SecMPS/api_sqlsugar/VolPro.WebApi/Controllers/Warehouse/FileServiceController.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using System;
using System.IO;
namespace VolPro.WebApi.Controllers.Warehouse;
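/// <summary>
/// File service. Exposes static files from the VolPro file system (screenshots, exports, etc.).
/// Does not go through the VolPro JWT authentication system; the gateway's group-B endpoints call it directly.
/// </summary>
/// <remarks>
/// The controller is marked <see cref="AllowAnonymousAttribute"/>, so no caller identity is checked here.
/// NOTE(review): presumably reachability is restricted to the gateway at the network layer; confirm,
/// because otherwise every file in the served directory is readable without credentials.
/// </remarks>
[ApiController]
[AllowAnonymous]
public class FileServiceController : Controller
{
    /// <summary>
    /// Returns a screenshot file.
    /// Files are stored in the VolPro.WebApi/Download/Screenshots/ directory.
    /// </summary>
    /// <param name="filename">File name including its extension, e.g. abc.png.</param>
    /// <returns>
    /// 400 when the name is not a plain file name or resolves outside the screenshots directory,
    /// 404 when the file does not exist, otherwise the file with a content type chosen from its extension.
    /// </returns>
    [HttpGet("api/gateway/screenshots/{filename}")]
    public IActionResult GetScreenshot(string filename)
    {
        // Security check: reject path traversal ("..", '/', '\') and anything that is not a bare file name.
        // The substring checks alone are not sufficient: Path.Combine returns its last argument unchanged
        // when that argument is rooted, and on Windows a drive-qualified name needs no separator to be rooted.
        // GetInvalidFileNameChars() and the GetFileName round-trip reject such names on the host platform.
        if (string.IsNullOrWhiteSpace(filename) ||
            filename.Contains("..") ||
            filename.Contains('/') ||
            filename.Contains('\\') ||
            filename.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            !string.Equals(Path.GetFileName(filename), filename, StringComparison.Ordinal))
        {
            return BadRequest(new { error = "非法文件名" });
        }

        var folder = Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "Download", "Screenshots"));
        var filePath = Path.GetFullPath(Path.Combine(folder, filename));

        // Defence in depth: whatever the name looked like, the canonical path must stay inside the folder.
        // The trailing separator stops a sibling directory such as "Screenshots2" from matching the prefix.
        var folderPrefix = folder.EndsWith(Path.DirectorySeparatorChar)
            ? folder
            : folder + Path.DirectorySeparatorChar;
        if (!filePath.StartsWith(folderPrefix, StringComparison.Ordinal))
        {
            return BadRequest(new { error = "非法文件名" });
        }

        if (!System.IO.File.Exists(filePath))
        {
            return NotFound(new { error = "文件不存在" });
        }

        // NOTE(review): files with any other extension are still served, as application/octet-stream.
        // If the directory is meant to hold images only, an extension allow-list here would narrow
        // what an anonymous caller can download.
        var ext = Path.GetExtension(filename).ToLowerInvariant();
        var contentType = ext switch
        {
            ".png" => "image/png",
            ".jpg" or ".jpeg" => "image/jpeg",
            ".gif" => "image/gif",
            _ => "application/octet-stream"
        };

        return PhysicalFile(filePath, contentType);
    }
}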