refactor(api): consolidate health check endpoints to /health

Removes the redundant `/healthz` and `/api/v1/health` endpoints, leaving `/health` as the sole health check endpoint. - Update router to return 404 Not Found for the removed endpoints - Update admin log filtering to only ignore `/health` - Remove health URL from API documentation data - Update tests to verify `/health` returns 200 and others return 404 - Update README documentation to reflect the change
feat: add emoji reaction support for files
2026-06-02 11:54:38 +03:00 · 2026-06-02 11:30:33 +03:00 · 2026-06-01 15:23:28 +03:00 · 2026-06-01 12:30:59 +03:00
28 changed files with 1277 additions and 117 deletions
--- a/.env.example
+++ b/.env.example
@@ -27,7 +27,8 @@ WARPBOX_SHORT_WINDOW_REQUESTS=60
 WARPBOX_SHORT_WINDOW_SECONDS=60
 WARPBOX_ANONYMOUS_STORAGE_BACKEND=local
 WARPBOX_USER_STORAGE_BACKEND=local
-WARPBOX_READ_TIMEOUT=15s
-WARPBOX_WRITE_TIMEOUT=60s
+WARPBOX_READ_HEADER_TIMEOUT=15s
+WARPBOX_READ_TIMEOUT=0s
+WARPBOX_WRITE_TIMEOUT=0s
 WARPBOX_IDLE_TIMEOUT=120s
 WARPBOX_TRUSTED_PROXIES=
--- a/README.md
+++ b/README.md
@@ -38,6 +38,11 @@ Upload policy defaults are also configured in megabytes and can later be changed
 Runtime data is configured with `WARPBOX_DATA_DIR` and defaults to `./data` in the dev environment.
 The dev script resolves that path from the repository root.

+Large uploads are expected to take minutes on normal home/server connections. Keep
+`WARPBOX_READ_TIMEOUT=0s` and `WARPBOX_WRITE_TIMEOUT=0s` so Go does not close the connection
+mid-upload; `WARPBOX_READ_HEADER_TIMEOUT=15s` still protects header reads from slowloris-style
+connections.
+
 Background jobs are enabled with `WARPBOX_JOBS_ENABLED=true`. Individual jobs can be toggled with
 `WARPBOX_CLEANUP_ENABLED` and `WARPBOX_THUMBNAIL_ENABLED`, and their schedules are configured with
 `WARPBOX_CLEANUP_EVERY` and `WARPBOX_THUMBNAIL_EVERY`.
@@ -49,6 +54,37 @@ links from `/admin/users`.
 The env admin token still exists as emergency fallback access. Set `WARPBOX_ADMIN_TOKEN` and use it
 at `/admin/login` if you need to recover access without a user session.

+## Emoji reaction packs
+
+File reactions use emoji packs from the runtime data directory, not from the application code. By
+default that means `./data/emoji`; if you change `WARPBOX_DATA_DIR`, use
+`$WARPBOX_DATA_DIR/emoji` instead.
+
+Each folder under `./data/emoji` becomes one emoji tab in the reaction picker. Put image files
+directly inside the pack folder:
+
+```text
+data/
+├── db/
+├── files/
+├── logs/
+└── emoji/
+    ├── openmoji/
+    │   ├── 1F600.svg
+    │   ├── 1F44D.svg
+    │   └── 2764.svg
+    ├── pixel-pack/
+    │   ├── happy.webp
+    │   ├── fire.webp
+    │   └── star.webp
+    └── custom-work/
+        ├── approved.png
+        └── shipped.png
+```
+
+In this example, the picker shows tabs named `Openmoji`, `Pixel pack`, and `Custom work`.
+Supported emoji image extensions are `.svg`, `.webp`, `.png`, `.jpg`, `.jpeg`, and `.gif`.
+
 For one-off Go commands, run them from the backend module:

 ```bash
@@ -72,8 +108,7 @@ The compose example also works with Podman compatible compose tools. Its data vo
 `./data:/data:Z` for SELinux relabeling, and the container overrides runtime paths to use
 `/data`, `/app/static`, and `/app/templates`.

-The image exposes `/health`, `/healthz`, and `/api/v1/health`. Docker and compose healthchecks
-use `/health`.
+The image exposes the health endpoint: `/health`. Docker and compose healthchecks use it.

 ## Reverse Proxy Security

@@ -106,6 +141,9 @@ WARPBOX_DATA_DIR=/var/lib/warpbox
 WARPBOX_STATIC_DIR=/opt/warpbox-dev/backend/static
 WARPBOX_TEMPLATE_DIR=/opt/warpbox-dev/backend/templates
 WARPBOX_TRUSTED_PROXIES=127.0.0.1,::1
+WARPBOX_READ_HEADER_TIMEOUT=15s
+WARPBOX_READ_TIMEOUT=0s
+WARPBOX_WRITE_TIMEOUT=0s
 ```

 Example `/etc/systemd/system/warpbox.service`:
--- a/SECURITY_PROXY.md
+++ b/SECURITY_PROXY.md
@@ -54,6 +54,24 @@ network edge, or set it to a value that does not include public clients. Direct
 public exposure is not recommended; use a reverse proxy for TLS and request
 normalization.

+## Large Uploads
+
+Multi-GB uploads must not use whole-body read/write deadlines. Keep these
+Warpbox values for production unless you intentionally want a hard wall-clock
+upload limit:
+
+```env
+WARPBOX_READ_HEADER_TIMEOUT=15s
+WARPBOX_READ_TIMEOUT=0s
+WARPBOX_WRITE_TIMEOUT=0s
+```
+
+`WARPBOX_READ_HEADER_TIMEOUT` protects request headers. `WARPBOX_READ_TIMEOUT`
+and `WARPBOX_WRITE_TIMEOUT` cover the whole upload/response lifetime in Go, so
+small values can cause browser errors such as `NS_ERROR_NET_INTERRUPT` during
+large transfers. Upload size, daily, storage, and box limits still enforce abuse
+controls independently of these timeout values.
+
 ## Ban Behavior

 Active bans return:
--- a/backend/libs/config/config.go
+++ b/backend/libs/config/config.go
@@ -11,26 +11,27 @@ import (
 )

 type Config struct {
-	AppName          string
-	AppVersion       string
-	Environment      string
-	Addr             string
-	BaseURL          string
-	DataDir          string
-	AdminToken       string
-	StaticDir        string
-	TemplateDir      string
-	ReadTimeout      time.Duration
-	WriteTimeout     time.Duration
-	IdleTimeout      time.Duration
-	TrustedProxies   []string
-	JobsEnabled      bool
-	CleanupEnabled   bool
-	CleanupEvery     time.Duration
-	ThumbnailEnabled bool
-	ThumbnailEvery   time.Duration
-	MaxUploadSize    int64
-	DefaultSettings  SettingsDefaults
+	AppName           string
+	AppVersion        string
+	Environment       string
+	Addr              string
+	BaseURL           string
+	DataDir           string
+	AdminToken        string
+	StaticDir         string
+	TemplateDir       string
+	ReadHeaderTimeout time.Duration
+	ReadTimeout       time.Duration
+	WriteTimeout      time.Duration
+	IdleTimeout       time.Duration
+	TrustedProxies    []string
+	JobsEnabled       bool
+	CleanupEnabled    bool
+	CleanupEvery      time.Duration
+	ThumbnailEnabled  bool
+	ThumbnailEvery    time.Duration
+	MaxUploadSize     int64
+	DefaultSettings   SettingsDefaults
 }

 type SettingsDefaults struct {
@@ -55,25 +56,26 @@ type SettingsDefaults struct {

 func Load() (Config, error) {
 	cfg := Config{
-		AppName:          envString("WARPBOX_APP_NAME", "warpbox.dev"),
-		AppVersion:       envString("APP_VERSION", "dev"),
-		Environment:      envString("WARPBOX_ENV", "development"),
-		Addr:             envString("WARPBOX_ADDR", ":8080"),
-		BaseURL:          strings.TrimRight(envString("WARPBOX_BASE_URL", "http://localhost:8080"), "/"),
-		DataDir:          envString("WARPBOX_DATA_DIR", defaultPath("data")),
-		AdminToken:       envString("WARPBOX_ADMIN_TOKEN", ""),
-		StaticDir:        envString("WARPBOX_STATIC_DIR", defaultPath("static")),
-		TemplateDir:      envString("WARPBOX_TEMPLATE_DIR", defaultPath("templates")),
-		ReadTimeout:      envDuration("WARPBOX_READ_TIMEOUT", 15*time.Second),
-		WriteTimeout:     envDuration("WARPBOX_WRITE_TIMEOUT", 60*time.Second),
-		IdleTimeout:      envDuration("WARPBOX_IDLE_TIMEOUT", 120*time.Second),
-		TrustedProxies:   envCSV("WARPBOX_TRUSTED_PROXIES"),
-		JobsEnabled:      envBool("WARPBOX_JOBS_ENABLED", true),
-		CleanupEnabled:   envBool("WARPBOX_CLEANUP_ENABLED", true),
-		CleanupEvery:     envDuration("WARPBOX_CLEANUP_EVERY", time.Hour),
-		ThumbnailEnabled: envBool("WARPBOX_THUMBNAIL_ENABLED", true),
-		ThumbnailEvery:   envDuration("WARPBOX_THUMBNAIL_EVERY", time.Minute),
-		MaxUploadSize:    envMegabytes("WARPBOX_MAX_UPLOAD_SIZE_MB", 2048), // 2 GiB default.
+		AppName:           envString("WARPBOX_APP_NAME", "warpbox.dev"),
+		AppVersion:        envString("APP_VERSION", "dev"),
+		Environment:       envString("WARPBOX_ENV", "development"),
+		Addr:              envString("WARPBOX_ADDR", ":8080"),
+		BaseURL:           strings.TrimRight(envString("WARPBOX_BASE_URL", "http://localhost:8080"), "/"),
+		DataDir:           envString("WARPBOX_DATA_DIR", defaultPath("data")),
+		AdminToken:        envString("WARPBOX_ADMIN_TOKEN", ""),
+		StaticDir:         envString("WARPBOX_STATIC_DIR", defaultPath("static")),
+		TemplateDir:       envString("WARPBOX_TEMPLATE_DIR", defaultPath("templates")),
+		ReadHeaderTimeout: envDuration("WARPBOX_READ_HEADER_TIMEOUT", 15*time.Second),
+		ReadTimeout:       envDuration("WARPBOX_READ_TIMEOUT", 0),
+		WriteTimeout:      envDuration("WARPBOX_WRITE_TIMEOUT", 0),
+		IdleTimeout:       envDuration("WARPBOX_IDLE_TIMEOUT", 120*time.Second),
+		TrustedProxies:    envCSV("WARPBOX_TRUSTED_PROXIES"),
+		JobsEnabled:       envBool("WARPBOX_JOBS_ENABLED", true),
+		CleanupEnabled:    envBool("WARPBOX_CLEANUP_ENABLED", true),
+		CleanupEvery:      envDuration("WARPBOX_CLEANUP_EVERY", time.Hour),
+		ThumbnailEnabled:  envBool("WARPBOX_THUMBNAIL_ENABLED", true),
+		ThumbnailEvery:    envDuration("WARPBOX_THUMBNAIL_EVERY", time.Minute),
+		MaxUploadSize:     envMegabytes("WARPBOX_MAX_UPLOAD_SIZE_MB", 2048), // 2 GiB default.
 		DefaultSettings: SettingsDefaults{
 			AnonymousUploadsEnabled: envBool("WARPBOX_ANONYMOUS_UPLOADS_ENABLED", true),
 			AnonymousMaxUploadMB:    envMegabytesLimitFloat("WARPBOX_ANONYMOUS_MAX_UPLOAD_MB", 512),
--- a/backend/libs/config/config_test.go
+++ b/backend/libs/config/config_test.go
@@ -1,6 +1,9 @@
 package config

-import "testing"
+import (
+	"testing"
+	"time"
+)

 func TestParseMegabytes(t *testing.T) {
 	tests := map[string]int64{
@@ -49,3 +52,20 @@ func TestEnvBool(t *testing.T) {
 		t.Fatalf("envBool() did not fall back to true")
 	}
 }
+
+func TestLoadDefaultsUseLargeUploadFriendlyTimeouts(t *testing.T) {
+	t.Setenv("WARPBOX_BASE_URL", "http://example.test")
+	cfg, err := Load()
+	if err != nil {
+		t.Fatalf("Load returned error: %v", err)
+	}
+	if cfg.ReadHeaderTimeout != 15*time.Second {
+		t.Fatalf("ReadHeaderTimeout = %s, want 15s", cfg.ReadHeaderTimeout)
+	}
+	if cfg.ReadTimeout != 0 {
+		t.Fatalf("ReadTimeout = %s, want 0 for long uploads", cfg.ReadTimeout)
+	}
+	if cfg.WriteTimeout != 0 {
+		t.Fatalf("WriteTimeout = %s, want 0 for long uploads", cfg.WriteTimeout)
+	}
+}
--- a/backend/libs/handlers/accounts_test.go
+++ b/backend/libs/handlers/accounts_test.go
@@ -707,24 +707,60 @@ func TestAdminOverviewChartsUseZeroAndFullHeights(t *testing.T) {
 	for i, bar := range overview.UploadDays {
 		want := 0
 		if i == len(overview.UploadDays)-1 {
-			want = 100
+			want = 150
 		}
-		if bar.Height != want {
-			t.Fatalf("upload bar %d height = %d, want %d", i, bar.Height, want)
+		if bar.HeightPx != want {
+			t.Fatalf("upload bar %d height = %d, want %d", i, bar.HeightPx, want)
 		}
 	}
 	for i, bar := range overview.StorageDays {
 		want := 0
 		if i == len(overview.StorageDays)-1 {
-			want = 100
+			want = 150
 		}
-		if bar.Height != want {
-			t.Fatalf("storage bar %d height = %d, want %d", i, bar.Height, want)
+		if bar.HeightPx != want {
+			t.Fatalf("storage bar %d height = %d, want %d", i, bar.HeightPx, want)
 		}
 	}
+	if overview.StatusBars[0].WidthPercent != 100 {
+		t.Fatalf("active status width = %d, want 100", overview.StatusBars[0].WidthPercent)
+	}
 }

-func TestAdminOverviewRendersBarHeightVariables(t *testing.T) {
+func TestAdminOverviewChartsScaleRelativeToVisibleRange(t *testing.T) {
+	now := time.Now().UTC()
+	today := time.Date(now.Year(), now.Month(), now.Day(), 12, 0, 0, 0, time.UTC)
+	yesterday := today.AddDate(0, 0, -1)
+	twoDaysAgo := today.AddDate(0, 0, -2)
+	boxes := []services.AdminBox{
+		{ID: "today-1", CreatedAt: today, TotalSize: 30},
+		{ID: "today-2", CreatedAt: today, TotalSize: 30},
+		{ID: "today-3", CreatedAt: today, TotalSize: 30},
+		{ID: "yesterday-1", CreatedAt: yesterday, TotalSize: 20},
+		{ID: "yesterday-2", CreatedAt: yesterday, TotalSize: 20},
+		{ID: "two-days-ago", CreatedAt: twoDaysAgo, TotalSize: 10},
+	}
+	overview := buildAdminOverview(boxes, services.AdminStats{TotalBoxes: 6, ExpiredBoxes: 2, ProtectedBoxes: 1})
+
+	last := len(overview.UploadDays) - 1
+	if overview.UploadDays[last].HeightPx != 150 {
+		t.Fatalf("3-upload day height = %d, want 150", overview.UploadDays[last].HeightPx)
+	}
+	if overview.UploadDays[last-1].HeightPx != 100 {
+		t.Fatalf("2-upload day height = %d, want 100", overview.UploadDays[last-1].HeightPx)
+	}
+	if overview.UploadDays[last-2].HeightPx != 50 {
+		t.Fatalf("1-upload day height = %d, want 50", overview.UploadDays[last-2].HeightPx)
+	}
+	if overview.StorageDays[last].HeightPx != 150 || overview.StorageDays[last-1].HeightPx != 66 || overview.StorageDays[last-2].HeightPx != 16 {
+		t.Fatalf("storage heights = %d/%d/%d, want 150/66/16", overview.StorageDays[last].HeightPx, overview.StorageDays[last-1].HeightPx, overview.StorageDays[last-2].HeightPx)
+	}
+	if overview.StatusBars[0].WidthPercent != 100 || overview.StatusBars[1].WidthPercent != 50 || overview.StatusBars[2].WidthPercent != 25 {
+		t.Fatalf("status widths = %d/%d/%d, want 100/50/25", overview.StatusBars[0].WidthPercent, overview.StatusBars[1].WidthPercent, overview.StatusBars[2].WidthPercent)
+	}
+}
+
+func TestAdminOverviewRendersInlineBarDimensions(t *testing.T) {
 	app, cleanup := newTestApp(t)
 	defer cleanup()
 	adminToken := createAdminSession(t, app)
@@ -738,11 +774,26 @@ func TestAdminOverviewRendersBarHeightVariables(t *testing.T) {
 		t.Fatalf("AdminDashboard status = %d, body = %s", response.Code, response.Body.String())
 	}
 	body := response.Body.String()
-	if !strings.Contains(body, "--bar-height: 100%") {
-		t.Fatalf("admin overview did not render a full-height bar: %s", body)
+	if !strings.Contains(body, `style="height: 150px"`) {
+		t.Fatalf("admin overview did not render a full-height pixel bar: %s", body)
 	}
-	if strings.Contains(body, `style="height:`) {
-		t.Fatalf("admin overview still uses fragile percent height styles: %s", body)
+	if !strings.Contains(body, `data-height-px="150"`) || !strings.Contains(body, `data-chart-value=`) {
+		t.Fatalf("admin overview did not render chart fallback data attributes: %s", body)
+	}
+	if !strings.Contains(body, `style="height: 0px"`) {
+		t.Fatalf("admin overview did not render zero pixel bars: %s", body)
+	}
+	if !strings.Contains(body, `style="width: 100%"`) {
+		t.Fatalf("admin overview did not render a full-width status bar: %s", body)
+	}
+	if !strings.Contains(body, `data-width-percent="100"`) || !strings.Contains(body, `data-stat-value=`) {
+		t.Fatalf("admin overview did not render status fallback data attributes: %s", body)
+	}
+	if strings.Contains(body, "--bar-height") {
+		t.Fatalf("admin overview still uses css variable bar heights: %s", body)
+	}
+	if !strings.Contains(body, "/static/js/25-admin-charts.js?version=test") {
+		t.Fatalf("admin overview did not load chart fallback script: %s", body)
 	}
 }

--- a/backend/libs/handlers/admin.go
+++ b/backend/libs/handlers/admin.go
@@ -159,15 +159,17 @@ type adminOverview struct {
 }

 type adminChartBar struct {
-	Label  string
-	Value  string
-	Height int // 0-100, percent of the tallest bar
+	Label    string
+	Value    string
+	HeightPx int
+	RawValue int64
 }

 type adminStatBar struct {
-	Label   string
-	Value   string
-	Percent int
+	Label        string
+	Value        string
+	RawValue     int
+	WidthPercent int
 }

 type adminBoxView struct {
@@ -336,6 +338,7 @@ func (a *App) recentBoxViews(boxes []services.AdminBox, limit int) []adminBoxVie
 // status distributions for the overview dashboard.
 func buildAdminOverview(boxes []services.AdminBox, stats services.AdminStats) adminOverview {
 	const days = 14
+	const chartMaxHeightPx = 150
 	now := time.Now().UTC()
 	today := time.Date(now.Year(), now.Month(), now.Day(), 0, 0, 0, 0, time.UTC)

@@ -374,14 +377,16 @@ func buildAdminOverview(boxes []services.AdminBox, stats services.AdminStats) ad
 	storageDays := make([]adminChartBar, days)
 	for i := 0; i < days; i++ {
 		uploadDays[i] = adminChartBar{
-			Label:  labels[i],
-			Value:  strconv.Itoa(counts[i]),
-			Height: scaleHeight(int64(counts[i]), int64(maxCount)),
+			Label:    labels[i],
+			Value:    strconv.Itoa(counts[i]),
+			HeightPx: scaleHeightPx(int64(counts[i]), int64(maxCount), chartMaxHeightPx),
+			RawValue: int64(counts[i]),
 		}
 		storageDays[i] = adminChartBar{
-			Label:  labels[i],
-			Value:  helpers.FormatBytes(bytes[i]),
-			Height: scaleHeight(bytes[i], maxBytes),
+			Label:    labels[i],
+			Value:    helpers.FormatBytes(bytes[i]),
+			HeightPx: scaleHeightPx(bytes[i], maxBytes, chartMaxHeightPx),
+			RawValue: bytes[i],
 		}
 	}

@@ -389,10 +394,11 @@ func buildAdminOverview(boxes []services.AdminBox, stats services.AdminStats) ad
 	if activeBoxes < 0 {
 		activeBoxes = 0
 	}
+	maxStatusValue := maxInt(activeBoxes, stats.ExpiredBoxes, stats.ProtectedBoxes)
 	statusBars := []adminStatBar{
-		{Label: "Active", Value: strconv.Itoa(activeBoxes), Percent: percentOf(activeBoxes, stats.TotalBoxes)},
-		{Label: "Expired", Value: strconv.Itoa(stats.ExpiredBoxes), Percent: percentOf(stats.ExpiredBoxes, stats.TotalBoxes)},
-		{Label: "Password-protected", Value: strconv.Itoa(stats.ProtectedBoxes), Percent: percentOf(stats.ProtectedBoxes, stats.TotalBoxes)},
+		{Label: "Active", Value: strconv.Itoa(activeBoxes), RawValue: activeBoxes, WidthPercent: percentOf(activeBoxes, maxStatusValue)},
+		{Label: "Expired", Value: strconv.Itoa(stats.ExpiredBoxes), RawValue: stats.ExpiredBoxes, WidthPercent: percentOf(stats.ExpiredBoxes, maxStatusValue)},
+		{Label: "Password-protected", Value: strconv.Itoa(stats.ProtectedBoxes), RawValue: stats.ProtectedBoxes, WidthPercent: percentOf(stats.ProtectedBoxes, maxStatusValue)},
 	}

 	return adminOverview{
@@ -402,13 +408,16 @@ func buildAdminOverview(boxes []services.AdminBox, stats services.AdminStats) ad
 	}
 }

-func scaleHeight(value, max int64) int {
+func scaleHeightPx(value, max int64, maxHeightPx int) int {
 	if max <= 0 || value <= 0 {
 		return 0
 	}
-	height := int(value * 100 / max)
-	if height < 4 {
-		height = 4
+	height := int(value * int64(maxHeightPx) / max)
+	if height < 8 {
+		height = 8
+	}
+	if height > maxHeightPx {
+		return maxHeightPx
 	}
 	return height
 }
@@ -420,6 +429,16 @@ func percentOf(value, total int) int {
 	return value * 100 / total
 }

+func maxInt(values ...int) int {
+	max := 0
+	for _, value := range values {
+		if value > max {
+			max = value
+		}
+	}
+	return max
+}
+
 func (a *App) AdminUsers(w http.ResponseWriter, r *http.Request) {
 	if !a.requireAdmin(w, r) {
 		return
@@ -1751,7 +1770,7 @@ func isHealthCheckLogEntry(raw map[string]any) bool {
 	if idx := strings.IndexByte(path, '?'); idx >= 0 {
 		path = path[:idx]
 	}
-	return path == "/health" || path == "/healthz" || path == "/api/v1/health"
+	return path == "/health"
 }

 func logEntryFromMap(raw map[string]any) adminLogEntry {
--- a/backend/libs/handlers/api_docs.go
+++ b/backend/libs/handlers/api_docs.go
@@ -10,7 +10,6 @@ import (
 type apiDocsData struct {
 	BaseURL             string
 	UploadURL           string
-	HealthURL           string
 	RequestSchemaURL    string
 	ResponseSchemaURL   string
 	ShareXExamplePath   string
@@ -39,7 +38,6 @@ func (a *App) APIDocs(w http.ResponseWriter, r *http.Request) {
 		Data: apiDocsData{
 			BaseURL:             a.cfg.BaseURL,
 			UploadURL:           a.cfg.BaseURL + "/api/v1/upload",
-			HealthURL:           a.cfg.BaseURL + "/api/v1/health",
 			RequestSchemaURL:    a.cfg.BaseURL + "/api/v1/schemas/upload-request.json",
 			ResponseSchemaURL:   a.cfg.BaseURL + "/api/v1/schemas/upload-response.json",
 			ShareXExamplePath:   "examples/sharex/warpbox-anonymous.sxcu",
--- a/backend/libs/handlers/app.go
+++ b/backend/libs/handlers/app.go
@@ -16,12 +16,13 @@ type App struct {
 	uploadService   *services.UploadService
 	authService     *services.AuthService
 	settingsService *services.SettingsService
+	reactionService *services.ReactionService
 	banService      *services.BanService
 	rateLimiter     *rateLimiter
 	uploadGroups    *uploadGrouper
 }

-func NewApp(cfg config.Config, logger *slog.Logger, renderer *web.Renderer, uploadService *services.UploadService, authService *services.AuthService, settingsService *services.SettingsService, banService *services.BanService) *App {
+func NewApp(cfg config.Config, logger *slog.Logger, renderer *web.Renderer, uploadService *services.UploadService, authService *services.AuthService, settingsService *services.SettingsService, reactionService *services.ReactionService, banService *services.BanService) *App {
 	return &App{
 		cfg:             cfg,
 		logger:          logger,
@@ -29,6 +30,7 @@ func NewApp(cfg config.Config, logger *slog.Logger, renderer *web.Renderer, uplo
 		uploadService:   uploadService,
 		authService:     authService,
 		settingsService: settingsService,
+		reactionService: reactionService,
 		banService:      banService,
 		rateLimiter:     newRateLimiter(),
 		uploadGroups:    newUploadGrouper(),
@@ -121,16 +123,22 @@ func (a *App) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /d/{boxID}/manage/{token}/delete", a.ManageDeleteBox)
 	mux.HandleFunc("POST /d/{boxID}/unlock", a.UnlockBox)
 	mux.HandleFunc("GET /d/{boxID}/zip", a.DownloadZip)
+	mux.HandleFunc("POST /d/{boxID}/f/{fileID}/react", a.ReactToFile)
 	mux.HandleFunc("GET /d/{boxID}/f/{fileID}", a.DownloadFile)
 	mux.HandleFunc("GET /d/{boxID}/f/{fileID}/download", a.DownloadFileContent)
 	mux.HandleFunc("GET /d/{boxID}/thumb/{fileID}", a.Thumbnail)
 	mux.HandleFunc("GET /d/{boxID}/og-image.jpg", a.BoxOGImage)
 	mux.HandleFunc("GET /health", a.Health)
-	mux.HandleFunc("GET /healthz", a.Health)
-	mux.HandleFunc("GET /api/v1/health", a.Health)
+	mux.HandleFunc("GET /healthz", notFound)
+	mux.HandleFunc("GET /api/v1/health", notFound)
 	mux.HandleFunc("GET /api/v1/sharex/warpbox-anonymous.sxcu", a.ShareXAnonymousConfig)
 	mux.HandleFunc("GET /api/v1/schemas/upload-request.json", a.UploadRequestSchema)
 	mux.HandleFunc("GET /api/v1/schemas/upload-response.json", a.UploadResponseSchema)
 	mux.HandleFunc("POST /api/v1/upload", a.Upload)
+	mux.HandleFunc("GET /emoji/{pack}/{file}", a.EmojiAsset)
 	mux.Handle("GET /static/", a.Static())
 }
+
+func notFound(w http.ResponseWriter, r *http.Request) {
+	http.NotFound(w, r)
+}
--- a/backend/libs/handlers/download.go
+++ b/backend/libs/handlers/download.go
@@ -2,12 +2,15 @@ package handlers

 import (
 	"bytes"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"

@@ -26,6 +29,7 @@ type downloadPageData struct {
 	DownloadCount int
 	MaxDownloads  int
 	ExpiresLabel  string
+	EmojiTabs     []emojiTabView
 }

 type boxView struct {
@@ -41,6 +45,28 @@ type fileView struct {
 	URL          string
 	DownloadURL  string
 	ThumbnailURL string
+	ReactURL     string
+	Reactions    []reactionView
+	Reacted      bool
+}
+
+type reactionView struct {
+	EmojiID string `json:"emojiId"`
+	URL     string `json:"url"`
+	Label   string `json:"label"`
+	Count   int    `json:"count"`
+}
+
+type emojiTabView struct {
+	ID     string
+	Label  string
+	Emojis []emojiOptionView
+}
+
+type emojiOptionView struct {
+	ID    string `json:"id"`
+	URL   string `json:"url"`
+	Label string `json:"label"`
 }

 type previewPageData struct {
@@ -70,13 +96,22 @@ func (a *App) DownloadPage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	locked := a.uploadService.IsProtected(box) && !a.isBoxUnlocked(r, box)
+	visitorID := a.reactionVisitorID(w, r)
+	reactionsByFile, reactedByFile, err := a.reactionService.SummaryForBox(box.ID, visitorID)
+	if err != nil {
+		a.logger.Warn("failed to load file reactions", withRequestLogAttrs(r, "source", "reactions", "severity", "warn", "code", 4300, "box_id", box.ID, "error", err.Error())...)
+	}

 	files := make([]fileView, 0, len(box.Files))
 	if !(locked && box.Obfuscate) {
 		for _, file := range box.Files {
-			files = append(files, a.fileView(box, file))
+			files = append(files, a.fileViewWithReactions(box, file, reactionsByFile[file.ID], reactedByFile[file.ID]))
 		}
 	}
+	emojiTabs, err := a.emojiTabs()
+	if err != nil {
+		a.logger.Warn("failed to load emoji tabs", withRequestLogAttrs(r, "source", "reactions", "severity", "warn", "code", 4301, "box_id", box.ID, "error", err.Error())...)
+	}

 	expiresLabel := boxExpiryLabel(box.ExpiresAt, "Jan 2, 2006 15:04 MST")
 	title := "Shared files on Warpbox"
@@ -99,6 +134,7 @@ func (a *App) DownloadPage(w http.ResponseWriter, r *http.Request) {
 			DownloadCount: box.DownloadCount,
 			MaxDownloads:  box.MaxDownloads,
 			ExpiresLabel:  expiresLabel,
+			EmojiTabs:     emojiTabs,
 		},
 	})
 	a.logger.Info("download page viewed", withRequestLogAttrs(r, "source", "download", "severity", "user_activity", "code", 2003, "box_id", box.ID, "locked", locked)...)
@@ -310,6 +346,10 @@ func (a *App) DownloadZip(w http.ResponseWriter, r *http.Request) {
 }

 func (a *App) fileView(box services.Box, file services.File) fileView {
+	return a.fileViewWithReactions(box, file, nil, false)
+}
+
+func (a *App) fileViewWithReactions(box services.Box, file services.File, reactions []services.ReactionSummary, reacted bool) fileView {
 	return fileView{
 		ID:           file.ID,
 		Name:         file.Name,
@@ -319,9 +359,171 @@ func (a *App) fileView(box services.Box, file services.File) fileView {
 		URL:          fmt.Sprintf("/d/%s/f/%s", box.ID, file.ID),
 		DownloadURL:  fmt.Sprintf("/d/%s/f/%s/download", box.ID, file.ID),
 		ThumbnailURL: fmt.Sprintf("/d/%s/thumb/%s", box.ID, file.ID),
+		ReactURL:     fmt.Sprintf("/d/%s/f/%s/react", box.ID, file.ID),
+		Reactions:    a.reactionViews(reactions),
+		Reacted:      reacted,
 	}
 }

+func (a *App) ReactToFile(w http.ResponseWriter, r *http.Request) {
+	box, file, ok := a.loadFileForRequest(w, r)
+	if !ok {
+		return
+	}
+	if a.uploadService.IsProtected(box) && !a.isBoxUnlocked(r, box) {
+		http.Error(w, "password required", http.StatusUnauthorized)
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "invalid reaction", http.StatusBadRequest)
+		return
+	}
+	emojiID := strings.TrimSpace(r.FormValue("emoji_id"))
+	if !a.validEmojiID(emojiID) {
+		http.Error(w, "unknown emoji", http.StatusBadRequest)
+		return
+	}
+
+	visitorID := a.reactionVisitorID(w, r)
+	reactions, err := a.reactionService.Add(box.ID, file.ID, visitorID, emojiID)
+	if errors.Is(err, os.ErrExist) {
+		writeJSON(w, http.StatusConflict, map[string]any{"error": "already reacted"})
+		return
+	}
+	if err != nil {
+		a.logger.Warn("file reaction failed", withRequestLogAttrs(r, "source", "reactions", "severity", "warn", "code", 4302, "box_id", box.ID, "file_id", file.ID, "error", err.Error())...)
+		http.Error(w, "could not save reaction", http.StatusInternalServerError)
+		return
+	}
+
+	a.logger.Info("file reaction added", withRequestLogAttrs(r, "source", "reactions", "severity", "user_activity", "code", 2301, "box_id", box.ID, "file_id", file.ID, "emoji_id", emojiID)...)
+	writeJSON(w, http.StatusCreated, map[string]any{
+		"reactions": a.reactionViews(reactions),
+		"reacted":   true,
+	})
+}
+
+func (a *App) reactionViews(reactions []services.ReactionSummary) []reactionView {
+	views := make([]reactionView, 0, len(reactions))
+	for _, reaction := range reactions {
+		views = append(views, reactionView{
+			EmojiID: reaction.EmojiID,
+			URL:     emojiURL(reaction.EmojiID),
+			Label:   emojiLabel(reaction.EmojiID),
+			Count:   reaction.Count,
+		})
+	}
+	return views
+}
+
+func (a *App) emojiTabs() ([]emojiTabView, error) {
+	root := a.emojiRoot()
+	entries, err := os.ReadDir(root)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	tabs := make([]emojiTabView, 0, len(entries))
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+		tabID := entry.Name()
+		files, err := os.ReadDir(filepath.Join(root, tabID))
+		if err != nil {
+			return nil, err
+		}
+		tab := emojiTabView{ID: tabID, Label: emojiTabLabel(tabID)}
+		for _, file := range files {
+			if file.IsDir() || !isEmojiFile(file.Name()) {
+				continue
+			}
+			emojiID := tabID + "/" + file.Name()
+			tab.Emojis = append(tab.Emojis, emojiOptionView{
+				ID:    emojiID,
+				URL:   emojiURL(emojiID),
+				Label: emojiLabel(emojiID),
+			})
+		}
+		sort.Slice(tab.Emojis, func(i, j int) bool { return tab.Emojis[i].ID < tab.Emojis[j].ID })
+		if len(tab.Emojis) > 0 {
+			tabs = append(tabs, tab)
+		}
+	}
+	sort.Slice(tabs, func(i, j int) bool { return tabs[i].ID < tabs[j].ID })
+	return tabs, nil
+}
+
+func (a *App) validEmojiID(id string) bool {
+	id = strings.TrimSpace(id)
+	if id == "" || strings.Contains(id, "\\") || strings.Contains(id, "..") || strings.HasPrefix(id, "/") {
+		return false
+	}
+	parts := strings.Split(id, "/")
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" || !isEmojiFile(parts[1]) {
+		return false
+	}
+	info, err := os.Stat(filepath.Join(a.emojiRoot(), parts[0], parts[1]))
+	return err == nil && !info.IsDir()
+}
+
+func (a *App) emojiRoot() string {
+	return filepath.Join(a.cfg.DataDir, "emoji")
+}
+
+func (a *App) reactionVisitorID(w http.ResponseWriter, r *http.Request) string {
+	const cookieName = "warpbox_reactor"
+	if cookie, err := r.Cookie(cookieName); err == nil && strings.TrimSpace(cookie.Value) != "" {
+		return cookie.Value
+	}
+	visitorID := services.RandomPublicToken(32)
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    visitorID,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+		Expires:  time.Now().AddDate(1, 0, 0),
+	})
+	return visitorID
+}
+
+func isEmojiFile(name string) bool {
+	ext := strings.ToLower(filepath.Ext(name))
+	return ext == ".svg" || ext == ".webp" || ext == ".png" || ext == ".jpg" || ext == ".jpeg" || ext == ".gif"
+}
+
+func emojiTabLabel(id string) string {
+	label := strings.NewReplacer("-", " ", "_", " ").Replace(id)
+	if label == "" {
+		return "Emoji"
+	}
+	return strings.ToUpper(label[:1]) + label[1:]
+}
+
+func emojiLabel(id string) string {
+	base := strings.TrimSuffix(filepath.Base(id), filepath.Ext(id))
+	return strings.ReplaceAll(base, "-", " ")
+}
+
+func emojiURL(id string) string {
+	parts := strings.Split(id, "/")
+	if len(parts) != 2 {
+		return ""
+	}
+	return "/emoji/" + url.PathEscape(parts[0]) + "/" + url.PathEscape(parts[1])
+}
+
+func writeJSON(w http.ResponseWriter, status int, value any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(status)
+	_ = json.NewEncoder(w).Encode(value)
+}
+
 func (a *App) isBoxUnlocked(r *http.Request, box services.Box) bool {
 	if !a.uploadService.IsProtected(box) {
 		return true
--- a/backend/libs/handlers/health.go
+++ b/backend/libs/handlers/health.go
@@ -13,6 +13,10 @@ type healthResponse struct {
 }

 func (a *App) Health(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/health" {
+		http.NotFound(w, r)
+		return
+	}
 	helpers.WriteJSON(w, http.StatusOK, healthResponse{
 		Status: "ok",
 		Time:   time.Now().UTC().Format(time.RFC3339),
--- a/backend/libs/handlers/health_test.go
+++ b/backend/libs/handlers/health_test.go
@@ -13,16 +13,20 @@ func TestHealthRoutes(t *testing.T) {
 	mux := http.NewServeMux()
 	app.RegisterRoutes(mux)

-	for _, path := range []string{"/health", "/healthz", "/api/v1/health"} {
-		t.Run(path, func(t *testing.T) {
-			request := httptest.NewRequest(http.MethodGet, path, nil)
-			response := httptest.NewRecorder()
+	request := httptest.NewRequest(http.MethodGet, "/health", nil)
+	response := httptest.NewRecorder()

-			mux.ServeHTTP(response, request)
+	mux.ServeHTTP(response, request)

-			if response.Code != http.StatusOK {
-				t.Fatalf("status = %d, body = %s", response.Code, response.Body.String())
-			}
-		})
+	if response.Code != http.StatusOK {
+		t.Fatalf("status = %d, body = %s", response.Code, response.Body.String())
+	}
+	for _, path := range []string{"/healthz", "/api/v1/health"} {
+		request := httptest.NewRequest(http.MethodGet, path, nil)
+		response := httptest.NewRecorder()
+		mux.ServeHTTP(response, request)
+		if response.Code != http.StatusNotFound {
+			t.Fatalf("%s status = %d, want 404", path, response.Code)
+		}
 	}
 }
--- a/backend/libs/handlers/static.go
+++ b/backend/libs/handlers/static.go
@@ -2,6 +2,7 @@ package handlers

 import (
 	"net/http"
+	"os"
 	"path/filepath"
 	"strings"
 )
@@ -15,6 +16,24 @@ func (a *App) Static() http.Handler {
 	})
 }

+func (a *App) EmojiAsset(w http.ResponseWriter, r *http.Request) {
+	pack := strings.TrimSpace(r.PathValue("pack"))
+	file := strings.TrimSpace(r.PathValue("file"))
+	if pack == "" || file == "" || strings.Contains(pack, "/") || strings.Contains(pack, "\\") || strings.Contains(pack, "..") || strings.Contains(file, "/") || strings.Contains(file, "\\") || strings.Contains(file, "..") || !isEmojiFile(file) {
+		http.NotFound(w, r)
+		return
+	}
+
+	path := filepath.Join(a.emojiRoot(), pack, file)
+	info, err := os.Stat(path)
+	if err != nil || info.IsDir() {
+		http.NotFound(w, r)
+		return
+	}
+	setStaticCacheHeaders(w, r.URL.Path)
+	http.ServeFile(w, r, path)
+}
+
 func setStaticCacheHeaders(w http.ResponseWriter, path string) {
 	ext := strings.ToLower(filepath.Ext(path))

--- a/backend/libs/handlers/upload_stage3_test.go
+++ b/backend/libs/handlers/upload_stage3_test.go
@@ -46,6 +46,42 @@ func TestUploadJSONIncludesManageURLsAndAcceptsShareXField(t *testing.T) {
 	}
 }

+func TestFileReactionCanBeAddedOncePerVisitor(t *testing.T) {
+	app, cleanup := newTestApp(t)
+	defer cleanup()
+
+	payload := uploadThroughApp(t, app)
+	if len(payload.Files) != 1 {
+		t.Fatalf("uploaded files = %d", len(payload.Files))
+	}
+
+	request := httptest.NewRequest(http.MethodPost, "/d/"+payload.BoxID+"/f/"+payload.Files[0].ID+"/react", strings.NewReader("emoji_id=openmoji/1F600.svg"))
+	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	request.SetPathValue("boxID", payload.BoxID)
+	request.SetPathValue("fileID", payload.Files[0].ID)
+	response := httptest.NewRecorder()
+	app.ReactToFile(response, request)
+	if response.Code != http.StatusCreated {
+		t.Fatalf("first reaction status = %d, body = %s", response.Code, response.Body.String())
+	}
+	if !strings.Contains(response.Body.String(), `"count":1`) {
+		t.Fatalf("reaction response missing count: %s", response.Body.String())
+	}
+
+	retry := httptest.NewRequest(http.MethodPost, "/d/"+payload.BoxID+"/f/"+payload.Files[0].ID+"/react", strings.NewReader("emoji_id=openmoji/1F600.svg"))
+	retry.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	retry.SetPathValue("boxID", payload.BoxID)
+	retry.SetPathValue("fileID", payload.Files[0].ID)
+	for _, cookie := range response.Result().Cookies() {
+		retry.AddCookie(cookie)
+	}
+	retryResponse := httptest.NewRecorder()
+	app.ReactToFile(retryResponse, retry)
+	if retryResponse.Code != http.StatusConflict {
+		t.Fatalf("second reaction status = %d, body = %s", retryResponse.Code, retryResponse.Body.String())
+	}
+}
+
 func TestUploadTextResponseReturnsOnlyBoxURL(t *testing.T) {
 	app, cleanup := newTestApp(t)
 	defer cleanup()
@@ -198,6 +234,14 @@ func newTestApp(t *testing.T) (*App, func()) {
 	if err != nil {
 		t.Fatalf("NewUploadService returned error: %v", err)
 	}
+	if err := os.MkdirAll(filepath.Join(cfg.DataDir, "emoji", "openmoji"), 0o755); err != nil {
+		service.Close()
+		t.Fatalf("create emoji test dir: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(cfg.DataDir, "emoji", "openmoji", "1F600.svg"), []byte(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1"></svg>`), 0o644); err != nil {
+		service.Close()
+		t.Fatalf("write emoji test file: %v", err)
+	}
 	renderer, err := web.NewRenderer(cfg.TemplateDir, cfg.AppName, cfg.AppVersion, cfg.BaseURL)
 	if err != nil {
 		service.Close()
@@ -213,12 +257,17 @@ func newTestApp(t *testing.T) (*App, func()) {
 		service.Close()
 		t.Fatalf("NewSettingsService returned error: %v", err)
 	}
+	reactionService, err := services.NewReactionService(service.DB())
+	if err != nil {
+		service.Close()
+		t.Fatalf("NewReactionService returned error: %v", err)
+	}
 	banService, err := services.NewBanService(service.DB())
 	if err != nil {
 		service.Close()
 		t.Fatalf("NewBanService returned error: %v", err)
 	}
-	return NewApp(cfg, logger, renderer, service, authService, settingsService, banService), func() {
+	return NewApp(cfg, logger, renderer, service, authService, settingsService, reactionService, banService), func() {
 		if err := service.Close(); err != nil {
 			t.Fatalf("Close returned error: %v", err)
 		}
--- a/backend/libs/httpserver/server.go
+++ b/backend/libs/httpserver/server.go
@@ -32,13 +32,18 @@ func New(cfg config.Config, logger *slog.Logger) (*http.Server, error) {
 		uploadService.Close()
 		return nil, err
 	}
+	reactionService, err := services.NewReactionService(uploadService.DB())
+	if err != nil {
+		uploadService.Close()
+		return nil, err
+	}
 	banService, err := services.NewBanService(uploadService.DB())
 	if err != nil {
 		uploadService.Close()
 		return nil, err
 	}
 	stopJobs := jobs.StartAll(cfg, logger, uploadService, banService)
-	app := handlers.NewApp(cfg, logger, renderer, uploadService, authService, settingsService, banService)
+	app := handlers.NewApp(cfg, logger, renderer, uploadService, authService, settingsService, reactionService, banService)

 	router := http.NewServeMux()
 	app.RegisterRoutes(router)
@@ -54,11 +59,12 @@ func New(cfg config.Config, logger *slog.Logger) (*http.Server, error) {
 	)

 	server := &http.Server{
-		Addr:         cfg.Addr,
-		Handler:      handler,
-		ReadTimeout:  cfg.ReadTimeout,
-		WriteTimeout: cfg.WriteTimeout,
-		IdleTimeout:  cfg.IdleTimeout,
+		Addr:              cfg.Addr,
+		Handler:           handler,
+		ReadHeaderTimeout: cfg.ReadHeaderTimeout,
+		ReadTimeout:       cfg.ReadTimeout,
+		WriteTimeout:      cfg.WriteTimeout,
+		IdleTimeout:       cfg.IdleTimeout,
 	}
 	server.RegisterOnShutdown(func() {
 		stopJobs()
--- a/backend/libs/services/bans.go
+++ b/backend/libs/services/bans.go
@@ -472,7 +472,7 @@ func (s *BanService) MaliciousPattern(path string) (string, error) {
 }

 func shouldSkipMaliciousPath(path string) bool {
-	return path == "/health" || path == "/healthz" || path == "/api/v1/health" || strings.HasPrefix(path, "/static/")
+	return path == "/health" || strings.HasPrefix(path, "/static/")
 }

 func (s *BanService) RecordAbuse(ip, kind, detail string, threshold int, now time.Time) (AbuseResult, error) {
--- a/backend/libs/services/reactions.go
+++ b/backend/libs/services/reactions.go
@@ -0,0 +1,166 @@
+package services
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"os"
+	"sort"
+	"strings"
+	"time"
+
+	"go.etcd.io/bbolt"
+)
+
+var reactionsBucket = []byte("file_reactions")
+
+type ReactionService struct {
+	db *bbolt.DB
+}
+
+type FileReaction struct {
+	BoxID       string    `json:"boxId"`
+	FileID      string    `json:"fileId"`
+	EmojiID     string    `json:"emojiId"`
+	VisitorHash string    `json:"visitorHash"`
+	CreatedAt   time.Time `json:"createdAt"`
+}
+
+type ReactionSummary struct {
+	EmojiID string `json:"emojiId"`
+	Count   int    `json:"count"`
+}
+
+func NewReactionService(db *bbolt.DB) (*ReactionService, error) {
+	if err := db.Update(func(tx *bbolt.Tx) error {
+		_, err := tx.CreateBucketIfNotExists(reactionsBucket)
+		return err
+	}); err != nil {
+		return nil, err
+	}
+	return &ReactionService{db: db}, nil
+}
+
+func (s *ReactionService) Add(boxID, fileID, visitorID, emojiID string) ([]ReactionSummary, error) {
+	boxID = strings.TrimSpace(boxID)
+	fileID = strings.TrimSpace(fileID)
+	visitorHash := reactionVisitorHash(visitorID)
+	emojiID = strings.TrimSpace(emojiID)
+	if boxID == "" || fileID == "" || visitorHash == "" || emojiID == "" {
+		return nil, errors.New("missing reaction data")
+	}
+
+	reaction := FileReaction{
+		BoxID:       boxID,
+		FileID:      fileID,
+		EmojiID:     emojiID,
+		VisitorHash: visitorHash,
+		CreatedAt:   time.Now().UTC(),
+	}
+	data, err := json.Marshal(reaction)
+	if err != nil {
+		return nil, err
+	}
+
+	key := reactionKey(boxID, fileID, visitorHash)
+	if err := s.db.Update(func(tx *bbolt.Tx) error {
+		bucket := tx.Bucket(reactionsBucket)
+		if bucket.Get([]byte(key)) != nil {
+			return os.ErrExist
+		}
+		return bucket.Put([]byte(key), data)
+	}); err != nil {
+		return nil, err
+	}
+	return s.SummaryForFile(boxID, fileID)
+}
+
+func (s *ReactionService) SummaryForBox(boxID, visitorID string) (map[string][]ReactionSummary, map[string]bool, error) {
+	visitorHash := reactionVisitorHash(visitorID)
+	summaries := make(map[string]map[string]int)
+	viewerReacted := make(map[string]bool)
+	err := s.db.View(func(tx *bbolt.Tx) error {
+		bucket := tx.Bucket(reactionsBucket)
+		if bucket == nil {
+			return nil
+		}
+		return bucket.ForEach(func(_, data []byte) error {
+			var reaction FileReaction
+			if err := json.Unmarshal(data, &reaction); err != nil {
+				return err
+			}
+			if reaction.BoxID != boxID {
+				return nil
+			}
+			if summaries[reaction.FileID] == nil {
+				summaries[reaction.FileID] = make(map[string]int)
+			}
+			summaries[reaction.FileID][reaction.EmojiID]++
+			if visitorHash != "" && reaction.VisitorHash == visitorHash {
+				viewerReacted[reaction.FileID] = true
+			}
+			return nil
+		})
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	result := make(map[string][]ReactionSummary, len(summaries))
+	for fileID, counts := range summaries {
+		result[fileID] = reactionCountsToSummaries(counts)
+	}
+	return result, viewerReacted, nil
+}
+
+func (s *ReactionService) SummaryForFile(boxID, fileID string) ([]ReactionSummary, error) {
+	counts := make(map[string]int)
+	err := s.db.View(func(tx *bbolt.Tx) error {
+		bucket := tx.Bucket(reactionsBucket)
+		if bucket == nil {
+			return nil
+		}
+		return bucket.ForEach(func(_, data []byte) error {
+			var reaction FileReaction
+			if err := json.Unmarshal(data, &reaction); err != nil {
+				return err
+			}
+			if reaction.BoxID == boxID && reaction.FileID == fileID {
+				counts[reaction.EmojiID]++
+			}
+			return nil
+		})
+	})
+	if err != nil {
+		return nil, err
+	}
+	return reactionCountsToSummaries(counts), nil
+}
+
+func reactionCountsToSummaries(counts map[string]int) []ReactionSummary {
+	summaries := make([]ReactionSummary, 0, len(counts))
+	for emojiID, count := range counts {
+		summaries = append(summaries, ReactionSummary{EmojiID: emojiID, Count: count})
+	}
+	sort.Slice(summaries, func(i, j int) bool {
+		if summaries[i].Count == summaries[j].Count {
+			return summaries[i].EmojiID < summaries[j].EmojiID
+		}
+		return summaries[i].Count > summaries[j].Count
+	})
+	return summaries
+}
+
+func reactionKey(boxID, fileID, visitorHash string) string {
+	return boxID + "\x00" + fileID + "\x00" + visitorHash
+}
+
+func reactionVisitorHash(visitorID string) string {
+	visitorID = strings.TrimSpace(visitorID)
+	if visitorID == "" {
+		return ""
+	}
+	sum := sha256.Sum256([]byte(visitorID))
+	return hex.EncodeToString(sum[:])
+}
--- a/backend/libs/services/upload.go
+++ b/backend/libs/services/upload.go
@@ -137,6 +137,9 @@ func NewUploadService(maxUploadSize int64, dataDir, baseURL string, logger *slog
 	if err := os.MkdirAll(dbDir, 0o755); err != nil {
 		return nil, err
 	}
+	if err := os.MkdirAll(filepath.Join(dataDir, "emoji"), 0o755); err != nil {
+		return nil, err
+	}

 	db, err := bbolt.Open(filepath.Join(dbDir, "warpbox.bbolt"), 0o600, &bbolt.Options{Timeout: time.Second})
 	if err != nil {
@@ -957,6 +960,10 @@ func randomID(byteCount int) string {
 	return base64.RawURLEncoding.EncodeToString(data)
 }

+func RandomPublicToken(byteCount int) string {
+	return randomID(byteCount)
+}
+
 func hashPassword(password string) (string, string) {
 	salt := randomID(18)
 	return salt, passwordHash(salt, password)
--- a/backend/static/css/30-download.css
+++ b/backend/static/css/30-download.css
@@ -65,6 +65,242 @@

 .file-card {
  position: relative;
+  padding-bottom: 2.6rem;
+}
+
+.file-reaction-dock {
+  position: absolute;
+  right: 0.65rem;
+  bottom: 0.55rem;
+  z-index: 2;
+  display: inline-flex;
+  align-items: center;
+  justify-content: flex-end;
+  max-width: calc(100% - 1.3rem);
+  gap: 0.35rem;
+  pointer-events: none;
+}
+
+.file-reactions {
+  display: inline-flex;
+  align-items: center;
+  justify-content: flex-end;
+  min-width: 0;
+  gap: 0.25rem;
+  flex-wrap: wrap;
+}
+
+.reaction-pill {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.2rem;
+  min-height: 1.6rem;
+  padding: 0.16rem 0.38rem;
+  border: 1px solid color-mix(in srgb, var(--border) 84%, var(--primary));
+  border-radius: 999px;
+  background: color-mix(in srgb, var(--card) 88%, #000);
+  color: var(--foreground);
+  font-size: 0.75rem;
+  font-weight: 700;
+  box-shadow: 0 8px 22px rgba(0, 0, 0, 0.24);
+  pointer-events: auto;
+}
+
+.reaction-pill img {
+  width: 1rem;
+  height: 1rem;
+  display: block;
+}
+
+.reaction-button {
+  width: 2.1rem;
+  height: 2.1rem;
+  display: inline-grid;
+  place-items: center;
+  border: 1px solid var(--border);
+  border-radius: 999px;
+  background: color-mix(in srgb, var(--card) 92%, #000);
+  color: var(--foreground);
+  opacity: 0;
+  transform: translateY(0.3rem) scale(0.94);
+  box-shadow: 0 12px 30px rgba(0, 0, 0, 0.32);
+  transition: opacity 150ms ease, transform 150ms ease, border-color 150ms ease, background 150ms ease;
+  pointer-events: auto;
+}
+
+.reaction-button svg {
+  width: 1.15rem;
+  height: 1.15rem;
+  fill: none;
+  stroke: currentColor;
+  stroke-width: 1.9;
+  stroke-linecap: round;
+  stroke-linejoin: round;
+}
+
+.file-card:hover .reaction-button,
+.file-card:focus-within .reaction-button,
+.reaction-button:focus-visible {
+  opacity: 1;
+  transform: translateY(0) scale(1);
+}
+
+.reaction-button:hover,
+.reaction-button:focus-visible {
+  border-color: var(--primary);
+  background: var(--primary);
+  color: var(--primary-foreground);
+}
+
+.reaction-picker {
+  position: fixed;
+  top: 0;
+  left: 0;
+  z-index: 70;
+  width: min(21rem, calc(100vw - 1rem));
+}
+
+html.reaction-picker-open,
+html.reaction-picker-open body {
+  overflow: hidden;
+  touch-action: none;
+}
+
+.reaction-picker[hidden] {
+  display: none;
+}
+
+.reaction-picker.is-mobile {
+  inset: 0;
+  width: auto;
+  height: 100dvh;
+  display: grid;
+  place-items: end center;
+  overflow: hidden;
+  padding: 0.75rem 0.75rem max(1.5rem, env(safe-area-inset-bottom));
+  background: rgba(0, 0, 0, 0.54);
+}
+
+.reaction-picker-panel {
+  overflow: hidden;
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  background: color-mix(in srgb, var(--card) 97%, #000);
+  box-shadow: 0 26px 70px rgba(0, 0, 0, 0.52);
+}
+
+.reaction-picker.is-mobile .reaction-picker-panel {
+  width: min(100%, 34rem);
+  height: 75dvh;
+  max-height: 75dvh;
+  display: flex;
+  flex-direction: column;
+}
+
+.reaction-picker-head {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.75rem;
+  padding: 0.7rem;
+  border-bottom: 1px solid var(--border);
+}
+
+.reaction-picker-close {
+  min-height: 2rem;
+  padding: 0.3rem 0.55rem;
+  font-size: 0.75rem;
+}
+
+.reaction-picker-tabs {
+  display: flex;
+  gap: 0.35rem;
+  overflow-x: auto;
+  padding: 0.55rem 0.7rem 0;
+}
+
+.reaction-tab {
+  flex: 0 0 auto;
+  min-height: 1.8rem;
+  padding: 0.25rem 0.55rem;
+  border: 1px solid var(--border);
+  border-radius: 999px;
+  background: var(--muted);
+  color: var(--muted-foreground);
+  font-size: 0.75rem;
+  font-weight: 700;
+}
+
+.reaction-tab.is-active {
+  border-color: var(--primary);
+  background: var(--primary);
+  color: var(--primary-foreground);
+}
+
+.reaction-search {
+  display: block;
+  padding: 0.55rem 0.7rem;
+}
+
+.reaction-search input {
+  width: 100%;
+  min-height: 2.15rem;
+  padding: 0.35rem 0.55rem;
+}
+
+.reaction-grid-wrap {
+  max-height: 18rem;
+  overflow: auto;
+  padding: 0 0.7rem 0.7rem;
+}
+
+.reaction-picker.is-mobile .reaction-grid-wrap {
+  max-height: none;
+  flex: 1;
+  overscroll-behavior: contain;
+  -webkit-overflow-scrolling: touch;
+}
+
+.reaction-grid {
+  display: none;
+  grid-template-columns: repeat(8, minmax(0, 1fr));
+  gap: 0.25rem;
+}
+
+.reaction-grid.is-active {
+  display: grid;
+}
+
+.reaction-picker.is-mobile .reaction-grid {
+  grid-template-columns: repeat(6, minmax(0, 1fr));
+}
+
+.reaction-emoji {
+  aspect-ratio: 1;
+  display: grid;
+  place-items: center;
+  min-width: 0;
+  padding: 0.18rem;
+  border: 1px solid transparent;
+  border-radius: calc(var(--radius) - 0.25rem);
+  background: transparent;
+}
+
+.reaction-emoji:hover,
+.reaction-emoji:focus-visible {
+  border-color: var(--border);
+  background: var(--accent);
+}
+
+.reaction-emoji[hidden] {
+  display: none;
+}
+
+.reaction-emoji img {
+  width: 100%;
+  height: 100%;
+  display: block;
+  object-fit: contain;
 }

 .thumb-link {
--- a/backend/static/css/50-admin.css
+++ b/backend/static/css/50-admin.css
@@ -198,9 +198,9 @@
 .bar-chart {
  display: grid;
  grid-template-columns: repeat(14, minmax(0, 1fr));
-  align-items: stretch;
+  align-items: end;
  gap: 0.4rem;
-  min-height: 15rem;
+  min-height: 13rem;
  margin-top: 1.25rem;
  padding-top: 0.5rem;
 }
@@ -214,11 +214,13 @@
 }

 .bar-chart-track {
-  position: relative;
+  display: flex;
+  align-items: flex-end;
+  justify-content: center;
  flex: 1 1 auto;
  width: 100%;
  max-width: 1.8rem;
-  min-height: 9rem;
+  height: 150px;
  margin: 0 auto;
  border-bottom: 2px solid color-mix(in srgb, var(--primary, #8b5cf6) 75%, transparent);
  border-radius: 0.45rem 0.45rem 0 0;
@@ -228,12 +230,8 @@

 .bar-chart-bar {
  display: block;
-  position: absolute;
-  left: 0;
-  right: 0;
-  bottom: 0;
  width: 100%;
-  height: var(--bar-height, 0%);
+  min-height: 0;
  border-radius: 6px 6px 0 0;
  background: linear-gradient(180deg, var(--primary-hover, #7c3aed), var(--primary, #8b5cf6));
  box-shadow: 0 0 18px color-mix(in srgb, var(--primary, #8b5cf6) 35%, transparent);
@@ -278,6 +276,8 @@
 }

 .stat-bar-track {
+  display: block;
+  width: 100%;
  margin-top: 0.35rem;
  height: 0.55rem;
  border-radius: 999px;
@@ -288,6 +288,7 @@
 .stat-bar-fill {
  display: block;
  height: 100%;
+  min-width: 0;
  border-radius: 999px;
  background: var(--primary, #8b5cf6);
 }
--- a/backend/static/css/90-responsive.css
+++ b/backend/static/css/90-responsive.css
@@ -220,6 +220,16 @@
    grid-template-columns: 1fr;
  }

+  .file-reaction-dock {
+    right: 0.5rem;
+    bottom: 0.45rem;
+  }
+
+  .reaction-button {
+    opacity: 1;
+    transform: none;
+  }
+
  .file-progress-side {
    width: 100%;
  }
--- a/backend/static/js/12-reactions.js
+++ b/backend/static/js/12-reactions.js
@@ -0,0 +1,198 @@
+(function () {
+  const picker = document.querySelector("[data-reaction-picker]");
+  const panel = picker ? picker.querySelector(".reaction-picker-panel") : null;
+  const search = picker ? picker.querySelector("[data-reaction-search]") : null;
+  const closeButton = picker ? picker.querySelector("[data-reaction-close]") : null;
+  const tabs = picker ? Array.from(picker.querySelectorAll("[data-reaction-tab]")) : [];
+  const panels = picker ? Array.from(picker.querySelectorAll("[data-reaction-panel]")) : [];
+
+  let activeButton = null;
+  let activeCard = null;
+
+  document.querySelectorAll("[data-reaction-button]").forEach((button) => {
+    button.addEventListener("click", (event) => {
+      event.preventDefault();
+      event.stopPropagation();
+      openPicker(button);
+    });
+  });
+
+  if (!picker || !panel) {
+    return;
+  }
+
+  // Aurora's glass card uses backdrop-filter, and the main content animates
+  // with transform. Both can create a containing block for fixed descendants,
+  // so keep the floating picker at body level where viewport coordinates mean
+  // what they say.
+  document.body.appendChild(picker);
+
+  picker.addEventListener("click", (event) => {
+    if (event.target === picker) {
+      closePicker();
+    }
+  });
+
+  panel.addEventListener("click", async (event) => {
+    const emoji = event.target.closest("[data-emoji-id]");
+    if (!emoji || !activeButton || !activeCard) {
+      return;
+    }
+    await submitReaction(emoji);
+  });
+
+  tabs.forEach((tab) => {
+    tab.addEventListener("click", () => {
+      setActiveTab(tab.dataset.reactionTab);
+    });
+  });
+
+  if (search) {
+    search.addEventListener("input", () => filterEmoji(search.value));
+  }
+
+  if (closeButton) {
+    closeButton.addEventListener("click", closePicker);
+  }
+
+  document.addEventListener("click", (event) => {
+    if (picker.hidden) {
+      return;
+    }
+    if (panel.contains(event.target) || event.target.closest("[data-reaction-button]")) {
+      return;
+    }
+    closePicker();
+  });
+
+  document.addEventListener("keydown", (event) => {
+    if (event.key === "Escape") {
+      closePicker();
+    }
+  });
+
+  window.addEventListener("resize", () => {
+    if (activeButton && !picker.hidden) {
+      positionPicker(activeButton);
+    }
+  });
+
+  function openPicker(button) {
+    activeButton = button;
+    activeCard = button.closest("[data-reaction-card]");
+    picker.hidden = false;
+    picker.classList.add("is-open");
+    if (search) {
+      search.value = "";
+      filterEmoji("");
+    }
+    positionPicker(button);
+  }
+
+  function closePicker() {
+    picker.hidden = true;
+    picker.classList.remove("is-open", "is-mobile");
+    document.documentElement.classList.remove("reaction-picker-open");
+    picker.style.left = "";
+    picker.style.top = "";
+    activeButton = null;
+    activeCard = null;
+  }
+
+  function positionPicker(button) {
+    if (isMobilePicker()) {
+      picker.classList.add("is-mobile");
+      document.documentElement.classList.add("reaction-picker-open");
+      picker.style.left = "0px";
+      picker.style.top = "0px";
+      return;
+    }
+
+    picker.classList.remove("is-mobile");
+    document.documentElement.classList.remove("reaction-picker-open");
+    picker.style.left = "0px";
+    picker.style.top = "0px";
+    const buttonRect = button.getBoundingClientRect();
+    const pickerRect = panel.getBoundingClientRect();
+    const margin = 10;
+    const preferredLeft = buttonRect.left + (buttonRect.width / 2) - (pickerRect.width / 2);
+    const preferredTop = buttonRect.bottom + 8;
+    const left = Math.min(Math.max(margin, preferredLeft), window.innerWidth - pickerRect.width - margin);
+    const top = Math.min(Math.max(margin, preferredTop), window.innerHeight - pickerRect.height - margin);
+    picker.style.left = `${left}px`;
+    picker.style.top = `${top}px`;
+  }
+
+  function isMobilePicker() {
+    return window.matchMedia("(max-width: 820px), (pointer: coarse)").matches;
+  }
+
+  function setActiveTab(tabID) {
+    tabs.forEach((tab) => {
+      const active = tab.dataset.reactionTab === tabID;
+      tab.classList.toggle("is-active", active);
+      tab.setAttribute("aria-selected", active ? "true" : "false");
+    });
+    panels.forEach((item) => {
+      item.classList.toggle("is-active", item.dataset.reactionPanel === tabID);
+    });
+  }
+
+  function filterEmoji(value) {
+    const query = value.trim().toLowerCase();
+    picker.querySelectorAll("[data-emoji-id]").forEach((button) => {
+      const haystack = `${button.dataset.emojiId} ${button.dataset.emojiLabel}`.toLowerCase();
+      button.hidden = query !== "" && !haystack.includes(query);
+    });
+  }
+
+  async function submitReaction(emoji) {
+    const body = new URLSearchParams();
+    body.set("emoji_id", emoji.dataset.emojiId);
+
+    activeButton.disabled = true;
+    const response = await fetch(activeButton.dataset.reactUrl, {
+      method: "POST",
+      headers: {
+        "Accept": "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body,
+    });
+
+    if (!response.ok) {
+      activeButton.disabled = false;
+      closePicker();
+      return;
+    }
+
+    const payload = await response.json();
+    renderReactions(activeCard, payload.reactions || []);
+    activeButton.remove();
+    closePicker();
+  }
+
+  function renderReactions(card, reactions) {
+    const list = card.querySelector("[data-reaction-list]");
+    if (!list) {
+      return;
+    }
+    list.replaceChildren();
+    reactions.forEach((reaction) => {
+      const pill = document.createElement("span");
+      pill.className = "reaction-pill";
+      pill.title = reaction.label || reaction.emojiId;
+
+      const image = document.createElement("img");
+      image.src = reaction.url;
+      image.alt = reaction.label || reaction.emojiId;
+      image.loading = "lazy";
+
+      const count = document.createElement("span");
+      count.textContent = reaction.count;
+
+      pill.append(image, count);
+      list.append(pill);
+    });
+  }
+})();
--- a/backend/static/js/25-admin-charts.js
+++ b/backend/static/js/25-admin-charts.js
@@ -0,0 +1,57 @@
+(function () {
+  const maxBarHeight = 150;
+
+  function numberAttr(element, name) {
+    const value = Number(element.getAttribute(name));
+    return Number.isFinite(value) ? value : 0;
+  }
+
+  function applyChartBars() {
+    document.querySelectorAll(".bar-chart").forEach((chart) => {
+      const bars = Array.from(chart.querySelectorAll(".bar-chart-col"));
+      const maxValue = Math.max(0, ...bars.map((bar) => numberAttr(bar, "data-chart-value")));
+
+      bars.forEach((bar) => {
+        const fill = bar.querySelector(".bar-chart-bar");
+        if (!fill) {
+          return;
+        }
+        const value = numberAttr(bar, "data-chart-value");
+        let height = numberAttr(fill, "data-height-px");
+        if (maxValue > 0) {
+          height = value <= 0 ? 0 : Math.max(8, Math.round((value / maxValue) * maxBarHeight));
+        }
+        fill.style.height = `${Math.min(maxBarHeight, height)}px`;
+      });
+    });
+  }
+
+  function applyStatusBars() {
+    const rows = Array.from(document.querySelectorAll(".stat-bar"));
+    const maxValue = Math.max(0, ...rows.map((row) => numberAttr(row, "data-stat-value")));
+
+    rows.forEach((row) => {
+      const fill = row.querySelector(".stat-bar-fill");
+      if (!fill) {
+        return;
+      }
+      const value = numberAttr(row, "data-stat-value");
+      let width = numberAttr(fill, "data-width-percent");
+      if (maxValue > 0) {
+        width = value <= 0 ? 0 : Math.round((value / maxValue) * 100);
+      }
+      fill.style.width = `${Math.max(0, Math.min(100, width))}%`;
+    });
+  }
+
+  function init() {
+    applyChartBars();
+    applyStatusBars();
+  }
+
+  if (document.readyState === "loading") {
+    document.addEventListener("DOMContentLoaded", init);
+  } else {
+    init();
+  }
+})();
--- a/backend/templates/layouts/base.html
+++ b/backend/templates/layouts/base.html
@@ -31,7 +31,9 @@
  <link rel="stylesheet" href="/static/css/90-responsive.css?version={{.AppVersion}}">
  <script defer src="/static/js/00-utils.js?version={{.AppVersion}}"></script>
  <script defer src="/static/js/10-file-browser.js?version={{.AppVersion}}"></script>
+  <script defer src="/static/js/12-reactions.js?version={{.AppVersion}}"></script>
  <script defer src="/static/js/20-storage-admin.js?version={{.AppVersion}}"></script>
+  <script defer src="/static/js/25-admin-charts.js?version={{.AppVersion}}"></script>
  <script defer src="/static/js/30-token-copy.js?version={{.AppVersion}}"></script>
  <script defer src="/static/js/35-pagination.js?version={{.AppVersion}}"></script>
  <script defer src="/static/js/40-upload.js?version={{.AppVersion}}"></script>
--- a/backend/templates/pages/admin.html
+++ b/backend/templates/pages/admin.html
@@ -65,9 +65,9 @@
        <p class="muted-copy">New boxes created over the last 14 days.</p>
        <div class="bar-chart" role="img" aria-label="Uploads per day for the last 14 days">
          {{range .Data.Overview.UploadDays}}
-          <div class="bar-chart-col" title="{{.Label}}: {{.Value}}">
+          <div class="bar-chart-col" title="{{.Label}}: {{.Value}}" data-chart-value="{{.RawValue}}">
            <span class="bar-chart-value">{{.Value}}</span>
-            <span class="bar-chart-track"><span class="bar-chart-bar" style="--bar-height: {{.Height}}%"></span></span>
+            <span class="bar-chart-track"><span class="bar-chart-bar" data-height-px="{{.HeightPx}}" style="height: {{.HeightPx}}px"></span></span>
            <span class="bar-chart-label">{{.Label}}</span>
          </div>
          {{end}}
@@ -81,9 +81,9 @@
        <p class="muted-copy">Share of all {{.Data.Stats.TotalBoxes}} boxes.</p>
        <div class="stat-bars">
          {{range .Data.Overview.StatusBars}}
-          <div class="stat-bar">
+          <div class="stat-bar" data-stat-value="{{.RawValue}}">
            <span>{{.Label}} <strong>{{.Value}}</strong></span>
-            <span class="stat-bar-track"><span class="stat-bar-fill" style="width: {{.Percent}}%"></span></span>
+            <span class="stat-bar-track"><span class="stat-bar-fill" data-width-percent="{{.WidthPercent}}" style="width: {{.WidthPercent}}%"></span></span>
          </div>
          {{end}}
        </div>
@@ -97,9 +97,9 @@
      <p class="muted-copy">Bytes uploaded over the last 14 days.</p>
      <div class="bar-chart" role="img" aria-label="Storage added per day for the last 14 days">
        {{range .Data.Overview.StorageDays}}
-        <div class="bar-chart-col" title="{{.Label}}: {{.Value}}">
+        <div class="bar-chart-col" title="{{.Label}}: {{.Value}}" data-chart-value="{{.RawValue}}">
          <span class="bar-chart-value">{{.Value}}</span>
-          <span class="bar-chart-track"><span class="bar-chart-bar" style="--bar-height: {{.Height}}%"></span></span>
+          <span class="bar-chart-track"><span class="bar-chart-bar" data-height-px="{{.HeightPx}}" style="height: {{.HeightPx}}px"></span></span>
          <span class="bar-chart-label">{{.Label}}</span>
        </div>
        {{end}}
--- a/backend/templates/pages/api.html
+++ b/backend/templates/pages/api.html
@@ -14,7 +14,7 @@
        <h2>Endpoints</h2>
        <dl class="endpoint-list">
          <div><dt>Upload</dt><dd><code>POST /api/v1/upload</code></dd></div>
-          <div><dt>Health</dt><dd><code>GET /api/v1/health</code></dd></div>
+          <div><dt>Health</dt><dd><code>GET /health</code></dd></div>
          <div><dt>Request schema</dt><dd><a href="/api/v1/schemas/upload-request.json"><code>/api/v1/schemas/upload-request.json</code></a></dd></div>
          <div><dt>Response schema</dt><dd><a href="/api/v1/schemas/upload-response.json"><code>/api/v1/schemas/upload-response.json</code></a></dd></div>
        </dl>
--- a/backend/templates/pages/download.html
+++ b/backend/templates/pages/download.html
@@ -44,7 +44,7 @@

        <div class="download-list file-browser is-list" data-file-browser>
          {{range .Data.Files}}
-            <article class="download-item file-card" data-kind="{{.PreviewKind}}" data-file-context data-preview-url="{{.URL}}" data-view-url="{{.DownloadURL}}?inline=1" data-download-url="{{.DownloadURL}}" data-file-name="{{.Name}}">
+            <article class="download-item file-card" data-kind="{{.PreviewKind}}" data-file-context data-preview-url="{{.URL}}" data-view-url="{{.DownloadURL}}?inline=1" data-download-url="{{.DownloadURL}}" data-file-name="{{.Name}}" data-reaction-card>
              <a class="thumb-link" href="{{.DownloadURL}}?inline=1" aria-label="View {{.Name}}">
                <img src="{{.ThumbnailURL}}" alt="" loading="lazy">
              </a>
@@ -64,11 +64,54 @@
                    Download
                  </a>
                </div>
+                <div class="file-reaction-dock" data-reaction-dock>
+                  <div class="file-reactions" data-reaction-list>
+                    {{range .Reactions}}
+                      <span class="reaction-pill" title="{{.Label}}">
+                        <img src="{{.URL}}" alt="{{.Label}}" loading="lazy">
+                        <span>{{.Count}}</span>
+                      </span>
+                    {{end}}
+                  </div>
+                  {{if not .Reacted}}
+                    <button class="reaction-button" type="button" data-reaction-button data-react-url="{{.ReactURL}}" aria-label="React to {{.Name}}" title="React">
+                      <svg viewBox="0 0 24 24" role="img" focusable="false" aria-hidden="true"><path d="M12 21a9 9 0 1 0-9-9 9 9 0 0 0 9 9Z" /><path d="M8 14s1.4 2 4 2 4-2 4-2" /><path d="M9 9h.01M15 9h.01" /></svg>
+                    </button>
+                  {{end}}
+                </div>
              {{end}}
            </article>
          {{end}}
        </div>
        {{if not .Data.Locked}}
+          <div class="reaction-picker" data-reaction-picker hidden>
+            <div class="reaction-picker-panel" role="dialog" aria-modal="false" aria-label="Choose a reaction">
+              <div class="reaction-picker-head">
+                <strong>React</strong>
+                <button class="button button-ghost reaction-picker-close" type="button" data-reaction-close aria-label="Close reaction picker">Close</button>
+              </div>
+              <div class="reaction-picker-tabs" role="tablist" aria-label="Emoji themes">
+                {{range $index, $tab := .Data.EmojiTabs}}
+                  <button type="button" class="reaction-tab {{if eq $index 0}}is-active{{end}}" data-reaction-tab="{{$tab.ID}}" role="tab" aria-selected="{{if eq $index 0}}true{{else}}false{{end}}">{{$tab.Label}}</button>
+                {{end}}
+              </div>
+              <label class="reaction-search">
+                <span class="sr-only">Search emoji</span>
+                <input type="search" data-reaction-search placeholder="Search emoji">
+              </label>
+              <div class="reaction-grid-wrap">
+                {{range $index, $tab := .Data.EmojiTabs}}
+                  <div class="reaction-grid {{if eq $index 0}}is-active{{end}}" data-reaction-panel="{{$tab.ID}}" role="tabpanel">
+                    {{range $tab.Emojis}}
+                      <button class="reaction-emoji" type="button" data-emoji-id="{{.ID}}" data-emoji-label="{{.Label}}" title="{{.Label}}" aria-label="{{.Label}}">
+                        <img src="{{.URL}}" alt="" loading="lazy">
+                      </button>
+                    {{end}}
+                  </div>
+                {{end}}
+              </div>
+            </div>
+          </div>
          <div class="context-menu" data-file-context-menu role="menu" aria-label="File actions" hidden>
            <div class="context-menu-top">
              <small>File actions</small>
--- a/scripts/env/dev.env.example
+++ b/scripts/env/dev.env.example
@@ -27,7 +27,8 @@ WARPBOX_SHORT_WINDOW_REQUESTS=60
 WARPBOX_SHORT_WINDOW_SECONDS=60
 WARPBOX_ANONYMOUS_STORAGE_BACKEND=local
 WARPBOX_USER_STORAGE_BACKEND=local
-WARPBOX_READ_TIMEOUT=15s
-WARPBOX_WRITE_TIMEOUT=60s
+WARPBOX_READ_HEADER_TIMEOUT=15s
+WARPBOX_READ_TIMEOUT=0s
+WARPBOX_WRITE_TIMEOUT=0s
 WARPBOX_IDLE_TIMEOUT=120s
 WARPBOX_TRUSTED_PROXIES=
Author	SHA1	Message	Date
Daniel Legt	6c87187c6d	refactor(api): consolidate health check endpoints to /health All checks were successful Build and Publish Docker Image / deploy (push) Successful in 1m44s Details Removes the redundant `/healthz` and `/api/v1/health` endpoints, leaving `/health` as the sole health check endpoint. - Update router to return 404 Not Found for the removed endpoints - Update admin log filtering to only ignore `/health` - Remove health URL from API documentation data - Update tests to verify `/health` returns 200 and others return 404 - Update README documentation to reflect the change	2026-06-02 11:54:38 +03:00
Daniel Legt	f628b489af	feat: add emoji reaction support for files All checks were successful Build and Publish Docker Image / deploy (push) Successful in 1m46s Details - Implement `ReactionService` to manage file reactions in the database. - Add `POST /d/{boxID}/f/{fileID}/react` endpoint to handle user reactions. - Add `GET /emoji/{pack}/{file}` endpoint to serve custom emoji assets. - Support loading custom emoji packs dynamically from the data directory. - Update README with instructions on configuring emoji reaction packs.	2026-06-02 11:30:33 +03:00
Daniel Legt	1ab5021667	feat(config): support large uploads with read header timeout All checks were successful Build and Publish Docker Image / deploy (push) Successful in 1m40s Details Disable default read and write timeouts (set to 0s) to prevent Go from prematurely closing connections during large multi-GB uploads. Introduce `WARPBOX_READ_HEADER_TIMEOUT` (defaulting to 15s) to protect against slowloris-style attacks while still allowing long-running uploads to complete. Update documentation and example configurations accordingly.	2026-06-01 15:23:28 +03:00
Daniel Legt	c9f865cd85	refactor(admin): use inline pixel heights for overview charts All checks were successful Build and Publish Docker Image / deploy (push) Successful in 1m40s Details Refactors the admin overview dashboard charts to use inline pixel heights (up to 150px) instead of CSS variables and percentage-based heights. This provides more robust rendering and layout control. Changes include: - Replacing `Height` with `HeightPx` in chart bar structures. - Rendering inline styles for height and width on charts and status bars. - Adding fallback data attributes (`data-height-px`, `data-chart-value`, etc.) and loading a new fallback script (`25-admin-charts.js`). - Updating and expanding test coverage to assert correct scaling and HTML rendering.	2026-06-01 12:30:59 +03:00