Fix chunked file sharing - files >768KB now decrypt correctly

Author: ehsan6sha

Cargo.lock

@@ -74,7 +74,7 @@ name = "encrypted_upload_test"
 path = "examples/encrypted_upload_test.rs"
 
 [workspace.package]
-version = "0.2.15"
+version = "0.2.16"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/functionland/fula-api"

Cargo.toml

@@ -1225,18 +1225,21 @@ impl EncryptedClient {
     // ═══════════════════════════════════════════════════════════════════════════
 
     /// Get and decrypt an object using a ShareToken
-    /// 
+    ///
     /// This allows recipients of a share to read encrypted objects without
     /// having the owner's keys. The ShareToken contains a wrapped DEK that
     /// was encrypted for the recipient's public key.
-    /// 
+    ///
     /// # Arguments
     /// * `bucket` - The bucket containing the object
     /// * `storage_key` - The storage key of the object
     /// * `accepted_share` - An accepted share containing the DEK
-    /// 
+    ///
     /// # Returns
     /// The decrypted object data
+    ///
+    /// # Note
+    /// Handles both single-block and chunked files automatically.
     pub async fn get_object_with_share(
         &self,
         bucket: &str,
@@ -1268,7 +1271,7 @@ impl EncryptedClient {
 
         // Fetch the object
         let result = self.inner.get_object_with_metadata(bucket, storage_key).await?;
-        
+
         // Check if encrypted
         let is_encrypted = result.metadata
             .get("x-fula-encrypted")
@@ -1279,6 +1282,12 @@ impl EncryptedClient {
             return Ok(result.data);
         }
 
+        // Check if this is a chunked object
+        let is_chunked = result.metadata
+            .get("x-fula-chunked")
+            .map(|v| v == "true")
+            .unwrap_or(false);
+
         // Parse encryption metadata
         let enc_metadata_str = result.metadata
             .get("x-fula-encryption")
@@ -1291,24 +1300,65 @@ impl EncryptedClient {
                 fula_crypto::CryptoError::Decryption(e.to_string())
             ))?;
 
-        // Extract nonce
-        let nonce_b64 = enc_metadata["nonce"].as_str()
-            .ok_or_else(|| ClientError::Encryption(
-                fula_crypto::CryptoError::Decryption("Missing nonce".to_string())
+        if is_chunked {
+            // CHUNKED DOWNLOAD: Download and decrypt each chunk using the share's DEK
+            self.get_object_chunked_with_share(bucket, storage_key, &enc_metadata, &accepted_share.dek).await
+        } else {
+            // SINGLE OBJECT: Decrypt directly
+            let nonce_b64 = enc_metadata["nonce"].as_str()
+                .ok_or_else(|| ClientError::Encryption(
+                    fula_crypto::CryptoError::Decryption("Missing nonce".to_string())
+                ))?;
+            let nonce_bytes = base64::Engine::decode(
+                &base64::engine::general_purpose::STANDARD,
+                nonce_b64,
+            ).map_err(|e| ClientError::Encryption(
+                fula_crypto::CryptoError::Decryption(e.to_string())
             ))?;
-        let nonce_bytes = base64::Engine::decode(
-            &base64::engine::general_purpose::STANDARD,
-            nonce_b64,
+            let nonce = Nonce::from_bytes(&nonce_bytes)
+                .map_err(ClientError::Encryption)?;
+
+            // Use the DEK from the accepted share (already decrypted for recipient)
+            let aead = Aead::new_default(&accepted_share.dek);
+            let plaintext = aead.decrypt(&nonce, &result.data)
+                .map_err(ClientError::Encryption)?;
+
+            Ok(Bytes::from(plaintext))
+        }
+    }
+
+    /// Internal: Download and decrypt a chunked file using a share's DEK
+    async fn get_object_chunked_with_share(
+        &self,
+        bucket: &str,
+        storage_key: &str,
+        enc_metadata: &serde_json::Value,
+        dek: &fula_crypto::keys::DekKey,
+    ) -> Result<Bytes> {
+        // Parse chunked metadata
+        let chunked_meta: ChunkedFileMetadata = serde_json::from_value(
+            enc_metadata["chunked"].clone()
         ).map_err(|e| ClientError::Encryption(
-            fula_crypto::CryptoError::Decryption(e.to_string())
+            fula_crypto::CryptoError::Decryption(format!("Invalid chunked metadata: {}", e))
         ))?;
-        let nonce = Nonce::from_bytes(&nonce_bytes)
-            .map_err(ClientError::Encryption)?;
 
-        // Use the DEK from the accepted share (already decrypted for recipient)
-        let aead = Aead::new_default(&accepted_share.dek);
-        let plaintext = aead.decrypt(&nonce, &result.data)
-            .map_err(ClientError::Encryption)?;
+        // Create decoder
+        let mut decoder = fula_crypto::ChunkedDecoder::new(dek.clone(), chunked_meta.clone());
+
+        // Pre-allocate result buffer
+        let mut plaintext = Vec::with_capacity(chunked_meta.total_size as usize);
+
+        // Download and decrypt each chunk in order
+        for chunk_index in 0..chunked_meta.num_chunks {
+            let chunk_key = ChunkedFileMetadata::chunk_key(storage_key, chunk_index);
+
+            let chunk_result = self.inner.get_object(bucket, &chunk_key).await?;
+
+            let chunk_plaintext = decoder.decrypt_chunk(chunk_index, &chunk_result)
+                .map_err(ClientError::Encryption)?;
+
+            plaintext.extend_from_slice(&chunk_plaintext);
+        }
 
         Ok(Bytes::from(plaintext))
     }

crates/fula-client/src/encryption.rs

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.16] - 2026-01-13
+
+### Fixed
+
+- **CRITICAL: Share decryption fails for chunked files (files > 768KB)**
+  - `get_object_with_share` was using single-block decryption for all files
+  - Chunked files store each chunk with its own nonce in `{storage_key}.chunks/{index}`
+  - Share flow was ignoring chunked file metadata and trying to decrypt assembled bytes as single block
+  - **Result**: Large shared files (images, videos) returned garbage data instead of correct content
+  - **Fix**: `get_object_with_share` now checks `x-fula-chunked` metadata and uses `ChunkedDecoder` with per-chunk nonces when needed
+
+### Technical Details
+
+- Added `get_object_chunked_with_share()` internal method for chunked file handling in share flow
+- Downloads each chunk from `{storage_key}.chunks/{index}`, decrypts with chunk-specific nonce
+- Concatenates decrypted chunks and returns complete plaintext
+- Works identically to normal `get_object_decrypted_by_storage_key()` but uses share's DEK
+
 ## [0.2.15] - 2026-01-13
 
 ### Fixed

packages/fula_client/CHANGELOG.md

@@ -6,7 +6,7 @@
 
 Pod::Spec.new do |s|
   s.name             = 'fula_client'
-  s.version          = '0.2.12'
+  s.version          = '0.2.16'
   s.summary          = 'Flutter SDK for Fula decentralized storage'
   s.description      = <<-DESC
     A Flutter plugin providing client-side encryption, metadata privacy,

packages/fula_client/ios/fula_client.podspec

@@ -1,6 +1,6 @@
 name: fula_client
 description: Flutter SDK for Fula decentralized storage with client-side encryption, metadata privacy, and secure sharing.
-version: 0.2.15
+version: 0.2.16
 homepage: https://fx.land
 repository: https://github.com/functionland/fula-api
 issue_tracker: https://github.com/functionland/fula-api/issues