only serve public and ui dir (#201)

* only serve public and ui dir

* prevent traversal attack

* remove useless variable

* public dir is optional

* fix parent check

* replace custom logic with fast api APIs

src/chainlit/server.py

@@ -13,6 +13,7 @@
 from watchfiles import awatch
 
 from fastapi import FastAPI, Request
+from fastapi.staticfiles import StaticFiles
 from fastapi.responses import (
     HTMLResponse,
     JSONResponse,
@@ -123,6 +124,14 @@ async def watch_files_for_changes():
 
 app = FastAPI(lifespan=lifespan)
 
+app.mount("/public", StaticFiles(directory="public", check_dir=False), name="public")
+app.mount(
+    "/assets",
+    StaticFiles(packages=[("chainlit", os.path.join(build_dir, "assets"))]),
+    name="assets",
+)
+
+
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
@@ -131,6 +140,7 @@ async def watch_files_for_changes():
     allow_headers=["*"],
 )
 
+
 # Define max HTTP data size to 100 MB
 max_message_size = 100 * 1024 * 1024
 
@@ -296,19 +306,16 @@ async def serve_file(filename: str):
         return {"error": "File not found"}
 
 
+@app.get("/favicon.svg")
+async def get_favicon():
+    favicon_path = os.path.join(build_dir, "favicon.svg")
+    return FileResponse(favicon_path, media_type="image/svg+xml")
+
+
 def register_wildcard_route_handler():
     @app.get("/{path:path}")
     async def serve(path: str):
-        """Serve the UI and app files."""
-        if path:
-            app_file_path = os.path.join(config.root, path)
-            ui_file_path = os.path.join(build_dir, path)
-            file_paths = [app_file_path, ui_file_path]
-
-            for file_path in file_paths:
-                if os.path.isfile(file_path):
-                    return FileResponse(file_path)
-
+        """Serve the UI files."""
         response = HTMLResponse(content=html_template, status_code=200)
         response.set_cookie(
             key="chainlit-session", value=str(uuid.uuid4()), httponly=True