aird 0.4.22__tar.gz → 0.4.23.dev2__tar.gz

{aird-0.4.22 → aird-0.4.23.dev2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aird
-Version: 0.4.22
+Version: 0.4.23.dev2
 Summary: Aird - A lightweight web-based file browser, editor, and streamer with real-time capabilities
 Home-page: https://github.com/blinkerbit/aird
 Author: Viswantha Srinivas P

{aird-0.4.22 → aird-0.4.23.dev2}/aird/config.py

@@ -16,7 +16,9 @@ from aird.constants import (
     ALLOWED_UPLOAD_EXTENSIONS as _ALLOWED_UPLOAD_EXTENSIONS,
     MMAP_MIN_SIZE as _MMAP_MIN_SIZE,
     CHUNK_SIZE as _CHUNK_SIZE,
-    MAX_UPLOAD_FILE_SIZE_HARD_LIMIT as _MAX_UPLOAD_FILE_SIZE_HARD_LIMIT,
+    UPLOAD_CHUNK_SIZE_BYTES as _UPLOAD_CHUNK_SIZE_BYTES,
+    UPLOAD_REQUEST_MAX_BODY_SIZE as _UPLOAD_REQUEST_MAX_BODY_SIZE,
+    UPLOAD_MAX_PARALLEL_CHUNKS as _UPLOAD_MAX_PARALLEL_CHUNKS,
 )
 
 # Module-level variables to hold configuration
@@ -46,7 +48,9 @@ MAX_READABLE_FILE_SIZE = _MAX_READABLE_FILE_SIZE
 ALLOWED_UPLOAD_EXTENSIONS = _ALLOWED_UPLOAD_EXTENSIONS
 MMAP_MIN_SIZE = _MMAP_MIN_SIZE
 CHUNK_SIZE = _CHUNK_SIZE
-MAX_UPLOAD_FILE_SIZE_HARD_LIMIT = _MAX_UPLOAD_FILE_SIZE_HARD_LIMIT
+UPLOAD_CHUNK_SIZE_BYTES = _UPLOAD_CHUNK_SIZE_BYTES
+UPLOAD_REQUEST_MAX_BODY_SIZE = _UPLOAD_REQUEST_MAX_BODY_SIZE
+UPLOAD_MAX_PARALLEL_CHUNKS = _UPLOAD_MAX_PARALLEL_CHUNKS
 
 
 def _configure_google_drive(cloud_config: dict) -> None:

{aird-0.4.22 → aird-0.4.23.dev2}/aird/constants/__init__.py

@@ -59,8 +59,10 @@ UPLOAD_CONFIG = {
     "allow_all_file_types": 0,  # 0 = use whitelist below, 1 = allow any extension
 }
 
-# Hard ceiling for Tornado server — admin cannot exceed this
-MAX_UPLOAD_FILE_SIZE_HARD_LIMIT = 10 * 1024 * 1024 * 1024  # 10 GB
+# Per-request body limit (Cloudflare-compatible chunked uploads; admin sets total file cap separately)
+UPLOAD_CHUNK_SIZE_BYTES = 90 * 1024 * 1024  # 90 MiB per HTTP request
+UPLOAD_REQUEST_MAX_BODY_SIZE = UPLOAD_CHUNK_SIZE_BYTES + (1024 * 1024)  # chunk + slack
+UPLOAD_MAX_PARALLEL_CHUNKS = 5  # max concurrent chunk requests from the browser
 
 # File operation constants (derived from UPLOAD_CONFIG at startup)
 MAX_FILE_SIZE = UPLOAD_CONFIG["max_file_size_mb"] * 1024 * 1024

{aird-0.4.22 → aird-0.4.23.dev2}/aird/constants/file_ops.py

@@ -35,6 +35,11 @@ UNSUPPORTED_FILE_TYPE = (
 )
 UPLOAD_SAVE_FAILED = "Failed to save upload. Please try again."
 UPLOAD_SUCCESSFUL = "Upload successful"
+MISSING_UPLOAD_CHUNK_HEADERS = "Missing chunked upload headers"
+INVALID_UPLOAD_CHUNK_HEADERS = "Invalid chunked upload headers"
+UPLOAD_CHUNK_OUT_OF_ORDER = "Upload chunk out of order"
+UPLOAD_SESSION_NOT_FOUND = "Upload session not found or expired"
+UPLOAD_CHUNK_RECEIVED = '{"status":"chunk_received"}'
 
 # CreateFolderHandler
 FOLDER_CREATE_DISABLED = (

{aird-0.4.22 → aird-0.4.23.dev2}/aird/handlers/admin_handlers.py

@@ -202,9 +202,7 @@ class AdminHandler(BaseHandler):
 
         # Update upload configuration
         try:
-            max_file_size_mb = max(
-                1, min(10240, int(self.get_argument("max_file_size_mb", "512")))
-            )
+            max_file_size_mb = max(1, int(self.get_argument("max_file_size_mb", "512")))
             UPLOAD_CONFIG["max_file_size_mb"] = max_file_size_mb
             constants_module.MAX_FILE_SIZE = max_file_size_mb * 1024 * 1024
             UPLOAD_CONFIG["allow_all_file_types"] = (

{aird-0.4.22 → aird-0.4.23.dev2}/aird/handlers/file_op_handlers.py

@@ -5,6 +5,9 @@ import tempfile
 import json
 import logging
 import pathlib
+import hashlib
+import re
+import secrets
 from collections import deque
 from urllib.parse import unquote
 import asyncio
@@ -81,6 +84,11 @@ from aird.constants.file_ops import (
     UPLOAD_SAVE_FAILED,
     UPLOAD_SUCCESSFUL,
     MISSING_UPLOAD_FILENAME_HEADER,
+    MISSING_UPLOAD_CHUNK_HEADERS,
+    INVALID_UPLOAD_CHUNK_HEADERS,
+    UPLOAD_CHUNK_OUT_OF_ORDER,
+    UPLOAD_SESSION_NOT_FOUND,
+    UPLOAD_CHUNK_RECEIVED,
 )
 from aird.config import (
     ALLOWED_UPLOAD_EXTENSIONS,
@@ -125,6 +133,182 @@ def _validate_upload_destination(upload_dir, filename, root_dir):
     return (final_path_abs, None)
 
 
+_UPLOAD_ID_RE = re.compile(r"^[a-zA-Z0-9\-]{1,64}$")
+
+
+def _upload_parts_dir() -> str:
+    path = os.path.join(tempfile.gettempdir(), "aird_upload_parts")
+    os.makedirs(path, exist_ok=True)
+    return path
+
+
+def _upload_session_dir(username: str, upload_id: str) -> str:
+    user_hash = hashlib.sha256(username.encode("utf-8")).hexdigest()[:16]
+    return os.path.join(_upload_parts_dir(), f"{user_hash}_{upload_id}")
+
+
+def _chunk_file_path(session_dir: str, offset: int) -> str:
+    return os.path.join(session_dir, f"{offset}.part")
+
+
+def _iter_expected_chunks(total_size: int) -> list[tuple[int, int]]:
+    """Return (byte_offset, chunk_length) for each upload part."""
+    chunk_size = constants_module.UPLOAD_CHUNK_SIZE_BYTES
+    parts: list[tuple[int, int]] = []
+    offset = 0
+    while offset < total_size:
+        length = min(chunk_size, total_size - offset)
+        parts.append((offset, length))
+        offset += length
+    return parts
+
+
+def _upload_chunks_complete(session_dir: str, total_size: int) -> bool:
+    for offset, expected_len in _iter_expected_chunks(total_size):
+        path = _chunk_file_path(session_dir, offset)
+        if not os.path.isfile(path):
+            return False
+        try:
+            if os.path.getsize(path) != expected_len:
+                return False
+        except OSError:
+            return False
+    return True
+
+
+def _stitch_upload_session(session_dir: str, dest_path: str, total_size: int) -> None:
+    """Concatenate per-offset chunk files into one file."""
+    with open(dest_path, "wb") as out:
+        for offset, _length in _iter_expected_chunks(total_size):
+            part_path = _chunk_file_path(session_dir, offset)
+            with open(part_path, "rb") as part_file:
+                shutil.copyfileobj(part_file, out)
+
+
+def _stitch_lock_path(session_dir: str) -> str:
+    return os.path.join(session_dir, ".stitching")
+
+
+def _try_acquire_stitch_lock(session_dir: str) -> bool:
+    try:
+        fd = os.open(_stitch_lock_path(session_dir), os.O_CREAT | os.O_EXCL | os.O_WRONLY)
+        os.close(fd)
+        return True
+    except FileExistsError:
+        return False
+
+
+def _release_stitch_lock(session_dir: str) -> None:
+    try:
+        os.remove(_stitch_lock_path(session_dir))
+    except OSError:
+        logging.debug("stitch lock remove failed", exc_info=True)
+
+
+def _remove_upload_session(session_dir: str) -> None:
+    if not session_dir or not os.path.isdir(session_dir):
+        return
+    try:
+        shutil.rmtree(session_dir)
+    except OSError:
+        logging.debug("upload session remove failed", exc_info=True)
+
+
+def _sanitize_upload_id(upload_id: str | None) -> str | None:
+    if not upload_id or not _UPLOAD_ID_RE.fullmatch(upload_id):
+        return None
+    return upload_id
+
+
+def _parse_positive_int(value: str | None) -> int | None:
+    if value is None or value == "":
+        return None
+    try:
+        parsed = int(value)
+    except ValueError:
+        return None
+    if parsed < 0:
+        return None
+    return parsed
+
+
+def _query_arg(query_args: dict, name: str) -> str | None:
+    """First value for a Tornado query argument name."""
+    if not query_args:
+        return None
+    raw_list = query_args.get(name)
+    if raw_list is None:
+        raw_list = query_args.get(name.encode("utf-8"))
+    if not raw_list:
+        return None
+    raw = raw_list[0]
+    if isinstance(raw, bytes):
+        return raw.decode("utf-8", errors="replace")
+    return str(raw)
+
+
+def _chunk_field(
+    headers, query_args: dict, header_name: str, query_name: str
+) -> str | None:
+    """Read chunked-upload metadata from header with query-string fallback (Cloudflare-safe)."""
+    value = headers.get(header_name)
+    if value:
+        return value
+    return _query_arg(query_args, query_name)
+
+
+def _parse_chunk_headers(
+    headers, query_args: dict | None = None,
+) -> tuple[dict | None, str | None]:
+    """Return (chunk_info, error_message). chunk_info keys: upload_id, offset, total_size, is_last."""
+    query_args = query_args or {}
+    upload_id = _sanitize_upload_id(
+        _chunk_field(headers, query_args, "X-Upload-Id", "upload_id")
+    )
+    offset = _parse_positive_int(
+        _chunk_field(headers, query_args, "X-Chunk-Offset", "chunk_offset")
+    )
+    total_size = _parse_positive_int(
+        _chunk_field(headers, query_args, "X-Upload-Total-Size", "total_size")
+    )
+    last_raw = (
+        _chunk_field(headers, query_args, "X-Chunk-Last", "chunk_last") or ""
+    ).strip().lower()
+    def _has_query(name: str) -> bool:
+        return name in query_args or name.encode("utf-8") in query_args
+
+    has_chunk_request = any(
+        [
+            headers.get("X-Upload-Id"),
+            headers.get("X-Chunk-Offset"),
+            headers.get("X-Upload-Total-Size"),
+            headers.get("X-Chunk-Last"),
+            _has_query("upload_id"),
+            _has_query("chunk_offset"),
+            _has_query("total_size"),
+            _has_query("chunk_last"),
+        ]
+    )
+    if not has_chunk_request:
+        return (None, None)
+    if not upload_id or offset is None or total_size is None or not last_raw:
+        return (None, MISSING_UPLOAD_CHUNK_HEADERS)
+    if total_size == 0:
+        return (None, INVALID_UPLOAD_CHUNK_HEADERS)
+    is_last = last_raw in ("1", "true", "yes")
+    if offset >= total_size and not is_last:
+        return (None, INVALID_UPLOAD_CHUNK_HEADERS)
+    return (
+        {
+            "upload_id": upload_id,
+            "offset": offset,
+            "total_size": total_size,
+            "is_last": is_last,
+        },
+        None,
+    )
+
+
 # ---------------------------------------------------------------------------
 # Helpers for bulk actions (reduce cognitive complexity)
 # ---------------------------------------------------------------------------
@@ -275,6 +459,22 @@ def _process_bulk_action(
 
 @tornado.web.stream_request_body
 class UploadHandler(BaseHandler):
+    def check_xsrf_cookie(self) -> None:
+        """Streamed uploads send raw body; accept X-XSRFToken header or ?_xsrf= query param."""
+        cookie_token = self.get_cookie("_xsrf")
+        if not cookie_token:
+            raise tornado.web.HTTPError(403, "'_xsrf' cookie missing")
+        provided = self.request.headers.get("X-XSRFToken")
+        if not provided:
+            provided = _query_arg(self.request.arguments, "_xsrf")
+        if not provided or not secrets.compare_digest(provided, cookie_token):
+            raise tornado.web.HTTPError(403, "XSRF validation failed")
+
+    def _request_body_limit(self) -> int:
+        if getattr(self, "_chunk_mode", False):
+            return constants_module.UPLOAD_CHUNK_SIZE_BYTES
+        return constants_module.MAX_FILE_SIZE
+
     async def prepare(self):
         # Defaults for safety
         self._reject: bool = False
@@ -287,6 +487,10 @@ class UploadHandler(BaseHandler):
         self._moved: bool = False
         self._bytes_received: int = 0
         self._too_large: bool = False
+        self._chunk_mode: bool = False
+        self._keep_session: bool = False
+        self._chunk_info: dict | None = None
+        self._session_dir: str | None = None
 
         # Feature flag check (using SQLite-backed flags)
         # Deferred to post() for clear response, but avoid heavy work if disabled
@@ -295,9 +499,17 @@ class UploadHandler(BaseHandler):
             self._reject_reason = FILE_UPLOAD_DISABLED
             return
 
-        # Read and URL-decode headers provided by client (frontend uses encodeURIComponent)
-        raw_dir = self.request.headers.get("X-Upload-Dir") or ""
-        raw_filename = self.request.headers.get("X-Upload-Filename") or ""
+        # Headers with query fallback (proxies such as Cloudflare may strip custom X-* headers)
+        raw_dir = (
+            self.request.headers.get("X-Upload-Dir")
+            or _query_arg(self.request.arguments, "upload_dir")
+            or ""
+        )
+        raw_filename = (
+            self.request.headers.get("X-Upload-Filename")
+            or _query_arg(self.request.arguments, "upload_filename")
+            or ""
+        )
         self.upload_dir = unquote(raw_dir)
         self.filename = unquote(raw_filename)
 
@@ -307,23 +519,52 @@ class UploadHandler(BaseHandler):
             self._reject_reason = MISSING_UPLOAD_FILENAME_HEADER
             return
 
-        # Create temporary file for streamed writes
+        chunk_info, chunk_err = _parse_chunk_headers(
+            self.request.headers, self.request.arguments
+        )
+        if chunk_err:
+            self._reject = True
+            self._reject_reason = chunk_err
+            return
+        if chunk_info:
+            if not self.get_current_user():
+                self._reject = True
+                self._reject_reason = ACCESS_DENIED
+                return
+            if chunk_info["total_size"] > constants_module.MAX_FILE_SIZE:
+                self._reject = True
+                self._reject_reason = FILE_TOO_LARGE
+                return
+            self._chunk_mode = True
+            self._chunk_info = chunk_info
+            username = self.get_display_username()
+            self._session_dir = _upload_session_dir(username, chunk_info["upload_id"])
+            offset = chunk_info["offset"]
+            if offset == 0 and os.path.isdir(self._session_dir):
+                _remove_upload_session(self._session_dir)
+            os.makedirs(self._session_dir, exist_ok=True)
+            self._temp_path = _chunk_file_path(self._session_dir, offset)
+            self._aiofile = await aiofiles.open(self._temp_path, "wb")
+            return
+
+        # Single-request upload (legacy / small files)
         fd, self._temp_path = tempfile.mkstemp(prefix="aird_upload_")
-        # Close the low-level fd; we'll use aiofiles on the path
         os.close(fd)
         self._aiofile = await aiofiles.open(self._temp_path, "wb")
 
     def data_received(self, chunk: bytes) -> None:
         if self._reject:
             return
-        # Track size to enforce limit at the end
         self._bytes_received += len(chunk)
-        if self._bytes_received > constants_module.MAX_FILE_SIZE:
+        if self._bytes_received > self._request_body_limit():
             self._too_large = True
-            # We still accept the stream but won't persist it
             return
+        if self._chunk_mode and self._chunk_info:
+            end_offset = self._chunk_info["offset"] + self._bytes_received
+            if end_offset > self._chunk_info["total_size"]:
+                self._too_large = True
+                return
 
-        # Queue the chunk and ensure a writer task is draining
         self._buffer.append(chunk)
         if not self._writing:
             self._writing = True
@@ -351,7 +592,7 @@ class UploadHandler(BaseHandler):
             except Exception:
                 logging.debug("upload aiofile close failed", exc_info=True)
 
-    def _check_quota_exceeded(self) -> bool:
+    def _check_quota_exceeded(self, upload_bytes: int) -> bool:
         """Return True and set error response if storage quota would be exceeded."""
         if not is_feature_enabled("storage_quotas", False):
             return False
@@ -359,13 +600,47 @@ class UploadHandler(BaseHandler):
         quota = self.get_service("quota_service").get_quota(self.db_conn, username)
         if (
             quota["quota_bytes"] is not None
-            and quota["used_bytes"] + self._bytes_received > quota["quota_bytes"]
+            and quota["used_bytes"] + upload_bytes > quota["quota_bytes"]
         ):
             self.set_status(413)
             self.write("Storage quota exceeded")
             return True
         return False
 
+    def _remove_upload_session_dir(self) -> None:
+        if getattr(self, "_session_dir", None):
+            _remove_upload_session(self._session_dir)
+
+    async def _finalize_chunked_upload(self) -> bool:
+        """Stitch chunk files when complete. Return True if upload finished."""
+        session_dir = self._session_dir
+        total_size = self._chunk_info["total_size"]
+        if not _upload_chunks_complete(session_dir, total_size):
+            self._keep_session = True
+            self.set_status(200)
+            self.write(UPLOAD_CHUNK_RECEIVED)
+            return False
+        if not _try_acquire_stitch_lock(session_dir):
+            self._keep_session = True
+            self.set_status(200)
+            self.write(UPLOAD_CHUNK_RECEIVED)
+            return False
+        stitched_path = os.path.join(session_dir, "assembled.part")
+        try:
+            await asyncio.to_thread(
+                _stitch_upload_session, session_dir, stitched_path, total_size
+            )
+        except Exception:
+            logging.exception("Upload stitch failed")
+            self.set_status(500)
+            self.write(UPLOAD_SAVE_FAILED)
+            _remove_upload_session(session_dir)
+            return False
+        finally:
+            _release_stitch_lock(session_dir)
+        self._temp_path = stitched_path
+        return True
+
     @tornado.web.authenticated
     @require_action("file.write")
     @require_modify_access()
@@ -383,15 +658,45 @@ class UploadHandler(BaseHandler):
 
         await self._finalize_stream()
 
-        # Enforce size limit
         if self._too_large:
             limit_mb = constants_module.UPLOAD_CONFIG.get("max_file_size_mb", 512)
             self.set_status(413)
             self.write(FILE_TOO_LARGE_TEMPLATE.format(limit_mb=limit_mb))
+            if self._chunk_mode:
+                self._remove_upload_session_dir()
             return
 
-        # Check storage quota if enabled
-        if self._check_quota_exceeded():
+        if self._chunk_mode and self._chunk_info:
+            chunk_end = self._chunk_info["offset"] + self._bytes_received
+            if chunk_end > self._chunk_info["total_size"]:
+                self.set_status(400)
+                self.write(INVALID_UPLOAD_CHUNK_HEADERS)
+                self._remove_upload_session_dir()
+                return
+            try:
+                chunk_size = os.path.getsize(self._temp_path)
+            except OSError:
+                chunk_size = -1
+            if chunk_size != self._bytes_received:
+                self.set_status(400)
+                self.write(UPLOAD_CHUNK_OUT_OF_ORDER)
+                self._remove_upload_session_dir()
+                return
+            finished = await self._finalize_chunked_upload()
+            if not finished:
+                return
+            upload_bytes = self._chunk_info["total_size"]
+        else:
+            if self._bytes_received > constants_module.MAX_FILE_SIZE:
+                limit_mb = constants_module.UPLOAD_CONFIG.get("max_file_size_mb", 512)
+                self.set_status(413)
+                self.write(FILE_TOO_LARGE_TEMPLATE.format(limit_mb=limit_mb))
+                return
+            upload_bytes = self._bytes_received
+
+        if self._check_quota_exceeded(upload_bytes):
+            if self._chunk_mode:
+                self._remove_upload_session_dir()
             return
 
         final_path_abs, upload_err = _validate_upload_destination(
@@ -400,6 +705,8 @@ class UploadHandler(BaseHandler):
         if upload_err is not None:
             self.set_status(upload_err[0])
             self.write(upload_err[1])
+            if self._chunk_mode:
+                self._remove_upload_session_dir()
             return
 
         os.makedirs(os.path.dirname(final_path_abs), exist_ok=True)
@@ -407,16 +714,19 @@ class UploadHandler(BaseHandler):
         try:
             shutil.move(self._temp_path, final_path_abs)
             self._moved = True
+            if self._chunk_mode and self._session_dir:
+                _remove_upload_session(self._session_dir)
         except Exception:
             logging.exception("Upload save failed")
             self.set_status(500)
             self.write(UPLOAD_SAVE_FAILED)
+            if self._chunk_mode:
+                self._remove_upload_session_dir()
             return
 
-        # Update used bytes
         if is_feature_enabled("storage_quotas", False):
             self.get_service("quota_service").update_used_bytes(
-                self.db_conn, self.get_display_username(), self._bytes_received
+                self.db_conn, self.get_display_username(), upload_bytes
             )
 
         self.get_service("audit_service").log(
@@ -430,8 +740,9 @@ class UploadHandler(BaseHandler):
         self.write(UPLOAD_SUCCESSFUL)
 
     def on_finish(self) -> None:
-        # Clean up temp file on failures
         try:
+            if getattr(self, "_keep_session", False) or getattr(self, "_chunk_mode", False):
+                return
             if getattr(self, "_temp_path", None) and not getattr(self, "_moved", False):
                 if os.path.exists(self._temp_path):
                     try:

{aird-0.4.22 → aird-0.4.23.dev2}/aird/handlers/share_handlers.py

@@ -76,10 +76,15 @@ def _add_local_path(ap, path_str, share_type, valid_paths, dynamic_folders):
         else:
             try:
                 all_files = get_all_files_recursive(ap, path_str)
-                valid_paths.extend(all_files)
-                logging.debug(
-                    "Added %s files from directory: %s", len(all_files), path_str
-                )
+                if all_files:
+                    valid_paths.extend(all_files)
+                    logging.debug(
+                        "Added %s files from directory: %s", len(all_files), path_str
+                    )
+                else:
+                    # Keep empty directories so static shares can be created for them.
+                    valid_paths.append(path_str)
+                    logging.debug("Added empty directory: %s", path_str)
             except Exception:
                 logging.exception("Error scanning directory %s", path_str)
 
@@ -304,7 +309,18 @@ def _get_share_file_list(share, db_conn=None):
                 )
         return filter_files_by_patterns(dynamic_files, allow_list, avoid_list)
 
-    return filter_files_by_patterns(share.get("paths") or [], allow_list, avoid_list)
+    static_paths = []
+    for rel_path in share.get("paths") or []:
+        try:
+            full_path = os.path.abspath(os.path.join(root, rel_path))
+            if os.path.isdir(full_path):
+                continue
+        except Exception:
+            logging.debug(
+                "Skipping static share path check for %r", rel_path, exc_info=True
+            )
+        static_paths.append(rel_path)
+    return filter_files_by_patterns(static_paths, allow_list, avoid_list)
 
 
 def _is_path_in_share(share, path, db_conn=None):

{aird-0.4.22 → aird-0.4.23.dev2}/aird/handlers/view_handlers.py

@@ -196,6 +196,8 @@ class MainHandler(BaseHandler):
             get_file_icon=get_file_icon,
             features=flags_for_template,
             max_file_size=constants_module.MAX_FILE_SIZE,
+            upload_chunk_size=constants_module.UPLOAD_CHUNK_SIZE_BYTES,
+            upload_max_parallel=constants_module.UPLOAD_MAX_PARALLEL_CHUNKS,
             user_favorites=user_favorites,
             file_tags_map=file_tags_map,
         )

{aird-0.4.22 → aird-0.4.23.dev2}/aird/main.py

@@ -154,8 +154,8 @@ def make_app(
     settings.setdefault("static_url_prefix", "/static/")
     # Limit request size to avoid Tornado rejecting large uploads with
     # "Content-Length too long" before our handler can respond.
-    settings.setdefault("max_body_size", constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT)
-    settings.setdefault("max_buffer_size", constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT)
+    settings.setdefault("max_body_size", constants.UPLOAD_REQUEST_MAX_BODY_SIZE)
+    settings.setdefault("max_buffer_size", constants.UPLOAD_REQUEST_MAX_BODY_SIZE)
 
     if ldap_enabled:
         settings["ldap_server"] = ldap_server
@@ -495,8 +495,8 @@ def _start_server(app, ssl_options, port: int, hostname: str) -> None:
                 app.listen(
                     port,
                     ssl_options=ssl_options,
-                    max_body_size=constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT,
-                    max_buffer_size=constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT,
+                    max_body_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
+                    max_buffer_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
                 )
                 logger.info(
                     f"Serving HTTPS on 0.0.0.0 port {port} ({proto}://0.0.0.0:{port}/) ..."
@@ -505,8 +505,8 @@ def _start_server(app, ssl_options, port: int, hostname: str) -> None:
                 proto = "http"
                 app.listen(
                     port,
-                    max_body_size=constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT,
-                    max_buffer_size=constants.MAX_UPLOAD_FILE_SIZE_HARD_LIMIT,
+                    max_body_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
+                    max_buffer_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
                 )
                 logger.info(
                     f"Serving HTTP on 0.0.0.0 port {port} ({proto}://0.0.0.0:{port}/) ..."