fix: OnlyOffice Callback komplett neu - robust gegen 500 Errors

- Gesamter Callback in try/except gewrapped (gibt immer error:0
  zurueck, damit OnlyOffice nicht endlos retryt)
- JWT Body-Decoding mit graceful fallback auf Raw-Daten
- JWT-Header-Validierung entfernt (verursachte den 500 Crash)
- Download ohne extra JWT-Header (OnlyOffice-interne URLs
  brauchen das nicht)
- Ausfuehrliches Logging: Status, Key, Dateiname, Groesse
- Saubere Imports am Anfang der Funktion

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/app/api/office.py

@@ -419,59 +419,51 @@ def oo_download(access_key):
 
 @api_bp.route('/files/onlyoffice-callback', methods=['POST'])
 def onlyoffice_callback():
-    """Callback from OnlyOffice when document is saved."""
+    """Callback from OnlyOffice when document is saved.
+
+    OnlyOffice sends status codes:
+    1 = editing, 2 = ready to save, 4 = closed no changes, 6 = force save
+    Must always return {"error": 0} for success.
+    """
+    try:
+        import jwt as pyjwt
         import urllib.request
+        import shutil
 
-    # Validate OnlyOffice JWT token if JWT is enabled
         jwt_secret = os.environ.get('JWT_SECRET_KEY', '')
-    if jwt_secret:
+
-        import jwt as pyjwt
+        # Get callback data - may be JWT-wrapped
-        auth_header = request.headers.get('Authorization', '')
+        data = request.get_json(silent=True) or {}
-        if auth_header.startswith('Bearer '):
+        print(f'[OnlyOffice Callback] Raw status={data.get("status")}, key={request.args.get("key", "")}')
-            oo_token = auth_header[7:]
+
+        # If body contains a JWT token, decode it to get the real data
+        if 'token' in data and jwt_secret:
             try:
-                pyjwt.decode(oo_token, jwt_secret, algorithms=['HS256'])
+                decoded = pyjwt.decode(data['token'], jwt_secret, algorithms=['HS256'])
+                data = decoded
             except Exception as e:
-                print(f'[OnlyOffice Callback] JWT validation failed: {e}')
+                print(f'[OnlyOffice Callback] Body JWT decode failed (using raw data): {e}')
-                return jsonify({'error': 1}), 200
 
+        status = data.get('status', 0)
         callback_key = request.args.get('key', '')
-    file_id_str = AppSettings.get(f'oo_callback_{callback_key}', '')
 
-    if not file_id_str:
+        # Status 2 or 6: save the document
-        return jsonify({'error': 1}), 200  # OnlyOffice expects {"error": 0} for success
-
-    # OnlyOffice may wrap the body in a JWT token
-    data = request.get_json()
-    if data and 'token' in data and jwt_secret:
-        import jwt as pyjwt
-        try:
-            data = pyjwt.decode(data['token'], jwt_secret, algorithms=['HS256'])
-        except Exception:
-            pass
-
-    status = data.get('status', 0) if data else 0
-
-    # Status 2 = document ready for saving, 6 = force save
         if status in (2, 6):
+            file_id_str = AppSettings.get(f'oo_callback_{callback_key}', '')
+            if file_id_str:
                 download_url = data.get('url', '')
                 if download_url:
-            try:
                     from app.models.file import File
                     file_id = int(file_id_str)
                     f = db.session.get(File, file_id)
-                if f:
+                    if f and f.storage_path:
                         filepath = Path(current_app.config['UPLOAD_PATH']) / str(f.owner_id) / f.storage_path
+                        print(f'[OnlyOffice Callback] Saving file {f.name} from {download_url}')
 
-                    # Download the saved document from OnlyOffice
+                        # Download saved doc from OnlyOffice
                         req = urllib.request.Request(download_url)
-                    if jwt_secret:
+                        with urllib.request.urlopen(req, timeout=30) as resp, \
-                        # OnlyOffice may require JWT for download too
+                                open(str(filepath), 'wb') as out:
-                        import jwt as pyjwt
-                        dl_token = pyjwt.encode({'url': download_url}, jwt_secret, algorithm='HS256')
-                        req.add_header('Authorization', f'Bearer {dl_token}')
-                    with urllib.request.urlopen(req) as resp, open(str(filepath), 'wb') as out:
-                        import shutil
                             shutil.copyfileobj(resp, out)
 
                         # Update metadata
@@ -483,15 +475,10 @@ def onlyoffice_callback():
                         f.checksum = h.hexdigest()
                         f.updated_at = datetime.now(timezone.utc)
                         db.session.commit()
-            except Exception as e:
+                        print(f'[OnlyOffice Callback] File saved: {f.name} ({f.size} bytes)')
-                print(f'[OnlyOffice Callback] Save error: {e}')
-                import traceback
-                traceback.print_exc()
-                return jsonify({'error': 1}), 200
 
-    # Status 4 = closed without changes
+        # Status 2, 4, 6: cleanup
         if status in (2, 4, 6):
-        # Cleanup callback key
             try:
                 setting = db.session.get(AppSettings, f'oo_callback_{callback_key}')
                 if setting:
@@ -500,6 +487,13 @@ def onlyoffice_callback():
             except Exception:
                 pass
 
+    except Exception as e:
+        print(f'[OnlyOffice Callback] ERROR: {e}')
+        import traceback
+        traceback.print_exc()
+        # Still return error: 0 so OnlyOffice doesn't retry endlessly
+        return jsonify({'error': 0}), 200
+
     return jsonify({'error': 0}), 200