admin
51 lines
1.8 KiB
TypeScript
51 lines
1.8 KiB
TypeScript
import { NextRequest } from "next/server";
|
|
import path from "node:path";
|
|
import fs from "node:fs/promises";
|
|
import crypto from "node:crypto";
|
|
|
|
export const runtime = "nodejs";
|
|
export const dynamic = "force-dynamic";
|
|
|
|
const COVER_ROOT = path.join(process.cwd(), "data", "category-covers");
|
|
const IMAGE_MIME: Record<string, string> = {
|
|
".png": "image/png",
|
|
".jpg": "image/jpeg",
|
|
".jpeg": "image/jpeg",
|
|
".webp": "image/webp",
|
|
};
|
|
|
|
export async function GET(_req: NextRequest, ctx: { params: Promise<{ file: string }> }) {
|
|
const { file } = await ctx.params;
|
|
const name = decodeURIComponent(file);
|
|
// Stored filenames are always `${id}-${slot}-${sha16}.${ext}`. Reject
|
|
// anything containing path separators or traversal segments before
|
|
// touching the disk.
|
|
if (name.includes("/") || name.includes("\\") || name.includes("..")) {
|
|
return new Response("not found", { status: 404 });
|
|
}
|
|
const abs = path.join(COVER_ROOT, name);
|
|
try {
|
|
const buf = await fs.readFile(abs);
|
|
const ext = path.extname(abs).toLowerCase();
|
|
const etag = `"${crypto.createHash("sha256").update(buf).digest("hex")}"`;
|
|
return new Response(new Uint8Array(buf), {
|
|
headers: {
|
|
"Content-Type": IMAGE_MIME[ext] ?? "application/octet-stream",
|
|
"Content-Disposition": rfc5987Disposition(name),
|
|
"Cache-Control": "public, max-age=0, must-revalidate",
|
|
ETag: etag,
|
|
},
|
|
});
|
|
} catch {
|
|
return new Response("not found", { status: 404 });
|
|
}
|
|
}
|
|
|
|
function rfc5987Disposition(filename: string): string {
|
|
// ASCII-safe fallback: strip non-ASCII + escape quotes/backslashes for
|
|
// the legacy `filename=` token. UTF-8 path uses RFC 5987 percent-encoding.
|
|
const ascii = filename.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
|
|
const utf8 = encodeURIComponent(filename);
|
|
return `inline; filename="${ascii}"; filename*=UTF-8''${utf8}`;
|
|
}
|