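# Serves user avatar images addressed by username, content hash and format.
class AvatarsController < ApplicationController
  # Sends the avatar of the user whose +cn+ equals params[:username].
  #
  # Request parameters read here:
  #   :username - matched against User#cn
  #   :hash     - with :format, must reproduce the stored avatar filename
  #   :format   - file extension, defaults to :png
  #   :size     - :original (default), otherwise handed to User#avatar_variant
  #
  # Answers with the :not_found status (via http_status, defined outside this
  # class body) when the user is unknown, no avatar is attached, the
  # "<hash>.<format>" pair differs from the stored filename, or no blob is
  # available for the requested size.
  def show
    user = User.find_by(cn: params[:username])

    # Return explicitly rather than `http_status ... and return`, so the action
    # stops here regardless of what http_status itself returns.
    return http_status(:not_found) unless user
    return http_status(:not_found) unless user.avatar.attached?

    sha256_hash  = params[:hash]
    image_format = params[:format]&.to_sym || :png
    size         = params[:size]&.to_sym || :original

    # The URL must name exactly the file that is stored; anything else is a
    # stale or guessed link.
    expected_filename = "#{sha256_hash}.#{image_format}"
    return http_status(:not_found) unless user.avatar.filename.to_s == expected_filename

    blob =
      if size == :original
        user.avatar.blob
      else
        # TODO Variants use the same custom storage key/path, which
        # makes blob downloads always fetch the original version instead
        # of the variant. Needs to be fixed/added in Rails.
        #
        # NOTE(review): size comes straight from the request; presumably
        # avatar_variant only accepts known sizes -- confirm in the model.
        user.avatar_variant(size: size)&.blob
      end

    # avatar_variant is called with safe navigation, so blob can be nil here;
    # answer 404 instead of raising NoMethodError on nil.download.
    return http_status(:not_found) unless blob

    # NOTE(review): the Content-Type is built from params[:format]. It is only
    # constrained by the filename comparison above, so it is as trustworthy as
    # the stored filename. Confirm that uploads restrict the extension to known
    # image types, since the body is served with an inline disposition.
    send_data blob.download, type: "image/#{image_format}", disposition: "inline"
  end
end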