The bug was that the upload handler was checking request.session.get('user_id') directly instead of using the proper authenticated user_id from request.state. When API authentication was also active, the middleware would set request.state.user_id which was being ignored.

Now correctly uses:
current_user_id = getattr(request.state, 'user_id', request.session.get('user_id'))

This respects both session authentication and API authentication state while properly identifying the config admin from aisbf.json who has no user_id.