import { existsSync, createReadStream } from 'fs'
import { join, resolve, sep } from 'path'
import { sendStream, createError } from 'h3'
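/**
 * Streams a file from `public/scores` in response to a `/scores/...` request.
 *
 * Responds 403 when the resolved path is not strictly inside the scores
 * directory, 404 when nothing exists at that path, and otherwise 200 with the
 * file contents as a stream.
 */
export default defineEventHandler(async (event) => {
  // Client-controlled: everything derived from it is untrusted until the
  // containment check below has passed.
  const url = event.path
  const filename = url.replace('/scores/', '')

  const allowedBase = resolve(process.cwd(), 'public/scores')
  const requestedPath = resolve(join(allowedBase, filename))

  // Compare against the base *plus a path separator*. A bare prefix test
  // (`startsWith(allowedBase)`) also accepts sibling directories whose name
  // merely begins with "scores", which lie outside the intended root.
  // The base directory itself is rejected too: there is no file to stream.
  // NOTE(review): resolve() only normalises the string and does not follow
  // symlinks; if links can appear under public/scores, compare real paths.
  if (!requestedPath.startsWith(allowedBase + sep)) {
    throw createError({ statusCode: 403, statusMessage: 'Forbidden' })
  }

  // NOTE(review): existsSync() is also true for directories; a request that
  // names a sub-directory would fail later inside the read stream.
  if (!existsSync(requestedPath)) {
    throw createError({ statusCode: 404, statusMessage: 'Not Found' })
  }

  event.node.res.statusCode = 200
  return sendStream(event, createReadStream(requestedPath))
})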