Requirements:

* Authenticates and authorizes Begin of the deletion (basic auth) with aEnd of the deletion token Begin of the insertionas a parameter in the URLEnd of the insertion
* Check that token is still valid
* Check to which user it belongs and act on behalf of that user. Begin of the deletion But also allow uploads to public folders that allow anonymous uploads.End of the deletion
* Check that folder with that _file ID_ exists.
* Check Begin of the insertionif file with same name exists inEnd of the insertion that Begin of the insertionfolder
* If true:
* overwrite parameter present?
* if true
* check that you have write accessEnd of the insertion Begin of the deletion the user has the permission to upload (write)End of the deletion on that Begin of the insertionfile
End of the insertion Begin of the deletion _file ID._
End of the deletion * Begin of the insertionif write allowed
* update file
* if write not allow
* return "Not allowed"End of the insertion Begin of the deletion else: respond with the rightEnd of the deletion error Begin of the insertion
End of the insertion Begin of the deletion
End of the deletion * Begin of the insertionif false
End of the insertion Begin of the deletion Accepts PUT/POST(?) on /direct-upload
End of the deletion * Begin of the insertioncheck that you (still) allowed to create the file
End of the insertion Begin of the deletion Multipart form? <mention class="mention" data-id="71476" data-type="user" data-text="@Eric Schubert">@Eric Schubert</mention> , why multipart?
End of the deletion * Begin of the insertionfind a unique fileEnd of the insertion Begin of the deletion Handle duplicateEnd of the deletion name Begin of the insertionthat is similar (suffix withEnd of the insertion Begin of the deletion conflicts by appendingEnd of the deletion a Begin of the insertionnumber)
* writeEnd of the insertion Begin of the deletion number &quot; (1)&quot; toEnd of the deletion the file Begin of the insertion
* return
* `file_name`
* `file_id`
* overwrite parameter not present
* fileEnd of the insertion Begin of the deletion name. If thereEnd of the deletion already Begin of the insertionexists?
* if true:
* Cancel request and tell the client that we haveEnd of the insertion Begin of the deletion isEnd of the deletion a Begin of the insertionconflict
* if false:
* check that you (still) allowed to create theEnd of the insertion file Begin of the insertion
* write the file
* return
* `file_name`
* `file_id`
* if false:
* checkEnd of the insertion Begin of the deletion withEnd of the deletion that Begin of the insertionyou (still) allowed to createEnd of the insertion Begin of the deletion number, takeEnd of the deletion the Begin of the insertionfile
* write the file
* return
* `file_name`
* `file_id`End of the insertion Begin of the deletion next number, etc...End of the deletion
* Begin of the insertionAccepts POST(?)End of the insertion Begin of the deletion ReturnsEnd of the deletion
* Begin of the insertionRoute: `direct-upload/<token>`
End of the insertion Begin of the deletion `path` (of that file)
End of the deletion * Begin of the insertionMultipart form
* `overwrite` (optional)End of the insertion Begin of the deletion `fileId`End of the deletion
* Allow CORS preflights (HTTP OPTION) requests (see [https://docs.nextcloud.com/server/latest/developer\_manual/digging\_deeper/rest\_apis.html#rest-apis)](https://docs.nextcloud.com/server/latest/developer_manual/digging_deeper/rest_apis.html#rest-apis))
* Begin of the insertion Revoke the token after successful upload.End of the insertion