The presigned URL is signed with a specific Content-Type (determined by
the server's MIME map). If the browser's file.type doesn't match (common
for broadcast formats like MXF, R3D, BRAW), S3 rejects the PUT with a
signature mismatch. Now the extension uses presigned.contentType from the
server response instead of item.file.type.
Also added console logging for upload requests and detailed error
messages from S3 responses on failure.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- apiFetch() now logs method+URL on start and status code on response
- Added 10s AbortController timeout to prevent infinite hangs
- Added try/catch wrapper in saveSettings() around login() call
- This helps diagnose the "stuck on connecting" issue

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Login failures (wrong password) were caught by the 401 handler in
apiFetch() which threw "Session expired" instead of returning the
actual error message. Now /api/login 401 responses pass through
so the real "Invalid credentials" error is shown.
- Settings panel now shows error messages from login() failures
instead of staying stuck on "Saved — connecting…" forever.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add "alarms" permission to manifest — chrome.alarms.create() was
throwing "Cannot read properties of undefined" because the permission
was missing; also removed invalid "sockets" permission (not a valid MV3 perm)
- Remove all inline event handlers from popup.html (onclick, ondragover,
ondragleave, ondrop, onchange) — MV3 CSP blocks inline JS entirely;
all handlers moved to popup.js addEventListener() calls
- Replace inline onclick="removeFile(i)" on dynamically generated remove
buttons with data-idx attribute + delegated click listener on the list
container — same CSP fix for runtime-generated elements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add CORS middleware to server.js allowing chrome-extension:// origins
so the popup can make authenticated API requests without browser blocking
- Fix popup.js saveSettings(): require password on save, call login() directly
instead of tryConnect() to avoid password-not-found loop
- Fix init(): open settings panel automatically if no saved token, so users
know they need to enter credentials after first install or session expiry
- Don't persist password to chrome.storage (security), use remove('token')
instead of set({token:null}) to properly clear the old session

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
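
The CORS change described in the last commit, as an added example that is not the project's server.js: an Express-style middleware that admits chrome-extension:// origins only when the extension ID is on an allow-list, and answers preflights itself. The extension ID, the function names and the Authorization header are assumptions.

```javascript
// Added example, not the project's server.js. Names and the ID are assumptions.
// Constructed sample ID: Chrome extension IDs are 32 characters in the range a-p.
const ALLOWED_EXTENSION_IDS = new Set(['abcdefghijklmnopabcdefghijklmnop']);
const EXTENSION_ORIGIN = /^chrome-extension:\/\/([a-p]{32})$/;

// Return the CORS response headers for an Origin value, or null when the
// origin is not one of the allow-listed extensions.
function corsHeadersFor(origin, allowedIds = ALLOWED_EXTENSION_IDS) {
  if (typeof origin !== 'string') return null;
  const match = EXTENSION_ORIGIN.exec(origin);
  if (!match || !allowedIds.has(match[1])) return null;
  return {
    // Echo the exact origin rather than "*", so only this origin may read responses.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    // Assumption: the popup sends its token in the Authorization header.
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Max-Age': '600',
  };
}

// Express-style middleware: (req, res, next).
function extensionCors(req, res, next) {
  // The response depends on Origin, so caches must key on it.
  res.setHeader('Vary', 'Origin');
  const headers = corsHeadersFor(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    res.statusCode = headers ? 204 : 403;
    return res.end();
  }
  return next();
}
```

If server.js uses Express, this would be registered with `app.use(extensionCors)` ahead of the API routes.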