mirror of
https://github.com/xpltdco/media-rip.git
synced 2026-04-03 10:54:00 -06:00
efc2ead796
Full-featured self-hosted yt-dlp web frontend:
- Python 3.12+ / FastAPI backend with async SQLite, SSE transport, session isolation
- Vue 3 / TypeScript / Pinia frontend with real-time progress, theme picker
- 3 built-in themes (cyberpunk/dark/light) + drop-in custom theme system
- Admin auth (bcrypt), purge system, cookie upload, file serving
- Docker multi-stage build, GitHub Actions CI/CD
- 179 backend tests, 29 frontend tests (208 total)
Slices: S01 (Foundation), S02 (SSE+Sessions), S03 (Frontend),
S04 (Admin+Auth), S05 (Themes), S06 (Docker+CI)
39 lines
1.2 KiB
Python
39 lines
1.2 KiB
Python
"""File serving for completed downloads — enables link sharing (R018)."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
from pathlib import Path
|
|
|
|
from fastapi import APIRouter, HTTPException, Request
|
|
from fastapi.responses import FileResponse
|
|
|
|
logger = logging.getLogger("mediarip.files")
|
|
|
|
router = APIRouter(tags=["files"])
|
|
|
|
|
|
@router.get("/downloads/{filename:path}")
|
|
async def serve_download(filename: str, request: Request) -> FileResponse:
|
|
"""Serve a completed download file.
|
|
|
|
Files are served from the configured output directory.
|
|
Path traversal is prevented by resolving and checking the path
|
|
stays within the output directory.
|
|
"""
|
|
config = request.app.state.config
|
|
output_dir = Path(config.downloads.output_dir).resolve()
|
|
file_path = (output_dir / filename).resolve()
|
|
|
|
# Prevent path traversal
|
|
if not str(file_path).startswith(str(output_dir)):
|
|
raise HTTPException(status_code=403, detail="Access denied")
|
|
|
|
if not file_path.is_file():
|
|
raise HTTPException(status_code=404, detail="File not found")
|
|
|
|
return FileResponse(
|
|
path=file_path,
|
|
filename=file_path.name,
|
|
media_type="application/octet-stream",
|
|
)
|