"""Public endpoint for serving portfolio attachment files.

Registered WITHOUT JWT dependency in main.py.
Security: filenames are UUID hex strings (not guessable).
Nginx basic-auth still covers the full site on production.
"""
import os

from fastapi import APIRouter, HTTPException, status
from fastapi.responses import FileResponse

from app.helpers.file_storage import get_full_path

# Router for the unauthenticated attachment download route; the tag groups it
# in the generated API docs.
_TAGS = ["portfolio-files"]
router = APIRouter(tags=_TAGS)


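@router.get("/api/portfolio/attachments/{filename}")
async def serve_portfolio_attachment(filename: str) -> FileResponse:
    """Serve one stored portfolio attachment by its bare filename.

    This route is mounted without the JWT dependency, so ``filename`` is
    untrusted input: the validation below is the only barrier between a
    caller and the attachment storage directory.

    Args:
        filename: The path component from the URL. Expected to be a bare
            file name (a UUID hex string per the module docstring) with no
            directory parts.

    Returns:
        A ``FileResponse`` streaming the file, with ``filename`` used as the
        ``Content-Disposition`` download name.

    Raises:
        HTTPException: 400 if ``filename`` is empty, is ``.``, contains a
            path separator, ``..``, or a control character; 404 if the
            resolved path is not a regular file.
    """
    # Path-traversal guard. Reject both platforms' separators and the parent
    # reference as before, plus "."/empty names -- those pass the separator
    # checks but would resolve to the storage directory itself rather than a
    # file. Control characters (NUL, CR/LF, ...) never occur in a legitimate
    # name and could corrupt response headers or the filesystem call.
    if (
        not filename
        or filename == "."
        or "/" in filename
        or "\\" in filename
        or ".." in filename
        or any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename)
    ):
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid filename")

    path = get_full_path(filename)
    # isfile (not exists): a directory or special file must never be handed to
    # FileResponse. Both cases are reported as "not found" so the response does
    # not reveal what else exists under the storage root. Note that isfile
    # follows symlinks; whether links can exist inside the storage directory is
    # a property of get_full_path / the upload path, not enforced here.
    if not os.path.isfile(path):
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="File not found")

    return FileResponse(path, filename=filename)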
