import { existsSync, createReadStream } from 'fs'
import { join, resolve } from 'path'
import { sendStream, createError } from 'h3'

export default defineEventHandler(async (event) => {
  const url = event.path

  const filename = url.replace('/scores/', '')

  const requestedPath = resolve(join(process.cwd(), 'public/scores', filename))
  const allowedBase = resolve(process.cwd(), 'public/scores')

  if (!requestedPath.startsWith(allowedBase)) {
    throw createError({ statusCode: 403, statusMessage: 'Forbidden' })
  }

  if (!existsSync(requestedPath)) {
    throw createError({ statusCode: 404, statusMessage: 'Not Found' })
  }

  event.node.res.statusCode = 200
  return sendStream(event, createReadStream(requestedPath))
})