makearmy-app/app/api/files/list/route.ts

// /var/www/makearmy.io/app/app/api/files/list/route.ts
import { NextResponse } from "next/server";
import { promises as fs } from "fs";
import { join, normalize } from "path";

const ROOT = "/app/files";

export async function GET(req: Request) {
  const { searchParams } = new URL(req.url);
  const input = searchParams.get("path") || "/";

  // Normalize and lock to ROOT to prevent traversal
  const safeInput = input.startsWith("/") ? input : `/${input}`;
  const fullPath = normalize(join(ROOT, `.${safeInput}`));
  if (!fullPath.startsWith(ROOT)) {
    return NextResponse.json({ error: "Invalid path" }, { status: 400 });
  }

  try {
    const entries = await fs.readdir(fullPath, { withFileTypes: true });

    const items = await Promise.all(
      entries.map(async (d) => {
        const p = join(fullPath, d.name);
        const s = await fs.stat(p);
        return {
          name: d.name,
          isDir: d.isDirectory(),
          size: s.size,
          mtime: s.mtimeMs,
        };
      })
    );

    return NextResponse.json({ path: safeInput, items });
  } catch (err: any) {
    return NextResponse.json(
      { error: err?.message ?? String(err) },
      { status: 404 }
    );
  }
}