59 lines
1.9 KiB
TypeScript
59 lines
1.9 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import { stat } from "fs/promises";
|
|
import { createReadStream } from "fs";
|
|
import path from "path";
|
|
import mime from "mime";
|
|
import { getUserBearerFromRequest } from "@/lib/directus";
|
|
|
|
export const runtime = "nodejs";
|
|
export const dynamic = "force-dynamic";
|
|
export const revalidate = 0;
|
|
|
|
const ROOT = process.env.FILES_ROOT || "/app/files";
|
|
|
|
function safeJoin(root: string, p: string) {
|
|
const rootResolved = path.resolve(root);
|
|
const raw = path.normalize("/" + (p || "/")); // always absolute-ish
|
|
const abs = path.resolve(rootResolved, "." + raw); // stays under root
|
|
if (abs === rootResolved) return abs; // allow root
|
|
if (abs.startsWith(rootResolved + path.sep)) return abs;
|
|
throw new Error("Invalid path");
|
|
}
|
|
|
|
export async function GET(req: Request) {
|
|
try {
|
|
// Auth gate: require ma_at
|
|
const bearer = getUserBearerFromRequest(req);
|
|
if (!bearer) {
|
|
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
|
}
|
|
|
|
const { searchParams } = new URL(req.url);
|
|
const p = searchParams.get("path");
|
|
if (!p) {
|
|
return NextResponse.json({ error: "Missing path" }, { status: 400 });
|
|
}
|
|
|
|
const abs = safeJoin(ROOT, p);
|
|
const s = await stat(abs);
|
|
if (!s.isFile()) {
|
|
return NextResponse.json({ error: "Not found" }, { status: 404 });
|
|
}
|
|
|
|
const stream = createReadStream(abs);
|
|
const type = mime.getType(abs) || "application/octet-stream";
|
|
|
|
return new Response(stream as any, {
|
|
headers: {
|
|
"Content-Type": type,
|
|
"Content-Length": String(s.size),
|
|
// cache only for the requesting user/agent
|
|
"Cache-Control": "private, max-age=3600",
|
|
},
|
|
});
|
|
} catch (err: any) {
|
|
const msg = err?.message || "Error";
|
|
const code = msg === "Invalid path" ? 400 : 404;
|
|
return NextResponse.json({ error: msg }, { status: code });
|
|
}
|
|
}
|