backend(features): quota enforcement, PIN reset, /me, original download, toggles

- handlers/me.rs (new): GET /api/v1/me/context (profile + role + privacy_note
  + quota toggle state, fetched once on app bootstrap) and GET /api/v1/me/quota
  (live used / limit / active uploaders / free disk).
- handlers/upload.rs:
  - quota enforcement via the dynamic formula
    floor((free_disk * tolerance) / max(active_uploaders, 1)),
    gated by quota_enabled + storage_quota_enabled toggles
  - new GET /api/v1/upload/{id}/original — unauthed by design
    (matches /media/previews/* — URL is the secret) so it works as
    <img src> / <video src> / window.open
  - rate-limit toggle wiring (rate_limits_enabled + upload_rate_enabled)
- handlers/host.rs:
  - POST /api/v1/host/users/{id}/pin-reset — Host may reset guest PINs,
    Admin may reset guest + host PINs (never another admin or self).
    Returns the freshly-generated plaintext PIN once; emits a global
    pin-reset SSE so the affected user's device can clear its localStorage.
  - set_role guard expanded so hosts can demote other hosts (not self,
    never admins) — backend match for the doc'd permission model.
- handlers/admin.rs: ALLOWED_KEYS split into NUMERIC_KEYS / BOOL_KEYS /
  TEXT_KEYS with per-kind validation; saving privacy_note broadcasts an
  event-updated SSE so other clients refresh live.
- handlers/feed.rs, handlers/admin.rs (export), auth/handlers.rs:
  rate-limit toggle wiring at every limiter call site.
- auth/handlers.rs: when an expired PIN lockout is detected on /recover,
  reset failed_pin_attempts to zero before the bcrypt check — without
  this every wrong PIN re-locked the user after the cooldown.
- main.rs: wire startup_recovery + spawn_periodic_tasks, register the
  new /me/context, /me/quota, /upload/{id}/original, and
  /host/users/{id}/pin-reset routes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/handlers/upload.rs

@@ -11,24 +11,32 @@ use crate::error::AppError;
 use crate::models::hashtag::{self, Hashtag};
 use crate::models::upload::{Upload, UploadDto};
 use crate::models::user::User;
+use crate::services::config;
 use crate::state::AppState;
 
+const MAX_CAPTION_LENGTH: usize = 2000;
+
 pub async fn upload(
     State(state): State<AppState>,
     auth: AuthUser,
     mut multipart: Multipart,
 ) -> Result<(StatusCode, Json<UploadDto>), AppError> {
-    // Rate limit: N uploads per hour per user
-    let upload_rate = get_config_i64(&state.pool, "upload_rate_per_hour", 10).await as usize;
-    if let Err(retry_after_secs) = state
-        .rate_limiter
-        .check_with_retry(format!("upload:{}", auth.user_id), upload_rate, Duration::from_secs(3600))
-    {
-        drain_multipart(multipart).await;
-        return Err(AppError::TooManyRequests(
-            "Du hast dein Upload-Limit für diese Stunde erreicht.".into(),
-            Some(retry_after_secs),
-        ));
+    // Rate limit: N uploads per hour per user. Gated by master + per-endpoint toggles.
+    let rate_limits_on = config::get_bool(&state.pool, "rate_limits_enabled", true).await;
+    let upload_rate_on = config::get_bool(&state.pool, "upload_rate_enabled", true).await;
+    if rate_limits_on && upload_rate_on {
+        let upload_rate = config::get_i64(&state.pool, "upload_rate_per_hour", 10).await as usize;
+        if let Err(retry_after_secs) = state.rate_limiter.check_with_retry(
+            format!("upload:{}", auth.user_id),
+            upload_rate,
+            Duration::from_secs(3600),
+        ) {
+            drain_multipart(multipart).await;
+            return Err(AppError::TooManyRequests(
+                "Du hast dein Upload-Limit für diese Stunde erreicht.".into(),
+                Some(retry_after_secs),
+            ));
+        }
     }
 
     // Check if user is banned
@@ -50,8 +58,8 @@ pub async fn upload(
     }
 
     // Read config limits from DB
-    let max_image_mb: i64 = get_config_i64(&state.pool, "max_image_size_mb", 20).await;
-    let max_video_mb: i64 = get_config_i64(&state.pool, "max_video_size_mb", 500).await;
+    let max_image_mb: i64 = config::get_i64(&state.pool, "max_image_size_mb", 20).await;
+    let max_video_mb: i64 = config::get_i64(&state.pool, "max_video_size_mb", 500).await;
 
     let mut file_data: Option<Vec<u8>> = None;
     let mut file_name: Option<String> = None;
@@ -91,6 +99,33 @@ pub async fn upload(
     let mime = content_type.unwrap_or_else(|| "application/octet-stream".to_string());
     let size = data.len() as i64;
 
+    // Validate caption length
+    if let Some(ref cap) = caption {
+        if cap.len() > MAX_CAPTION_LENGTH {
+            return Err(AppError::BadRequest(format!(
+                "Beschreibung ist zu lang. Maximum: {} Zeichen.",
+                MAX_CAPTION_LENGTH
+            )));
+        }
+    }
+
+    // Validate file MIME type using magic bytes
+    let detected_mime = infer::get(&data);
+    if let Some(detected) = detected_mime {
+        let detected_type = detected.mime_type();
+        // Ensure detected type is compatible with declared MIME type
+        let declared_category = mime.split('/').next().unwrap_or("");
+        let detected_category = detected_type.split('/').next().unwrap_or("");
+
+        // Only reject if categories don't match (e.g., image vs video)
+        if declared_category != "application" && declared_category != detected_category {
+            return Err(AppError::BadRequest(format!(
+                "Dateiinhalt entspricht nicht dem deklarierten Typ. Erwartet: {}, erkannt: {}",
+                mime, detected_type
+            )));
+        }
+    }
+
     // Validate file size
     let max_bytes = if mime.starts_with("video/") {
         max_video_mb * 1024 * 1024
@@ -104,6 +139,24 @@ pub async fn upload(
         )));
     }
 
+    // Per-user storage quota — dynamic formula based on available disk space and the
+    // number of active uploaders. Gated by master + per-area toggles so the admin can
+    // disable it on trusted instances.
+    let quota_on = config::get_bool(&state.pool, "quota_enabled", true).await;
+    let storage_quota_on = config::get_bool(&state.pool, "storage_quota_enabled", true).await;
+    if quota_on && storage_quota_on {
+        let estimate = compute_storage_quota(&state).await;
+        if let Some(limit) = estimate.limit_bytes {
+            let prospective_total = user.total_upload_bytes.saturating_add(size);
+            if prospective_total > limit {
+                return Err(AppError::TooManyRequests(
+                    "Du hast dein Upload-Limit für dieses Event erreicht.".into(),
+                    None,
+                ));
+            }
+        }
+    }
+
     // Determine file extension
     let ext = file_name
         .as_deref()
@@ -182,10 +235,10 @@ pub async fn upload(
         created_at: upload.created_at,
     };
 
-    let _ = state.sse_tx.send(crate::state::SseEvent {
-        event_type: "new-upload".to_string(),
-        data: serde_json::to_string(&dto).unwrap_or_default(),
-    });
+    let _ = state.sse_tx.send(crate::state::SseEvent::new(
+        "new-upload",
+        serde_json::to_string(&dto).unwrap_or_default(),
+    ));
 
     Ok((StatusCode::CREATED, Json(dto)))
 }
@@ -252,12 +305,107 @@ async fn drain_multipart(mut mp: Multipart) {
     }
 }
 
-async fn get_config_i64(pool: &sqlx::PgPool, key: &str, default: i64) -> i64 {
-    let row: Option<(String,)> =
-        sqlx::query_as("SELECT value FROM config WHERE key = $1")
-            .bind(key)
-            .fetch_optional(pool)
-            .await
-            .unwrap_or(None);
-    row.and_then(|r| r.0.parse().ok()).unwrap_or(default)
+/// Snapshot of the dynamic per-user quota used both by the upload pre-check and the
+/// `GET /me/quota` endpoint. `limit_bytes = None` means quota enforcement is currently
+/// off (the frontend hides the widget in that case).
+pub struct QuotaEstimate {
+    pub limit_bytes: Option<i64>,
+    pub active_uploaders: i64,
+    pub free_disk_bytes: i64,
+    pub tolerance: f64,
+}
+
+/// Computes the per-user storage quota using
+/// `floor((free_disk * tolerance) / max(active_uploaders, 1))`. Returns `limit_bytes =
+/// None` whenever the storage quota is currently disabled — callers should skip the
+/// check (upload handler) or hide the UI (quota endpoint).
+pub async fn compute_storage_quota(state: &AppState) -> QuotaEstimate {
+    let quota_on = config::get_bool(&state.pool, "quota_enabled", true).await;
+    let storage_quota_on = config::get_bool(&state.pool, "storage_quota_enabled", true).await;
+    let tolerance = config::get_f64(&state.pool, "quota_tolerance", 0.75).await;
+
+    let (active_count,): (i64,) = sqlx::query_as(
+        "SELECT COUNT(DISTINCT user_id) FROM upload WHERE deleted_at IS NULL",
+    )
+    .fetch_one(&state.pool)
+    .await
+    .unwrap_or((0,));
+    let active = active_count.max(1);
+
+    let media_path = state.config.media_path.to_string_lossy().to_string();
+    let free_disk = sysinfo::Disks::new_with_refreshed_list()
+        .iter()
+        .find(|d| media_path.starts_with(d.mount_point().to_string_lossy().as_ref()))
+        .map(|d| d.available_space())
+        .unwrap_or_else(|| {
+            sysinfo::Disks::new_with_refreshed_list()
+                .iter()
+                .find(|d| d.mount_point().to_string_lossy() == "/")
+                .map(|d| d.available_space())
+                .unwrap_or(0)
+        }) as i64;
+
+    let limit_bytes = if quota_on && storage_quota_on {
+        Some(((free_disk as f64 * tolerance) / active as f64).floor() as i64)
+    } else {
+        None
+    };
+
+    QuotaEstimate {
+        limit_bytes,
+        active_uploaders: active,
+        free_disk_bytes: free_disk,
+        tolerance,
+    }
+}
+
+/// Streaming download of the original file behind an upload. Used by:
+///   - the per-post "Original anzeigen" context action (`window.open`)
+///   - `<img src>` / `<video src>` in the feed, lightbox, and diashow when the user is in
+///     Data Mode = Original
+///
+/// **Auth model:** the route is intentionally unauthenticated, matching how the rest of
+/// `/media/*` is served (preview + thumbnail variants). The URL contains the upload's
+/// UUID, which is unguessable — same security posture as `/media/originals/{slug}/{id}`.
+/// Adding `Authorization: Bearer` here would make the endpoint unusable from `<img src>`
+/// and `window.open`, defeating the purpose of having the alias.
+pub async fn get_original(
+    State(state): State<AppState>,
+    Path(upload_id): Path<Uuid>,
+) -> Result<axum::response::Response, AppError> {
+    let upload = Upload::find_by_id(&state.pool, upload_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Upload nicht gefunden.".into()))?;
+
+    let absolute = state.config.media_path.join(&upload.original_path);
+    if !absolute.exists() {
+        return Err(AppError::NotFound("Datei nicht gefunden.".into()));
+    }
+
+    use axum::body::Body;
+    use axum::http::{header, Response, StatusCode};
+    use tokio_util::io::ReaderStream;
+
+    let file = tokio::fs::File::open(&absolute)
+        .await
+        .map_err(|e| AppError::Internal(e.into()))?;
+    let metadata = file
+        .metadata()
+        .await
+        .map_err(|e| AppError::Internal(e.into()))?;
+    let stream = ReaderStream::new(file);
+
+    let filename = absolute
+        .file_name()
+        .and_then(|n| n.to_str())
+        .unwrap_or("original");
+    let disposition = format!("attachment; filename=\"{filename}\"");
+
+    Response::builder()
+        .status(StatusCode::OK)
+        .header(header::CONTENT_TYPE, upload.mime_type)
+        .header(header::CONTENT_DISPOSITION, disposition)
+        .header(header::CONTENT_LENGTH, metadata.len())
+        .body(Body::from_stream(stream))
+        .map_err(|e| AppError::Internal(e.into()))
 }