yes      | -                 |
-| `S3_SECRET_KEY`       | Secret key for authentication | Yes      | -                 |
-| `S3_REGION`           | Storage region                | Yes      | -                 |
-| `S3_BUCKET_NAME`      | Bucket/container name         | Yes      | -                 |
-| `S3_FORCE_PATH_STYLE` | Use path-style URLs           | No       | `false`           |
+| Variable                 | Description                              | Required | Default           |
+| ------------------------ | ---------------------------------------- | -------- | ----------------- |
+| `S3_ENDPOINT`            | S3 provider endpoint URL                 | Yes      | -                 |
+| `S3_PORT`                | Connection port                          | No       | Based on protocol |
+| `S3_USE_SSL`             | Enable SSL/TLS encryption                | Yes      | `true`            |
+| `S3_ACCESS_KEY`          | Access key for authentication            | Yes      | -                 |
+| `S3_SECRET_KEY`          | Secret key for authentication            | Yes      | -                 |
+| `S3_REGION`              | Storage region                           | Yes      | -                 |
+| `S3_BUCKET_NAME`         | Bucket/container name                    | Yes      | -                 |
+| `S3_FORCE_PATH_STYLE`    | Use path-style URLs                      | No       | `false`           |
+| `S3_REJECT_UNAUTHORIZED` | Enable strict SSL certificate validation | No       | `true`            |
 
 ## Provider configurations
 
@@ -51,6 +62,7 @@ S3_SECRET_KEY=your-secret-access-key
 S3_REGION=us-east-1
 S3_BUCKET_NAME=your-bucket-name
 S3_FORCE_PATH_STYLE=false
+# PRESIGNED_URL_EXPIRATION=3600  # Optional: 1 hour (default)
 ```
 
 **Getting credentials:**
@@ -81,6 +93,21 @@ S3_FORCE_PATH_STYLE=true
 - Default MinIO port is 9000
 - SSL can be disabled for local development
 
+**For MinIO with self-signed SSL certificates:**
+
+```bash
+ENABLE_S3=true
+S3_ENDPOINT=your-minio-domain.com
+S3_PORT=9000
+S3_USE_SSL=true
+S3_ACCESS_KEY=your-minio-access-key
+S3_SECRET_KEY=your-minio-secret-key
+S3_REGION=us-east-1
+S3_BUCKET_NAME=your-bucket-name
+S3_FORCE_PATH_STYLE=true
+S3_REJECT_UNAUTHORIZED=false  # Allows self-signed certificates
+```
+
 ### Google Cloud Storage
 
 Google Cloud Storage offers competitive pricing and global infrastructure.
@@ -137,6 +164,7 @@ S3_SECRET_KEY=your-application-key
 S3_REGION=us-west-002
 S3_BUCKET_NAME=your-bucket-name
 S3_FORCE_PATH_STYLE=false
+# PRESIGNED_URL_EXPIRATION=7200  # Optional: 2 hours for large files
 ```
 
 **Cost advantage:**
@@ -187,6 +215,93 @@ S3_FORCE_PATH_STYLE=false
 - Use container name as bucket name
 - Configure appropriate access policies
 
+## Presigned URL configuration
+
+Palmr. uses presigned URLs to provide secure, temporary access to files stored in **both S3-compatible storage and filesystem storage**. These URLs have a configurable expiration time to balance security and usability.
+
+> **Note:** This configuration applies to **all storage types** (S3, filesystem, etc.), not just S3-compatible storage.
+
+### Understanding presigned URLs
+
+Presigned URLs are temporary URLs that allow direct access to files without exposing storage credentials or requiring authentication. They automatically expire after a specified time period, enhancing security by limiting access duration.
+
+**How it works:**
+
+- **S3 Storage:** URLs are signed by AWS/S3-compatible provider credentials
+- **Filesystem Storage:** URLs use temporary tokens that are validated by Palmr server
+
+**Default behavior:**
+
+- Upload URLs: 1 hour (3600 seconds)
+- Download URLs: 1 hour (3600 seconds)
+
+### Configuring expiration time
+
+You can customize the expiration time using the `PRESIGNED_URL_EXPIRATION` environment variable:
+
+```bash
+# Set URLs to expire after 2 hours (7200 seconds)
+PRESIGNED_URL_EXPIRATION=7200
+
+# Set URLs to expire after 30 minutes (1800 seconds)
+PRESIGNED_URL_EXPIRATION=1800
+
+# Set URLs to expire after 6 hours (21600 seconds)
+PRESIGNED_URL_EXPIRATION=21600
+```
+
+### Choosing the right expiration time
+
+**Shorter expiration (15-30 minutes):**
+
+- [+] Higher security
+- [+] Reduced risk of unauthorized access
+- [-] May interrupt long uploads/downloads
+- [-] Users may need to refresh links more often
+
+**Longer expiration (2-6 hours):**
+
+- [+] Better user experience for large files
+- [+] Fewer interruptions during transfers
+- [-] Longer exposure window if URLs are compromised
+- [-] Potential for increased storage costs if users leave downloads incomplete
+
+**Recommended settings:**
+
+- **High security environments:** 1800 seconds (30 minutes)
+- **Standard usage:** 3600 seconds (1 hour) - default
+- **Large file transfers:** 7200-21600 seconds (2-6 hours)
+
+### Example configurations
+
+**For Backblaze B2 with extended expiration:**
+
+```bash
+ENABLE_S3=true
+S3_ENDPOINT=s3.us-west-002.backblazeb2.com
+S3_USE_SSL=true
+S3_ACCESS_KEY=your-key-id
+S3_SECRET_KEY=your-application-key
+S3_REGION=us-west-002
+S3_BUCKET_NAME=your-bucket-name
+S3_FORCE_PATH_STYLE=false
+PRESIGNED_URL_EXPIRATION=7200  # 2 hours for large file transfers
+```
+
+**For high-security environments:**
+
+```bash
+ENABLE_S3=true
+S3_ENDPOINT=s3.amazonaws.com
+S3_USE_SSL=true
+S3_ACCESS_KEY=your-access-key-id
+S3_SECRET_KEY=your-secret-access-key
+S3_REGION=us-east-1
+S3_BUCKET_NAME=your-bucket-name
+S3_FORCE_PATH_STYLE=false
+PRESIGNED_URL_EXPIRATION=1800  # 30 minutes for enhanced security
+```
+
 ## Configuration best practices
 
 ### Security considerations
@@ -212,6 +327,19 @@ S3_FORCE_PATH_STYLE=false
 - Check firewall and network connectivity
 - Ensure SSL/TLS settings match provider requirements
 
+**SSL certificate errors (self-signed certificates):**
+
+If you encounter errors like `unable to verify the first certificate` or `UNABLE_TO_VERIFY_LEAF_SIGNATURE`, you're likely using self-signed SSL certificates. This is common with self-hosted MinIO or other S3-compatible services.
+
+**Solution:**
+Set `S3_REJECT_UNAUTHORIZED=false` in your environment variables to allow self-signed certificates:
+
+```bash
+S3_REJECT_UNAUTHORIZED=false
+```
+
+**Note:** SSL certificate validation is enabled by default (`true`) for security. Set it to `false` only when using self-hosted S3 services with self-signed certificates.
+
 **Authentication failures:**
 
 - Confirm access key and secret key are correct

apps/docs/content/docs/3.2-beta/screenshots.mdx

@@ -44,7 +44,7 @@ The central hub after login, providing an overview of recent activity, quick act
 
 ### Files list view
 
-Comprehensive file browser displaying all uploaded files in a detailed list format with metadata, actions, and sorting options.
+Comprehensive file browser displaying all uploaded files in a detailed list format with metadata, actions, sorting options, and folder navigation.
 
 <ZoomableImage
   src="/assets/v3/screenshots/files-list.png"
@@ -53,7 +53,7 @@ Comprehensive file browser displaying all uploaded files in a detailed list form
 
 ### Files card view
 
-Alternative file browser layout showing files as visual cards, perfect for quick browsing and visual file identification.
+Alternative file browser layout showing files as visual cards, perfect for quick browsing, visual file identification, and folder navigation.
 
 <ZoomableImage
   src="/assets/v3/screenshots/files-card.png"
@@ -73,7 +73,7 @@ File upload interface where users can drag and drop or select files to upload to
 
 ### Shares page
 
-Management interface for all shared files and folders, showing share status, permissions, and access controls.
+Management interface for all shared files and folders, showing share status, permissions, and access controls for both individual files and folders.
 
 <ZoomableImage
   src="/assets/v3/screenshots/shares.png"

apps/docs/content/docs/3.2-beta/troubleshooting.mdx

@@ -17,7 +17,7 @@ docker-compose logs palmr | grep -i "permission\|denied\|eacces"
 
 # Common error messages:
 # EACCES: permission denied, open '/app/server/uploads/file.txt'
-# Error: EACCES: permission denied, mkdir '/app/server/temp-chunks'
+# Error: EACCES: permission denied, mkdir '/app/server/temp-uploads'
 ```
 
 ### The Root Cause
@@ -25,7 +25,7 @@ docker-compose logs palmr | grep -i "permission\|denied\|eacces"
 **Palmr. defaults**: UID 1001, GID 1001  
 **Linux standard**: UID 1000, GID 1000
 
-When using bind mounts, your host directories are owned by UID 1000, but Palmr. runs as UID 1001.
+When using bind mounts, your host directories may have different ownership than Palmr's default UID/GID.
 
 ### Solution 1: Environment Variables (Recommended)
 
@@ -63,8 +63,8 @@ If you prefer to keep Palmr's defaults:
 chown -R 1001:1001 ./data
 
 # For separate upload/temp directories
-mkdir -p uploads temp-chunks
-chown -R 1001:1001 uploads temp-chunks
+mkdir -p uploads temp-uploads
+chown -R 1001:1001 uploads temp-uploads
 ```
 
 ### Solution 3: Docker Volume (Avoid the Issue)
@@ -109,16 +109,19 @@ docker-compose logs palmr
 2. **Invalid encryption key**
 
    ```bash
-   # Error: Encryption key must be at least 32 characters
-   # Fix: Update ENCRYPTION_KEY in docker-compose.yaml
+   # Error: Encryption key must be at least 32 characters (only if encryption is enabled)
+   # Fix: Either disable encryption or provide a valid key
    environment:
-     - ENCRYPTION_KEY=your-very-long-secure-key-at-least-32-characters
+     - DISABLE_FILESYSTEM_ENCRYPTION=true  # Disable encryption (default)
+     # OR enable encryption with:
+     # - DISABLE_FILESYSTEM_ENCRYPTION=false
+     # - ENCRYPTION_KEY=your-very-long-secure-key-at-least-32-characters
    ```
 
 3. **Missing environment variables**
    ```bash
-   # Check required variables are set
-   docker exec palmr env | grep -E "ENCRYPTION_KEY|DATABASE_URL"
+   # Check variables are set (encryption is optional)
+   docker exec palmr env | grep -E "DISABLE_FILESYSTEM_ENCRYPTION|ENCRYPTION_KEY|DATABASE_URL"
    ```
 
 ### Container Starts But App Doesn't Load
@@ -151,7 +154,7 @@ curl http://localhost:3333/health
 
    ```bash
    docker exec palmr ls -la /app/server/uploads/
-   # Should show ownership by palmr user
+   # Should show ownership by palmr user (UID 1001)
    ```
 
 3. **Check upload limits:**
@@ -178,13 +181,13 @@ docker exec palmr stat /app/server/uploads/your-file.txt
 
    ```bash
    # Using the built-in reset script
-   docker exec -it palmr /app/reset-password.sh
+   docker exec -it palmr /app/palmr-app/reset-password.sh
    ```
 
 2. **Check database permissions:**
    ```bash
    docker exec palmr ls -la /app/server/prisma/
-   # palmr.db should be writable by palmr user
+   # palmr.db should be writable by palmr user (UID 1001)
    ```
 
 ### OIDC Authentication Not Working
@@ -243,8 +246,8 @@ docker exec palmr ls -la /app/server/prisma/palmr.db
 # Check database logs
 docker-compose logs palmr | grep -i database
 
-# Verify Prisma schema
-docker exec palmr npx prisma db push --schema=./prisma/schema.prisma
+# Verify Prisma schema (run from palmr-app directory)
+docker exec palmr sh -c "cd /app/palmr-app && npx prisma db push"
 ```
 
 ### Database Corruption
@@ -283,7 +286,7 @@ docker-compose up -d
 
 3. **Check temp directory permissions:**
    ```bash
-   docker exec palmr ls -la /app/server/temp-chunks/
+   docker exec palmr ls -la /app/server/temp-uploads/
    ```
 
 ### High Memory Usage
@@ -318,16 +321,19 @@ docker port palmr
 echo "4. File Permissions:"
 docker exec palmr ls -la /app/server/
 
-echo "5. Environment Variables:"
-docker exec palmr env | grep -E "PALMR_|ENCRYPTION_|DATABASE_"
+echo "5. Application Files:"
+docker exec palmr ls -la /app/palmr-app/
 
-echo "6. API Health:"
+echo "6. Environment Variables:"
+docker exec palmr env | grep -E "PALMR_|DISABLE_FILESYSTEM_ENCRYPTION|ENCRYPTION_|DATABASE_"
+
+echo "7. API Health:"
 curl -s http://localhost:3333/health || echo "API not accessible"
 
-echo "7. Web Interface:"
+echo "8. Web Interface:"
 curl -s -o /dev/null -w "%{http_code}" http://localhost:5487 || echo "Web interface not accessible"
 
-echo "8. Disk Space:"
+echo "9. Disk Space:"
 df -h
 
 echo "=== End Health Check ==="
@@ -360,13 +366,11 @@ If none of these solutions work:
    ```
 
 2. **Check our documentation:**
-
    - [UID/GID Configuration](/docs/3.0-beta/uid-gid-configuration)
    - [Quick Start Guide](/docs/3.0-beta/quick-start)
    - [API Reference](/docs/3.0-beta/api)
 
 3. **Open an issue on GitHub:**
-
    - Include your `docker-compose.yaml`
    - Include relevant log output
    - Describe your system (OS, Docker version, etc.)

apps/docs/content/docs/3.2-beta/uid-gid-configuration.mdx

@@ -9,15 +9,15 @@ Configure user and group permissions for seamless bind mount compatibility acros
 
 Palmr. supports runtime UID/GID configuration to resolve permission conflicts when using bind mounts. This eliminates the need for manual permission management on your host system.
 
-**⚠️ Important**: Palmr uses **UID 1001, GID 1001** by default, which is different from the standard Linux convention of **UID 1000, GID 1000**. This is the most common cause of permission issues with bind mounts.
+**⚠️ Important**: Palmr uses **UID 1000, GID 1000** by default, which matches the standard Linux convention. However, some systems may use different UID/GID values, which can cause permission issues with bind mounts.
 
 ## The Permission Problem
 
 ### Why This Happens
 
-- **Palmr Default**: UID 1001, GID 1001 (container)
+- **Palmr Default**: UID 1000, GID 1000 (container)
 - **Linux Standard**: UID 1000, GID 1000 (most host systems)
-- **Result**: Container can't write to host directories
+- **Result**: Usually compatible, but some systems may use different values
 
 ### Common Error Scenarios
 
@@ -30,7 +30,7 @@ EACCES: permission denied, open '/app/server/uploads/file.txt'
 # Or when checking permissions:
 $ ls -la uploads/
 drwxr-xr-x 2 user user 4096 Jan 15 10:00 uploads/
-# Container tries to write as UID 1001, but directory is owned by UID 1000
+# Container tries to write with different UID/GID than directory owner
 ```
 
 ## Quick Fix
@@ -45,15 +45,13 @@ services:
     image: kyantech/palmr:latest
     container_name: palmr
     environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=your-secure-key-min-32-chars
       - PALMR_UID=1000
       - PALMR_GID=1000
     ports:
       - "5487:5487"
     volumes:
       - ./uploads:/app/server/uploads:rw
-      - ./temp-chunks:/app/server/temp-chunks:rw
+      - ./temp-uploads:/app/server/temp-uploads:rw
     restart: unless-stopped
 ```
 
@@ -63,8 +61,8 @@ If you prefer to keep Palmr's defaults:
 
 ```bash
 # Create directories with correct ownership
-mkdir -p uploads temp-chunks
-chown -R 1001:1001 uploads temp-chunks
+mkdir -p uploads temp-uploads
+chown -R 1001:1001 uploads temp-uploads
 ```
 
 ## Environment Variables
@@ -104,8 +102,6 @@ services:
     image: kyantech/palmr:latest
     container_name: palmr
     environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=your-secure-key-min-32-chars
       - PALMR_UID=1000
       - PALMR_GID=1000
     ports:
@@ -123,8 +119,6 @@ services:
     image: kyantech/palmr:latest
     container_name: palmr
     environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=your-secure-key-min-32-chars
       - PALMR_UID=1026
       - PALMR_GID=100
     ports:
@@ -142,8 +136,6 @@ services:
     image: kyantech/palmr:latest
     container_name: palmr
     environment:
-      - ENABLE_S3=false
-      - ENCRYPTION_KEY=your-secure-key-min-32-chars
       - PALMR_UID=1000
       - PALMR_GID=100
     ports:
@@ -166,7 +158,7 @@ services:
 id
 
 # 2. Check directory ownership
-ls -la uploads/ temp-chunks/
+ls -la uploads/ temp-uploads/
 
 # 3. Fix via environment variables (preferred)
 # Add to docker-compose.yaml:
@@ -174,7 +166,7 @@ ls -la uploads/ temp-chunks/
 # - PALMR_GID=1000
 
 # 4. Or fix via chown (alternative)
-chown -R 1001:1001 uploads temp-chunks
+chown -R 1001:1001 uploads temp-uploads
 ```
 
 **Error**: Container starts but files aren't accessible
@@ -225,11 +217,11 @@ cat /etc/passwd | grep -v nobody
 ```bash
 # Check if directories exist and are writable
 test -w uploads && echo "uploads writable" || echo "uploads NOT writable"
-test -w temp-chunks && echo "temp-chunks writable" || echo "temp-chunks NOT writable"
+test -w temp-uploads && echo "temp-uploads writable" || echo "temp-uploads NOT writable"
 
 # Create directories with correct permissions
-mkdir -p uploads temp-chunks
-sudo chown -R $(id -u):$(id -g) uploads temp-chunks
+mkdir -p uploads temp-uploads
+sudo chown -R $(id -u):$(id -g) uploads temp-uploads
 ```
 
 ---
@@ -270,7 +262,7 @@ To add UID/GID configuration to running installations:
    cp -r ./data ./data-backup
    # or
    cp -r ./uploads ./uploads-backup
-   cp -r ./temp-chunks ./temp-chunks-backup
+   cp -r ./temp-uploads ./temp-uploads-backup
    ```
 
 3. **Check your UID/GID**
@@ -344,4 +336,4 @@ For most users experiencing permission issues with bind mounts:
    ```
 3. **Restart**: `docker-compose down && docker-compose up -d`
 
-This resolves the mismatch between Palmr's default UID 1001 and the standard Linux UID 1000.
+This ensures compatibility between Palmr's UID/GID and your host system's file ownership.

apps/docs/content/docs/meta.json

@@ -1,3 +1,3 @@
 {
-  "pages": ["3.1-beta", "2.0.0-beta"]
+  "pages": ["3.2-beta", "2.0.0-beta"]
 }

apps/docs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmr-docs",
-  "version": "3.1-beta",
+  "version": "3.2.3-beta",
   "description": "Docs for Palmr",
   "private": true,
   "author": "Daniel Luiz Alves <daniel@kyantech.com.br>",

apps/docs/src/app/(home)/page.tsx

@@ -1,3 +1,5 @@
+"use client";
+
 import type { ReactNode } from "react";
 import Link from "next/link";
 import {
@@ -57,13 +59,13 @@ const images = [
   "https://res.cloudinary.com/technical-intelligence/image/upload/v1745546005/Palmr./profile_mizwvg.png",
 ];
 
-const docsLink = "/docs/3.1-beta";
+const docsLink = "/docs/3.2-beta";
 
 function Hero() {
   return (
     <section className="relative z-[2] flex flex-col border-x border-t  px-6 pt-12 pb-10 md:px-12 md:pt-16 max-md:text-center">
       <h1 className="mb-8 text-6xl font-bold">
-        Palmr. <span className="text-[13px] font-light text-muted-foreground/50 font-mono">v3.1-beta</span>
+        Palmr. <span className="text-[13px] font-light text-muted-foreground/50 font-mono">v3.2-beta</span>
       </h1>
       <h1 className="hidden text-4xl font-medium max-w-[600px] md:block mb-4">Modern & efficient file sharing</h1>
       <p className="mb-8 text-fd-muted-foreground md:max-w-[80%] md:text-xl">
@@ -79,7 +81,6 @@ function Hero() {
             <Link href={docsLink}>Documentation</Link>
           </div>
         </PulsatingButton>
-
         <RippleButton>
           <a
             href="https://github.com/kyantech/Palmr"
@@ -293,7 +294,7 @@ function FullWidthFooter() {
       <div className="flex items-center gap-1 text-sm max-w-7xl">
         <span>Powered by</span>
         <Link
-          href="http://kyantech.com.br"
+          href="https://github.com/kyantech"
           rel="noopener noreferrer"
           target="_blank"
           className="flex items-center hover:text-green-700 text-green-500 transition-colors font-light"

apps/docs/src/app/api/search/route.ts

@@ -9,6 +9,6 @@ export const { GET } = createFromSource(source, (page) => {
     url: page.url,
     id: page.url,
     structuredData: page.data.structuredData,
-    tag: page.url.startsWith("/docs/3.1-beta") ? "v3.1-beta" : "v2.0.0-beta",
+    tag: page.url.startsWith("/docs/3.2-beta") ? "v3.2-beta" : "v2.0.0-beta",
   };
 });

apps/docs/src/app/docs/[[...slug]]/page.tsx

@@ -11,11 +11,10 @@ import { Sponsor } from "../components/sponsor";
 export default async function Page(props: { params: Promise<{ slug?: string[] }> }) {
   const params = await props.params;
   const page = source.getPage(params.slug);
-  if (!page) redirect("/docs/3.1-beta");
+  if (!page) redirect("/docs/3.2-beta");
 
   const MDXContent = page.data.body;
 
-  // Check if this is an older version page that needs a warning
   const shouldShowWarning = page.url.startsWith("/docs/2.0.0-beta");
 
   return (
@@ -50,7 +49,7 @@ export async function generateStaticParams() {
 export async function generateMetadata(props: { params: Promise<{ slug?: string[] }> }) {
   const params = await props.params;
   const page = source.getPage(params.slug);
-  if (!page) redirect("/docs/3.1-beta");
+  if (!page) redirect("/docs/3.2-beta");
 
   return {
     title: page.data.title + " | Palmr. Docs",

apps/docs/src/app/docs/components/footer.tsx

@@ -6,7 +6,7 @@ export function Footer() {
       <div className="flex items-center gap-1 text-sm ">
         <span>Powered by</span>
         <Link
-          href="http://kyantech.com.br"
+          href="https://github.com/kyantech"
           rel="noopener noreferrer"
           target="_blank"
           className="flex items-center hover:text-green-700 text-green-500 transition-colors font-light"

apps/docs/src/app/layout.tsx

@@ -28,7 +28,7 @@ export default function Layout({ children }: { children: ReactNode }) {
         <RootProvider
           search={{
             options: {
-              defaultTag: "3.1-beta",
+              defaultTag: "3.2-beta",
               tags: [
                 {
                   name: "v2.0.0 Beta",
@@ -36,7 +36,7 @@ export default function Layout({ children }: { children: ReactNode }) {
                 },
                 {
                   name: "v3.0 Beta ✨",
-                  value: "3.1-beta",
+                  value: "3.2-beta",
                   props: {
                     style: {
                       border: "1px solid rgba(0,165,80,0.2)",

apps/docs/src/components/OIDCProviderCards.tsx

@@ -6,55 +6,61 @@ const providers = [
   {
     name: "Google",
     description: "Configure authentication using Google OAuth2 services",
-    href: "/docs/3.1-beta/oidc-authentication/google",
+    href: "/docs/3.2-beta/oidc-authentication/google",
     icon: <Chrome className="w-4 h-4" />,
   },
   {
     name: "Discord",
     description: "Set up Discord OAuth2 for community-based authentication",
-    href: "/docs/3.1-beta/oidc-authentication/discord",
+    href: "/docs/3.2-beta/oidc-authentication/discord",
     icon: <MessageSquare className="w-4 h-4" />,
   },
   {
     name: "GitHub",
     description: "Enable GitHub OAuth for developer-friendly sign-in",
-    href: "/docs/3.1-beta/oidc-authentication/github",
+    href: "/docs/3.2-beta/oidc-authentication/github",
     icon: <Github className="w-4 h-4" />,
   },
   {
     name: "Zitadel",
     description: "Enterprise-grade identity and access management",
-    href: "/docs/3.1-beta/oidc-authentication/zitadel",
+    href: "/docs/3.2-beta/oidc-authentication/zitadel",
     icon: <Shield className="w-4 h-4" />,
   },
   {
     name: "Auth0",
     description: "Flexible identity platform with extensive customization",
-    href: "/docs/3.1-beta/oidc-authentication/auth0",
+    href: "/docs/3.2-beta/oidc-authentication/auth0",
     icon: <Lock className="w-4 h-4" />,
   },
   {
     name: "Authentik",
     description: "Open-source identity provider with modern features",
-    href: "/docs/3.1-beta/oidc-authentication/authentik",
+    href: "/docs/3.2-beta/oidc-authentication/authentik",
     icon: <Key className="w-4 h-4" />,
   },
   {
     name: "Frontegg",
     description: "User management platform for B2B applications",
-    href: "/docs/3.1-beta/oidc-authentication/frontegg",
+    href: "/docs/3.2-beta/oidc-authentication/frontegg",
     icon: <Egg className="w-4 h-4" />,
   },
   {
     name: "Kinde Auth",
     description: "Developer-first authentication and user management",
-    href: "/docs/3.1-beta/oidc-authentication/kinde-auth",
+    href: "/docs/3.2-beta/oidc-authentication/kinde-auth",
     icon: <Users className="w-4 h-" />,
   },
+  {
+    name: "Pocket ID",
+    description: "Open-source identity provider with OIDC support",
+    href: "/docs/3.2-beta/oidc-authentication/pocket-id",
+    icon: <Key className="w-4 h-4" />,
+  },
   {
     name: "Other",
     description: "Configure any other OIDC-compliant identity provider",
-    href: "/docs/3.1-beta/oidc-authentication/other",
+    href: "/docs/3.2-beta/oidc-authentication/other",
     icon: <Settings className="w-4 h-4" />,
   },
 ];

apps/docs/src/components/ui/background-lights.tsx

@@ -0,0 +1,33 @@
+import { motion } from "motion/react";
+
+export function BackgroundLights() {
+  return (
+    <div className="absolute inset-0 -z-10 overflow-hidden">
+      <motion.div
+        animate={{
+          scale: [1, 1.1, 1],
+          opacity: [0.3, 0.5, 0.3],
+        }}
+        className="absolute -top-[20%] -left-[20%] w-[140%] h-[140%] bg-[radial-gradient(circle,rgba(34,197,94,0.15)_0%,transparent_70%)] dark:opacity-100 opacity-50"
+        transition={{
+          duration: 5,
+          repeat: Infinity,
+          ease: "easeInOut",
+        }}
+      />
+      <motion.div
+        animate={{
+          scale: [1, 1.1, 1],
+          opacity: [0.3, 0.5, 0.3],
+        }}
+        className="absolute -bottom-[20%] -right-[20%] w-[140%] h-[140%] bg-[radial-gradient(circle,rgba(34,197,94,0.15)_0%,transparent_70%)] dark:opacity-100 opacity-50"
+        transition={{
+          duration: 5,
+          repeat: Infinity,
+          ease: "easeInOut",
+          delay: 2.5,
+        }}
+      />
+    </div>
+  );
+}

apps/docs/src/components/ui/card.tsx

@@ -5,14 +5,15 @@ import { cn } from "@/lib/utils";
 
 interface CardProps {
   title: string;
-  description: string;
+  description?: string;
   href?: string;
   icon?: ReactNode;
   className?: string;
   onClick?: () => void;
+  children?: ReactNode;
 }
 
-export const Card = ({ title, description, href, icon, className, onClick }: CardProps) => {
+export const Card = ({ title, description, href, icon, className, onClick, children }: CardProps) => {
   const cardContent = (
     <div
       className={cn(
@@ -37,9 +38,16 @@ export const Card = ({ title, description, href, icon, className, onClick }: Car
           <h3 className="font-medium text-sm text-foreground mb-1 group-hover:text-primary transition-colors duration-200 mt-3 text-decoration-none">
             {title}
           </h3>
-          <p className="text-xs text-muted-foreground/80 leading-relaxed line-clamp-2 group-hover:text-muted-foreground transition-colors duration-200">
-            {description}
-          </p>
+          {description && (
+            <p className="text-xs text-muted-foreground/80 leading-relaxed line-clamp-2 group-hover:text-muted-foreground transition-colors duration-200">
+              {description}
+            </p>
+          )}
+          {children && (
+            <div className="text-xs text-muted-foreground/80 leading-relaxed group-hover:text-muted-foreground transition-colors duration-200 mt-2">
+              {children}
+            </div>
+          )}
         </div>
         <div className="flex-shrink-0 ml-2">
           <div className="w-5 h-5 rounded-full bg-muted/40 flex items-center justify-center opacity-0 group-hover:opacity-100 group-hover:bg-primary/10 transition-all duration-200">

apps/docs/src/config/constants.ts

@@ -1,2 +1,2 @@
-export const LATEST_VERSION_PATH = "/docs/3.1-beta";
-export const LATEST_VERSION = "v3.1-beta";
+export const LATEST_VERSION_PATH = "/docs/3.2-beta";
+export const LATEST_VERSION = "v3.2-beta";

apps/server/.env.example

@@ -1,6 +1,7 @@
 # FOR FILESYSTEM STORAGE ENV VARS
 ENABLE_S3=false 
-ENCRYPTION_KEY=change-this-key-in-production-min-32-chars
+DISABLE_FILESYSTEM_ENCRYPTION=true
+# ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # Required only if encryption is enabled (DISABLE_FILESYSTEM_ENCRYPTION=false)
 DATABASE_URL="file:./palmr.db"
 
 # FOR USE WITH S3 COMPATIBLE STORAGE
@@ -13,3 +14,5 @@ DATABASE_URL="file:./palmr.db"
 # S3_REGION=
 # S3_BUCKET_NAME=
 # S3_FORCE_PATH_STYLE=
+# S3_REJECT_UNAUTHORIZED=true # Set to false to disable strict SSL certificate validation for self-signed certificates (optional, defaults to true)
+# PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (optional, defaults to 3600 seconds / 1 hour)

apps/server/.turbo/turbo-lint.log

@@ -1,5 +0,0 @@
-
-
-> palmr-api@3.1-beta lint /Users/daniel/clones/Palmr/apps/server
-> eslint "src/**/*.+(ts|tsx)"
-

apps/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmr-api",
-  "version": "3.1-beta",
+  "version": "3.2.3-beta",
   "description": "API for Palmr",
   "private": true,
   "author": "Daniel Luiz Alves <daniel@kyantech.com.br>",
@@ -51,7 +51,9 @@
     "node-fetch": "^3.3.2",
     "nodemailer": "^6.10.0",
     "openid-client": "^6.6.2",
+    "qrcode": "^1.5.4",
     "sharp": "^0.34.2",
+    "speakeasy": "^2.0.0",
     "zod": "^3.25.67"
   },
   "devDependencies": {
@@ -61,6 +63,8 @@
     "@types/bcryptjs": "^2.4.6",
     "@types/node": "^22.13.4",
     "@types/nodemailer": "^6.4.17",
+    "@types/qrcode": "^1.5.5",
+    "@types/speakeasy": "^2.0.10",
     "@typescript-eslint/eslint-plugin": "8.35.1",
     "@typescript-eslint/parser": "8.35.1",
     "eslint": "9.30.0",
@@ -73,4 +77,4 @@
     "tsx": "^4.19.2",
     "typescript": "^5.7.3"
   }
-}
+}

apps/server/prisma/schema.prisma

@@ -1,265 +1,319 @@
-generator client {
-  provider = "prisma-client-js"
-}
-
-datasource db {
-  provider = "sqlite"
-  url      = env("DATABASE_URL")
-}
-
-model User {
-  id        String   @id @default(cuid())
-  firstName String
-  lastName  String
-  username  String   @unique
-  email     String   @unique
-  password  String?
-  image     String?
-  isAdmin   Boolean  @default(false)
-  isActive  Boolean  @default(true)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  files         File[]
-  shares        Share[]
-  reverseShares ReverseShare[]
-
-  loginAttempts LoginAttempt?
-
-  passwordResets PasswordReset[]
-  authProviders  UserAuthProvider[]
-
-  @@map("users")
-}
-
-model File {
-  id          String  @id @default(cuid())
-  name        String
-  description String?
-  extension   String
-  size        BigInt
-  objectName  String
-
-  userId String
-  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  shares Share[] @relation("ShareFiles")
-
-  @@map("files")
-}
-
-model Share {
-  id          String    @id @default(cuid())
-  name        String?
-  views       Int       @default(0)
-  expiration  DateTime?
-  description String?
-  createdAt   DateTime  @default(now())
-  updatedAt   DateTime  @updatedAt
-
-  creatorId String?
-  creator   User?   @relation(fields: [creatorId], references: [id], onDelete: SetNull)
-
-  securityId String        @unique
-  security   ShareSecurity @relation(fields: [securityId], references: [id])
-
-  files      File[]           @relation("ShareFiles")
-  recipients ShareRecipient[]
-
-  alias ShareAlias?
-
-  @@map("shares")
-}
-
-model ShareSecurity {
-  id        String   @id @default(cuid())
-  password  String?
-  maxViews  Int?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  share Share?
-
-  @@map("share_security")
-}
-
-model ShareRecipient {
-  id    String @id @default(cuid())
-  email String
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  shareId String
-  share   Share  @relation(fields: [shareId], references: [id], onDelete: Cascade)
-
-  @@map("share_recipients")
-}
-
-model AppConfig {
-  id        String   @id @default(cuid())
-  key       String   @unique
-  value     String
-  type      String
-  group     String
-  isSystem  Boolean  @default(true)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  @@map("app_configs")
-}
-
-model LoginAttempt {
-  id          String   @id @default(cuid())
-  userId      String   @unique
-  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
-  attempts    Int      @default(1)
-  lastAttempt DateTime @default(now())
-
-  @@map("login_attempts")
-}
-
-model PasswordReset {
-  id        String   @id @default(cuid())
-  userId    String
-  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
-  token     String   @unique
-  expiresAt DateTime
-  used      Boolean  @default(false)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  @@map("password_resets")
-}
-
-model ShareAlias {
-  id        String   @id @default(cuid())
-  alias     String   @unique
-  shareId   String   @unique
-  share     Share    @relation(fields: [shareId], references: [id], onDelete: Cascade)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  @@map("share_aliases")
-}
-
-model AuthProvider {
-  id          String  @id @default(cuid())
-  name        String  @unique
-  displayName String
-  type        String
-  icon        String?
-  enabled     Boolean @default(false)
-
-  issuerUrl    String?
-  clientId     String?
-  clientSecret String?
-  redirectUri  String?
-  scope        String? @default("openid profile email")
-
-  authorizationEndpoint String?
-  tokenEndpoint         String?
-  userInfoEndpoint      String?
-
-  metadata String?
-
-  autoRegister      Boolean @default(true)
-  adminEmailDomains String?
-
-  sortOrder Int @default(0)
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  userAuthProviders UserAuthProvider[]
-
-  @@map("auth_providers")
-}
-
-model UserAuthProvider {
-  id     String @id @default(cuid())
-  userId String
-  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  providerId   String
-  authProvider AuthProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
-
-  provider String?
-
-  externalId String
-  metadata   String?
-  createdAt  DateTime @default(now())
-  updatedAt  DateTime @updatedAt
-
-  @@unique([userId, providerId])
-  @@unique([providerId, externalId])
-  @@map("user_auth_providers")
-}
-
-model ReverseShare {
-  id                 String           @id @default(cuid())
-  name               String?
-  description        String?
-  expiration         DateTime?
-  maxFiles           Int?
-  maxFileSize        BigInt?
-  allowedFileTypes   String?
-  password           String?
-  pageLayout         PageLayout       @default(DEFAULT)
-  isActive           Boolean          @default(true)
-  nameFieldRequired  FieldRequirement @default(OPTIONAL)
-  emailFieldRequired FieldRequirement @default(OPTIONAL)
-  createdAt          DateTime         @default(now())
-  updatedAt          DateTime         @updatedAt
-
-  creatorId String
-  creator   User   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
-
-  files ReverseShareFile[]
-  alias ReverseShareAlias?
-
-  @@map("reverse_shares")
-}
-
-model ReverseShareFile {
-  id            String   @id @default(cuid())
-  name          String
-  description   String?
-  extension     String
-  size          BigInt
-  objectName    String
-  uploaderEmail String?
-  uploaderName  String?
-  createdAt     DateTime @default(now())
-  updatedAt     DateTime @updatedAt
-
-  reverseShareId String
-  reverseShare   ReverseShare @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
-
-  @@map("reverse_share_files")
-}
-
-model ReverseShareAlias {
-  id             String       @id @default(cuid())
-  alias          String       @unique
-  reverseShareId String       @unique
-  reverseShare   ReverseShare @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
-  createdAt      DateTime     @default(now())
-  updatedAt      DateTime     @updatedAt
-
-  @@map("reverse_share_aliases")
-}
-
-enum FieldRequirement {
-  HIDDEN
-  OPTIONAL
-  REQUIRED
-}
-
-enum PageLayout {
-  DEFAULT
-  WETRANSFER
-}
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "sqlite"
+  url      = env("DATABASE_URL")
+}
+
+model User {
+  id        String   @id @default(cuid())
+  firstName String
+  lastName  String
+  username  String   @unique
+  email     String   @unique
+  password  String?
+  image     String?
+  isAdmin   Boolean  @default(false)
+  isActive  Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  twoFactorEnabled     Boolean @default(false)
+  twoFactorSecret      String?
+  twoFactorBackupCodes String?
+  twoFactorVerified    Boolean @default(false)
+
+  files         File[]
+  folders       Folder[]
+  shares        Share[]
+  reverseShares ReverseShare[]
+
+  loginAttempts LoginAttempt?
+
+  passwordResets PasswordReset[]
+  authProviders  UserAuthProvider[]
+  trustedDevices TrustedDevice[]
+
+  @@map("users")
+}
+
+model File {
+  id          String  @id @default(cuid())
+  name        String
+  description String?
+  extension   String
+  size        BigInt
+  objectName  String
+
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  folderId String?
+  folder   Folder? @relation(fields: [folderId], references: [id], onDelete: Cascade)
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  shares Share[] @relation("ShareFiles")
+
+  @@index([folderId])
+
+  @@map("files")
+}
+
+model Share {
+  id          String    @id @default(cuid())
+  name        String?
+  views       Int       @default(0)
+  expiration  DateTime?
+  description String?
+  createdAt   DateTime  @default(now())
+  updatedAt   DateTime  @updatedAt
+
+  creatorId String?
+  creator   User?   @relation(fields: [creatorId], references: [id], onDelete: SetNull)
+
+  securityId String        @unique
+  security   ShareSecurity @relation(fields: [securityId], references: [id])
+
+  files      File[]           @relation("ShareFiles")
+  folders    Folder[]         @relation("ShareFolders")
+  recipients ShareRecipient[]
+
+  alias ShareAlias?
+
+  @@map("shares")
+}
+
+model ShareSecurity {
+  id        String   @id @default(cuid())
+  password  String?
+  maxViews  Int?
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  share Share?
+
+  @@map("share_security")
+}
+
+model ShareRecipient {
+  id    String @id @default(cuid())
+  email String
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  shareId String
+  share   Share  @relation(fields: [shareId], references: [id], onDelete: Cascade)
+
+  @@map("share_recipients")
+}
+
+model AppConfig {
+  id        String   @id @default(cuid())
+  key       String   @unique
+  value     String
+  type      String
+  group     String
+  isSystem  Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("app_configs")
+}
+
+model LoginAttempt {
+  id          String   @id @default(cuid())
+  userId      String   @unique
+  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  attempts    Int      @default(1)
+  lastAttempt DateTime @default(now())
+
+  @@map("login_attempts")
+}
+
+model PasswordReset {
+  id        String   @id @default(cuid())
+  userId    String
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  token     String   @unique
+  expiresAt DateTime
+  used      Boolean  @default(false)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("password_resets")
+}
+
+model ShareAlias {
+  id        String   @id @default(cuid())
+  alias     String   @unique
+  shareId   String   @unique
+  share     Share    @relation(fields: [shareId], references: [id], onDelete: Cascade)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("share_aliases")
+}
+
+model AuthProvider {
+  id          String  @id @default(cuid())
+  name        String  @unique
+  displayName String
+  type        String
+  icon        String?
+  enabled     Boolean @default(false)
+
+  issuerUrl    String?
+  clientId     String?
+  clientSecret String?
+  redirectUri  String?
+  scope        String? @default("openid profile email")
+
+  authorizationEndpoint String?
+  tokenEndpoint         String?
+  userInfoEndpoint      String?
+
+  metadata String?
+
+  autoRegister      Boolean @default(true)
+  adminEmailDomains String?
+
+  sortOrder Int @default(0)
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  userAuthProviders UserAuthProvider[]
+
+  @@map("auth_providers")
+}
+
+model UserAuthProvider {
+  id     String @id @default(cuid())
+  userId String
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  providerId   String
+  authProvider AuthProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+
+  provider String?
+
+  externalId String
+  metadata   String?
+  createdAt  DateTime @default(now())
+  updatedAt  DateTime @updatedAt
+
+  @@unique([userId, providerId])
+  @@unique([providerId, externalId])
+  @@map("user_auth_providers")
+}
+
+model ReverseShare {
+  id                 String           @id @default(cuid())
+  name               String?
+  description        String?
+  expiration         DateTime?
+  maxFiles           Int?
+  maxFileSize        BigInt?
+  allowedFileTypes   String?
+  password           String?
+  pageLayout         PageLayout       @default(DEFAULT)
+  isActive           Boolean          @default(true)
+  nameFieldRequired  FieldRequirement @default(OPTIONAL)
+  emailFieldRequired FieldRequirement @default(OPTIONAL)
+  createdAt          DateTime         @default(now())
+  updatedAt          DateTime         @updatedAt
+
+  creatorId String
+  creator   User   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
+
+  files ReverseShareFile[]
+  alias ReverseShareAlias?
+
+  @@map("reverse_shares")
+}
+
+model ReverseShareFile {
+  id            String   @id @default(cuid())
+  name          String
+  description   String?
+  extension     String
+  size          BigInt
+  objectName    String
+  uploaderEmail String?
+  uploaderName  String?
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+
+  reverseShareId String
+  reverseShare   ReverseShare @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
+
+  @@map("reverse_share_files")
+}
+
+model ReverseShareAlias {
+  id             String       @id @default(cuid())
+  alias          String       @unique
+  reverseShareId String       @unique
+  reverseShare   ReverseShare @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
+  createdAt      DateTime     @default(now())
+  updatedAt      DateTime     @updatedAt
+
+  @@map("reverse_share_aliases")
+}
+
+enum FieldRequirement {
+  HIDDEN
+  OPTIONAL
+  REQUIRED
+}
+
+enum PageLayout {
+  DEFAULT
+  WETRANSFER
+}
+
+model TrustedDevice {
+  id           String   @id @default(cuid())
+  userId       String
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  deviceHash   String   @unique
+  deviceName   String?
+  userAgent    String?
+  ipAddress    String?
+  lastUsedAt   DateTime @default(now())
+  expiresAt    DateTime
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+
+  @@map("trusted_devices")
+}
+
+model Folder {
+  id          String   @id @default(cuid())
+  name        String
+  description String?
+  objectName  String
+
+  parentId    String?
+  parent      Folder?  @relation("FolderHierarchy", fields: [parentId], references: [id], onDelete: Cascade)
+  children    Folder[] @relation("FolderHierarchy")
+
+  userId      String
+  user        User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  files       File[]
+
+  shares      Share[]  @relation("ShareFolders")
+
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+
+  @@index([userId])
+  @@index([parentId])
+  @@map("folders")
+}

apps/server/prisma/seed.js

@@ -147,6 +147,12 @@ const defaultConfigs = [
     type: "boolean",
     group: "auth-providers",
   },
+  {
+    key: "passwordAuthEnabled",
+    value: "true",
+    type: "boolean",
+    group: "security",
+  },
   {
     key: "serverUrl",
     value: "http://localhost:3333",
@@ -303,6 +309,24 @@ const defaultAuthProviders = [
       supportsDiscovery: true,
     }),
   },
+  {
+    name: "pocketid",
+    displayName: "Pocket ID",
+    type: "oidc",
+    icon: "BsFillPSquareFill",
+    enabled: false,
+    issuerUrl: "https://your-pocket-id.domain.com",
+    authorizationEndpoint: "/authorize",
+    tokenEndpoint: "/api/oidc/token",
+    userInfoEndpoint: "/api/oidc/userinfo",
+    scope: "openid profile email",
+    sortOrder: 9,
+    metadata: JSON.stringify({
+      description: "Sign in with Pocket ID - Replace with your Pocket ID instance URL",
+      docs: "https://docs.pocket-id.org",
+      supportsDiscovery: true,
+    }),
+  },
 ];
 
 async function main() {

apps/server/reset-password.sh

@@ -6,7 +6,7 @@
 echo "🔐 Palmr Password Reset Tool"
 echo "============================="
 
-# Check if we're in the right directory
+# Check if we're in the right directory and set DATABASE_URL
 if [ ! -f "package.json" ]; then
     echo "❌ Error: This script must be run from the server directory (/app/server)"
     echo "   Current directory: $(pwd)"
@@ -14,18 +14,26 @@ if [ ! -f "package.json" ]; then
     exit 1
 fi
 
+# Set DATABASE_URL if not already set
+if [ -z "$DATABASE_URL" ]; then
+    export DATABASE_URL="file:/app/server/prisma/palmr.db"
+fi
+
+# Ensure database directory exists
+mkdir -p /app/server/prisma
+
 # Function to check if tsx is available
 check_tsx() {
     # Check if tsx binary exists in node_modules
     if [ -f "node_modules/.bin/tsx" ]; then
         return 0
     fi
-    
+
     # Fallback: try npx
     if npx tsx --version >/dev/null 2>&1; then
         return 0
     fi
-    
+
     return 1
 }
 
@@ -39,7 +47,7 @@ install_tsx_only() {
     else
         return 1
     fi
-    
+
     return $?
 }
 
@@ -62,7 +70,7 @@ ensure_prisma() {
     if [ -d "node_modules/@prisma/client" ] && [ -f "node_modules/@prisma/client/index.js" ]; then
         return 0
     fi
-    
+
     echo "📦 Generating Prisma client..."
     if npx prisma generate --silent >/dev/null 2>&1; then
         echo "✅ Prisma client ready"
@@ -81,14 +89,14 @@ if check_tsx; then
     echo "✅ tsx is ready"
 else
     echo "📦 tsx not found, installing..."
-    
+
     # Try quick tsx-only install first
     if install_tsx_only && check_tsx; then
         echo "✅ tsx installed successfully"
     else
         echo "⚠️  Quick install failed, installing all dependencies..."
         install_all_deps
-        
+
         # Final check
         if ! check_tsx; then
             echo "❌ Error: tsx is still not available after full installation"
@@ -119,4 +127,4 @@ if [ -f "node_modules/.bin/tsx" ]; then
     node_modules/.bin/tsx src/scripts/reset-password.ts "$@"
 else
     npx tsx src/scripts/reset-password.ts "$@"
-fi 
+fi

apps/server/src/app.ts

@@ -1,4 +1,5 @@
 import crypto from "node:crypto";
+import * as http from "node:http";
 import fastifyCookie from "@fastify/cookie";
 import { fastifyCors } from "@fastify/cors";
 import fastifyJwt from "@fastify/jwt";
@@ -24,13 +25,38 @@ export async function buildApp() {
       },
     },
     logger: {
-      level: "info",
+      level: "warn",
     },
     bodyLimit: 1024 * 1024 * 1024 * 1024 * 1024,
     connectionTimeout: 0,
     keepAliveTimeout: envTimeoutOverrides.keepAliveTimeout,
     requestTimeout: envTimeoutOverrides.requestTimeout,
     trustProxy: true,
+    maxParamLength: 500,
+    onProtoPoisoning: "ignore",
+    onConstructorPoisoning: "ignore",
+    ignoreTrailingSlash: true,
+    serverFactory: (handler: (req: any, res: any) => void) => {
+      const server = http.createServer((req: http.IncomingMessage, res: http.ServerResponse) => {
+        res.setTimeout(0);
+        req.setTimeout(0);
+
+        req.on("close", () => {
+          if (typeof global !== "undefined" && global.gc) {
+            setImmediate(() => global.gc!());
+          }
+        });
+
+        handler(req, res);
+      });
+
+      server.maxHeadersCount = 0;
+      server.timeout = 0;
+      server.keepAliveTimeout = envTimeoutOverrides.keepAliveTimeout;
+      server.headersTimeout = envTimeoutOverrides.keepAliveTimeout + 1000;
+
+      return server;
+    },
   }).withTypeProvider<ZodTypeProvider>();
 
   app.setValidatorCompiler(validatorCompiler);

apps/server/src/config/storage.config.ts

@@ -1,3 +1,4 @@
+import process from "node:process";
 import { S3Client } from "@aws-sdk/client-s3";
 
 import { env } from "../env";
@@ -14,6 +15,14 @@ export const storageConfig: StorageConfig = {
   forcePathStyle: env.S3_FORCE_PATH_STYLE === "true",
 };
 
+if (storageConfig.useSSL && env.S3_REJECT_UNAUTHORIZED === "false") {
+  const originalRejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+  if (!originalRejectUnauthorized) {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    (global as any).PALMR_ORIGINAL_TLS_SETTING = originalRejectUnauthorized;
+  }
+}
+
 export const s3Client =
   env.ENABLE_S3 === "true"
     ? new S3Client({

apps/server/src/config/swagger.config.ts

@@ -18,6 +18,7 @@ export function registerSwagger(app: any) {
         { name: "Auth Providers", description: "External authentication providers management" },
         { name: "User", description: "User management endpoints" },
         { name: "File", description: "File management endpoints" },
+        { name: "Folder", description: "Folder management endpoints" },
         { name: "Share", description: "File sharing endpoints" },
         { name: "Storage", description: "Storage management endpoints" },
         { name: "App", description: "Application configuration endpoints" },

apps/server/src/env.ts

@@ -2,7 +2,8 @@ import { z } from "zod";
 
 const envSchema = z.object({
   ENABLE_S3: z.union([z.literal("true"), z.literal("false")]).default("false"),
-  ENCRYPTION_KEY: z.string().optional().default("palmr-default-encryption-key-2025"),
+  ENCRYPTION_KEY: z.string().optional(),
+  DISABLE_FILESYSTEM_ENCRYPTION: z.union([z.literal("true"), z.literal("false")]).default("true"),
   S3_ENDPOINT: z.string().optional(),
   S3_PORT: z.string().optional(),
   S3_USE_SSL: z.string().optional(),
@@ -11,8 +12,28 @@ const envSchema = z.object({
   S3_REGION: z.string().optional(),
   S3_BUCKET_NAME: z.string().optional(),
   S3_FORCE_PATH_STYLE: z.union([z.literal("true"), z.literal("false")]).default("false"),
+  S3_REJECT_UNAUTHORIZED: z.union([z.literal("true"), z.literal("false")]).default("true"),
+  PRESIGNED_URL_EXPIRATION: z.string().optional().default("3600"),
   SECURE_SITE: z.union([z.literal("true"), z.literal("false")]).default("false"),
   DATABASE_URL: z.string().optional().default("file:/app/server/prisma/palmr.db"),
+  DOWNLOAD_MAX_CONCURRENT: z
+    .string()
+    .optional()
+    .transform((val) => (val ? parseInt(val, 10) : undefined)),
+  DOWNLOAD_MEMORY_THRESHOLD_MB: z
+    .string()
+    .optional()
+    .transform((val) => (val ? parseInt(val, 10) : undefined)),
+  DOWNLOAD_QUEUE_SIZE: z
+    .string()
+    .optional()
+    .transform((val) => (val ? parseInt(val, 10) : undefined)),
+  DOWNLOAD_AUTO_SCALE: z.union([z.literal("true"), z.literal("false")]).default("true"),
+  DOWNLOAD_MIN_FILE_SIZE_GB: z
+    .string()
+    .optional()
+    .transform((val) => (val ? parseFloat(val) : undefined)),
+  CUSTOM_PATH: z.string().optional(),
 });
 
 export const env = envSchema.parse(process.env);

apps/server/src/modules/app/controller.ts

@@ -9,7 +9,7 @@ export class AppController {
   private logoService = new LogoService();
   private emailService = new EmailService();
 
-  async getAppInfo(request: FastifyRequest, reply: FastifyReply) {
+  async getAppInfo(_request: FastifyRequest, reply: FastifyReply) {
     try {
       const appInfo = await this.appService.getAppInfo();
       return reply.send(appInfo);
@@ -18,7 +18,16 @@ export class AppController {
     }
   }
 
-  async getAllConfigs(request: FastifyRequest, reply: FastifyReply) {
+  async getSystemInfo(_request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const systemInfo = await this.appService.getSystemInfo();
+      return reply.send(systemInfo);
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async getAllConfigs(_request: FastifyRequest, reply: FastifyReply) {
     try {
       const configs = await this.appService.getAllConfigs();
       return reply.send({ configs });
@@ -27,6 +36,15 @@ export class AppController {
     }
   }
 
+  async getPublicConfigs(_request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const configs = await this.appService.getPublicConfigs();
+      return reply.send({ configs });
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
   async updateConfig(request: FastifyRequest, reply: FastifyReply) {
     try {
       const { key } = request.params as { key: string };
@@ -81,9 +99,8 @@ export class AppController {
         return reply.status(400).send({ error: "Only images are allowed" });
       }
 
-      // Logo files should be small (max 5MB), so we can safely use streaming to buffer
       const chunks: Buffer[] = [];
-      const maxLogoSize = 5 * 1024 * 1024; // 5MB
+      const maxLogoSize = 5 * 1024 * 1024;
       let totalSize = 0;
 
       for await (const chunk of file.file) {
@@ -105,7 +122,7 @@ export class AppController {
     }
   }
 
-  async removeLogo(request: FastifyRequest, reply: FastifyReply) {
+  async removeLogo(_request: FastifyRequest, reply: FastifyReply) {
     try {
       await this.logoService.deleteLogo();
       return reply.send({ message: "Logo removed successfully" });

apps/server/src/modules/app/routes.ts

@@ -53,6 +53,26 @@ export async function appRoutes(app: FastifyInstance) {
     appController.getAppInfo.bind(appController)
   );
 
+  app.get(
+    "/app/system-info",
+    {
+      schema: {
+        tags: ["App"],
+        operationId: "getSystemInfo",
+        summary: "Get system information",
+        description: "Get system information including storage provider",
+        response: {
+          200: z.object({
+            storageProvider: z.enum(["s3", "filesystem"]).describe("The active storage provider"),
+            s3Enabled: z.boolean().describe("Whether S3 storage is enabled"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    appController.getSystemInfo.bind(appController)
+  );
+
   app.patch(
     "/app/configs/:key",
     {
@@ -82,15 +102,34 @@ export async function appRoutes(app: FastifyInstance) {
     appController.updateConfig.bind(appController)
   );
 
+  app.get(
+    "/app/configs/public",
+    {
+      schema: {
+        tags: ["App"],
+        operationId: "getPublicConfigs",
+        summary: "List public configurations",
+        description: "List public configurations (excludes sensitive data like SMTP credentials)",
+        response: {
+          200: z.object({
+            configs: z.array(ConfigResponseSchema),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    appController.getPublicConfigs.bind(appController)
+  );
+
   app.get(
     "/app/configs",
     {
-      // preValidation: adminPreValidation,
+      preValidation: adminPreValidation,
       schema: {
         tags: ["App"],
         operationId: "getAllConfigs",
         summary: "List all configurations",
-        description: "List all configurations (admin only)",
+        description: "List all configurations including sensitive data (admin only)",
         response: {
           200: z.object({
             configs: z.array(ConfigResponseSchema),

apps/server/src/modules/app/service.ts

@@ -1,3 +1,4 @@
+import { isS3Enabled } from "../../config/storage.config";
 import { prisma } from "../../shared/prisma";
 import { ConfigService } from "../config/service";
 
@@ -20,6 +21,13 @@ export class AppService {
     };
   }
 
+  async getSystemInfo() {
+    return {
+      storageProvider: isS3Enabled ? "s3" : "filesystem",
+      s3Enabled: isS3Enabled,
+    };
+  }
+
   async getAllConfigs() {
     return prisma.appConfig.findMany({
       where: {
@@ -33,11 +41,46 @@ export class AppService {
     });
   }
 
+  async getPublicConfigs() {
+    const sensitiveKeys = [
+      "smtpHost",
+      "smtpPort",
+      "smtpUser",
+      "smtpPass",
+      "smtpSecure",
+      "smtpNoAuth",
+      "smtpTrustSelfSigned",
+      "jwtSecret",
+    ];
+
+    return prisma.appConfig.findMany({
+      where: {
+        key: {
+          notIn: sensitiveKeys,
+        },
+      },
+      orderBy: {
+        group: "asc",
+      },
+    });
+  }
+
   async updateConfig(key: string, value: string) {
     if (key === "jwtSecret") {
       throw new Error("JWT Secret cannot be updated through this endpoint");
     }
 
+    if (key === "passwordAuthEnabled") {
+      if (value === "false") {
+        const canDisable = await this.configService.validatePasswordAuthDisable();
+        if (!canDisable) {
+          throw new Error(
+            "Password authentication cannot be disabled. At least one authentication provider must be active."
+          );
+        }
+      }
+    }
+
     const config = await prisma.appConfig.findUnique({
       where: { key },
     });
@@ -56,6 +99,15 @@ export class AppService {
     if (updates.some((update) => update.key === "jwtSecret")) {
       throw new Error("JWT Secret cannot be updated through this endpoint");
     }
+    const passwordAuthUpdate = updates.find((update) => update.key === "passwordAuthEnabled");
+    if (passwordAuthUpdate && passwordAuthUpdate.value === "false") {
+      const canDisable = await this.configService.validatePasswordAuthDisable();
+      if (!canDisable) {
+        throw new Error(
+          "Password authentication cannot be disabled. At least one authentication provider must be active."
+        );
+      }
+    }
 
     const keys = updates.map((update) => update.key);
     const existingConfigs = await prisma.appConfig.findMany({

apps/server/src/modules/auth-providers/controller.ts

@@ -1,5 +1,6 @@
 import { FastifyReply, FastifyRequest } from "fastify";
 
+import { ConfigService } from "../config/service";
 import { UpdateAuthProviderSchema } from "./dto";
 import { AuthProvidersService } from "./service";
 import {
@@ -39,9 +40,11 @@ const ERROR_MESSAGES = {
 
 export class AuthProvidersController {
   private authProvidersService: AuthProvidersService;
+  private configService: ConfigService;
 
   constructor() {
     this.authProvidersService = new AuthProvidersService();
+    this.configService = new ConfigService();
   }
 
   private buildRequestContext(request: FastifyRequest): RequestContext {
@@ -223,13 +226,24 @@ export class AuthProvidersController {
 
     try {
       const { id } = request.params;
-      const data = request.body;
+      const data = request.body as any;
 
       const existingProvider = await this.authProvidersService.getProviderById(id);
       if (!existingProvider) {
         return this.sendErrorResponse(reply, 404, ERROR_MESSAGES.PROVIDER_NOT_FOUND);
       }
 
+      if (data.enabled === false && existingProvider.enabled === true) {
+        const canDisable = await this.configService.validateAllProvidersDisable();
+        if (!canDisable) {
+          return this.sendErrorResponse(
+            reply,
+            400,
+            "Cannot disable the last authentication provider when password authentication is disabled"
+          );
+        }
+      }
+
       const isOfficial = this.authProvidersService.isOfficialProvider(existingProvider.name);
 
       if (isOfficial) {
@@ -300,6 +314,17 @@ export class AuthProvidersController {
         return this.sendErrorResponse(reply, 400, ERROR_MESSAGES.OFFICIAL_CANNOT_DELETE);
       }
 
+      if (provider.enabled) {
+        const canDisable = await this.configService.validateAllProvidersDisable();
+        if (!canDisable) {
+          return this.sendErrorResponse(
+            reply,
+            400,
+            "Cannot delete the last authentication provider when password authentication is disabled"
+          );
+        }
+      }
+
       await this.authProvidersService.deleteProvider(id);
       return this.sendSuccessResponse(reply, undefined, "Provider deleted successfully");
     } catch (error) {

apps/server/src/modules/auth-providers/providers.config.ts

@@ -13,6 +13,7 @@ export const PROVIDER_PATTERNS = [
   { pattern: "okta.com", type: "okta" },
   { pattern: "kinde.com", type: "kinde" },
   { pattern: "zitadel.com", type: "zitadel" },
+  { pattern: "pocketid", type: "pocketid" },
 ] as const;
 
 export const DEFAULT_SCOPES_BY_TYPE: Record<string, string[]> = {
@@ -28,6 +29,7 @@ export const DEFAULT_SCOPES_BY_TYPE: Record<string, string[]> = {
   okta: ["openid", "profile", "email"],
   kinde: ["openid", "profile", "email"],
   zitadel: ["openid", "profile", "email"],
+  pocketid: ["openid", "profile", "email"],
 } as const;
 
 export const DISCOVERY_SUPPORTED_PROVIDERS = [
@@ -41,6 +43,7 @@ export const DISCOVERY_SUPPORTED_PROVIDERS = [
   "microsoft",
   "kinde",
   "zitadel",
+  "pocketid",
 ] as const;
 
 export const DISCOVERY_PATHS = [
@@ -75,6 +78,11 @@ export const FALLBACK_ENDPOINTS: Record<string, any> = {
     tokenEndpoint: "/oauth2/token",
     userInfoEndpoint: "/oauth2/userinfo",
   },
+  pocketid: {
+    authorizationEndpoint: "/authorize",
+    tokenEndpoint: "/api/oidc/token",
+    userInfoEndpoint: "/api/oidc/userinfo",
+  },
 } as const;
 
 /**
@@ -232,6 +240,29 @@ const fronteggConfig: ProviderConfig = {
   },
 };
 
+/**
+ * Configuração técnica oficial do Pocket ID
+ * OIDC com discovery automático
+ * Endpoints vêm do banco de dados
+ */
+const pocketidConfig: ProviderConfig = {
+  supportsDiscovery: true,
+  discoveryEndpoint: "/.well-known/openid-configuration",
+  authMethod: "body",
+  fieldMappings: {
+    id: ["sub"],
+    email: ["email"],
+    name: ["name", "preferred_username"],
+    firstName: ["given_name"],
+    lastName: ["family_name"],
+    avatar: ["picture"],
+  },
+  specialHandling: {
+    emailFetchRequired: false,
+    responseFormat: "json",
+  },
+};
+
 /**
  * Template genérico ULTRA-INTELIGENTE para providers customizados
  * Detecta automaticamente padrões comuns e se adapta
@@ -275,6 +306,7 @@ export const providersConfig: ProvidersConfigFile = {
     zitadel: zitadelConfig,
     authentik: authentikConfig,
     frontegg: fronteggConfig,
+    pocketid: pocketidConfig,
   },
   genericProviderTemplate,
 };

apps/server/src/modules/auth-providers/service.ts

@@ -18,7 +18,6 @@ import {
   TokenResponse,
 } from "./types";
 
-// Constants
 const DEFAULT_BASE_URL = "http://localhost:3000";
 const STATE_EXPIRY_TIME = 600000; // 10 minutes
 const CLEANUP_INTERVAL = 5 * 60 * 1000; // 5 minutes
@@ -43,7 +42,6 @@ export class AuthProvidersService {
     setInterval(() => this.cleanupExpiredStates(), CLEANUP_INTERVAL);
   }
 
-  // Utility methods
   private buildBaseUrl(requestContext?: RequestContextService): string {
     return requestContext ? `${requestContext.protocol}://${requestContext.host}` : DEFAULT_BASE_URL;
   }
@@ -87,7 +85,6 @@ export class AuthProvidersService {
     }
   }
 
-  // Provider configuration methods
   private isOfficial(providerName: string): boolean {
     return providerName in providersConfig.officialProviders;
   }
@@ -114,7 +111,6 @@ export class AuthProvidersService {
   }
 
   private async resolveEndpoints(provider: any, config: ProviderConfig): Promise<ProviderEndpoints> {
-    // Use custom endpoints if all are provided
     if (provider.authorizationEndpoint && provider.tokenEndpoint && provider.userInfoEndpoint) {
       return {
         authorizationEndpoint: this.resolveEndpointUrl(provider.authorizationEndpoint, provider.issuerUrl),
@@ -123,7 +119,6 @@ export class AuthProvidersService {
       };
     }
 
-    // Try discovery if supported
     if (config.supportsDiscovery && provider.issuerUrl) {
       const discoveredEndpoints = await this.attemptDiscovery(provider.issuerUrl);
       if (discoveredEndpoints) {
@@ -131,7 +126,6 @@ export class AuthProvidersService {
       }
     }
 
-    // Fallback to intelligent endpoints
     const baseUrl = provider.issuerUrl?.replace(/\/$/, "") || "";
     const detectedType = detectProviderType(provider.issuerUrl || "");
     const fallbackPattern = getFallbackEndpoints(detectedType);
@@ -224,7 +218,6 @@ export class AuthProvidersService {
     return config.specialHandling?.emailEndpoint || null;
   }
 
-  // PKCE and OAuth setup methods
   private setupPkceIfNeeded(provider: any): { codeVerifier?: string; codeChallenge?: string } {
     const needsPkce = provider.type === DEFAULT_PROVIDER_TYPE;
 
@@ -263,7 +256,6 @@ export class AuthProvidersService {
     return authUrl.toString();
   }
 
-  // Callback handling methods
   private validateAndGetPendingState(state: string): PendingState {
     const pendingState = this.pendingStates.get(state);
 
@@ -299,7 +291,6 @@ export class AuthProvidersService {
     };
   }
 
-  // Public methods
   async getEnabledProviders(requestContext?: RequestContextService) {
     const providers = await prisma.authProvider.findMany({
       where: { enabled: true },
@@ -605,16 +596,13 @@ export class AuthProvidersService {
       throw new Error(ERROR_MESSAGES.MISSING_USER_INFO);
     }
 
-    // First, check if there's already an auth provider entry for this external ID
     const existingAuthProvider = await this.findExistingAuthProvider(provider.id, String(externalId));
     if (existingAuthProvider) {
       return await this.updateExistingUserFromProvider(existingAuthProvider.user, userInfo);
     }
 
-    // Check if there's a user with this email
     const existingUser = await this.findExistingUserByEmail(userInfo.email);
     if (existingUser) {
-      // Check if this user already has this provider linked
       const existingUserProvider = await prisma.userAuthProvider.findFirst({
         where: {
           userId: existingUser.id,

apps/server/src/modules/auth/controller.ts

@@ -1,16 +1,70 @@
 import { FastifyReply, FastifyRequest } from "fastify";
 
 import { env } from "../../env";
-import { createResetPasswordSchema, LoginSchema, RequestPasswordResetSchema } from "./dto";
+import { ConfigService } from "../config/service";
+import {
+  CompleteTwoFactorLoginSchema,
+  createResetPasswordSchema,
+  LoginSchema,
+  RequestPasswordResetSchema,
+} from "./dto";
 import { AuthService } from "./service";
 
 export class AuthController {
   private authService = new AuthService();
+  private configService = new ConfigService();
+
+  private getClientInfo(request: FastifyRequest) {
+    const realIP = request.headers["x-real-ip"] as string;
+    const realUserAgent = request.headers["x-user-agent"] as string;
+
+    const userAgent = realUserAgent || request.headers["user-agent"] || "";
+    const ipAddress = realIP || request.ip || request.socket.remoteAddress || "";
+
+    return { userAgent, ipAddress };
+  }
 
   async login(request: FastifyRequest, reply: FastifyReply) {
     try {
       const input = LoginSchema.parse(request.body);
-      const user = await this.authService.login(input);
+      const { userAgent, ipAddress } = this.getClientInfo(request);
+      const result = await this.authService.login(input, userAgent, ipAddress);
+
+      if ("requiresTwoFactor" in result) {
+        return reply.send(result);
+      }
+
+      const user = result;
+      const token = await request.jwtSign({
+        userId: user.id,
+        isAdmin: user.isAdmin,
+      });
+
+      reply.setCookie("token", token, {
+        httpOnly: true,
+        path: "/",
+        secure: env.SECURE_SITE === "true" ? true : false,
+        sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
+      });
+
+      return reply.send({ user });
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async completeTwoFactorLogin(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const input = CompleteTwoFactorLoginSchema.parse(request.body);
+      const { userAgent, ipAddress } = this.getClientInfo(request);
+      const user = await this.authService.completeTwoFactorLogin(
+        input.userId,
+        input.token,
+        input.rememberDevice,
+        userAgent,
+        ipAddress
+      );
+
       const token = await request.jwtSign({
         userId: user.id,
         isAdmin: user.isAdmin,
@@ -59,14 +113,21 @@ export class AuthController {
 
   async getCurrentUser(request: FastifyRequest, reply: FastifyReply) {
     try {
-      const userId = (request as any).user?.userId;
+      let userId: string | null = null;
+      try {
+        await request.jwtVerify();
+        userId = (request as any).user?.userId;
+      } catch (err) {
+        return reply.send({ user: null });
+      }
+
       if (!userId) {
-        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+        return reply.send({ user: null });
       }
 
       const user = await this.authService.getUserById(userId);
       if (!user) {
-        return reply.status(404).send({ error: "User not found" });
+        return reply.send({ user: null });
       }
 
       return reply.send({ user });
@@ -74,4 +135,58 @@ export class AuthController {
       return reply.status(400).send({ error: error.message });
     }
   }
+
+  async getTrustedDevices(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const devices = await this.authService.getTrustedDevices(userId);
+      return reply.send({ devices });
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async removeTrustedDevice(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const { id } = request.params as { id: string };
+      await this.authService.removeTrustedDevice(userId, id);
+      return reply.send({ success: true, message: "Trusted device removed successfully" });
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async removeAllTrustedDevices(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const result = await this.authService.removeAllTrustedDevices(userId);
+      return reply.send(result);
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async getAuthConfig(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const passwordAuthEnabled = await this.configService.getValue("passwordAuthEnabled");
+      return reply.send({
+        passwordAuthEnabled: passwordAuthEnabled === "true",
+      });
+    } catch (error: any) {
+      return reply.status(400).send({ error: error.message });
+    }
+  }
 }

apps/server/src/modules/auth/dto.ts

@@ -36,3 +36,11 @@ export const createResetPasswordSchema = async () => {
 export type ResetPasswordInput = BaseResetPasswordInput & {
   password: string;
 };
+
+export const CompleteTwoFactorLoginSchema = z.object({
+  userId: z.string().min(1, "User ID is required").describe("User ID"),
+  token: z.string().min(6, "Two-factor authentication code must be at least 6 characters").describe("2FA token"),
+  rememberDevice: z.boolean().optional().default(false).describe("Remember this device for 30 days"),
+});
+
+export type CompleteTwoFactorLoginInput = z.infer<typeof CompleteTwoFactorLoginSchema>;

apps/server/src/modules/auth/routes.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ConfigService } from "../config/service";
 import { validatePasswordMiddleware } from "../user/middleware";
 import { AuthController } from "./controller";
-import { createResetPasswordSchema, RequestPasswordResetSchema } from "./dto";
+import { CompleteTwoFactorLoginSchema, createResetPasswordSchema, RequestPasswordResetSchema } from "./dto";
 
 const configService = new ConfigService();
 
@@ -31,6 +31,43 @@ export async function authRoutes(app: FastifyInstance) {
         summary: "Login",
         description: "Performs login and returns user data",
         body: loginSchema,
+        response: {
+          200: z.union([
+            z.object({
+              user: z.object({
+                id: z.string().describe("User ID"),
+                firstName: z.string().describe("User first name"),
+                lastName: z.string().describe("User last name"),
+                username: z.string().describe("User username"),
+                email: z.string().email().describe("User email"),
+                isAdmin: z.boolean().describe("User is admin"),
+                isActive: z.boolean().describe("User is active"),
+                createdAt: z.date().describe("User creation date"),
+                updatedAt: z.date().describe("User last update date"),
+              }),
+            }),
+            z.object({
+              requiresTwoFactor: z.boolean().describe("Whether 2FA is required"),
+              userId: z.string().describe("User ID for 2FA verification"),
+              message: z.string().describe("2FA required message"),
+            }),
+          ]),
+          400: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    authController.login.bind(authController)
+  );
+
+  app.post(
+    "/auth/2fa/login",
+    {
+      schema: {
+        tags: ["Authentication"],
+        operationId: "completeTwoFactorLogin",
+        summary: "Complete Two-Factor Login",
+        description: "Complete login process with 2FA verification",
+        body: CompleteTwoFactorLoginSchema,
         response: {
           200: z.object({
             user: z.object({
@@ -49,7 +86,7 @@ export async function authRoutes(app: FastifyInstance) {
         },
       },
     },
-    authController.login.bind(authController)
+    authController.completeTwoFactorLogin.bind(authController)
   );
 
   app.post(
@@ -116,21 +153,54 @@ export async function authRoutes(app: FastifyInstance) {
         tags: ["Authentication"],
         operationId: "getCurrentUser",
         summary: "Get Current User",
-        description: "Returns the current authenticated user's information",
+        description: "Returns the current authenticated user's information or null if not authenticated",
+        response: {
+          200: z.union([
+            z.object({
+              user: z.object({
+                id: z.string().describe("User ID"),
+                firstName: z.string().describe("User first name"),
+                lastName: z.string().describe("User last name"),
+                username: z.string().describe("User username"),
+                email: z.string().email().describe("User email"),
+                image: z.string().nullable().describe("User profile image URL"),
+                isAdmin: z.boolean().describe("User is admin"),
+                isActive: z.boolean().describe("User is active"),
+                createdAt: z.date().describe("User creation date"),
+                updatedAt: z.date().describe("User last update date"),
+              }),
+            }),
+            z.object({
+              user: z.null().describe("No user when not authenticated"),
+            }),
+          ]),
+        },
+      },
+    },
+    authController.getCurrentUser.bind(authController)
+  );
+
+  app.get(
+    "/auth/trusted-devices",
+    {
+      schema: {
+        tags: ["Authentication"],
+        operationId: "getTrustedDevices",
+        summary: "Get Trusted Devices",
+        description: "Get all trusted devices for the current user",
         response: {
           200: z.object({
-            user: z.object({
-              id: z.string().describe("User ID"),
-              firstName: z.string().describe("User first name"),
-              lastName: z.string().describe("User last name"),
-              username: z.string().describe("User username"),
-              email: z.string().email().describe("User email"),
-              image: z.string().nullable().describe("User profile image URL"),
-              isAdmin: z.boolean().describe("User is admin"),
-              isActive: z.boolean().describe("User is active"),
-              createdAt: z.date().describe("User creation date"),
-              updatedAt: z.date().describe("User last update date"),
-            }),
+            devices: z.array(
+              z.object({
+                id: z.string().describe("Device ID"),
+                deviceName: z.string().nullable().describe("Device name"),
+                userAgent: z.string().nullable().describe("User agent"),
+                ipAddress: z.string().nullable().describe("IP address"),
+                createdAt: z.date().describe("Creation date"),
+                lastUsedAt: z.date().describe("Last used date"),
+                expiresAt: z.date().describe("Expiration date"),
+              })
+            ),
           }),
           401: z.object({ error: z.string().describe("Error message") }),
         },
@@ -144,6 +214,85 @@ export async function authRoutes(app: FastifyInstance) {
         }
       },
     },
-    authController.getCurrentUser.bind(authController)
+    authController.getTrustedDevices.bind(authController)
+  );
+
+  app.delete(
+    "/auth/trusted-devices/:id",
+    {
+      schema: {
+        tags: ["Authentication"],
+        operationId: "removeTrustedDevice",
+        summary: "Remove Trusted Device",
+        description: "Remove a specific trusted device",
+        params: z.object({
+          id: z.string().describe("Device ID"),
+        }),
+        response: {
+          200: z.object({
+            success: z.boolean().describe("Success status"),
+            message: z.string().describe("Success message"),
+          }),
+          401: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+      preValidation: async (request: FastifyRequest, reply: FastifyReply) => {
+        try {
+          await request.jwtVerify();
+        } catch (err) {
+          console.error(err);
+          reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+        }
+      },
+    },
+    authController.removeTrustedDevice.bind(authController)
+  );
+
+  app.delete(
+    "/auth/trusted-devices",
+    {
+      schema: {
+        tags: ["Authentication"],
+        operationId: "removeAllTrustedDevices",
+        summary: "Remove All Trusted Devices",
+        description: "Remove all trusted devices for the current user",
+        response: {
+          200: z.object({
+            success: z.boolean().describe("Success status"),
+            message: z.string().describe("Success message"),
+            removedCount: z.number().describe("Number of devices removed"),
+          }),
+          401: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+      preValidation: async (request: FastifyRequest, reply: FastifyReply) => {
+        try {
+          await request.jwtVerify();
+        } catch (err) {
+          console.error(err);
+          reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+        }
+      },
+    },
+    authController.removeAllTrustedDevices.bind(authController)
+  );
+
+  app.get(
+    "/auth/config",
+    {
+      schema: {
+        tags: ["Authentication"],
+        operationId: "getAuthConfig",
+        summary: "Get Authentication Configuration",
+        description: "Get authentication configuration settings",
+        response: {
+          200: z.object({
+            passwordAuthEnabled: z.boolean().describe("Whether password authentication is enabled"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    authController.getAuthConfig.bind(authController)
   );
 }

apps/server/src/modules/auth/service.ts

@@ -4,16 +4,25 @@ import bcrypt from "bcryptjs";
 import { prisma } from "../../shared/prisma";
 import { ConfigService } from "../config/service";
 import { EmailService } from "../email/service";
+import { TwoFactorService } from "../two-factor/service";
 import { UserResponseSchema } from "../user/dto";
 import { PrismaUserRepository } from "../user/repository";
 import { LoginInput } from "./dto";
+import { TrustedDeviceService } from "./trusted-device.service";
 
 export class AuthService {
   private userRepository = new PrismaUserRepository();
   private configService = new ConfigService();
   private emailService = new EmailService();
+  private twoFactorService = new TwoFactorService();
+  private trustedDeviceService = new TrustedDeviceService();
+
+  async login(data: LoginInput, userAgent?: string, ipAddress?: string) {
+    const passwordAuthEnabled = await this.configService.getValue("passwordAuthEnabled");
+    if (passwordAuthEnabled === "false") {
+      throw new Error("Password authentication is disabled. Please use an external authentication provider.");
+    }
 
-  async login(data: LoginInput) {
     const user = await this.userRepository.findUserByEmailOrUsername(data.emailOrUsername);
     if (!user) {
       throw new Error("Invalid credentials");
@@ -77,10 +86,76 @@ export class AuthService {
       });
     }
 
+    const has2FA = await this.twoFactorService.isEnabled(user.id);
+
+    if (has2FA) {
+      if (userAgent && ipAddress) {
+        const isDeviceTrusted = await this.trustedDeviceService.isDeviceTrusted(user.id, userAgent, ipAddress);
+        if (isDeviceTrusted) {
+          // Update last used timestamp for trusted device
+          await this.trustedDeviceService.updateLastUsed(user.id, userAgent, ipAddress);
+          return UserResponseSchema.parse(user);
+        }
+      }
+
+      return {
+        requiresTwoFactor: true,
+        userId: user.id,
+        message: "Two-factor authentication required",
+      };
+    }
+
+    return UserResponseSchema.parse(user);
+  }
+
+  async completeTwoFactorLogin(
+    userId: string,
+    token: string,
+    rememberDevice: boolean = false,
+    userAgent?: string,
+    ipAddress?: string
+  ) {
+    const user = await prisma.user.findUnique({
+      where: { id: userId },
+    });
+
+    if (!user) {
+      throw new Error("User not found");
+    }
+
+    if (!user.isActive) {
+      throw new Error("Account is inactive. Please contact an administrator.");
+    }
+
+    const verificationResult = await this.twoFactorService.verifyToken(userId, token);
+
+    if (!verificationResult.success) {
+      throw new Error("Invalid two-factor authentication code");
+    }
+
+    await prisma.loginAttempt.deleteMany({
+      where: { userId },
+    });
+
+    if (rememberDevice && userAgent && ipAddress) {
+      await this.trustedDeviceService.addTrustedDevice(userId, userAgent, ipAddress);
+    } else if (userAgent && ipAddress) {
+      // Update last used timestamp if this is already a trusted device
+      const isDeviceTrusted = await this.trustedDeviceService.isDeviceTrusted(userId, userAgent, ipAddress);
+      if (isDeviceTrusted) {
+        await this.trustedDeviceService.updateLastUsed(userId, userAgent, ipAddress);
+      }
+    }
+
     return UserResponseSchema.parse(user);
   }
 
   async requestPasswordReset(email: string, origin: string) {
+    const passwordAuthEnabled = await this.configService.getValue("passwordAuthEnabled");
+    if (passwordAuthEnabled === "false") {
+      throw new Error("Password authentication is disabled. Password reset is not available.");
+    }
+
     const user = await this.userRepository.findUserByEmail(email);
     if (!user) {
       return;
@@ -106,6 +181,11 @@ export class AuthService {
   }
 
   async resetPassword(token: string, newPassword: string) {
+    const passwordAuthEnabled = await this.configService.getValue("passwordAuthEnabled");
+    if (passwordAuthEnabled === "false") {
+      throw new Error("Password authentication is disabled. Password reset is not available.");
+    }
+
     const resetRequest = await prisma.passwordReset.findFirst({
       where: {
         token,
@@ -146,4 +226,21 @@ export class AuthService {
     }
     return UserResponseSchema.parse(user);
   }
+
+  async getTrustedDevices(userId: string) {
+    return await this.trustedDeviceService.getUserTrustedDevices(userId);
+  }
+
+  async removeTrustedDevice(userId: string, deviceId: string) {
+    return await this.trustedDeviceService.removeTrustedDevice(userId, deviceId);
+  }
+
+  async removeAllTrustedDevices(userId: string) {
+    const result = await this.trustedDeviceService.removeAllTrustedDevices(userId);
+    return {
+      success: true,
+      message: "All trusted devices removed successfully",
+      removedCount: result.count,
+    };
+  }
 }

apps/server/src/modules/auth/trusted-device.service.ts

@@ -0,0 +1,109 @@
+import crypto from "node:crypto";
+
+import { prisma } from "../../shared/prisma";
+
+export class TrustedDeviceService {
+  private generateDeviceHash(userAgent: string, ipAddress: string): string {
+    const deviceInfo = `${userAgent}-${ipAddress}`;
+    return crypto.createHash("sha256").update(deviceInfo).digest("hex");
+  }
+
+  async isDeviceTrusted(userId: string, userAgent: string, ipAddress: string): Promise<boolean> {
+    const deviceHash = this.generateDeviceHash(userAgent, ipAddress);
+
+    const trustedDevice = await prisma.trustedDevice.findFirst({
+      where: {
+        userId,
+        deviceHash,
+        expiresAt: {
+          gt: new Date(),
+        },
+      },
+    });
+
+    return !!trustedDevice;
+  }
+
+  async addTrustedDevice(userId: string, userAgent: string, ipAddress: string, deviceName?: string): Promise<void> {
+    const deviceHash = this.generateDeviceHash(userAgent, ipAddress);
+    const expiresAt = new Date();
+    expiresAt.setDate(expiresAt.getDate() + 30); // 30 dias
+
+    await prisma.trustedDevice.upsert({
+      where: {
+        deviceHash,
+      },
+      create: {
+        userId,
+        deviceHash,
+        deviceName,
+        userAgent,
+        ipAddress,
+        expiresAt,
+        lastUsedAt: new Date(),
+      },
+      update: {
+        expiresAt,
+        userAgent,
+        ipAddress,
+        lastUsedAt: new Date(),
+      },
+    });
+  }
+
+  async cleanupExpiredDevices(): Promise<void> {
+    await prisma.trustedDevice.deleteMany({
+      where: {
+        expiresAt: {
+          lt: new Date(),
+        },
+      },
+    });
+  }
+
+  async getUserTrustedDevices(userId: string) {
+    return prisma.trustedDevice.findMany({
+      where: {
+        userId,
+        expiresAt: {
+          gt: new Date(),
+        },
+      },
+      orderBy: {
+        createdAt: "desc",
+      },
+    });
+  }
+
+  async removeTrustedDevice(userId: string, deviceId: string): Promise<void> {
+    await prisma.trustedDevice.deleteMany({
+      where: {
+        id: deviceId,
+        userId,
+      },
+    });
+  }
+
+  async removeAllTrustedDevices(userId: string): Promise<{ count: number }> {
+    const result = await prisma.trustedDevice.deleteMany({
+      where: {
+        userId,
+      },
+    });
+    return { count: result.count };
+  }
+
+  async updateLastUsed(userId: string, userAgent: string, ipAddress: string): Promise<void> {
+    const deviceHash = this.generateDeviceHash(userAgent, ipAddress);
+
+    await prisma.trustedDevice.updateMany({
+      where: {
+        userId,
+        deviceHash,
+      },
+      data: {
+        lastUsedAt: new Date(),
+      },
+    });
+  }
+}

apps/server/src/modules/config/service.ts

@@ -13,6 +13,26 @@ export class ConfigService {
     return config.value;
   }
 
+  async setValue(key: string, value: string): Promise<void> {
+    await prisma.appConfig.update({
+      where: { key },
+      data: { value },
+    });
+  }
+
+  async validatePasswordAuthDisable(): Promise<boolean> {
+    const enabledProviders = await prisma.authProvider.findMany({
+      where: { enabled: true },
+    });
+
+    return enabledProviders.length > 0;
+  }
+
+  async validateAllProvidersDisable(): Promise<boolean> {
+    const passwordAuthEnabled = await this.getValue("passwordAuthEnabled");
+    return passwordAuthEnabled === "true";
+  }
+
   async getGroupConfigs(group: string) {
     const configs = await prisma.appConfig.findMany({
       where: { group },

apps/server/src/modules/email/service.ts

@@ -72,10 +72,8 @@ export class EmailService {
     let smtpConfig: SmtpConfig;
 
     if (config) {
-      // Use provided configuration
       smtpConfig = config;
     } else {
-      // Fallback to saved configuration
       smtpConfig = {
         smtpEnabled: await this.configService.getValue("smtpEnabled"),
         smtpHost: await this.configService.getValue("smtpHost"),
@@ -169,7 +167,7 @@ export class EmailService {
     });
   }
 
-  async sendShareNotification(to: string, shareLink: string, shareName?: string) {
+  async sendShareNotification(to: string, shareLink: string, shareName?: string, senderName?: string) {
     const transporter = await this.createTransporter();
     if (!transporter) {
       throw new Error("SMTP is not enabled");
@@ -180,19 +178,151 @@ export class EmailService {
     const appName = await this.configService.getValue("appName");
 
     const shareTitle = shareName || "Files";
+    const sender = senderName || "Someone";
 
     await transporter.sendMail({
       from: `"${fromName}" <${fromEmail}>`,
       to,
       subject: `${appName} - ${shareTitle} shared with you`,
       html: `
-        <h1>${appName} - Shared Files</h1>
-        <p>Someone has shared "${shareTitle}" with you.</p>
-        <p>Click the link below to access the shared files:</p>
-        <a href="${shareLink}">
-          Access Shared Files
-        </a>
-        <p>Note: This share may have an expiration date or view limit.</p>
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="UTF-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+          <title>${appName} - Shared Files</title>
+        </head>
+        <body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f5f5f5; color: #333333;">
+          <div style="max-width: 600px; margin: 0 auto; background-color: #ffffff; box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1); overflow: hidden; margin-top: 40px; margin-bottom: 40px;">
+            <!-- Header -->
+            <div style="background-color: #22B14C; padding: 30px 20px; text-align: center;">
+              <h1 style="margin: 0; color: #ffffff; font-size: 28px; font-weight: 600; letter-spacing: -0.5px;">${appName}</h1>
+              <p style="margin: 2px 0 0 0; color: #ffffff; font-size: 16px; opacity: 0.9;">Shared Files</p>
+            </div>
+            
+            <!-- Content -->
+            <div style="padding: 40px 30px;">
+              <div style="text-align: center; margin-bottom: 32px;">
+                <h2 style="margin: 0 0 12px 0; color: #1f2937; font-size: 24px; font-weight: 600;">Files Shared With You</h2>
+                <p style="margin: 0; color: #6b7280; font-size: 16px; line-height: 1.6;">
+                  <strong style="color: #374151;">${sender}</strong> has shared <strong style="color: #374151;">"${shareTitle}"</strong> with you.
+                </p>
+              </div>
+              
+              <!-- CTA Button -->
+              <div style="text-align: center; margin: 32px 0;">
+                <a href="${shareLink}" style="display: inline-block; background-color: #22B14C; color: #ffffff; text-decoration: none; padding: 12px 24px; font-weight: 600; font-size: 16px; border: 2px solid #22B14C; border-radius: 8px; transition: all 0.3s ease;">
+                  Access Shared Files
+                </a>
+              </div>
+              
+              <!-- Info Box -->
+              <div style="background-color: #f9fafb; border-left: 4px solid #22B14C; padding: 16px 20px; margin-top: 32px;">
+                <p style="margin: 0; color: #4b5563; font-size: 14px; line-height: 1.5;">
+                  <strong>Important:</strong> This share may have an expiration date or view limit. Access it as soon as possible to ensure availability.
+                </p>
+              </div>
+            </div>
+            
+            <!-- Footer -->
+            <div style="background-color: #f9fafb; padding: 24px 30px; text-align: center; border-top: 1px solid #e5e7eb;">
+              <p style="margin: 0; color: #6b7280; font-size: 14px;">
+                This email was sent by <strong>${appName}</strong>
+              </p>
+              <p style="margin: 8px 0 0 0; color: #9ca3af; font-size: 12px;">
+                If you didn't expect this email, you can safely ignore it.
+              </p>
+              <p style="margin: 4px 0 0 0; color: #9ca3af; font-size: 10px;">
+                Powered by <a href="https://kyantech.com.br" style="color: #9ca3af; text-decoration: none;">Kyantech Solutions</a>
+              </p>
+            </div>
+          </div>
+        </body>
+        </html>
+      `,
+    });
+  }
+
+  async sendReverseShareBatchFileNotification(
+    recipientEmail: string,
+    reverseShareName: string,
+    fileCount: number,
+    fileList: string,
+    uploaderName: string
+  ) {
+    const transporter = await this.createTransporter();
+    if (!transporter) {
+      throw new Error("SMTP is not enabled");
+    }
+
+    const fromName = await this.configService.getValue("smtpFromName");
+    const fromEmail = await this.configService.getValue("smtpFromEmail");
+    const appName = await this.configService.getValue("appName");
+
+    await transporter.sendMail({
+      from: `"${fromName}" <${fromEmail}>`,
+      to: recipientEmail,
+      subject: `${appName} - ${fileCount} file${fileCount > 1 ? "s" : ""} uploaded to "${reverseShareName}"`,
+      html: `
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="UTF-8">
+          <meta name="viewport" content="width=device-width, initial-scale=1.0">
+          <title>${appName} - File Upload Notification</title>
+        </head>
+        <body style="margin: 0; padding: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: #f5f5f5; color: #333333;">
+          <div style="max-width: 600px; margin: 0 auto; background-color: #ffffff; box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1); overflow: hidden; margin-top: 40px; margin-bottom: 40px;">
+            <!-- Header -->
+            <div style="background-color: #22B14C; padding: 30px 20px; text-align: center;">
+              <h1 style="margin: 0; color: #ffffff; font-size: 28px; font-weight: 600; letter-spacing: -0.5px;">${appName}</h1>
+              <p style="margin: 2px 0 0 0; color: #ffffff; font-size: 16px; opacity: 0.9;">File Upload Notification</p>
+            </div>
+            
+            <!-- Content -->
+            <div style="padding: 40px 30px;">
+              <div style="text-align: center; margin-bottom: 32px;">
+                <h2 style="margin: 0 0 12px 0; color: #1f2937; font-size: 24px; font-weight: 600;">New File Uploaded</h2>
+                <p style="margin: 0; color: #6b7280; font-size: 16px; line-height: 1.6;">
+                  <strong style="color: #374151;">${uploaderName}</strong> has uploaded <strong style="color: #374151;">${fileCount} file${fileCount > 1 ? "s" : ""}</strong> to your reverse share <strong style="color: #374151;">"${reverseShareName}"</strong>.
+                </p>
+              </div>
+              
+              <!-- File List -->
+              <div style="background-color: #f9fafb; border-radius: 8px; padding: 16px; margin: 32px 0; border-left: 4px solid #22B14C;">
+                <p style="margin: 0 0 8px 0; color: #374151; font-size: 14px;"><strong>Files (${fileCount}):</strong></p>
+                <ul style="margin: 0; padding-left: 20px; color: #6b7280; font-size: 14px; line-height: 1.5;">
+                   ${fileList
+                     .split(", ")
+                     .map((file) => `<li style="margin: 4px 0;">${file}</li>`)
+                     .join("")}
+                 </ul>
+              </div>
+              
+              <!-- Info Text -->
+              <div style="text-align: center; margin-top: 32px;">
+                <p style="margin: 0; color: #9ca3af; font-size: 12px;">
+                  You can now access and manage these files through your dashboard.
+                </p>
+              </div>
+              
+            </div>
+            
+            <!-- Footer -->
+            <div style="background-color: #f9fafb; padding: 24px 30px; text-align: center; border-top: 1px solid #e5e7eb;">
+              <p style="margin: 0; color: #6b7280; font-size: 14px;">
+                This email was sent by <strong>${appName}</strong>
+              </p>
+              <p style="margin: 8px 0 0 0; color: #9ca3af; font-size: 12px;">
+                If you didn't expect this email, you can safely ignore it.
+              </p>
+              <p style="margin: 4px 0 0 0; color: #9ca3af; font-size: 10px;">
+                Powered by <a href="https://kyantech.com.br" style="color: #9ca3af; text-decoration: none;">Kyantech Solutions</a>
+              </p>
+            </div>
+          </div>
+        </body>
+        </html>
       `,
     });
   }

apps/server/src/modules/file/controller.ts

@@ -1,8 +1,21 @@
+import bcrypt from "bcryptjs";
 import { FastifyReply, FastifyRequest } from "fastify";
 
+import { env } from "../../env";
 import { prisma } from "../../shared/prisma";
 import { ConfigService } from "../config/service";
-import { CheckFileInput, CheckFileSchema, RegisterFileInput, RegisterFileSchema, UpdateFileSchema } from "./dto";
+import {
+  CheckFileInput,
+  CheckFileSchema,
+  ListFilesInput,
+  ListFilesSchema,
+  MoveFileInput,
+  MoveFileSchema,
+  RegisterFileInput,
+  RegisterFileSchema,
+  UpdateFileInput,
+  UpdateFileSchema,
+} from "./dto";
 import { FileService } from "./service";
 
 export class FileController {
@@ -27,7 +40,7 @@ export class FileController {
       }
 
       const objectName = `${userId}/${Date.now()}-${filename}.${extension}`;
-      const expires = 3600;
+      const expires = parseInt(env.PRESIGNED_URL_EXPIRATION);
 
       const url = await this.fileService.getPresignedPutUrl(objectName, expires);
       return reply.send({ url, objectName });
@@ -71,6 +84,15 @@ export class FileController {
         });
       }
 
+      if (input.folderId) {
+        const folder = await prisma.folder.findFirst({
+          where: { id: input.folderId, userId },
+        });
+        if (!folder) {
+          return reply.status(400).send({ error: "Folder not found or access denied." });
+        }
+      }
+
       const fileRecord = await prisma.file.create({
         data: {
           name: input.name,
@@ -79,6 +101,7 @@ export class FileController {
           size: BigInt(input.size),
           objectName: input.objectName,
           userId,
+          folderId: input.folderId,
         },
       });
 
@@ -90,6 +113,7 @@ export class FileController {
         size: fileRecord.size.toString(),
         objectName: fileRecord.objectName,
         userId: fileRecord.userId,
+        folderId: fileRecord.folderId,
         createdAt: fileRecord.createdAt,
         updatedAt: fileRecord.updatedAt,
       };
@@ -160,6 +184,7 @@ export class FileController {
         objectName: string;
       };
       const objectName = decodeURIComponent(encodedObjectName);
+      const { password } = request.query as { password?: string };
 
       if (!objectName) {
         return reply.status(400).send({ error: "The 'objectName' parameter is required." });
@@ -170,8 +195,53 @@ export class FileController {
       if (!fileRecord) {
         return reply.status(404).send({ error: "File not found." });
       }
+
+      let hasAccess = false;
+
+      console.log("Requested file with password " + password);
+
+      const shares = await prisma.share.findMany({
+        where: {
+          files: {
+            some: {
+              id: fileRecord.id,
+            },
+          },
+        },
+        include: {
+          security: true,
+        },
+      });
+
+      for (const share of shares) {
+        if (!share.security.password) {
+          hasAccess = true;
+          break;
+        } else if (password) {
+          const isPasswordValid = await bcrypt.compare(password, share.security.password);
+          if (isPasswordValid) {
+            hasAccess = true;
+            break;
+          }
+        }
+      }
+
+      if (!hasAccess) {
+        try {
+          await request.jwtVerify();
+          const userId = (request as any).user?.userId;
+          if (userId && fileRecord.userId === userId) {
+            hasAccess = true;
+          }
+        } catch (err) {}
+      }
+
+      if (!hasAccess) {
+        return reply.status(401).send({ error: "Unauthorized access to file." });
+      }
+
       const fileName = fileRecord.name;
-      const expires = 3600;
+      const expires = parseInt(env.PRESIGNED_URL_EXPIRATION);
       const url = await this.fileService.getPresignedGetUrl(objectName, expires, fileName);
       return reply.send({ url, expiresIn: expires });
     } catch (error) {
@@ -188,18 +258,43 @@ export class FileController {
         return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
       }
 
-      const files = await prisma.file.findMany({
-        where: { userId },
-      });
+      const input: ListFilesInput = ListFilesSchema.parse(request.query);
+      const { folderId, recursive: recursiveStr } = input;
+      const recursive = recursiveStr === "false" ? false : true;
 
-      const filesResponse = files.map((file) => ({
+      let files: any[];
+
+      let targetFolderId: string | null;
+      if (folderId === "null" || folderId === "" || !folderId) {
+        targetFolderId = null; // Root folder
+      } else {
+        targetFolderId = folderId;
+      }
+
+      if (recursive) {
+        if (targetFolderId === null) {
+          files = await this.getAllUserFilesRecursively(userId);
+        } else {
+          const { FolderService } = await import("../folder/service.js");
+          const folderService = new FolderService();
+          files = await folderService.getAllFilesInFolder(targetFolderId, userId);
+        }
+      } else {
+        files = await prisma.file.findMany({
+          where: { userId, folderId: targetFolderId },
+        });
+      }
+
+      const filesResponse = files.map((file: any) => ({
         id: file.id,
         name: file.name,
         description: file.description,
         extension: file.extension,
-        size: file.size.toString(),
+        size: typeof file.size === "bigint" ? file.size.toString() : file.size,
         objectName: file.objectName,
         userId: file.userId,
+        folderId: file.folderId,
+        relativePath: file.relativePath || null,
         createdAt: file.createdAt,
         updatedAt: file.updatedAt,
       }));
@@ -277,6 +372,7 @@ export class FileController {
         size: updatedFile.size.toString(),
         objectName: updatedFile.objectName,
         userId: updatedFile.userId,
+        folderId: updatedFile.folderId,
         createdAt: updatedFile.createdAt,
         updatedAt: updatedFile.updatedAt,
       };
@@ -290,4 +386,86 @@ export class FileController {
       return reply.status(400).send({ error: error.message });
     }
   }
+
+  async moveFile(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const userId = (request as any).user?.userId;
+
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const { id } = request.params as { id: string };
+      const input: MoveFileInput = MoveFileSchema.parse(request.body);
+
+      const existingFile = await prisma.file.findFirst({
+        where: { id, userId },
+      });
+
+      if (!existingFile) {
+        return reply.status(404).send({ error: "File not found." });
+      }
+
+      if (input.folderId) {
+        const targetFolder = await prisma.folder.findFirst({
+          where: { id: input.folderId, userId },
+        });
+        if (!targetFolder) {
+          return reply.status(400).send({ error: "Target folder not found." });
+        }
+      }
+
+      const updatedFile = await prisma.file.update({
+        where: { id },
+        data: { folderId: input.folderId },
+      });
+
+      const fileResponse = {
+        id: updatedFile.id,
+        name: updatedFile.name,
+        description: updatedFile.description,
+        extension: updatedFile.extension,
+        size: updatedFile.size.toString(),
+        objectName: updatedFile.objectName,
+        userId: updatedFile.userId,
+        folderId: updatedFile.folderId,
+        createdAt: updatedFile.createdAt,
+        updatedAt: updatedFile.updatedAt,
+      };
+
+      return reply.send({
+        file: fileResponse,
+        message: "File moved successfully.",
+      });
+    } catch (error: any) {
+      console.error("Error moving file:", error);
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  private async getAllUserFilesRecursively(userId: string): Promise<any[]> {
+    const rootFiles = await prisma.file.findMany({
+      where: { userId, folderId: null },
+    });
+
+    const rootFolders = await prisma.folder.findMany({
+      where: { userId, parentId: null },
+      select: { id: true },
+    });
+
+    let allFiles = [...rootFiles];
+
+    if (rootFolders.length > 0) {
+      const { FolderService } = await import("../folder/service.js");
+      const folderService = new FolderService();
+
+      for (const folder of rootFolders) {
+        const folderFiles = await folderService.getAllFilesInFolder(folder.id, userId);
+        allFiles = [...allFiles, ...folderFiles];
+      }
+    }
+
+    return allFiles;
+  }
 }

apps/server/src/modules/file/dto.ts

@@ -9,6 +9,7 @@ export const RegisterFileSchema = z.object({
     invalid_type_error: "O tamanho deve ser um número",
   }),
   objectName: z.string().min(1, "O objectName é obrigatório"),
+  folderId: z.string().optional(),
 });
 
 export const CheckFileSchema = z.object({
@@ -20,6 +21,7 @@ export const CheckFileSchema = z.object({
     invalid_type_error: "O tamanho deve ser um número",
   }),
   objectName: z.string().min(1, "O objectName é obrigatório"),
+  folderId: z.string().optional(),
 });
 
 export type RegisterFileInput = z.infer<typeof RegisterFileSchema>;
@@ -30,4 +32,15 @@ export const UpdateFileSchema = z.object({
   description: z.string().optional().nullable().describe("The file description"),
 });
 
+export const MoveFileSchema = z.object({
+  folderId: z.string().nullable(),
+});
+
+export const ListFilesSchema = z.object({
+  folderId: z.string().optional().describe("The folder ID"),
+  recursive: z.string().optional().default("true").describe("Include files from subfolders"),
+});
+
 export type UpdateFileInput = z.infer<typeof UpdateFileSchema>;
+export type MoveFileInput = z.infer<typeof MoveFileSchema>;
+export type ListFilesInput = z.infer<typeof ListFilesSchema>;

apps/server/src/modules/file/routes.ts

@@ -2,7 +2,7 @@ import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 
 import { FileController } from "./controller";
-import { CheckFileSchema, RegisterFileSchema, UpdateFileSchema } from "./dto";
+import { CheckFileSchema, ListFilesSchema, MoveFileSchema, RegisterFileSchema, UpdateFileSchema } from "./dto";
 
 export async function fileRoutes(app: FastifyInstance) {
   const fileController = new FileController();
@@ -62,6 +62,7 @@ export async function fileRoutes(app: FastifyInstance) {
               size: z.string().describe("The file size"),
               objectName: z.string().describe("The object name of the file"),
               userId: z.string().describe("The user ID"),
+              folderId: z.string().nullable().describe("The folder ID"),
               createdAt: z.date().describe("The file creation date"),
               updatedAt: z.date().describe("The file last update date"),
             }),
@@ -78,6 +79,7 @@ export async function fileRoutes(app: FastifyInstance) {
   app.post(
     "/files/check",
     {
+      preValidation,
       schema: {
         tags: ["File"],
         operationId: "checkFile",
@@ -110,10 +112,13 @@ export async function fileRoutes(app: FastifyInstance) {
         tags: ["File"],
         operationId: "getDownloadUrl",
         summary: "Get Download URL",
-        description: "Generates a pre-signed URL for downloading a private file",
+        description: "Generates a pre-signed URL for downloading a file",
         params: z.object({
           objectName: z.string().min(1, "The objectName is required"),
         }),
+        querystring: z.object({
+          password: z.string().optional().describe("Share password if required"),
+        }),
         response: {
           200: z.object({
             url: z.string().describe("The download URL"),
@@ -136,7 +141,8 @@ export async function fileRoutes(app: FastifyInstance) {
         tags: ["File"],
         operationId: "listFiles",
         summary: "List Files",
-        description: "Lists user files",
+        description: "Lists user files recursively by default, optionally filtered by folder",
+        querystring: ListFilesSchema,
         response: {
           200: z.object({
             files: z.array(
@@ -148,6 +154,8 @@ export async function fileRoutes(app: FastifyInstance) {
                 size: z.string().describe("The file size"),
                 objectName: z.string().describe("The object name of the file"),
                 userId: z.string().describe("The user ID"),
+                folderId: z.string().nullable().describe("The folder ID"),
+                relativePath: z.string().nullable().describe("The relative path (only for recursive listing)"),
                 createdAt: z.date().describe("The file creation date"),
                 updatedAt: z.date().describe("The file last update date"),
               })
@@ -160,6 +168,84 @@ export async function fileRoutes(app: FastifyInstance) {
     fileController.listFiles.bind(fileController)
   );
 
+  app.patch(
+    "/files/:id",
+    {
+      preValidation,
+      schema: {
+        tags: ["File"],
+        operationId: "updateFile",
+        summary: "Update File Metadata",
+        description: "Updates file metadata in the database",
+        params: z.object({
+          id: z.string().min(1, "The file id is required").describe("The file ID"),
+        }),
+        body: UpdateFileSchema,
+        response: {
+          200: z.object({
+            file: z.object({
+              id: z.string().describe("The file ID"),
+              name: z.string().describe("The file name"),
+              description: z.string().nullable().describe("The file description"),
+              extension: z.string().describe("The file extension"),
+              size: z.string().describe("The file size"),
+              objectName: z.string().describe("The object name of the file"),
+              userId: z.string().describe("The user ID"),
+              folderId: z.string().nullable().describe("The folder ID"),
+              createdAt: z.date().describe("The file creation date"),
+              updatedAt: z.date().describe("The file last update date"),
+            }),
+            message: z.string().describe("Success message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+          403: z.object({ error: z.string().describe("Error message") }),
+          404: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    fileController.updateFile.bind(fileController)
+  );
+
+  app.put(
+    "/files/:id/move",
+    {
+      preValidation,
+      schema: {
+        tags: ["File"],
+        operationId: "moveFile",
+        summary: "Move File",
+        description: "Moves a file to a different folder",
+        params: z.object({
+          id: z.string().min(1, "The file id is required").describe("The file ID"),
+        }),
+        body: MoveFileSchema,
+        response: {
+          200: z.object({
+            file: z.object({
+              id: z.string().describe("The file ID"),
+              name: z.string().describe("The file name"),
+              description: z.string().nullable().describe("The file description"),
+              extension: z.string().describe("The file extension"),
+              size: z.string().describe("The file size"),
+              objectName: z.string().describe("The object name of the file"),
+              userId: z.string().describe("The user ID"),
+              folderId: z.string().nullable().describe("The folder ID"),
+              createdAt: z.date().describe("The file creation date"),
+              updatedAt: z.date().describe("The file last update date"),
+            }),
+            message: z.string().describe("Success message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+          403: z.object({ error: z.string().describe("Error message") }),
+          404: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    fileController.moveFile.bind(fileController)
+  );
+
   app.delete(
     "/files/:id",
     {
@@ -185,42 +271,4 @@ export async function fileRoutes(app: FastifyInstance) {
     },
     fileController.deleteFile.bind(fileController)
   );
-
-  app.patch(
-    "/files/:id",
-    {
-      preValidation,
-      schema: {
-        tags: ["File"],
-        operationId: "updateFile",
-        summary: "Update File Metadata",
-        description: "Updates file metadata in the database",
-        params: z.object({
-          id: z.string().min(1, "The file id is required").describe("The file ID"),
-        }),
-        body: UpdateFileSchema,
-        response: {
-          200: z.object({
-            file: z.object({
-              id: z.string().describe("The file ID"),
-              name: z.string().describe("The file name"),
-              description: z.string().nullable().describe("The file description"),
-              extension: z.string().describe("The file extension"),
-              size: z.string().describe("The file size"),
-              objectName: z.string().describe("The object name of the file"),
-              userId: z.string().describe("The user ID"),
-              createdAt: z.date().describe("The file creation date"),
-              updatedAt: z.date().describe("The file last update date"),
-            }),
-            message: z.string().describe("Success message"),
-          }),
-          400: z.object({ error: z.string().describe("Error message") }),
-          401: z.object({ error: z.string().describe("Error message") }),
-          403: z.object({ error: z.string().describe("Error message") }),
-          404: z.object({ error: z.string().describe("Error message") }),
-        },
-      },
-    },
-    fileController.updateFile.bind(fileController)
-  );
 }

apps/server/src/modules/filesystem/chunk-manager.ts

@@ -0,0 +1,345 @@
+import * as fs from "fs";
+import * as path from "path";
+
+import { getTempFilePath } from "../../config/directories.config";
+import { FilesystemStorageProvider } from "../../providers/filesystem-storage.provider";
+
+export interface ChunkMetadata {
+  fileId: string;
+  chunkIndex: number;
+  totalChunks: number;
+  chunkSize: number;
+  totalSize: number;
+  fileName: string;
+  isLastChunk: boolean;
+}
+
+export interface ChunkInfo {
+  fileId: string;
+  fileName: string;
+  totalSize: number;
+  totalChunks: number;
+  uploadedChunks: Set<number>;
+  tempPath: string;
+  createdAt: number;
+}
+
+export class ChunkManager {
+  private static instance: ChunkManager;
+  private activeUploads = new Map<string, ChunkInfo>();
+  private finalizingUploads = new Set<string>(); // Track uploads currently being finalized
+  private cleanupInterval: NodeJS.Timeout;
+
+  private constructor() {
+    // Cleanup expired uploads every 30 minutes
+    this.cleanupInterval = setInterval(
+      () => {
+        this.cleanupExpiredUploads();
+      },
+      30 * 60 * 1000
+    );
+  }
+
+  public static getInstance(): ChunkManager {
+    if (!ChunkManager.instance) {
+      ChunkManager.instance = new ChunkManager();
+    }
+    return ChunkManager.instance;
+  }
+
+  /**
+   * Process a chunk upload with streaming
+   */
+  async processChunk(
+    metadata: ChunkMetadata,
+    inputStream: NodeJS.ReadableStream,
+    originalObjectName: string
+  ): Promise<{ isComplete: boolean; finalPath?: string }> {
+    const startTime = Date.now();
+    const { fileId, chunkIndex, totalChunks, fileName, totalSize, isLastChunk } = metadata;
+
+    console.log(`Processing chunk ${chunkIndex + 1}/${totalChunks} for file ${fileName} (${fileId})`);
+
+    let chunkInfo = this.activeUploads.get(fileId);
+    if (!chunkInfo) {
+      if (chunkIndex !== 0) {
+        throw new Error("First chunk must be chunk 0");
+      }
+
+      const tempPath = getTempFilePath(fileId);
+      chunkInfo = {
+        fileId,
+        fileName,
+        totalSize,
+        totalChunks,
+        uploadedChunks: new Set(),
+        tempPath,
+        createdAt: Date.now(),
+      };
+      this.activeUploads.set(fileId, chunkInfo);
+      console.log(`Created new upload session for ${fileName} at ${tempPath}`);
+    }
+
+    console.log(
+      `Validating chunk ${chunkIndex} (total: ${totalChunks}, uploaded: ${Array.from(chunkInfo.uploadedChunks).join(",")})`
+    );
+
+    if (chunkIndex < 0 || chunkIndex >= totalChunks) {
+      throw new Error(`Invalid chunk index: ${chunkIndex} (must be 0-${totalChunks - 1})`);
+    }
+
+    if (chunkInfo.uploadedChunks.has(chunkIndex)) {
+      console.log(`Chunk ${chunkIndex} already uploaded, treating as success`);
+
+      if (isLastChunk && chunkInfo.uploadedChunks.size === totalChunks) {
+        if (this.finalizingUploads.has(fileId)) {
+          console.log(`Upload ${fileId} is already being finalized, waiting...`);
+          return { isComplete: false };
+        }
+
+        console.log(`All chunks uploaded, finalizing ${fileName}`);
+        return await this.finalizeUpload(chunkInfo, metadata, originalObjectName);
+      }
+
+      return { isComplete: false };
+    }
+
+    const tempDir = path.dirname(chunkInfo.tempPath);
+    await fs.promises.mkdir(tempDir, { recursive: true });
+    console.log(`Temp directory ensured: ${tempDir}`);
+
+    await this.writeChunkToFile(chunkInfo.tempPath, inputStream, chunkIndex === 0);
+
+    chunkInfo.uploadedChunks.add(chunkIndex);
+
+    try {
+      const stats = await fs.promises.stat(chunkInfo.tempPath);
+      const processingTime = Date.now() - startTime;
+      console.log(
+        `Chunk ${chunkIndex + 1}/${totalChunks} uploaded successfully in ${processingTime}ms. Temp file size: ${stats.size} bytes`
+      );
+    } catch (error) {
+      console.warn(`Could not get temp file stats:`, error);
+    }
+
+    console.log(
+      `Checking completion: isLastChunk=${isLastChunk}, uploadedChunks.size=${chunkInfo.uploadedChunks.size}, totalChunks=${totalChunks}`
+    );
+
+    if (isLastChunk && chunkInfo.uploadedChunks.size === totalChunks) {
+      if (this.finalizingUploads.has(fileId)) {
+        console.log(`Upload ${fileId} is already being finalized, waiting...`);
+        return { isComplete: false };
+      }
+
+      console.log(`All chunks uploaded, finalizing ${fileName}`);
+
+      const uploadedChunksArray = Array.from(chunkInfo.uploadedChunks).sort((a, b) => a - b);
+      console.log(`Uploaded chunks in order: ${uploadedChunksArray.join(", ")}`);
+
+      const expectedChunks = Array.from({ length: totalChunks }, (_, i) => i);
+      const missingChunks = expectedChunks.filter((chunk) => !chunkInfo.uploadedChunks.has(chunk));
+
+      if (missingChunks.length > 0) {
+        throw new Error(`Missing chunks: ${missingChunks.join(", ")}`);
+      }
+
+      return await this.finalizeUpload(chunkInfo, metadata, originalObjectName);
+    } else {
+      console.log(
+        `Not ready for finalization: isLastChunk=${isLastChunk}, uploadedChunks.size=${chunkInfo.uploadedChunks.size}, totalChunks=${totalChunks}`
+      );
+    }
+
+    return { isComplete: false };
+  }
+
+  /**
+   * Write chunk to file using streaming
+   */
+  private async writeChunkToFile(
+    filePath: string,
+    inputStream: NodeJS.ReadableStream,
+    isFirstChunk: boolean
+  ): Promise<void> {
+    return new Promise((resolve, reject) => {
+      console.log(`Writing chunk to ${filePath} (first: ${isFirstChunk})`);
+
+      if (isFirstChunk) {
+        const writeStream = fs.createWriteStream(filePath, {
+          highWaterMark: 64 * 1024 * 1024, // 64MB buffer for better performance
+        });
+        writeStream.on("error", (error) => {
+          console.error("Write stream error:", error);
+          reject(error);
+        });
+        writeStream.on("finish", () => {
+          console.log("Write stream finished successfully");
+          resolve();
+        });
+        inputStream.pipe(writeStream);
+      } else {
+        const writeStream = fs.createWriteStream(filePath, {
+          flags: "a",
+          highWaterMark: 64 * 1024 * 1024, // 64MB buffer for better performance
+        });
+        writeStream.on("error", (error) => {
+          console.error("Write stream error:", error);
+          reject(error);
+        });
+        writeStream.on("finish", () => {
+          console.log("Write stream finished successfully");
+          resolve();
+        });
+        inputStream.pipe(writeStream);
+      }
+    });
+  }
+
+  /**
+   * Finalize upload by moving temp file to final location and encrypting (if enabled)
+   */
+  private async finalizeUpload(
+    chunkInfo: ChunkInfo,
+    metadata: ChunkMetadata,
+    originalObjectName: string
+  ): Promise<{ isComplete: boolean; finalPath: string }> {
+    // Mark as finalizing to prevent race conditions
+    this.finalizingUploads.add(chunkInfo.fileId);
+
+    try {
+      console.log(`Finalizing upload for ${chunkInfo.fileName}`);
+
+      const tempStats = await fs.promises.stat(chunkInfo.tempPath);
+      console.log(`Temp file size: ${tempStats.size} bytes, expected: ${chunkInfo.totalSize} bytes`);
+
+      if (tempStats.size !== chunkInfo.totalSize) {
+        console.warn(`Size mismatch! Temp: ${tempStats.size}, Expected: ${chunkInfo.totalSize}`);
+      }
+
+      const provider = FilesystemStorageProvider.getInstance();
+      const finalObjectName = originalObjectName;
+      const filePath = provider.getFilePath(finalObjectName);
+      const dir = path.dirname(filePath);
+
+      console.log(`Starting finalization: ${finalObjectName}`);
+
+      await fs.promises.mkdir(dir, { recursive: true });
+
+      const tempReadStream = fs.createReadStream(chunkInfo.tempPath, {
+        highWaterMark: 64 * 1024 * 1024, // 64MB buffer for better performance
+      });
+      const writeStream = fs.createWriteStream(filePath, {
+        highWaterMark: 64 * 1024 * 1024,
+      });
+      const encryptStream = provider.createEncryptStream();
+
+      await new Promise<void>((resolve, reject) => {
+        const startTime = Date.now();
+
+        tempReadStream
+          .pipe(encryptStream)
+          .pipe(writeStream)
+          .on("finish", () => {
+            const duration = Date.now() - startTime;
+            console.log(`File processed and saved to: ${filePath} in ${duration}ms`);
+            resolve();
+          })
+          .on("error", (error) => {
+            console.error("Error during processing:", error);
+            reject(error);
+          });
+      });
+
+      console.log(`File successfully uploaded and processed: ${finalObjectName}`);
+
+      await this.cleanupTempFile(chunkInfo.tempPath);
+
+      this.activeUploads.delete(chunkInfo.fileId);
+      this.finalizingUploads.delete(chunkInfo.fileId);
+
+      return { isComplete: true, finalPath: finalObjectName };
+    } catch (error) {
+      console.error("Error during finalization:", error);
+      await this.cleanupTempFile(chunkInfo.tempPath);
+      this.activeUploads.delete(chunkInfo.fileId);
+      this.finalizingUploads.delete(chunkInfo.fileId);
+      throw error;
+    }
+  }
+
+  /**
+   * Cleanup temporary file
+   */
+  private async cleanupTempFile(tempPath: string): Promise<void> {
+    try {
+      await fs.promises.access(tempPath);
+      await fs.promises.unlink(tempPath);
+      console.log(`Temp file cleaned up: ${tempPath}`);
+    } catch (error: any) {
+      if (error.code === "ENOENT") {
+        console.log(`Temp file already cleaned up: ${tempPath}`);
+      } else {
+        console.warn(`Failed to cleanup temp file ${tempPath}:`, error);
+      }
+    }
+  }
+
+  /**
+   * Cleanup expired uploads (older than 2 hours)
+   */
+  private async cleanupExpiredUploads(): Promise<void> {
+    const now = Date.now();
+    const maxAge = 2 * 60 * 60 * 1000; // 2 hours
+
+    for (const [fileId, chunkInfo] of this.activeUploads.entries()) {
+      if (now - chunkInfo.createdAt > maxAge) {
+        console.log(`Cleaning up expired upload: ${fileId}`);
+        await this.cleanupTempFile(chunkInfo.tempPath);
+        this.activeUploads.delete(fileId);
+        this.finalizingUploads.delete(fileId);
+      }
+    }
+  }
+
+  /**
+   * Get upload progress
+   */
+  getUploadProgress(fileId: string): { uploaded: number; total: number; percentage: number } | null {
+    const chunkInfo = this.activeUploads.get(fileId);
+    if (!chunkInfo) return null;
+
+    return {
+      uploaded: chunkInfo.uploadedChunks.size,
+      total: chunkInfo.totalChunks,
+      percentage: Math.round((chunkInfo.uploadedChunks.size / chunkInfo.totalChunks) * 100),
+    };
+  }
+
+  /**
+   * Cancel upload
+   */
+  async cancelUpload(fileId: string): Promise<void> {
+    const chunkInfo = this.activeUploads.get(fileId);
+    if (chunkInfo) {
+      await this.cleanupTempFile(chunkInfo.tempPath);
+      this.activeUploads.delete(fileId);
+      this.finalizingUploads.delete(fileId);
+    }
+  }
+
+  /**
+   * Cleanup on shutdown
+   */
+  destroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
+
+    for (const [fileId, chunkInfo] of this.activeUploads.entries()) {
+      this.cleanupTempFile(chunkInfo.tempPath);
+    }
+    this.activeUploads.clear();
+    this.finalizingUploads.clear();
+  }
+}

apps/server/src/modules/filesystem/controller.ts

@@ -1,17 +1,17 @@
 import * as fs from "fs";
-import * as path from "path";
 import { pipeline } from "stream/promises";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 import { FilesystemStorageProvider } from "../../providers/filesystem-storage.provider";
-import { FileService } from "../file/service";
+import { DownloadCancelResponse, QueueClearResponse, QueueStatusResponse } from "../../types/download-queue";
+import { DownloadMemoryManager } from "../../utils/download-memory-manager";
+import { getContentType } from "../../utils/mime-types";
+import { ChunkManager, ChunkMetadata } from "./chunk-manager";
 
 export class FilesystemController {
-  private fileService = new FileService();
+  private chunkManager = ChunkManager.getInstance();
+  private memoryManager = DownloadMemoryManager.getInstance();
 
-  /**
-   * Safely encode filename for Content-Disposition header
-   */
   private encodeFilenameForHeader(filename: string): string {
     if (!filename || filename.trim() === "") {
       return 'attachment; filename="download"';
@@ -65,26 +65,114 @@ export class FilesystemController {
         return reply.status(400).send({ error: "Invalid or expired upload token" });
       }
 
-      // Use streaming for all files to avoid loading into RAM
-      await this.uploadFileStream(request, provider, tokenData.objectName);
+      const chunkMetadata = this.extractChunkMetadata(request);
 
-      provider.consumeUploadToken(token);
-      reply.status(200).send({ message: "File uploaded successfully" });
+      if (chunkMetadata) {
+        try {
+          const result = await this.handleChunkedUpload(request, chunkMetadata, tokenData.objectName);
+
+          if (result.isComplete) {
+            provider.consumeUploadToken(token);
+            reply.status(200).send({
+              message: "File uploaded successfully",
+              objectName: result.finalPath,
+              finalObjectName: result.finalPath,
+            });
+          } else {
+            reply.status(200).send({
+              message: "Chunk uploaded successfully",
+              progress: this.chunkManager.getUploadProgress(chunkMetadata.fileId),
+            });
+          }
+        } catch (chunkError: any) {
+          return reply.status(400).send({
+            error: chunkError.message || "Chunked upload failed",
+            details: chunkError.toString(),
+          });
+        }
+      } else {
+        await this.uploadFileStream(request, provider, tokenData.objectName);
+        provider.consumeUploadToken(token);
+        reply.status(200).send({ message: "File uploaded successfully" });
+      }
     } catch (error) {
-      console.error("Error in filesystem upload:", error);
       return reply.status(500).send({ error: "Internal server error" });
     }
   }
 
   private async uploadFileStream(request: FastifyRequest, provider: FilesystemStorageProvider, objectName: string) {
-    // Use the provider's streaming upload method directly
     await provider.uploadFileFromStream(objectName, request.raw);
   }
 
+  private extractChunkMetadata(request: FastifyRequest): ChunkMetadata | null {
+    const fileId = request.headers["x-file-id"] as string;
+    const chunkIndex = request.headers["x-chunk-index"] as string;
+    const totalChunks = request.headers["x-total-chunks"] as string;
+    const chunkSize = request.headers["x-chunk-size"] as string;
+    const totalSize = request.headers["x-total-size"] as string;
+    const fileName = request.headers["x-file-name"] as string;
+    const isLastChunk = request.headers["x-is-last-chunk"] as string;
+
+    if (!fileId || !chunkIndex || !totalChunks || !chunkSize || !totalSize || !fileName) {
+      return null;
+    }
+
+    const metadata = {
+      fileId,
+      chunkIndex: parseInt(chunkIndex, 10),
+      totalChunks: parseInt(totalChunks, 10),
+      chunkSize: parseInt(chunkSize, 10),
+      totalSize: parseInt(totalSize, 10),
+      fileName,
+      isLastChunk: isLastChunk === "true",
+    };
+
+    return metadata;
+  }
+
+  private async handleChunkedUpload(request: FastifyRequest, metadata: ChunkMetadata, originalObjectName: string) {
+    const stream = request.raw;
+
+    stream.on("error", (error) => {
+      console.error("Request stream error:", error);
+    });
+
+    return await this.chunkManager.processChunk(metadata, stream, originalObjectName);
+  }
+
+  async getUploadProgress(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const { fileId } = request.params as { fileId: string };
+
+      const progress = this.chunkManager.getUploadProgress(fileId);
+
+      if (!progress) {
+        return reply.status(404).send({ error: "Upload not found" });
+      }
+
+      reply.status(200).send(progress);
+    } catch (error) {
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  }
+
+  async cancelUpload(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const { fileId } = request.params as { fileId: string };
+
+      await this.chunkManager.cancelUpload(fileId);
+
+      reply.status(200).send({ message: "Upload cancelled successfully" });
+    } catch (error) {
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  }
+
   async download(request: FastifyRequest, reply: FastifyReply) {
+    const downloadId = `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
+
     try {
       const { token } = request.params as { token: string };
-
       const provider = FilesystemStorageProvider.getInstance();
 
       const tokenData = provider.validateDownloadToken(token);
@@ -96,71 +184,233 @@ export class FilesystemController {
       const filePath = provider.getFilePath(tokenData.objectName);
       const stats = await fs.promises.stat(filePath);
       const fileSize = stats.size;
-      const isLargeFile = fileSize > 50 * 1024 * 1024;
-
       const fileName = tokenData.fileName || "download";
+
+      const fileSizeMB = fileSize / (1024 * 1024);
+      console.log(`[DOWNLOAD] Requesting slot for ${downloadId}: ${tokenData.objectName} (${fileSizeMB.toFixed(1)}MB)`);
+
+      try {
+        await this.memoryManager.requestDownloadSlot(downloadId, {
+          fileName,
+          fileSize,
+          objectName: tokenData.objectName,
+        });
+      } catch (error: any) {
+        console.warn(`[DOWNLOAD] Queue full for ${downloadId}: ${error.message}`);
+        return reply.status(503).send({
+          error: "Download queue is full",
+          message: error.message,
+          retryAfter: 60,
+        });
+      }
+
+      console.log(`[DOWNLOAD] Starting ${downloadId}: ${tokenData.objectName} (${fileSizeMB.toFixed(1)}MB)`);
+      this.memoryManager.startDownload(downloadId);
+
       const range = request.headers.range;
 
       reply.header("Content-Disposition", this.encodeFilenameForHeader(fileName));
-      reply.header("Content-Type", "application/octet-stream");
+      reply.header("Content-Type", getContentType(fileName));
       reply.header("Accept-Ranges", "bytes");
+      reply.header("X-Download-ID", downloadId);
 
-      if (range) {
-        const parts = range.replace(/bytes=/, "").split("-");
-        const start = parseInt(parts[0], 10);
-        const end = parts[1] ? parseInt(parts[1], 10) : fileSize - 1;
-        const chunkSize = end - start + 1;
+      reply.raw.on("close", () => {
+        this.memoryManager.endDownload(downloadId);
+        console.log(`[DOWNLOAD] Client disconnected: ${downloadId}`);
+      });
 
-        reply.status(206);
-        reply.header("Content-Range", `bytes ${start}-${end}/${fileSize}`);
-        reply.header("Content-Length", chunkSize);
+      reply.raw.on("error", () => {
+        this.memoryManager.endDownload(downloadId);
+        console.log(`[DOWNLOAD] Client error: ${downloadId}`);
+      });
 
-        if (isLargeFile) {
-          await this.downloadLargeFileRange(reply, provider, tokenData.objectName, start, end);
+      try {
+        if (range) {
+          const parts = range.replace(/bytes=/, "").split("-");
+          const start = parseInt(parts[0], 10);
+          const end = parts[1] ? parseInt(parts[1], 10) : fileSize - 1;
+
+          reply.status(206);
+          reply.header("Content-Range", `bytes ${start}-${end}/${fileSize}`);
+          reply.header("Content-Length", end - start + 1);
+
+          await this.downloadFileRange(reply, provider, tokenData.objectName, start, end, downloadId);
         } else {
-          const buffer = await provider.downloadFile(tokenData.objectName);
-          const chunk = buffer.slice(start, end + 1);
-          reply.send(chunk);
+          reply.header("Content-Length", fileSize);
+          await this.downloadFileStream(reply, provider, tokenData.objectName, downloadId);
         }
-      } else {
-        reply.header("Content-Length", fileSize);
 
-        if (isLargeFile) {
-          await this.downloadLargeFile(reply, provider, filePath);
-        } else {
-          const buffer = await provider.downloadFile(tokenData.objectName);
-          reply.send(buffer);
-        }
+        provider.consumeDownloadToken(token);
+      } finally {
+        this.memoryManager.endDownload(downloadId);
       }
-
-      provider.consumeDownloadToken(token);
     } catch (error) {
-      console.error("Error in filesystem download:", error);
+      this.memoryManager.endDownload(downloadId);
+      console.error(`[DOWNLOAD] Error in ${downloadId}:`, error);
       return reply.status(500).send({ error: "Internal server error" });
     }
   }
 
-  private async downloadLargeFile(reply: FastifyReply, provider: FilesystemStorageProvider, filePath: string) {
-    const readStream = fs.createReadStream(filePath);
-    const decryptStream = provider.createDecryptStream();
-
+  private async downloadFileStream(
+    reply: FastifyReply,
+    provider: FilesystemStorageProvider,
+    objectName: string,
+    downloadId?: string
+  ) {
     try {
-      await pipeline(readStream, decryptStream, reply.raw);
+      FilesystemStorageProvider.logMemoryUsage(`Download start: ${objectName} (${downloadId})`);
+
+      const downloadStream = provider.createDownloadStream(objectName);
+
+      downloadStream.on("error", (error) => {
+        console.error("Download stream error:", error);
+        FilesystemStorageProvider.logMemoryUsage(`Download error: ${objectName} (${downloadId})`);
+        if (!reply.sent) {
+          reply.status(500).send({ error: "Download failed" });
+        }
+      });
+
+      reply.raw.on("close", () => {
+        if (downloadStream.readable && typeof (downloadStream as any).destroy === "function") {
+          (downloadStream as any).destroy();
+        }
+        FilesystemStorageProvider.logMemoryUsage(`Download client disconnect: ${objectName} (${downloadId})`);
+      });
+
+      if (this.memoryManager.shouldThrottleStream()) {
+        console.log(
+          `[MEMORY THROTTLE] ${objectName} - Pausing stream due to high memory usage: ${this.memoryManager.getCurrentMemoryUsageMB().toFixed(0)}MB`
+        );
+
+        const { Transform } = require("stream");
+        const memoryManager = this.memoryManager;
+        const throttleStream = new Transform({
+          highWaterMark: 256 * 1024,
+          transform(chunk: Buffer, _encoding: BufferEncoding, callback: (error?: Error | null, data?: any) => void) {
+            if (memoryManager.shouldThrottleStream()) {
+              setImmediate(() => {
+                this.push(chunk);
+                callback();
+              });
+            } else {
+              this.push(chunk);
+              callback();
+            }
+          },
+        });
+
+        await pipeline(downloadStream, throttleStream, reply.raw);
+      } else {
+        await pipeline(downloadStream, reply.raw);
+      }
+
+      FilesystemStorageProvider.logMemoryUsage(`Download complete: ${objectName} (${downloadId})`);
     } catch (error) {
-      console.error("Error streaming large file:", error);
-      throw error;
+      console.error("Download error:", error);
+      FilesystemStorageProvider.logMemoryUsage(`Download failed: ${objectName} (${downloadId})`);
+      if (!reply.sent) {
+        reply.status(500).send({ error: "Download failed" });
+      }
     }
   }
 
-  private async downloadLargeFileRange(
+  private async downloadFileRange(
     reply: FastifyReply,
     provider: FilesystemStorageProvider,
     objectName: string,
     start: number,
-    end: number
+    end: number,
+    downloadId?: string
   ) {
-    const buffer = await provider.downloadFile(objectName);
-    const chunk = buffer.slice(start, end + 1);
-    reply.send(chunk);
+    try {
+      FilesystemStorageProvider.logMemoryUsage(`Range download start: ${objectName} (${start}-${end}) (${downloadId})`);
+
+      const rangeStream = await provider.createDownloadRangeStream(objectName, start, end);
+
+      rangeStream.on("error", (error) => {
+        console.error("Range download stream error:", error);
+        FilesystemStorageProvider.logMemoryUsage(
+          `Range download error: ${objectName} (${start}-${end}) (${downloadId})`
+        );
+        if (!reply.sent) {
+          reply.status(500).send({ error: "Download failed" });
+        }
+      });
+
+      reply.raw.on("close", () => {
+        if (rangeStream.readable && typeof (rangeStream as any).destroy === "function") {
+          (rangeStream as any).destroy();
+        }
+        FilesystemStorageProvider.logMemoryUsage(
+          `Range download client disconnect: ${objectName} (${start}-${end}) (${downloadId})`
+        );
+      });
+
+      await pipeline(rangeStream, reply.raw);
+
+      FilesystemStorageProvider.logMemoryUsage(
+        `Range download complete: ${objectName} (${start}-${end}) (${downloadId})`
+      );
+    } catch (error) {
+      console.error("Range download error:", error);
+      FilesystemStorageProvider.logMemoryUsage(
+        `Range download failed: ${objectName} (${start}-${end}) (${downloadId})`
+      );
+      if (!reply.sent) {
+        reply.status(500).send({ error: "Download failed" });
+      }
+    }
+  }
+
+  async getQueueStatus(_request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const queueStatus = this.memoryManager.getQueueStatus();
+      const response: QueueStatusResponse = {
+        status: "success",
+        data: queueStatus,
+      };
+      reply.status(200).send(response);
+    } catch (error) {
+      console.error("Error getting queue status:", error);
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  }
+
+  async cancelQueuedDownload(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const { downloadId } = request.params as { downloadId: string };
+
+      const cancelled = this.memoryManager.cancelQueuedDownload(downloadId);
+
+      if (cancelled) {
+        const response: DownloadCancelResponse = {
+          message: "Download cancelled successfully",
+          downloadId,
+        };
+        reply.status(200).send(response);
+      } else {
+        reply.status(404).send({
+          error: "Download not found in queue",
+          downloadId,
+        });
+      }
+    } catch (error) {
+      console.error("Error cancelling queued download:", error);
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  }
+
+  async clearDownloadQueue(_request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const clearedCount = this.memoryManager.clearQueue();
+      const response: QueueClearResponse = {
+        message: "Download queue cleared successfully",
+        clearedCount,
+      };
+      reply.status(200).send(response);
+    } catch (error) {
+      console.error("Error clearing download queue:", error);
+      return reply.status(500).send({ error: "Internal server error" });
+    }
   }
 }

apps/server/src/modules/filesystem/download-queue-routes.ts

@@ -0,0 +1,95 @@
+import { FastifyInstance } from "fastify";
+import { z } from "zod";
+
+import { FilesystemController } from "./controller";
+
+export async function downloadQueueRoutes(app: FastifyInstance) {
+  const filesystemController = new FilesystemController();
+
+  app.get(
+    "/filesystem/download-queue/status",
+    {
+      schema: {
+        tags: ["Download Queue"],
+        operationId: "getDownloadQueueStatus",
+        summary: "Get download queue status",
+        description: "Get current status of the download queue including active downloads and queue length",
+        response: {
+          200: z.object({
+            status: z.string(),
+            data: z.object({
+              queueLength: z.number(),
+              maxQueueSize: z.number(),
+              activeDownloads: z.number(),
+              maxConcurrent: z.number(),
+              queuedDownloads: z.array(
+                z.object({
+                  downloadId: z.string(),
+                  position: z.number(),
+                  waitTime: z.number(),
+                  fileName: z.string().optional(),
+                  fileSize: z.number().optional(),
+                })
+              ),
+            }),
+          }),
+          500: z.object({
+            error: z.string(),
+          }),
+        },
+      },
+    },
+    filesystemController.getQueueStatus.bind(filesystemController)
+  );
+
+  app.delete(
+    "/filesystem/download-queue/:downloadId",
+    {
+      schema: {
+        tags: ["Download Queue"],
+        operationId: "cancelQueuedDownload",
+        summary: "Cancel a queued download",
+        description: "Cancel a specific download that is waiting in the queue",
+        params: z.object({
+          downloadId: z.string().describe("Download ID"),
+        }),
+        response: {
+          200: z.object({
+            message: z.string(),
+            downloadId: z.string(),
+          }),
+          404: z.object({
+            error: z.string(),
+            downloadId: z.string(),
+          }),
+          500: z.object({
+            error: z.string(),
+          }),
+        },
+      },
+    },
+    filesystemController.cancelQueuedDownload.bind(filesystemController)
+  );
+
+  app.delete(
+    "/filesystem/download-queue",
+    {
+      schema: {
+        tags: ["Download Queue"],
+        operationId: "clearDownloadQueue",
+        summary: "Clear entire download queue",
+        description: "Cancel all downloads waiting in the queue (admin operation)",
+        response: {
+          200: z.object({
+            message: z.string(),
+            clearedCount: z.number(),
+          }),
+          500: z.object({
+            error: z.string(),
+          }),
+        },
+      },
+    },
+    filesystemController.clearDownloadQueue.bind(filesystemController)
+  );
+}

apps/server/src/modules/filesystem/routes.ts

@@ -67,4 +67,57 @@ export async function filesystemRoutes(app: FastifyInstance) {
     },
     filesystemController.download.bind(filesystemController)
   );
+
+  app.get(
+    "/filesystem/upload-progress/:fileId",
+    {
+      schema: {
+        tags: ["Filesystem"],
+        operationId: "getUploadProgress",
+        summary: "Get chunked upload progress",
+        description: "Get the progress of a chunked upload",
+        params: z.object({
+          fileId: z.string().describe("File ID"),
+        }),
+        response: {
+          200: z.object({
+            uploaded: z.number(),
+            total: z.number(),
+            percentage: z.number(),
+          }),
+          404: z.object({
+            error: z.string(),
+          }),
+          500: z.object({
+            error: z.string(),
+          }),
+        },
+      },
+    },
+    filesystemController.getUploadProgress.bind(filesystemController)
+  );
+
+  app.delete(
+    "/filesystem/cancel-upload/:fileId",
+    {
+      schema: {
+        tags: ["Filesystem"],
+        operationId: "cancelUpload",
+        summary: "Cancel chunked upload",
+        description: "Cancel an ongoing chunked upload",
+        params: z.object({
+          fileId: z.string().describe("File ID"),
+        }),
+        response: {
+          200: z.object({
+            message: z.string(),
+          }),
+          500: z.object({
+            error: z.string(),
+          }),
+        },
+      },
+    },
+    filesystemController.cancelUpload.bind(filesystemController)
+  );
 }

apps/server/src/modules/folder/controller.ts

@@ -0,0 +1,412 @@
+import { FastifyReply, FastifyRequest } from "fastify";
+
+import { env } from "../../env";
+import { prisma } from "../../shared/prisma";
+import { ConfigService } from "../config/service";
+import {
+  CheckFolderSchema,
+  ListFoldersSchema,
+  MoveFolderSchema,
+  RegisterFolderSchema,
+  UpdateFolderSchema,
+} from "./dto";
+import { FolderService } from "./service";
+
+export class FolderController {
+  private folderService = new FolderService();
+  private configService = new ConfigService();
+
+  async registerFolder(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const input = RegisterFolderSchema.parse(request.body);
+
+      if (input.parentId) {
+        const parentFolder = await prisma.folder.findFirst({
+          where: { id: input.parentId, userId },
+        });
+        if (!parentFolder) {
+          return reply.status(400).send({ error: "Parent folder not found or access denied" });
+        }
+      }
+
+      const existingFolder = await prisma.folder.findFirst({
+        where: {
+          name: input.name,
+          parentId: input.parentId || null,
+          userId,
+        },
+      });
+
+      if (existingFolder) {
+        return reply.status(400).send({ error: "A folder with this name already exists in this location" });
+      }
+
+      const folderRecord = await prisma.folder.create({
+        data: {
+          name: input.name,
+          description: input.description,
+          objectName: input.objectName,
+          parentId: input.parentId,
+          userId,
+        },
+        include: {
+          _count: {
+            select: {
+              files: true,
+              children: true,
+            },
+          },
+        },
+      });
+
+      const totalSize = await this.folderService.calculateFolderSize(folderRecord.id, userId);
+
+      const folderResponse = {
+        id: folderRecord.id,
+        name: folderRecord.name,
+        description: folderRecord.description,
+        objectName: folderRecord.objectName,
+        parentId: folderRecord.parentId,
+        userId: folderRecord.userId,
+        createdAt: folderRecord.createdAt,
+        updatedAt: folderRecord.updatedAt,
+        totalSize: totalSize.toString(),
+        _count: folderRecord._count,
+      };
+
+      return reply.status(201).send({
+        folder: folderResponse,
+        message: "Folder registered successfully.",
+      });
+    } catch (error: any) {
+      console.error("Error in registerFolder:", error);
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async checkFolder(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({
+          error: "Unauthorized: a valid token is required to access this resource.",
+          code: "unauthorized",
+        });
+      }
+
+      const input = CheckFolderSchema.parse(request.body);
+
+      if (input.name.length > 100) {
+        return reply.status(400).send({
+          code: "folderNameTooLong",
+          error: "Folder name exceeds maximum length of 100 characters",
+          details: "100",
+        });
+      }
+
+      const existingFolder = await prisma.folder.findFirst({
+        where: {
+          name: input.name,
+          parentId: input.parentId || null,
+          userId,
+        },
+      });
+
+      if (existingFolder) {
+        return reply.status(400).send({
+          error: "A folder with this name already exists in this location",
+          code: "duplicateFolderName",
+        });
+      }
+
+      return reply.status(201).send({
+        message: "Folder checks succeeded.",
+      });
+    } catch (error: any) {
+      console.error("Error in checkFolder:", error);
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async listFolders(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const userId = (request as any).user?.userId;
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const input = ListFoldersSchema.parse(request.query);
+      const { parentId, recursive: recursiveStr } = input;
+      const recursive = recursiveStr === "false" ? false : true;
+
+      let folders: any[];
+
+      if (recursive) {
+        folders = await prisma.folder.findMany({
+          where: { userId },
+          include: {
+            _count: {
+              select: {
+                files: true,
+                children: true,
+              },
+            },
+          },
+          orderBy: [{ name: "asc" }],
+        });
+      } else {
+        // Get only direct children of specified parent
+        const targetParentId = parentId === "null" || parentId === "" || !parentId ? null : parentId;
+        folders = await prisma.folder.findMany({
+          where: {
+            userId,
+            parentId: targetParentId,
+          },
+          include: {
+            _count: {
+              select: {
+                files: true,
+                children: true,
+              },
+            },
+          },
+          orderBy: [{ name: "asc" }],
+        });
+      }
+
+      const foldersResponse = await Promise.all(
+        folders.map(async (folder) => {
+          const totalSize = await this.folderService.calculateFolderSize(folder.id, userId);
+          return {
+            id: folder.id,
+            name: folder.name,
+            description: folder.description,
+            objectName: folder.objectName,
+            parentId: folder.parentId,
+            userId: folder.userId,
+            createdAt: folder.createdAt,
+            updatedAt: folder.updatedAt,
+            totalSize: totalSize.toString(),
+            _count: folder._count,
+          };
+        })
+      );
+
+      return reply.send({ folders: foldersResponse });
+    } catch (error: any) {
+      console.error("Error in listFolders:", error);
+      return reply.status(500).send({ error: error.message });
+    }
+  }
+
+  async updateFolder(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const { id } = request.params as { id: string };
+      const userId = (request as any).user?.userId;
+
+      if (!userId) {
+        return reply.status(401).send({
+          error: "Unauthorized: a valid token is required to access this resource.",
+        });
+      }
+
+      const updateData = UpdateFolderSchema.parse(request.body);
+
+      const folderRecord = await prisma.folder.findUnique({ where: { id } });
+
+      if (!folderRecord) {
+        return reply.status(404).send({ error: "Folder not found." });
+      }
+
+      if (folderRecord.userId !== userId) {
+        return reply.status(403).send({ error: "Access denied." });
+      }
+
+      if (updateData.name && updateData.name !== folderRecord.name) {
+        const duplicateFolder = await prisma.folder.findFirst({
+          where: {
+            name: updateData.name,
+            parentId: folderRecord.parentId,
+            userId,
+            id: { not: id },
+          },
+        });
+
+        if (duplicateFolder) {
+          return reply.status(400).send({ error: "A folder with this name already exists in this location" });
+        }
+      }
+
+      const updatedFolder = await prisma.folder.update({
+        where: { id },
+        data: updateData,
+        include: {
+          _count: {
+            select: {
+              files: true,
+              children: true,
+            },
+          },
+        },
+      });
+
+      const totalSize = await this.folderService.calculateFolderSize(updatedFolder.id, userId);
+
+      const folderResponse = {
+        id: updatedFolder.id,
+        name: updatedFolder.name,
+        description: updatedFolder.description,
+        objectName: updatedFolder.objectName,
+        parentId: updatedFolder.parentId,
+        userId: updatedFolder.userId,
+        createdAt: updatedFolder.createdAt,
+        updatedAt: updatedFolder.updatedAt,
+        totalSize: totalSize.toString(),
+        _count: updatedFolder._count,
+      };
+
+      return reply.send({
+        folder: folderResponse,
+        message: "Folder updated successfully.",
+      });
+    } catch (error: any) {
+      console.error("Error in updateFolder:", error);
+      return reply.status(400).send({ error: error.message });
+    }
+  }
+
+  async moveFolder(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const userId = (request as any).user?.userId;
+
+      if (!userId) {
+        return reply.status(401).send({ error: "Unauthorized: a valid token is required to access this resource." });
+      }
+
+      const { id } = request.params as { id: string };
+      const body = request.body as any;
+
+      const input = {
+        parentId: body.parentId === undefined ? null : body.parentId,
+      };
+
+      const validatedInput = MoveFolderSchema.parse(input);
+
+      const existingFolder = await prisma.folder.findFirst({
+        where: { id, userId },
+      });
+
+      if (!existingFolder) {
+        return reply.status(404).send({ error: "Folder not found." });
+      }
+
+      if (validatedInput.parentId) {
+        const parentFolder = await prisma.folder.findFirst({
+          where: { id: validatedInput.parentId, userId },
+        });
+        if (!parentFolder) {
+          return reply.status(400).send({ error: "Parent folder not found or access denied" });
+        }
+
+        if (await this.isDescendantOf(validatedInput.parentId, id, userId)) {
+          return reply.status(400).send({ error: "Cannot move a folder into itself or its subfolders" });
+        }
+      }
+
+      const updatedFolder = await prisma.folder.update({
+        where: { id },
+        data: { parentId: validatedInput.parentId },
+        include: {
+          _count: {
+            select: {
+              files: true,
+              children: true,
+            },
+          },
+        },
+      });
+
+      const totalSize = await this.folderService.calculateFolderSize(updatedFolder.id, userId);
+
+      const folderResponse = {
+        id: updatedFolder.id,
+        name: updatedFolder.name,
+        description: updatedFolder.description,
+        objectName: updatedFolder.objectName,
+        parentId: updatedFolder.parentId,
+        userId: updatedFolder.userId,
+        createdAt: updatedFolder.createdAt,
+        updatedAt: updatedFolder.updatedAt,
+        totalSize: totalSize.toString(),
+        _count: updatedFolder._count,
+      };
+
+      return reply.send({
+        folder: folderResponse,
+        message: "Folder moved successfully.",
+      });
+    } catch (error: any) {
+      console.error("Error in moveFolder:", error);
+      const statusCode = error.message === "Folder not found" ? 404 : 400;
+      return reply.status(statusCode).send({ error: error.message });
+    }
+  }
+
+  async deleteFolder(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      await request.jwtVerify();
+      const { id } = request.params as { id: string };
+      if (!id) {
+        return reply.status(400).send({ error: "The 'id' parameter is required." });
+      }
+
+      const folderRecord = await prisma.folder.findUnique({ where: { id } });
+      if (!folderRecord) {
+        return reply.status(404).send({ error: "Folder not found." });
+      }
+
+      const userId = (request as any).user?.userId;
+      if (folderRecord.userId !== userId) {
+        return reply.status(403).send({ error: "Access denied." });
+      }
+
+      await this.folderService.deleteObject(folderRecord.objectName);
+
+      await prisma.folder.delete({ where: { id } });
+
+      return reply.send({ message: "Folder deleted successfully." });
+    } catch (error) {
+      console.error("Error in deleteFolder:", error);
+      return reply.status(500).send({ error: "Internal server error." });
+    }
+  }
+
+  private async isDescendantOf(potentialDescendantId: string, ancestorId: string, userId: string): Promise<boolean> {
+    let currentId: string | null = potentialDescendantId;
+
+    while (currentId) {
+      if (currentId === ancestorId) {
+        return true;
+      }
+
+      const folder: { parentId: string | null } | null = await prisma.folder.findFirst({
+        where: { id: currentId, userId },
+      });
+
+      if (!folder) break;
+      currentId = folder.parentId;
+    }
+
+    return false;
+  }
+}

apps/server/src/modules/folder/dto.ts

@@ -0,0 +1,56 @@
+import { z } from "zod";
+
+export const RegisterFolderSchema = z.object({
+  name: z.string().min(1, "O nome da pasta é obrigatório"),
+  description: z.string().optional(),
+  objectName: z.string().min(1, "O objectName é obrigatório"),
+  parentId: z.string().optional(),
+});
+
+export const UpdateFolderSchema = z.object({
+  name: z.string().optional(),
+  description: z.string().optional().nullable(),
+});
+
+export const MoveFolderSchema = z.object({
+  parentId: z.string().nullable(),
+});
+
+export const FolderResponseSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  description: z.string().nullable(),
+  parentId: z.string().nullable(),
+  userId: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  totalSize: z
+    .bigint()
+    .transform((val) => val.toString())
+    .optional(),
+  _count: z
+    .object({
+      files: z.number(),
+      children: z.number(),
+    })
+    .optional(),
+});
+
+export const CheckFolderSchema = z.object({
+  name: z.string().min(1, "O nome da pasta é obrigatório"),
+  description: z.string().optional(),
+  objectName: z.string().min(1, "O objectName é obrigatório"),
+  parentId: z.string().optional(),
+});
+
+export const ListFoldersSchema = z.object({
+  parentId: z.string().optional(),
+  recursive: z.string().optional().default("true"),
+});
+
+export type RegisterFolderInput = z.infer<typeof RegisterFolderSchema>;
+export type UpdateFolderInput = z.infer<typeof UpdateFolderSchema>;
+export type MoveFolderInput = z.infer<typeof MoveFolderSchema>;
+export type CheckFolderInput = z.infer<typeof CheckFolderSchema>;
+export type ListFoldersInput = z.infer<typeof ListFoldersSchema>;
+export type FolderResponse = z.infer<typeof FolderResponseSchema>;

apps/server/src/modules/folder/routes.ts

@@ -0,0 +1,245 @@
+import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+
+import { FolderController } from "./controller";
+import {
+  CheckFolderSchema,
+  FolderResponseSchema,
+  ListFoldersSchema,
+  MoveFolderSchema,
+  RegisterFolderSchema,
+  UpdateFolderSchema,
+} from "./dto";
+
+export async function folderRoutes(app: FastifyInstance) {
+  const folderController = new FolderController();
+
+  const preValidation = async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      await request.jwtVerify();
+    } catch (err) {
+      console.error(err);
+      reply.status(401).send({ error: "Token inválido ou ausente." });
+    }
+  };
+
+  app.post(
+    "/folders",
+    {
+      schema: {
+        tags: ["Folder"],
+        operationId: "registerFolder",
+        summary: "Register Folder Metadata",
+        description: "Registers folder metadata in the database",
+        body: RegisterFolderSchema,
+        response: {
+          201: z.object({
+            folder: z.object({
+              id: z.string().describe("The folder ID"),
+              name: z.string().describe("The folder name"),
+              description: z.string().nullable().describe("The folder description"),
+              parentId: z.string().nullable().describe("The parent folder ID"),
+              userId: z.string().describe("The user ID"),
+              createdAt: z.date().describe("The folder creation date"),
+              updatedAt: z.date().describe("The folder last update date"),
+              totalSize: z.string().optional().describe("The total size of the folder"),
+              _count: z
+                .object({
+                  files: z.number().describe("Number of files in folder"),
+                  children: z.number().describe("Number of subfolders"),
+                })
+                .optional()
+                .describe("Count statistics"),
+            }),
+            message: z.string().describe("The folder registration message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    folderController.registerFolder.bind(folderController)
+  );
+
+  app.post(
+    "/folders/check",
+    {
+      preValidation,
+      schema: {
+        tags: ["Folder"],
+        operationId: "checkFolder",
+        summary: "Check Folder validity",
+        description: "Checks if the folder meets all requirements",
+        body: CheckFolderSchema,
+        response: {
+          201: z.object({
+            message: z.string().describe("The folder check success message"),
+          }),
+          400: z.object({
+            error: z.string().describe("Error message"),
+            code: z.string().optional().describe("Error code"),
+            details: z.string().optional().describe("Error details"),
+          }),
+          401: z.object({
+            error: z.string().describe("Error message"),
+            code: z.string().optional().describe("Error code"),
+          }),
+        },
+      },
+    },
+    folderController.checkFolder.bind(folderController)
+  );
+
+  app.get(
+    "/folders",
+    {
+      preValidation,
+      schema: {
+        tags: ["Folder"],
+        operationId: "listFolders",
+        summary: "List Folders",
+        description: "Lists user folders recursively by default, optionally filtered by folder",
+        querystring: ListFoldersSchema,
+        response: {
+          200: z.object({
+            folders: z.array(
+              z.object({
+                id: z.string().describe("The folder ID"),
+                name: z.string().describe("The folder name"),
+                description: z.string().nullable().describe("The folder description"),
+                parentId: z.string().nullable().describe("The parent folder ID"),
+                userId: z.string().describe("The user ID"),
+                createdAt: z.date().describe("The folder creation date"),
+                updatedAt: z.date().describe("The folder last update date"),
+                totalSize: z.string().optional().describe("The total size of the folder"),
+                _count: z
+                  .object({
+                    files: z.number().describe("Number of files in folder"),
+                    children: z.number().describe("Number of subfolders"),
+                  })
+                  .optional()
+                  .describe("Count statistics"),
+              })
+            ),
+          }),
+          500: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    folderController.listFolders.bind(folderController)
+  );
+
+  app.patch(
+    "/folders/:id",
+    {
+      preValidation,
+      schema: {
+        tags: ["Folder"],
+        operationId: "updateFolder",
+        summary: "Update Folder Metadata",
+        description: "Updates folder metadata in the database",
+        params: z.object({
+          id: z.string().min(1, "The folder id is required").describe("The folder ID"),
+        }),
+        body: UpdateFolderSchema,
+        response: {
+          200: z.object({
+            folder: z.object({
+              id: z.string().describe("The folder ID"),
+              name: z.string().describe("The folder name"),
+              description: z.string().nullable().describe("The folder description"),
+              parentId: z.string().nullable().describe("The parent folder ID"),
+              userId: z.string().describe("The user ID"),
+              createdAt: z.date().describe("The folder creation date"),
+              updatedAt: z.date().describe("The folder last update date"),
+              totalSize: z.string().optional().describe("The total size of the folder"),
+              _count: z
+                .object({
+                  files: z.number().describe("Number of files in folder"),
+                  children: z.number().describe("Number of subfolders"),
+                })
+                .optional()
+                .describe("Count statistics"),
+            }),
+            message: z.string().describe("Success message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+          403: z.object({ error: z.string().describe("Error message") }),
+          404: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    folderController.updateFolder.bind(folderController)
+  );
+
+  app.put(
+    "/folders/:id/move",
+    {
+      preValidation,
+      schema: {
+        tags: ["Folder"],
+        operationId: "moveFolder",
+        summary: "Move Folder",
+        description: "Moves a folder to a different parent folder",
+        params: z.object({
+          id: z.string().min(1, "The folder id is required").describe("The folder ID"),
+        }),
+        body: MoveFolderSchema,
+        response: {
+          200: z.object({
+            folder: z.object({
+              id: z.string().describe("The folder ID"),
+              name: z.string().describe("The folder name"),
+              description: z.string().nullable().describe("The folder description"),
+              parentId: z.string().nullable().describe("The parent folder ID"),
+              userId: z.string().describe("The user ID"),
+              createdAt: z.date().describe("The folder creation date"),
+              updatedAt: z.date().describe("The folder last update date"),
+              totalSize: z.string().optional().describe("The total size of the folder"),
+              _count: z
+                .object({
+                  files: z.number().describe("Number of files in folder"),
+                  children: z.number().describe("Number of subfolders"),
+                })
+                .optional()
+                .describe("Count statistics"),
+            }),
+            message: z.string().describe("Success message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+          403: z.object({ error: z.string().describe("Error message") }),
+          404: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    folderController.moveFolder.bind(folderController)
+  );
+
+  app.delete(
+    "/folders/:id",
+    {
+      preValidation,
+      schema: {
+        tags: ["Folder"],
+        operationId: "deleteFolder",
+        summary: "Delete Folder",
+        description: "Deletes a folder and all its contents",
+        params: z.object({
+          id: z.string().min(1, "The folder id is required").describe("The folder ID"),
+        }),
+        response: {
+          200: z.object({
+            message: z.string().describe("The folder deletion message"),
+          }),
+          400: z.object({ error: z.string().describe("Error message") }),
+          401: z.object({ error: z.string().describe("Error message") }),
+          404: z.object({ error: z.string().describe("Error message") }),
+          500: z.object({ error: z.string().describe("Error message") }),
+        },
+      },
+    },
+    folderController.deleteFolder.bind(folderController)
+  );
+}

apps/server/src/modules/folder/service.ts

@@ -0,0 +1,93 @@
+import { isS3Enabled } from "../../config/storage.config";
+import { FilesystemStorageProvider } from "../../providers/filesystem-storage.provider";
+import { S3StorageProvider } from "../../providers/s3-storage.provider";
+import { prisma } from "../../shared/prisma";
+import { StorageProvider } from "../../types/storage";
+
+export class FolderService {
+  private storageProvider: StorageProvider;
+
+  constructor() {
+    if (isS3Enabled) {
+      this.storageProvider = new S3StorageProvider();
+    } else {
+      this.storageProvider = FilesystemStorageProvider.getInstance();
+    }
+  }
+
+  async getPresignedPutUrl(objectName: string, expires: number): Promise<string> {
+    try {
+      return await this.storageProvider.getPresignedPutUrl(objectName, expires);
+    } catch (err) {
+      console.error("Erro no presignedPutObject:", err);
+      throw err;
+    }
+  }
+
+  async getPresignedGetUrl(objectName: string, expires: number, folderName?: string): Promise<string> {
+    try {
+      return await this.storageProvider.getPresignedGetUrl(objectName, expires, folderName);
+    } catch (err) {
+      console.error("Erro no presignedGetObject:", err);
+      throw err;
+    }
+  }
+
+  async deleteObject(objectName: string): Promise<void> {
+    try {
+      await this.storageProvider.deleteObject(objectName);
+    } catch (err) {
+      console.error("Erro no removeObject:", err);
+      throw err;
+    }
+  }
+
+  isFilesystemMode(): boolean {
+    return !isS3Enabled;
+  }
+
+  async getAllFilesInFolder(folderId: string, userId: string, basePath: string = ""): Promise<any[]> {
+    const files = await prisma.file.findMany({
+      where: { folderId, userId },
+    });
+
+    const subfolders = await prisma.folder.findMany({
+      where: { parentId: folderId, userId },
+      select: { id: true, name: true },
+    });
+
+    let allFiles = files.map((file: any) => ({
+      ...file,
+      relativePath: basePath + file.name,
+    }));
+
+    for (const subfolder of subfolders) {
+      const subfolderPath = basePath + subfolder.name + "/";
+      const subfolderFiles = await this.getAllFilesInFolder(subfolder.id, userId, subfolderPath);
+      allFiles = [...allFiles, ...subfolderFiles];
+    }
+
+    return allFiles;
+  }
+
+  async calculateFolderSize(folderId: string, userId: string): Promise<bigint> {
+    const files = await prisma.file.findMany({
+      where: { folderId, userId },
+      select: { size: true },
+    });
+
+    const subfolders = await prisma.folder.findMany({
+      where: { parentId: folderId, userId },
+      select: { id: true },
+    });
+
+    let totalSize = files.reduce((sum, file) => sum + file.size, BigInt(0));
+
+    for (const subfolder of subfolders) {
+      const subfolderSize = await this.calculateFolderSize(subfolder.id, userId);
+      totalSize += subfolderSize;
+    }
+
+    return totalSize;
+  }
+}

apps/server/src/modules/reverse-share/controller.ts

@@ -2,7 +2,6 @@ import { FastifyReply, FastifyRequest } from "fastify";
 
 import {
   CreateReverseShareSchema,
-  GetPresignedUrlSchema,
   ReverseSharePasswordSchema,
   UpdateReverseSharePasswordSchema,
   UpdateReverseShareSchema,
@@ -319,8 +318,60 @@ export class ReverseShareController {
       }
 
       const { fileId } = request.params as { fileId: string };
-      const result = await this.reverseShareService.downloadReverseShareFile(fileId, userId);
-      return reply.send(result);
+
+      const fileInfo = await this.reverseShareService.getFileInfo(fileId, userId);
+      const downloadId = `reverse-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
+
+      const { DownloadMemoryManager } = await import("../../utils/download-memory-manager.js");
+      const memoryManager = DownloadMemoryManager.getInstance();
+
+      const fileSizeMB = Number(fileInfo.size) / (1024 * 1024);
+      console.log(
+        `[REVERSE-DOWNLOAD] Requesting slot for ${downloadId}: ${fileInfo.name} (${fileSizeMB.toFixed(1)}MB)`
+      );
+
+      try {
+        await memoryManager.requestDownloadSlot(downloadId, {
+          fileName: fileInfo.name,
+          fileSize: Number(fileInfo.size),
+          objectName: fileInfo.objectName,
+        });
+      } catch (error: any) {
+        console.warn(`[REVERSE-DOWNLOAD] Queued ${downloadId}: ${error.message}`);
+        return reply.status(202).send({
+          queued: true,
+          downloadId: downloadId,
+          message: "Download queued due to memory constraints",
+          estimatedWaitTime: error.estimatedWaitTime || 60,
+        });
+      }
+
+      console.log(`[REVERSE-DOWNLOAD] Starting ${downloadId}: ${fileInfo.name} (${fileSizeMB.toFixed(1)}MB)`);
+      memoryManager.startDownload(downloadId);
+
+      try {
+        const result = await this.reverseShareService.downloadReverseShareFile(fileId, userId);
+
+        const originalUrl = result.url;
+        reply.header("X-Download-ID", downloadId);
+
+        reply.raw.on("finish", () => {
+          memoryManager.endDownload(downloadId);
+        });
+
+        reply.raw.on("close", () => {
+          memoryManager.endDownload(downloadId);
+        });
+
+        reply.raw.on("error", () => {
+          memoryManager.endDownload(downloadId);
+        });
+
+        return reply.send(result);
+      } catch (downloadError) {
+        memoryManager.endDownload(downloadId);
+        throw downloadError;
+      }
     } catch (error: any) {
       if (error.message === "File not found") {
         return reply.status(404).send({ error: error.message });
@@ -454,6 +505,7 @@ export class ReverseShareController {
   async copyFileToUserFiles(request: FastifyRequest, reply: FastifyReply) {
     try {
       await request.jwtVerify();
+
       const { fileId } = request.params as { fileId: string };
       const userId = (request as any).user?.userId;
 
@@ -461,9 +513,16 @@ export class ReverseShareController {
         return reply.status(401).send({ error: "Unauthorized" });
       }
 
+      console.log(`Copy to my files: User ${userId} copying file ${fileId}`);
+
       const file = await this.reverseShareService.copyReverseShareFileToUserFiles(fileId, userId);
+
+      console.log(`Copy to my files: Successfully copied file ${fileId}`);
+
       return reply.send({ file, message: "File copied to your files successfully" });
     } catch (error: any) {
+      console.error(`Copy to my files: Error:`, error.message);
+
       if (error.message === "File not found") {
         return reply.status(404).send({ error: "File not found" });
       }

apps/server/src/modules/reverse-share/routes.ts

@@ -401,6 +401,12 @@ export async function reverseShareRoutes(app: FastifyInstance) {
             url: z.string().describe("Presigned download URL - expires after 1 hour"),
             expiresIn: z.number().describe("URL expiration time in seconds (3600 = 1 hour)"),
           }),
+          202: z.object({
+            queued: z.boolean().describe("Download was queued due to memory constraints"),
+            downloadId: z.string().describe("Download identifier for tracking"),
+            message: z.string().describe("Queue status message"),
+            estimatedWaitTime: z.number().describe("Estimated wait time in seconds"),
+          }),
           401: z.object({ error: z.string() }),
           404: z.object({ error: z.string() }),
         },