Initial push

app/api/files/download/route.ts

@@ -0,0 +1,37 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { sanitizeFilePath } from "@/lib/security/sanitize";
+import * as fs from "node:fs";
+import * as path from "node:path";
+
+export async function GET(req: NextRequest) {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
+  const filePath = req.nextUrl.searchParams.get("path") ?? "";
+
+  let resolvedPath: string;
+  try {
+    resolvedPath = sanitizeFilePath(filePath, mcBase);
+  } catch {
+    return NextResponse.json({ error: "Invalid path" }, { status: 400 });
+  }
+
+  if (!fs.existsSync(resolvedPath) || fs.statSync(resolvedPath).isDirectory()) {
+    return NextResponse.json({ error: "File not found" }, { status: 404 });
+  }
+
+  const fileName = path.basename(resolvedPath);
+  const fileBuffer = fs.readFileSync(resolvedPath);
+
+  return new NextResponse(fileBuffer, {
+    headers: {
+      "Content-Disposition": `attachment; filename="${encodeURIComponent(fileName)}"`,
+      "Content-Type": "application/octet-stream",
+      "Content-Length": String(fileBuffer.length),
+      // Prevent XSS via content sniffing
+      "X-Content-Type-Options": "nosniff",
+    },
+  });
+}