feat(users): add account limits and API keys

static/js/upload/api.js

@@ -1,7 +1,15 @@
+function authHeaders() {
+    const headers = {};
+    const apiKeyEnabled = Boolean(el.apiKeyMode?.checked);
+    const apiKey = String(el.apiKeyInput?.value || "").trim();
+    if (apiKeyEnabled && apiKey) headers.Authorization = `Bearer ${apiKey}`;
+    return headers;
+}
+
 async function createBox() {
     const response = await fetch("/box", {
         method: "POST",
-        headers: { "Content-Type": "application/json" },
+        headers: { "Content-Type": "application/json", ...authHeaders() },
         body: JSON.stringify({
             retention_key: el.expiry?.value || defaultRetention,
             password: el.password?.value || "",
@@ -28,7 +36,7 @@ async function markFileStatus(item, status) {
     try {
         await fetch(`/box/${item.boxID}/files/${item.boxFile.id}/status`, {
             method: "POST",
-            headers: { "Content-Type": "application/json" },
+            headers: { "Content-Type": "application/json", ...authHeaders() },
             body: JSON.stringify({ status }),
         });
     } catch (_) {
@@ -62,6 +70,8 @@ function uploadFile(item, onComplete) {
         formData.append("file", item.file, item.displayName);
 
         xhr.open("POST", item.boxFile.upload_path);
+        const headers = authHeaders();
+        if (headers.Authorization) xhr.setRequestHeader("Authorization", headers.Authorization);
 
         xhr.upload.addEventListener("loadstart", () => {
             item.loaded = 0;