[api] file check should be against `attachmentsource` SHA256sum, not hashsum of converted file

[madduck]

If during upload, a file is converted/modified, it will yield a new SHA256sum (see #2327). If the same file is uploaded again, the conversion/modification will likely produce a completely new file with a different SHA256sum (because of timestamps in the generated PDF etc.). Therefore, even with skipDuplicates in metadata, certain duplicates cannot be prevented in the status quo.

The original SHA256sum is kept in the table filemeta. It should be used instead of the hashsum of the converted file.

[eikek]

The code is currently looking against the source file. But due to races between processing files in parallel, duplicates are still possible. Sadly I don't have a good idea to prevent it (without falling back to a single worker only).

[madduck]

It seems you're right, and I cannot reproduce my error test-case anymore. I was thrown off a bit by seeing that the addon JSON interface includes base64-encoded sha256 digests, but the API does seem to use the regular hex digest.