feat: add API route for serving images with path validation

frontend/app/api/images/[filename]/route.ts

@@ -0,0 +1,31 @@
+import { NextRequest, NextResponse } from 'next/server';
+import * as fs from 'fs';
+import * as path from 'path';
+
+const IMAGE_DIR = process.env.IMAGE_DIR || '/app/public/images';
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: Promise<{ filename: string }> },
+) {
+  const { filename } = await params;
+
+  // Förhindra path traversal
+  if (!filename || filename.includes('..') || filename.includes('/') || filename.includes('\\')) {
+    return new NextResponse('Not found', { status: 404 });
+  }
+
+  const filePath = path.join(IMAGE_DIR, filename);
+
+  if (!fs.existsSync(filePath)) {
+    return new NextResponse('Not found', { status: 404 });
+  }
+
+  const file = fs.readFileSync(filePath);
+  return new NextResponse(file, {
+    headers: {
+      'Content-Type': 'image/jpeg',
+      'Cache-Control': 'public, max-age=31536000, immutable',
+    },
+  });
+}

frontend/next.config.js

@@ -1,6 +1,14 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   output: 'standalone',
+  async rewrites() {
+    return [
+      {
+        source: '/images/:filename',
+        destination: '/api/images/:filename',
+      },
+    ];
+  },
 };
 
 module.exports = nextConfig;