fix: restore file upload override when 'file' param is enabled (fixes #6102) #6149

Open
octo-patch wants to merge 2 commits into FlowiseAI:main from octo-patch:fix/issue-6102-file-upload-override
@octo-patch

Fixes #6102

Problem

After the security fix in commit c8282c9 ("Fix Parameter Override Bypass", #5667), file uploads via the upsert API stopped being indexed.

Root cause: The fix removed a special case that allowed FILE-STORAGE:: values to bypass the isParameterEnabled check. However, this broke legitimate API file uploads because:

  1. Users configure file overrides by enabling the 'file' parameter in the Flowise UI for their File Loader node.
  2. When files are uploaded via multipart form data, the server maps them to type-specific keys: 'txtFile', 'pdfFile', 'csvFile', etc.
  3. replaceInputsWithConfig then checks isParameterEnabled(nodeLabel, 'txtFile') — but 'txtFile' is never in nodeOverrides; only 'file' is.
  4. Since the check fails, the file path is never applied to the node, and nothing gets indexed.

Additional bug: Both upsertVector.ts and buildChatflow.ts had a copy-paste error in the MIME-type fallback branch — fileInputFieldFromExt was used instead of fileInputFieldFromMimeType when the else-if condition was triggered.

Solution

In replaceInputsWithConfig, when a FILE-STORAGE:: value is not directly enabled by name, also check if the generic 'file' parameter is enabled for that node. This restores file upload functionality while keeping the security constraint that at least one override permission must be configured.

The MIME-type copy-paste bug is also fixed in both upsertVector.ts and buildChatflow.ts.

Testing

  1. Create a chatflow/ingestion flow with a File Loader node
  2. In the override config, enable the File input for override
  3. Upload a file via the upsert API using multipart form data:
    POST /api/v1/vector/upsert/{chatflowId}
    Content-Type: multipart/form-data
    files: <your file>
    
  4. Verify the file is indexed in the vector store (was broken before this fix)
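
The override gate from the root-cause steps above, modelled as an added example (not Flowise code and not part of this PR): it compares the strict name check, the generic 'file' fallback, and a fallback that also restricts the parameter name. `NodeOverrides`, `Gate`, `allowedOverrides`, the allow-list, and the sample node label and values are assumptions made for illustration.

```typescript
// Simplified model for illustration; not Flowise's replaceInputsWithConfig.
// Assumed shape: node label -> parameter names enabled for override.
type NodeOverrides = Record<string, string[]>
type Gate = 'strict' | 'fileFallback' | 'fileFallbackAllowList'

const FILE_PREFIX = 'FILE-STORAGE::'
// Assumed allow-list, taken from the type-specific keys named in the description.
const FILE_INPUT_KEYS = new Set(['txtFile', 'pdfFile', 'csvFile'])

function isParameterEnabled(overrides: NodeOverrides, label: string, param: string): boolean {
    return (overrides[label] ?? []).includes(param)
}

// Returns the override keys the chosen gate would apply to the node.
function allowedOverrides(
    gate: Gate,
    overrides: NodeOverrides,
    label: string,
    overrideConfig: Record<string, unknown>
): string[] {
    const applied: string[] = []
    for (const [key, value] of Object.entries(overrideConfig)) {
        if (isParameterEnabled(overrides, label, key)) {
            applied.push(key) // explicitly enabled by name
            continue
        }
        if (gate === 'strict') continue // name must match exactly: uploads are dropped
        const isFileValue = typeof value === 'string' && value.startsWith(FILE_PREFIX)
        const nameAllowed = gate === 'fileFallback' || FILE_INPUT_KEYS.has(key)
        if (isFileValue && nameAllowed && isParameterEnabled(overrides, label, 'file')) {
            applied.push(key) // accepted through the generic 'file' permission
        }
    }
    return applied
}

// Constructed sample: only 'file' is enabled on a hypothetical node label.
const sampleOverrides: NodeOverrides = { 'Text File': ['file'] }
const sampleConfig: Record<string, unknown> = {
    txtFile: 'FILE-STORAGE::["notes.txt"]', // key the server maps a .txt upload to
    metadata: 'FILE-STORAGE::x', // hypothetical non-file parameter carrying the marker
    chunkSize: 10 // ordinary parameter, not enabled
}

for (const gate of ['strict', 'fileFallback', 'fileFallbackAllowList'] as Gate[]) {
    console.log(gate, allowedOverrides(gate, sampleOverrides, 'Text File', sampleConfig))
}
```

With only 'file' enabled, the strict gate applies nothing (the regression described above), the value-only fallback applies both `txtFile` and `metadata`, and the name-restricted fallback applies `txtFile` alone.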

…ixes FlowiseAI#6105)

When GET /api/v1/auth/resolve is called without authentication, the
request is whitelisted (passthrough) and matches the GET /api/v1/auth/:type
route with type='resolve'. This calls getAllPermissions() where req.user
is undefined, causing a 500 error: 'Cannot read properties of undefined
(reading isOrganizationAdmin)'.

Add an early guard to return 401 Unauthorized if no user is present,
preventing the crash and returning a proper error response.
…lowiseAI#6102)

Commit c8282c9 removed the special case that allowed FILE-STORAGE:: values
to bypass override permission checks. This broke API file uploads because users
enable the 'file' parameter for override in the UI, but the server maps uploaded
files to type-specific keys ('txtFile', 'pdfFile', etc.) which were then blocked.

Fix: When a FILE-STORAGE:: value is blocked by the specific-param check, also
allow it if the generic 'file' parameter is enabled for that node. This restores
file upload functionality without reintroducing the original security bypass.

Also fix a copy-paste bug in both upsertVector.ts and buildChatflow.ts where the
mime-type fallback branch incorrectly used fileInputFieldFromExt instead of
fileInputFieldFromMimeType.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces an unauthorized check in the authentication controller and fixes logic errors in file input field assignments within buildChatflow.ts and upsertVector.ts. It also updates the input replacement logic to allow FILE-STORAGE:: overrides when the generic 'file' parameter is enabled. Feedback was provided to improve the precision of the file storage check by using startsWith and to optimize the variable scope.

Comment on lines +1194 to 1201
const isFileStorageValue =
typeof overrideConfig[config] === 'string' && overrideConfig[config].includes('FILE-STORAGE::')
if (!isParameterEnabled(flowNodeData.label, config)) {
// Only proceed if the parameter is enabled
continue
if (!(isFileStorageValue && isParameterEnabled(flowNodeData.label, 'file'))) {
// Only proceed if the parameter is enabled
continue
}
}
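
Review bot: The 'file' fallback in the inner `if` keys only on the value of `overrideConfig[config]` and never looks at `config` itself, so once 'file' is enabled for a node, any parameter name whose string value contains `FILE-STORAGE::` passes the gate. Restrict the fallback to the type-specific file input keys the server maps uploads to (the description names 'txtFile', 'pdfFile', 'csvFile') in addition to the value test, so that enabling 'file' grants override of file inputs only.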
medium

The check for FILE-STORAGE:: values should be more precise to avoid potential false positives and can be optimized by moving it inside the parameter enablement check. Using startsWith instead of includes ensures that we only match actual file storage references, which is consistent with how these values are handled elsewhere in the codebase. Additionally, using an early return with continue is preferred for readability over nested logic.

Suggested change
const isFileStorageValue =
typeof overrideConfig[config] === 'string' && overrideConfig[config].includes('FILE-STORAGE::')
if (!isParameterEnabled(flowNodeData.label, config)) {
// Only proceed if the parameter is enabled
continue
if (!(isFileStorageValue && isParameterEnabled(flowNodeData.label, 'file'))) {
// Only proceed if the parameter is enabled
continue
}
}
if (!isParameterEnabled(flowNodeData.label, config)) {
const isFileStorageValue =
typeof overrideConfig[config] === 'string' && overrideConfig[config].startsWith('FILE-STORAGE::')
if (!(isFileStorageValue && isParameterEnabled(flowNodeData.label, 'file'))) {
// Only proceed if the parameter is enabled
continue
}
}
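
Review bot: The comment `// Only proceed if the parameter is enabled` kept inside the inner `if` no longer describes the branch it guards, because that branch is reached only when `config` is not enabled and admits the value on the strength of the 'file' permission. Reword it to state the actual rule, for example that a value starting with `FILE-STORAGE::` is accepted when the node's generic 'file' override is enabled.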
References
  1. Multiple early returns for validation can be preferable to a single error-aggregating block if the latter is considered more confusing or less readable.

Development

Successfully merging this pull request may close these issues.

File Loader Not Picking Up Provided File(s) from Request - After Upgrading from 3.0.4 to 3.1.1