WPB-22814 allow ephemeral users to upload files

[battermann]

https://wearezeta.atlassian.net/browse/WPB-22814

Checklist

• Add a new entry in an appropriate subdirectory of changelog.d
• Read and follow the PR guidelines

Acceptance Criteria

• The temporary guest can upload files
• The temporary guest can download files
• Access for the temporary user to those files shared in the group is limited to the timespan / validity of the temporary account - this is a given, because when the account and access token expire the user has no access anymore to any wire services including any uploaded assets
• Temporary guests should be blocked from uploading files larger than 25MB (same as personal users) - this should be enforced by backend
• Temporary guest accounts will be rate limited for uploading files (on user-basis) - the general rate limiting settings apply here

[Copilot]

Pull request overview

This PR updates Cargohold’s asset upload/download authorization logic to treat ephemeral (temporary guest) accounts as eligible for file transfers, and adds a Brig-side mechanism intended to enforce ephemeral expiry via internal status lookups.

Changes:

• Allow AccountStatus.Ephemeral users to upload and download assets (same allowance as Active).
• Add a shared getUserStatus helper in Cargohold that queries Brig’s internal “user status” endpoint (with a new gc query param).
• Extend integration coverage for ephemeral upload/download and add an expiry-focused test case.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
services/cargohold/src/CargoHold/API/V3.hs	Adds account-status gating to the V3 download flow to allow Ephemeral.
services/cargohold/src/CargoHold/API/Util.hs	Introduces getUserStatus helper calling Brig internal status endpoint with gc=true.
services/cargohold/src/CargoHold/API/Public.hs	Updates upload status checks to allow Ephemeral via getUserStatus.
services/brig/src/Brig/API/Internal.hs	Adds optional gc param handling to enqueue deletion for expired ephemeral users when requested.
libs/wire-api/src/Wire/API/Routes/Internal/Brig.hs	Updates the internal Brig route type to include the new gc query param.
integration/test/Test/Cargohold/AssetUpload.hs	Removes an unverified-user upload test; retains verified/unknown-user coverage.
integration/test/Test/Cargohold/AssetDownload.hs	Adds ephemeral upload/download tests, including an expiry scenario.
changelog.d/2-features/WPB-22814	Changelog entry for allowing ephemeral users to upload/download files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

services/cargohold/src/CargoHold/Options.hs:158

• maxTotalBytesStrict is a new non-optional Settings field derived via deriveFromJSON defaultOptions, so existing cargohold.yaml configs that only specify maxTotalBytes will fail to parse at startup. To keep backward compatibility, consider parsing maxTotalBytesStrict as optional and defaulting it to maxTotalBytes (or provide a sensible default in the decoder) and update any remaining repo configs accordingly.

data Settings = Settings
  { -- | Maximum allowed size for uploads, in bytes (applies to team users)
    maxTotalBytes :: !Int,
    -- | Maximum allowed size for uploads, in bytes (more restrictive setting, applies to non-team users)
    maxTotalBytesStrict :: !Int,
    -- | TTL for download links, in seconds
    downloadLinkTTL :: !Word,
    -- | Enable audit logging for asset uploads/downloads.
    -- When enabled, the backend will collect and log asset metadata
    -- as part of the asset audit log feature.
    assetAuditLogEnabled :: !Bool,
    -- | FederationDomain is required, even when not wanting to federate with other backends
    -- (in that case the 'allowedDomains' can be set to empty in Federator)
    -- Federation domain is used to qualify local IDs and handles,
    -- e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com.
    -- It should also match the SRV DNS records under which other wire-server installations can find this backend:
    --    _wire-server-federator._tcp.<federationDomain>
    -- Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working
    -- Remember to keep it the same in all services.
    -- This is referred to as the 'backend domain' in the public documentation; See
    -- https://docs.wire.com/how-to/install/configure-federation.html#choose-a-backend-domain-name
    federationDomain :: !Domain,
    disabledAPIVersions :: !(Set VersionExp)
  }
  deriving (Show, Generic)

deriveFromJSON defaultOptions ''Settings

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.