el.xwx.moe/pages/api/v1/avatar/[id].ts

import type { NextApiRequest, NextApiResponse } from "next";
import { prisma } from "@/lib/api/db";
import readFile from "@/lib/api/storage/readFile";
import verifyToken from "@/lib/api/verifyToken";

export default async function Index(req: NextApiRequest, res: NextApiResponse) {
  const queryId = Number(req.query.id);

  if (!queryId)
    return res
      .setHeader("Content-Type", "text/plain")
      .status(401)
      .send("Invalid parameters.");

  const token = await verifyToken({ req });
  const userId = typeof token === "string" ? undefined : token?.id;

  if (req.method === "GET") {
    const targetUser = await prisma.user.findUnique({
      where: {
        id: queryId,
      },
      include: {
        whitelistedUsers: true,
      },
    });

    if (!targetUser) {
      return res
        .setHeader("Content-Type", "text/plain")
        .status(400)
        .send("File inaccessible.");
    }

    const isInAPublicCollection = await prisma.collection.findFirst({
      where: {
        ["OR"]: [
          { ownerId: targetUser.id },
          {
            members: {
              some: {
                userId: targetUser.id,
              },
            },
          },
        ],
        isPublic: true,
      },
    });

    if (targetUser?.isPrivate && !isInAPublicCollection) {
      if (!userId) {
        return res
          .setHeader("Content-Type", "text/plain")
          .status(400)
          .send("File inaccessible.");
      }

      const user = await prisma.user.findUnique({
        where: {
          id: userId,
        },
        include: {
          subscriptions: true,
        },
      });

      const whitelistedUsernames = targetUser?.whitelistedUsers.map(
        (whitelistedUsername) => whitelistedUsername.username
      );

      if (!user?.username) {
        return res
          .setHeader("Content-Type", "text/plain")
          .status(400)
          .send("File inaccessible.");
      }

      if (
        user.username &&
        !whitelistedUsernames?.includes(user.username) &&
        targetUser.id !== user.id
      ) {
        return res
          .setHeader("Content-Type", "text/plain")
          .status(400)
          .send("File inaccessible.");
      }
    }

    const { file, contentType, status } = await readFile(
      `uploads/avatar/${queryId}.jpg`
    );

    return res
      .setHeader("Content-Type", contentType)
      .status(status as number)
      .send(file);
  }
}