2026-06-20 20:59:03 -04:00
|
|
|
import { Readable } from "node:stream";
|
2026-06-07 17:54:30 -04:00
|
|
|
import { NextRequest } from "next/server";
|
|
|
|
|
import { prisma } from "@/lib/db";
|
2026-06-20 20:59:03 -04:00
|
|
|
import { rateLimit, LIMITS } from "@/lib/ratelimit";
|
2026-06-07 17:54:30 -04:00
|
|
|
import { storage } from "@/lib/storage";
|
|
|
|
|
|
|
|
|
|
export const dynamic = "force-dynamic";
|
|
|
|
|
|
2026-06-20 20:59:03 -04:00
|
|
|
/** Best-effort client IP for anonymous rate limiting. */
|
|
|
|
|
function clientKey(req: NextRequest): string {
|
|
|
|
|
const fwd = req.headers.get("x-forwarded-for");
|
|
|
|
|
if (fwd) return fwd.split(",")[0].trim();
|
|
|
|
|
return req.headers.get("x-real-ip") ?? "anon";
|
|
|
|
|
}
|
|
|
|
|
|
2026-06-07 17:54:30 -04:00
|
|
|
/**
|
|
|
|
|
* Stream an episode's MP3 to anonymous visitors, authorized purely by a valid,
|
|
|
|
|
* still-enabled public `shareId` (NOT a session). Returns 404 when the share is
|
|
|
|
|
* disabled or the audio is missing so we never disclose private episode state.
|
|
|
|
|
*
|
2026-06-20 20:59:03 -04:00
|
|
|
* Supports HTTP Range requests so the audio element can seek/scrub. The file is
|
|
|
|
|
* streamed off disk (never buffered whole) to avoid memory-amplification DoS.
|
2026-06-07 17:54:30 -04:00
|
|
|
*/
|
|
|
|
|
export async function GET(
|
|
|
|
|
req: NextRequest,
|
|
|
|
|
{ params }: { params: Promise<{ shareId: string }> }
|
|
|
|
|
) {
|
2026-06-20 20:59:03 -04:00
|
|
|
// Rate-limit by client IP (never by shareId alone).
|
|
|
|
|
const rl = await rateLimit("public-audio", clientKey(req), LIMITS.publicMedia);
|
|
|
|
|
if (!rl.ok) {
|
|
|
|
|
return new Response("Too many requests", {
|
|
|
|
|
status: 429,
|
|
|
|
|
headers: { "Retry-After": String(rl.retryAfterSec ?? 1) },
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2026-06-07 17:54:30 -04:00
|
|
|
const { shareId } = await params;
|
|
|
|
|
|
|
|
|
|
const episode = await prisma.episode.findUnique({
|
|
|
|
|
where: { shareId },
|
|
|
|
|
select: { audioAsset: { select: { storageKey: true } } },
|
|
|
|
|
});
|
|
|
|
|
const key = episode?.audioAsset?.storageKey;
|
|
|
|
|
if (!key) return new Response("Not found", { status: 404 });
|
|
|
|
|
|
2026-06-20 20:59:03 -04:00
|
|
|
const total = await storage().size(key);
|
|
|
|
|
if (total === null) return new Response("Not found", { status: 404 });
|
2026-06-07 17:54:30 -04:00
|
|
|
|
|
|
|
|
const contentType = "audio/mpeg";
|
|
|
|
|
|
|
|
|
|
const range = req.headers.get("range");
|
|
|
|
|
if (range) {
|
|
|
|
|
const match = /bytes=(\d+)-(\d*)/.exec(range);
|
|
|
|
|
if (match) {
|
|
|
|
|
const start = Number(match[1]);
|
|
|
|
|
const end = match[2] ? Math.min(Number(match[2]), total - 1) : total - 1;
|
|
|
|
|
if (start <= end && start < total) {
|
2026-06-20 20:59:03 -04:00
|
|
|
const node = storage().createReadStream!(key, { start, end });
|
|
|
|
|
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
|
|
|
|
|
return new Response(body, {
|
2026-06-07 17:54:30 -04:00
|
|
|
status: 206,
|
|
|
|
|
headers: {
|
|
|
|
|
"Content-Type": contentType,
|
2026-06-20 20:59:03 -04:00
|
|
|
"Content-Length": String(end - start + 1),
|
2026-06-07 17:54:30 -04:00
|
|
|
"Content-Range": `bytes ${start}-${end}/${total}`,
|
|
|
|
|
"Accept-Ranges": "bytes",
|
|
|
|
|
"Cache-Control": "public, max-age=3600",
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-06-20 20:59:03 -04:00
|
|
|
const node = storage().createReadStream!(key);
|
|
|
|
|
const body = Readable.toWeb(node as Readable) as unknown as BodyInit;
|
|
|
|
|
return new Response(body, {
|
2026-06-07 17:54:30 -04:00
|
|
|
headers: {
|
|
|
|
|
"Content-Type": contentType,
|
|
|
|
|
"Content-Length": String(total),
|
|
|
|
|
"Accept-Ranges": "bytes",
|
|
|
|
|
"Cache-Control": "public, max-age=3600",
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
