From 91507cc8f86cc68d56518622eac0ba2627915415 Mon Sep 17 00:00:00 2001
From: Phillip Tarrant <ptarrant@gmail.com>
Date: Thu, 20 Nov 2025 09:32:28 -0600
Subject: [PATCH] Add route to serve scan output files

Output files (JSON, HTML, ZIP) are stored outside the static directory,
so download links in scan_detail.html were broken. This adds a /output/
route that serves files from the output directory using send_from_directory
for secure file access. Route requires authentication.
---
 app/web/routes/main.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/web/routes/main.py b/app/web/routes/main.py
index ac15a97..583fdc5 100644
--- a/app/web/routes/main.py
+++ b/app/web/routes/main.py
@@ -5,8 +5,9 @@ Provides dashboard and scan viewing pages.
 """
 
 import logging
+import os
 
-from flask import Blueprint, current_app, redirect, render_template, url_for
+from flask import Blueprint, current_app, redirect, render_template, send_from_directory, url_for
 
 from web.auth.decorators import login_required
 
@@ -244,3 +245,19 @@ def alert_rules():
         'alert_rules.html',
         rules=rules
     )
+
+
+@bp.route('/output/<path:filename>')
+@login_required
+def serve_output_file(filename):
+    """
+    Serve output files (JSON, HTML, ZIP) from the output directory.
+
+    Args:
+        filename: Name of the file to serve
+
+    Returns:
+        The requested file
+    """
+    output_dir = os.environ.get('OUTPUT_DIR', '/app/output')
+    return send_from_directory(output_dir, filename)