Refactor Galerie component to use image IDs for keys and update image loading logic; add new scripts for generating previews and migrating public gallery to metadata with authentication checks.

server/api/media/galerie/[id].get.js

@@ -0,0 +1,83 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, verifyToken } from '../../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
+  return path.join(cwd, 'server/data', filename)
+}
+
+const GALERIE_DIR = getDataPath('galerie')
+const GALERIE_METADATA = getDataPath('galerie-metadata.json')
+
+async function readGalerieMetadata() {
+  try {
+    const data = await fs.readFile(GALERIE_METADATA, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') return []
+    throw error
+  }
+}
+
+async function isLoggedIn(event) {
+  const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+  if (!token) return false
+  const decoded = verifyToken(token)
+  if (!decoded) return false
+  const user = await getUserFromToken(token)
+  return !!(user && user.active)
+}
+
+export default defineEventHandler(async (event) => {
+  const imageId = getRouterParam(event, 'id')
+  const query = getQuery(event)
+  const preview = query.preview === 'true'
+
+  if (!imageId) {
+    throw createError({ statusCode: 400, statusMessage: 'Bild-ID erforderlich' })
+  }
+
+  const metadata = await readGalerieMetadata()
+  const image = metadata.find(img => img.id === imageId)
+  if (!image) {
+    throw createError({ statusCode: 404, statusMessage: 'Bild nicht gefunden' })
+  }
+
+  if (!image.isPublic) {
+    const ok = await isLoggedIn(event)
+    if (!ok) throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
+  }
+
+  const filename = preview ? image.previewFilename : image.filename
+  const sanitized = path.basename(path.normalize(String(filename || '')))
+  if (!sanitized || sanitized.includes('..')) {
+    throw createError({ statusCode: 400, statusMessage: 'Ungültiger Dateiname' })
+  }
+
+  const subdir = preview ? 'previews' : 'originals'
+  const filePath = path.join(GALERIE_DIR, subdir, sanitized)
+
+  try {
+    await fs.access(filePath)
+  } catch (e) {
+    throw createError({ statusCode: 404, statusMessage: 'Bilddatei nicht gefunden' })
+  }
+
+  const ext = path.extname(sanitized).toLowerCase()
+  const mimeTypes = {
+    '.jpg': 'image/jpeg',
+    '.jpeg': 'image/jpeg',
+    '.png': 'image/png',
+    '.gif': 'image/gif',
+    '.webp': 'image/webp',
+    '.svg': 'image/svg+xml'
+  }
+  const contentType = mimeTypes[ext] || 'application/octet-stream'
+
+  const buf = await fs.readFile(filePath)
+  setHeader(event, 'Content-Type', contentType)
+  setHeader(event, 'Cache-Control', image.isPublic ? 'public, max-age=31536000, immutable' : 'private, max-age=0, no-store')
+  return buf
+})

server/api/media/internal/[...path].get.js

@@ -0,0 +1,66 @@
+import fs from 'fs'
+import fsp from 'fs/promises'
+import path from 'path'
+
+// Minimal auth check using existing auth cookie/session
+function isAuthenticated(event) {
+  try {
+    const token = getCookie(event, 'auth_token') || getCookie(event, 'session_token')
+    return token && String(token).trim() !== ''
+  } catch (e) {
+    return false
+  }
+}
+
+// Resolve file path within a non-public internal media directory
+function resolveInternalPath(reqPath) {
+  const baseDir = path.join(process.cwd(), 'server', 'private', 'gallery-internal')
+  // prevent path traversal
+  const safe = path.normalize(reqPath).replace(/^\/+/, '')
+  return path.join(baseDir, safe)
+}
+
+export default defineEventHandler(async (event) => {
+  // auth gate
+  if (!isAuthenticated(event)) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht autorisiert' })
+  }
+
+  const param = event.context.params?.path
+  const reqPath = Array.isArray(param) ? param.join('/') : String(param || '')
+  if (!reqPath) {
+    throw createError({ statusCode: 400, statusMessage: 'Bildpfad fehlt' })
+  }
+
+  const filePath = resolveInternalPath(reqPath)
+  // check existence and ensure it stays within baseDir
+  const baseDir = path.join(process.cwd(), 'server', 'private', 'gallery-internal')
+  const resolved = path.resolve(filePath)
+  if (!resolved.startsWith(path.resolve(baseDir))) {
+    throw createError({ statusCode: 400, statusMessage: 'Ungültiger Pfad' })
+  }
+
+  try {
+    const stat = await fsp.stat(resolved)
+    if (!stat.isFile()) throw new Error('not a file')
+  } catch (e) {
+    throw createError({ statusCode: 404, statusMessage: 'Datei nicht gefunden' })
+  }
+
+  // determine content type by extension
+  const ext = path.extname(resolved).toLowerCase()
+  const contentType = (
+    ext === '.jpg' || ext === '.jpeg' ? 'image/jpeg' :
+    ext === '.png' ? 'image/png' :
+    ext === '.gif' ? 'image/gif' :
+    ext === '.webp' ? 'image/webp' :
+    ext === '.svg' ? 'image/svg+xml' :
+    'application/octet-stream'
+  )
+
+  // stream the file
+  const stream = fs.createReadStream(resolved)
+  setHeader(event, 'Content-Type', contentType)
+  setHeader(event, 'Cache-Control', 'private, max-age=0, no-store')
+  return sendStream(event, stream)
+})