Scope app passwords for uploading to a specific folder (Alternative 2 of 2) #35262

Open
Kharonus opened this issue Nov 18, 2022 · 2 comments
@Kharonus

As a developer integrating a Web application with Nextcloud
I want to offer direct file uploads to specific folders in Nextcloud right from my application's frontend
so that I don't need to use my backend as a proxy and save resources (connections, bandwidth, ...)

Alternative to: #35260

Description

  • From any authorized instance (e.g. backend server with OAuth 2 connection to NC)
    • Create an application password, with the restriction of only allowing to upload a file to a specific folder.
  • Share the application password and the username with any unauthorized client (e.g. some frontend application running in a browser).
  • Use the credentials from this client to perform the upload
    • e.g. pick a file from within the browser's file picker
    • use WebDAV upload endpoint in private API to upload the file
  • Revoke the generated application password

Requirements

  • There is the possibility to scope an application password to perform only an upload at a specific folder at creation time.
  • The user is able to set an expiration date for application password.
  • If revocation of the application password fails or is not requested, the application password must expire.
  • The application password must not authorize the user for any other action except the defined upload.

Known advantages over alternative #35260

  • possible to use WebDAV chunked uploads

Known disadvantages over alternative #35260

  • restricting the private API to specific actions is a complex endeavor
  • app passwords are currently not supposed to expire, which means after using the app password (on either success or failure), it must be revoked.

For the attention of

@julien-nc
@PVince81

@Kharonus Kharonus added 0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement labels Nov 18, 2022
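
An added sketch of the server-side check the Requirements above imply (not part of the issue and not Nextcloud code): a scoped app password authorizes only a `PUT` below one folder and stops working at its expiry even if revocation never happens. `UploadScope`, `is_allowed` and the assumption that the request path arrives relative to the user's files root are hypothetical; WebDAV chunked uploads would need further rules that are not covered here.

```python
# Added example: hypothetical names, not Nextcloud's implementation.
from dataclasses import dataclass
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote


@dataclass(frozen=True)
class UploadScope:
    """Hypothetical scope fixed when the app password is created."""
    user: str
    folder: str           # allowed target folder, relative to the user's files root
    expires_at: datetime  # hard expiry, enforced even if revocation fails


def is_allowed(scope: UploadScope, auth_user: str, method: str,
               raw_path: str, now: datetime) -> bool:
    """Return True only for a PUT of a file below scope.folder before expiry."""
    if auth_user != scope.user or now >= scope.expires_at:
        return False
    # Every other verb (GET, PROPFIND, DELETE, MOVE, COPY, MKCOL, ...) is denied.
    if method.upper() != "PUT":
        return False
    path = unquote(raw_path)
    # Still-encoded input after one decode is refused, so a second decoding
    # layer downstream cannot turn %252e%252e into "..".
    if unquote(path) != path:
        return False
    if "\x00" in path or "\\" in path or not path.startswith("/"):
        return False
    # Reject dot and empty segments instead of resolving them silently.
    if any(seg in ("", ".", "..") for seg in path.split("/")[1:]):
        return False
    folder = normpath(scope.folder).rstrip("/")
    # The trailing slash keeps "/inbox-evil" from matching "/inbox" and
    # stops the scoped folder itself from being overwritten.
    return path.startswith(folder + "/")
```

The function fails closed: anything it cannot classify as the one permitted upload is denied, which matches the requirement that the password must not authorize any other action.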
@sunjam

sunjam commented May 27, 2023

Also see

Closed because I grew tired of fighting the bot

@joshtrichards
Member

Related: #17339
