yt/src/pages/api/download-file.ts

import type { APIRoute } from "astro";
import { getSession, isLoginEnabled } from "../../lib/session";
import { tApi } from "../../lib/i18n";
import { readFile } from "node:fs/promises";
import { existsSync } from "node:fs";
import path from "node:path";

export const GET: APIRoute = async ({ request }) => {
  // Session prüfen (nur wenn Login aktiviert ist)
  const loginEnabled = isLoginEnabled();
  if (loginEnabled) {
    const session = await getSession(request);
    if (!session) {
      return new Response(tApi(request, "api.notAuthenticated"), { status: 401 });
    }
  }

  try {
    const url = new URL(request.url);
    const fileName = url.searchParams.get("file");

    if (!fileName) {
      return new Response(tApi(request, "api.filenameMissing"), { status: 400 });
    }

    // Download-Verzeichnis aus Environment-Variable
    const downloadDir =
      process.env.DOWNLOAD_DIR || path.join(process.cwd(), "downloaded");

    const filePath = path.join(downloadDir, fileName);

    // Sicherheitsprüfung: Verhindere Path Traversal
    if (!filePath.startsWith(downloadDir)) {
      return new Response(tApi(request, "api.invalidFilePath"), { status: 400 });
    }

    if (!existsSync(filePath)) {
      return new Response(tApi(request, "api.fileNotFound"), { status: 404 });
    }

    const fileContent = await readFile(filePath);

    return new Response(fileContent, {
      status: 200,
      headers: {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": `attachment; filename="${fileName}"`,
      },
    });
  } catch (error) {
    console.error("Fehler beim Download der Datei:", error);
    return new Response(
      error instanceof Error ? error.message : tApi(request, "api.errorDownloadingFile"),
      { status: 500 }
    );
  }
};