Fix authenticated media flows and upload preflight handling

backend/app/main.py

@@ -1,6 +1,8 @@
 """FastAPI entrypoint for the DMS backend service."""
 
-from fastapi import FastAPI, Request
+from typing import Awaitable, Callable
+
+from fastapi import FastAPI, Request, Response
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
 
@@ -14,6 +16,18 @@ from app.services.typesense_index import ensure_typesense_collection
 
 
 settings = get_settings()
+UPLOAD_ENDPOINT_PATH = "/api/v1/documents/upload"
+UPLOAD_ENDPOINT_METHOD = "POST"
+
+
+def _is_upload_size_guard_target(request: Request) -> bool:
+    """Returns whether upload request-size enforcement applies to this request.
+
+    Upload-size validation is intentionally scoped to the upload POST endpoint so CORS
+    preflight OPTIONS requests can pass through CORSMiddleware.
+    """
+
+    return request.method.upper() == UPLOAD_ENDPOINT_METHOD and request.url.path == UPLOAD_ENDPOINT_PATH
 
 
 def create_app() -> FastAPI:
@@ -30,10 +44,13 @@ def create_app() -> FastAPI:
     app.include_router(api_router, prefix="/api/v1")
 
     @app.middleware("http")
-    async def enforce_upload_request_size(request: Request, call_next):
-        """Rejects upload requests without deterministic length or exceeding configured limits."""
+    async def enforce_upload_request_size(
+        request: Request,
+        call_next: Callable[[Request], Awaitable[Response]],
+    ) -> Response:
+        """Rejects only POST upload bodies without deterministic length or with oversized request totals."""
 
-        if request.url.path.endswith("/api/v1/documents/upload"):
+        if _is_upload_size_guard_target(request):
             content_length = request.headers.get("content-length", "").strip()
             if not content_length:
                 return JSONResponse(