fix: iOS file download via one-time token (no native rebuild needed)

Server generates a single-use download token (POST .../download-token,
300s expiry). Native app opens the download URL with ?token=xxx in the
system browser (SFSafariViewController), which handles save to Files,
Photos, etc. natively.

No Capacitor plugin changes — works with existing @capacitor/browser.
Removes unused @capacitor/filesystem and @capacitor/share deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: IM.codes

server/src/routes/file-transfer.ts

@@ -13,7 +13,29 @@ import * as path from 'node:path';
 
 export const fileTransferRoutes = new Hono<{ Bindings: Env; Variables: { userId: string; role: string } }>();
 
-fileTransferRoutes.use('/*', requireAuth());
+// ── One-time download tokens (in-memory, 60s expiry) ─────────────────────────
+// Allows native apps (iOS WKWebView) to open download URLs in the system browser
+// without needing auth cookies. Token is single-use and short-lived.
+const downloadTokens = new Map<string, { serverId: string; attachmentId: string; userId: string; expiresAt: number }>();
+
+const authMiddleware = requireAuth();
+fileTransferRoutes.use('/*', async (c, next) => {
+  // Allow token-based auth for download endpoint, otherwise require cookie/bearer auth
+  const token = c.req.query('token');
+  if (token && c.req.method === 'GET' && c.req.path.endsWith('/download')) {
+    const entry = downloadTokens.get(token);
+    if (!entry || Date.now() > entry.expiresAt) {
+      downloadTokens.delete(token ?? '');
+      return c.json({ error: 'invalid_or_expired_token' }, 401);
+    }
+    // Consume token (single-use)
+    downloadTokens.delete(token);
+    // Set userId so downstream handler can proceed
+    c.set('userId' as never, entry.userId as never);
+    return next();
+  }
+  return (authMiddleware as any)(c, next);
+});
 
 // ── POST /api/server/:id/upload ─────────────────────────────────────────────
 
@@ -95,6 +117,35 @@ fileTransferRoutes.post('/:id/upload', async (c) => {
   }
 });
 
+// ── POST /api/server/:id/uploads/:attachmentId/download-token ────────────────
+// Generate a one-time token for downloading without cookies (iOS native app).
+
+fileTransferRoutes.post('/:id/uploads/:attachmentId/download-token', async (c) => {
+  const userId = c.get('userId' as never) as string;
+  const serverId = c.req.param('id')!;
+  const attachmentId = c.req.param('attachmentId')!;
+
+  const role = await resolveServerRole(c.env.DB, serverId, userId);
+  if (role === 'none') return c.json({ error: 'forbidden' }, 403);
+
+  if (!/^[a-f0-9]+(\.[a-zA-Z0-9]+)?$/.test(attachmentId)) {
+    return c.json({ error: 'invalid_attachment_id' }, 400);
+  }
+
+  const token = randomHex(32);
+  downloadTokens.set(token, { serverId, attachmentId, userId, expiresAt: Date.now() + 300_000 });
+
+  // Cleanup expired tokens periodically (max 1000 entries)
+  if (downloadTokens.size > 1000) {
+    const now = Date.now();
+    for (const [k, v] of downloadTokens) {
+      if (now > v.expiresAt) downloadTokens.delete(k);
+    }
+  }
+
+  return c.json({ token, expiresIn: 300 });
+});
+
 // ── GET /api/server/:id/uploads/:attachmentId/download ──────────────────────
 
 fileTransferRoutes.get('/:id/uploads/:attachmentId/download', async (c) => {

web/package-lock.json

@@ -17,11 +17,9 @@
     "@capacitor/app": "^8.0.1",
     "@capacitor/browser": "^8.0.2",
     "@capacitor/core": "^8.2.0",
-    "@capacitor/filesystem": "^8.1.2",
     "@capacitor/ios": "^8.2.0",
     "@capacitor/preferences": "^8.0.1",
     "@capacitor/push-notifications": "^8.0.2",
-    "@capacitor/share": "^8.0.1",
     "@capacitor/splash-screen": "^8.0.1",
     "@capacitor/status-bar": "^8.0.1",
     "@capgo/capacitor-speech-recognition": "^8.0.10",

web/package.json

@@ -928,20 +928,16 @@ export async function downloadAttachment(serverId: string, attachmentId: string)
     }
   }
   // Trigger download — WKWebView (iOS Capacitor) ignores <a download>,
-  // so on native platforms write blob to cache via Filesystem then open
-  // the iOS share sheet (Save to Files, Save Image, AirDrop, etc.).
+  // so on native platforms get a one-time download token and open the URL
+  // in the system browser. No extra native plugins needed.
   const isNative = !!(globalThis as Record<string, unknown>).Capacitor;
   if (isNative) {
-    const { Filesystem, Directory } = await import('@capacitor/filesystem');
-    const base64 = await new Promise<string>((resolve, reject) => {
-      const reader = new FileReader();
-      reader.onload = () => resolve((reader.result as string).split(',')[1] ?? '');
-      reader.onerror = reject;
-      reader.readAsDataURL(blob);
-    });
-    const saved = await Filesystem.writeFile({ path: filename, data: base64, directory: Directory.Cache });
-    const { Share } = await import('@capacitor/share');
-    await Share.share({ url: saved.uri, title: filename });
+    const tokenRes = await apiFetch(`/api/server/${serverId}/uploads/${attachmentId}/download-token`, { method: 'POST' });
+    const downloadToken = (tokenRes as { token: string }).token;
+    const baseUrl = _baseUrl || window.location.origin;
+    const downloadUrl = `${baseUrl}/api/server/${serverId}/uploads/${attachmentId}/download?token=${downloadToken}`;
+    const { Browser } = await import('@capacitor/browser');
+    await Browser.open({ url: downloadUrl });
   } else {
     const url = URL.createObjectURL(blob);
     const a = document.createElement('a');