fix: upload body limit, role case, and connection drain (v0.12.1)

- Disable Axum's 2 MB default body limit on the upload route so large
  photos/videos are accepted without HTTP 400
- Serialize UserRole as lowercase in JWT so the frontend role checks
  ('guest'/'host'/'admin') match correctly
- Drain multipart body before returning early upload errors (rate-limit,
  ban, event-lock) to keep the HTTP keep-alive connection clean and
  prevent cascading Netzwerkfehler / empty-500 responses
- Add TraceLayer for request logging and Vite dev proxy config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/handlers/upload.rs

@@ -24,6 +24,7 @@ pub async fn upload(
         .rate_limiter
         .check(format!("upload:{}", auth.user_id), upload_rate, Duration::from_secs(3600))
     {
+        drain_multipart(multipart).await;
         return Err(AppError::TooManyRequests(
             "Du hast dein Upload-Limit für diese Stunde erreicht.".into(),
         ));
@@ -34,6 +35,7 @@ pub async fn upload(
         .await?
         .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
     if user.is_banned {
+        drain_multipart(multipart).await;
         return Err(AppError::Forbidden("Du bist gesperrt.".into()));
     }
 
@@ -42,6 +44,7 @@ pub async fn upload(
         .await?
         .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
     if event.uploads_locked_at.is_some() {
+        drain_multipart(multipart).await;
         return Err(AppError::Forbidden("Uploads sind gesperrt.".into()));
     }
 
@@ -239,6 +242,15 @@ pub async fn delete_upload(
     Ok(StatusCode::NO_CONTENT)
 }
 
+/// Drain a multipart body so the HTTP connection stays clean when returning an early error.
+/// Without draining, the client may still be sending the body after we've sent our response,
+/// which can corrupt the keep-alive connection for subsequent requests.
+async fn drain_multipart(mut mp: Multipart) {
+    while let Ok(Some(mut field)) = mp.next_field().await {
+        while field.chunk().await.ok().flatten().is_some() {}
+    }
+}
+
 async fn get_config_i64(pool: &sqlx::PgPool, key: &str, default: i64) -> i64 {
     let row: Option<(String,)> =
         sqlx::query_as("SELECT value FROM config WHERE key = $1")

backend/src/main.rs

@@ -1,7 +1,9 @@
 use anyhow::Result;
+use axum::extract::DefaultBodyLimit;
 use axum::routing::{delete, get, patch, post};
 use axum::Router;
 use tower_http::services::ServeDir;
+use tower_http::trace::TraceLayer;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
 mod auth;
@@ -40,8 +42,9 @@ async fn main() -> Result<()> {
         .route("/api/v1/recover", post(auth::handlers::recover))
         .route("/api/v1/admin/login", post(auth::handlers::admin_login))
         .route("/api/v1/session", delete(auth::handlers::logout))
-        // Upload
-        .route("/api/v1/upload", post(handlers::upload::upload))
+        // Upload — body limit disabled; size validation is done inside the handler
+        .route("/api/v1/upload", post(handlers::upload::upload)
+            .route_layer(DefaultBodyLimit::disable()))
         .route(
             "/api/v1/upload/{id}",
             patch(handlers::upload::edit_upload).delete(handlers::upload::delete_upload),
@@ -89,6 +92,7 @@ async fn main() -> Result<()> {
         .route("/health", get(|| async { "ok" }))
         .merge(api)
         .nest_service("/media", media_service)
+        .layer(TraceLayer::new_for_http())
         .with_state(state);
 
     let listener = tokio::net::TcpListener::bind(("0.0.0.0", config.app_port)).await?;

backend/src/models/user.rs

@@ -4,6 +4,7 @@ use sqlx::PgPool;
 use uuid::Uuid;
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, sqlx::Type)]
+#[serde(rename_all = "lowercase")]
 #[sqlx(type_name = "user_role", rename_all = "lowercase")]
 pub enum UserRole {
     Guest,