From 2700034646fc1f750e249a23a76e01e490a1bdc7 Mon Sep 17 00:00:00 2001
From: MrWaradana
Date: Tue, 4 Nov 2025 08:52:17 +0700
Subject: [PATCH] route for file uploads static
---
 src/api.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/api.py b/src/api.py
index 6a55cd6..3f33702 100644
--- a/src/api.py
+++ b/src/api.py
@@ -1,7 +1,8 @@
 from typing import List, Optional
 from fastapi import APIRouter, Depends
-from fastapi.responses import JSONResponse
+from fastapi.responses import JSONResponse, FileResponse
 from pydantic import BaseModel
+import os
 from src.auth.service import JWTBearer
@@ -75,5 +76,19 @@ authenticated_api_router.include_router(
 yeardata_router, prefix="/yeardata", tags=["yeardata"]
 )
+@api_router.get("/uploads/{file_path:path}", include_in_schema=False)
+def uploads(file_path: str):
+ """Endpoint to static folder on backend ."""
+ uploads_dir = os.path.join(os.path.dirname(__file__), "uploads")
+ abs_file_path = os.path.abspath(os.path.join(uploads_dir, file_path))
+
+ # Security check: ensure abs_file_path is inside uploads_dir
+ if not abs_file_path.startswith(os.path.abspath(uploads_dir)):
+ return JSONResponse(status_code=403, content={"detail": [{"msg": "Forbidden"}]})
+
+ if not os.path.isfile(abs_file_path):
+ return JSONResponse(status_code=404, content={"detail": [{"msg": "File not found"}]})
+
+ return FileResponse(abs_file_path)
 api_router.include_router(authenticated_api_router)
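Review bot: The containment check in `uploads` compares raw string prefixes, so `abs_file_path.startswith(os.path.abspath(uploads_dir))` also accepts a sibling directory whose name merely begins with `uploads` (for instance `uploads_private`, a name constructed here for illustration), and `os.path.abspath` does not resolve symlinks that sit inside the folder. Resolve both sides and compare on a directory boundary instead: `base = os.path.realpath(uploads_dir)`, `abs_file_path = os.path.realpath(os.path.join(base, file_path))`, `if not abs_file_path.startswith(base + os.sep):`. The route is also registered on `api_router` rather than `authenticated_api_router`, so as far as this hunk shows it is reachable without the JWT dependency; if uploaded files are not meant to be public it belongs on the authenticated router. If these files are user-supplied, note that `FileResponse` derives the media type from the file name, so passing `filename=` (which sends the file as an attachment) would keep uploaded HTML or SVG from being rendered on the API origin.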