38 lines
1.3 KiB
TypeScript
38 lines
1.3 KiB
TypeScript
import { NextRequest, NextResponse } from "next/server";
|
|
import { auth } from "@/lib/auth";
|
|
import { sanitizeFilePath } from "@/lib/security/sanitize";
|
|
import * as fs from "node:fs";
|
|
import * as path from "node:path";
|
|
|
|
export async function GET(req: NextRequest) {
|
|
const session = await auth.api.getSession({ headers: req.headers });
|
|
if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
|
|
|
const mcBase = path.resolve(process.env.MC_SERVER_PATH ?? "/opt/minecraft/server");
|
|
const filePath = req.nextUrl.searchParams.get("path") ?? "";
|
|
|
|
let resolvedPath: string;
|
|
try {
|
|
resolvedPath = sanitizeFilePath(filePath, mcBase);
|
|
} catch {
|
|
return NextResponse.json({ error: "Invalid path" }, { status: 400 });
|
|
}
|
|
|
|
if (!fs.existsSync(resolvedPath) || fs.statSync(resolvedPath).isDirectory()) {
|
|
return NextResponse.json({ error: "File not found" }, { status: 404 });
|
|
}
|
|
|
|
const fileName = path.basename(resolvedPath);
|
|
const fileBuffer = fs.readFileSync(resolvedPath);
|
|
|
|
return new NextResponse(fileBuffer, {
|
|
headers: {
|
|
"Content-Disposition": `attachment; filename="${encodeURIComponent(fileName)}"`,
|
|
"Content-Type": "application/octet-stream",
|
|
"Content-Length": String(fileBuffer.length),
|
|
// Prevent XSS via content sniffing
|
|
"X-Content-Type-Options": "nosniff",
|
|
},
|
|
});
|
|
}
|