Fantastic article...
I have a specific question regarding the chaining of the flaws in Part 4.
In Part 1, you successfully confirmed the IDOR using GET /api/v1/files/view/{file_id}, which directly downloaded the file content. However, in Part 4, after successfully leaking the file keys, you returned to the POST /api/v2/user/documents endpoint to obtain the pre-signed S3 download URL instead of using the original GET endpoint.
I'm curious if you attempted the direct GET download with the leaked keys and if there was a specific reason to focus entirely on the POST endpoint for the final download step.