import { NextResponse } from "next/server";
import { readFile } from "fs/promises";
import path from "path";

// Directory the route serves from: <working directory>/public/uploads.
const UPLOADS_DIR = path.join(process.cwd(), "public", "uploads");

// Lower-cased file extension (leading dot included) -> Content-Type header value.
// Extensions missing from this table are handled by the caller's fallback.
// Note that ".svg" maps to image/svg+xml, which browsers treat as an active
// document format when the URL is opened directly.
const MIME: Record<string, string> = Object.fromEntries([
  [".png", "image/png"],
  [".jpg", "image/jpeg"],
  [".jpeg", "image/jpeg"],
  [".gif", "image/gif"],
  [".webp", "image/webp"],
  [".svg", "image/svg+xml"],
  [".pdf", "application/pdf"],
]);

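/**
 * Serves a single file from the uploads directory.
 *
 * The catch-all segments are joined with "/" and checked against an allow-list
 * of characters (letters, digits, ".", "_" and "-"). Because "/" is not on that
 * list, every multi-segment request is answered with 404, so only files that
 * sit directly inside UPLOADS_DIR are reachable.
 *
 * @param _req - Incoming request (unused).
 * @param ctx - Route context; `params.path` holds the catch-all path segments.
 * @returns The file bytes with a Content-Type taken from MIME; a 404 JSON body
 *   when the name is rejected or the file cannot be read; a 403 JSON body when
 *   the resolved path is not strictly inside the uploads directory.
 */
export async function GET(
  _req: Request,
  ctx: { params: Promise<{ path: string[] }> }
) {
  const { path: pathSegments } = await ctx.params;
  const filename = pathSegments?.join("/");

  // Allow-list first: anything outside [a-zA-Z0-9._-] (including "/" and "\")
  // or containing ".." is rejected before the name touches the filesystem.
  // NOTE(review): names with a leading dot still pass this filter — confirm
  // that no dotfiles are ever stored in the uploads directory.
  if (!filename || filename.includes("..") || /[^a-zA-Z0-9._-]/.test(filename)) {
    return NextResponse.json({ error: "Not found" }, { status: 404 });
  }

  const uploadsRoot = path.resolve(UPLOADS_DIR);
  const fullPath = path.resolve(uploadsRoot, filename);

  // Defence in depth: compare against the root *plus a separator*. A bare
  // startsWith(root) would also accept a sibling such as "<root>-other"; the
  // trailing separator additionally rejects the root directory itself.
  // This is a lexical check only — path.resolve does not follow symlinks, so a
  // symlink placed inside the uploads directory is still read by readFile.
  if (!fullPath.startsWith(uploadsRoot + path.sep)) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  try {
    const buf = await readFile(fullPath);
    const ext = path.extname(filename).toLowerCase();
    const mime = MIME[ext] ?? "application/octet-stream";

    const headers: Record<string, string> = {
      "Content-Type": mime,
      // A year-long immutable cache: a file replaced under the same name will
      // keep being served from caches until the entry expires.
      "Cache-Control": "public, max-age=31536000, immutable",
      // Stop browsers from sniffing a different (possibly active) type than
      // the one declared above, notably for the octet-stream fallback.
      "X-Content-Type-Options": "nosniff",
    };

    // SVG is a scriptable document format and is served here from the
    // application's own origin. If uploads can come from users, an SVG opened
    // directly would otherwise run its scripts in that origin; the sandbox
    // policy neutralises script execution for direct navigation.
    if (mime === "image/svg+xml") {
      headers["Content-Security-Policy"] = "script-src 'none'; sandbox";
    }

    return new NextResponse(buf, { headers });
  } catch {
    // Any read failure (missing file, directory, permission error) is
    // reported as 404 so the response does not reveal which case occurred.
    return NextResponse.json({ error: "Not found" }, { status: 404 });
  }
}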
