pollutri
/
captive-portal-cms
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
93 Commits
2 Branches
278 MiB
 
 
Tree: 50c3587f3d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '50c3587f3d'
${ noResults }
captive-portal-cms/app/api/admin/fonts/route.ts

118 lines
4.2 KiB
Raw Blame History 

  1. import { NextResponse } from 'next/server';

  2. import { writeFile, mkdir, unlink } from 'fs/promises';

  3. import path from 'path';

  4. import { fromBuffer as fileTypeFromBuffer } from 'file-type';

  5. import { UPLOAD_LIMITS } from '@/lib/config';

  6. 

  7. export const dynamic = 'force-dynamic';

  8. export const maxDuration = 60;

  9. 

  10. const FONTS_DIR = path.join(process.cwd(), 'data', 'fonts');

  11. const ALLOWED_EXT = new Set(['.woff2', '.woff', '.ttf', '.otf']);

  12. 

  13. // Magic-bytes: ttf e otf condividono il container SFNT, quindi accettiamo entrambi

  14. // per entrambe le estensioni. woff/woff2 hanno header dedicati.

  15. const ALLOWED_DETECTED: Record<string, string[]> = {

  16.   '.woff2': ['woff2'],

  17.   '.woff':  ['woff'],

  18.   '.ttf':   ['ttf', 'otf'],

  19.   '.otf':   ['otf', 'ttf'],

  20. };

  21. 

  22. // Sanitizza il nome del file: solo basename, solo caratteri sicuri, niente path traversal.

  23. // Per i font conviene preservare il nome originale (la logica di lookup italic/bold in

  24. // app/layout.tsx si basa sui pattern `Name-Italic.woff2`, `Name-Bold.woff2`, ecc.).

  25. function sanitizeFontName(rawName: string): string {

  26.   const base = path.basename(rawName);

  27.   // Mantieni lettere, cifre, underscore, hyphen, punto. Tutto il resto → underscore.

  28.   const sanitized = base.replace(/[^a-zA-Z0-9_\-.]/g, '_');

  29.   // Niente percorsi nascosti / nomi vuoti

  30.   if (sanitized.startsWith('.') || sanitized.length === 0) return '';

  31.   return sanitized;

  32. }

  33. 

  34. // POST — upload font

  35. export async function POST(request: Request) {

  36.   try {

  37.     const formData = await request.formData();

  38.     const file = formData.get('file') as File | null;

  39.     if (!file) {

  40.       return NextResponse.json({ error: 'No file received.' }, { status: 400 });

  41.     }

  42. 

  43.     const safeName = sanitizeFontName(file.name);

  44.     const ext = path.extname(safeName).toLowerCase();

  45.     if (!ALLOWED_EXT.has(ext)) {

  46.       return NextResponse.json(

  47.         { error: `Unsupported font extension. Allowed: ${[...ALLOWED_EXT].join(', ')}` },

  48.         { status: 400 },

  49.       );

  50.     }

  51.     if (!safeName || safeName === ext) {

  52.       return NextResponse.json({ error: 'Invalid font filename.' }, { status: 400 });

  53.     }

  54.     if (file.size > UPLOAD_LIMITS.font) {

  55.       const mb = (UPLOAD_LIMITS.font / (1024 * 1024)).toFixed(0);

  56.       return NextResponse.json(

  57.         { error: `Font too large (max ${mb} MB).` },

  58.         { status: 413 },

  59.       );

  60.     }

  61. 

  62.     const buffer = Buffer.from(await file.arrayBuffer());

  63. 

  64.     // Magic-bytes: rifiuta se il contenuto non è davvero un font del tipo dichiarato.

  65.     const detected = await fileTypeFromBuffer(buffer);

  66.     if (!detected) {

  67.       return NextResponse.json(

  68.         { error: 'Font content not recognized (unknown format).' },

  69.         { status: 400 },

  70.       );

  71.     }

  72.     const allowed = ALLOWED_DETECTED[ext] ?? [];

  73.     if (!allowed.includes(detected.ext)) {

  74.       return NextResponse.json(

  75.         { error: `Font content does not match extension (${ext} declared, detected ${detected.ext}).` },

  76.         { status: 400 },

  77.       );

  78.     }

  79. 

  80.     await mkdir(FONTS_DIR, { recursive: true });

  81.     await writeFile(path.join(FONTS_DIR, safeName), buffer);

  82. 

  83.     return NextResponse.json({ ok: true, name: safeName }, { status: 201 });

  84.   } catch (error) {

  85.     console.error('Font upload error:', error);

  86.     return NextResponse.json({ error: 'Failed to upload font.' }, { status: 500 });

  87.   }

  88. }

  89. 

  90. // DELETE — rimuove un font (query ?name=<filename>)

  91. export async function DELETE(request: Request) {

  92.   try {

  93.     const { searchParams } = new URL(request.url);

  94.     const rawName = searchParams.get('name');

  95.     if (!rawName) {

  96.       return NextResponse.json({ error: 'Missing name parameter.' }, { status: 400 });

  97.     }

  98.     const safeName = sanitizeFontName(rawName);

  99.     const ext = path.extname(safeName).toLowerCase();

  100.     if (!ALLOWED_EXT.has(ext) || !safeName) {

  101.       return NextResponse.json({ error: 'Invalid font name.' }, { status: 400 });

  102.     }

  103.     try {

  104.       await unlink(path.join(FONTS_DIR, safeName));

  105.     } catch (err) {

  106.       const e = err as NodeJS.ErrnoException;

  107.       if (e.code === 'ENOENT') {

  108.         return NextResponse.json({ error: 'Font not found.' }, { status: 404 });

  109.       }

  110.       throw err;

  111.     }

  112.     return NextResponse.json({ ok: true });

  113.   } catch (error) {

  114.     console.error('Font delete error:', error);

  115.     return NextResponse.json({ error: 'Failed to delete font.' }, { status: 500 });

  116.   }

  117. }