@fontoxml/fontoxml-development-tools/src/modules/editor/dev-cms/connectors-cms-standard/configureOutputAssetGetRouteHandler.js

Development tools for Fonto.

/** @typedef {import('../../src/getAppConfig.js').DevCmsConfig} DevCmsConfig */

/**
 * @param {DevCmsConfig} config
 */
function configureOutputAssetGetRouteHandler(config) {
	return async (req, res) => {
		const correlationIdRepository = req.repositories.correlationId;

		// Because these requests do not originate from the editor, but from another server, we
		// have no edit session token. We do, however, have an correlationId which we may resolve
		// to the editSessionToken used by the corresponding call to the proxy
		const editSessionToken =
			correlationIdRepository.getEditSessionTokenForRequest(req);

		const id = req.query.id;
		if (id && id.indexOf('..') !== -1) {
			res.status(403).end();
			return;
		}

		const filePath = req.cms.getPath(id, editSessionToken);
		if (filePath) {
			res.sendFile(filePath, {
				cacheControl: !config.cacheControlDisabled,
				maxAge: config.cacheControlMaxAge,
			});
		} else {
			res.status(404).end();
		}
	};
}

export default configureOutputAssetGetRouteHandler;