pihka-al/server/api/files/[name]/index.delete.ts

import { unlink } from "node:fs/promises";
import { resolve } from "node:path";
import { z } from "zod";

const paramsSchema = z.object({
  name: z.string().min(1).regex(/^[^/\\]+$/, "Invalid filename"),
});

export default defineEventHandler(async (event) => {
  const params = await getValidatedRouterParams(event, paramsSchema.parse);
  const dir = resolve(process.cwd(), "public/files");
  const filePath = resolve(dir, params.name);

  if (!filePath.startsWith(dir + "/")) {
    throw createError({ statusCode: 400, message: "Invalid filename" });
  }

  try {
    await unlink(filePath);
    return { success: true };
  } catch {
    throw createError({ statusCode: 404, message: "File not found" });
  }
});