angee.storage.views
HTTP views for the storage proxy: upload (PUT) and download (GET).
upload
@csrf_exempt
@require_http_methods(["PUT"])
def upload(request: HttpRequest) -> JsonResponseAccept one raw upload body for a DRAFT file row.
Proxy mode only: the body is raw bytes, never multipart. The one-shot signed token (?token=, the X-Angee-Upload-Token header, or Authorization: Bearer) binds the PUT to a single draft row and is unforgeable + single-use — the CSRF property this endpoint relies on in place of the cookie token. Identity is still the request actor: :meth:File.receive_bytes requires an authenticated uploader (the row's created_by) or a drive writer, so the request must carry the session cookie (or a credential the actor middleware resolves).
download
@require_http_methods(["GET"])
def download(request: HttpRequest, filename: str) -> HttpResponseBaseStream one READY file's bytes for a signed proxy download token.
The mirror of :func:upload: the token (?token=, the X-Angee-Download-Token header, or Authorization: Bearer) is the capability — minted on the file's url field for a reader, unforgeable, and TTL-bound — so no session is needed. The filename in the path is the save-as name only; the authoritative name and content type come from the row.