Buriburizaemon/nodewarden
1
0
Fork 0
mirror of https://github.com/shuaiplus/nodewarden.git synced 2026-06-20 13:00:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add remote backup restore and attachment download functionality

Browse Source
This commit is contained in:
shuaiplus
2026-06-07 21:06:34 +08:00
parent af70cab766
commit 5ed7c949c1
2 changed files with 400 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/durable/backup-transfer-runner.ts
+175 -3
View File
@@ -2,15 +2,25 @@ import type { Env } from '../types';
import type { BackupDestinationRecord } from '../services/backup-config'; import type { BackupDestinationRecord } from '../services/backup-config';
import { import {
BACKUP_SCHEDULER_WINDOW_MINUTES, BACKUP_SCHEDULER_WINDOW_MINUTES,
requireBackupDestination,
hasBackupSlotBetween, hasBackupSlotBetween,
isBackupDueNow, isBackupDueNow,
loadBackupSettings, loadBackupSettings,
} from '../services/backup-config'; } from '../services/backup-config';
import { createRemoteBackupTransferSession } from '../services/backup-uploader'; import {
createRemoteBackupTransferSession,
downloadRemoteBackupFile,
ensureRemoteRestoreCandidate,
} from '../services/backup-uploader';
import { getBlobObject } from '../services/blob-store'; import { getBlobObject } from '../services/blob-store';
import { StorageService } from '../services/storage'; import { StorageService } from '../services/storage';
import { notifyUserBackupProgress } from './notifications-hub'; import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from './notifications-hub';
import { executeConfiguredBackup } from '../handlers/backup'; import {
executeConfiguredBackup,
importAndAuditRemoteBackupFile,
} from '../handlers/backup';
import { verifyBackupArchiveFileNameChecksum } from '../services/backup-archive';
import { zipSync } from 'fflate';
const BACKUP_JOB_STATE_KEY = 'backup.job.state.v1'; const BACKUP_JOB_STATE_KEY = 'backup.job.state.v1';
const BACKUP_JOB_LEASE_MS = 10 * 60 * 1000; const BACKUP_JOB_LEASE_MS = 10 * 60 * 1000;
@@ -31,6 +41,16 @@ interface RemoteAttachmentChunkRequest {
}>; }>;
} }
interface RemoteAttachmentDownloadRequest {
destination: BackupDestinationRecord;
blobName?: string | null;
}
interface RemoteAttachmentBatchDownloadRequest {
destination: BackupDestinationRecord;
blobNames?: string[] | null;
}
interface ConfiguredBackupRunRequest { interface ConfiguredBackupRunRequest {
actorUserId?: string | null; actorUserId?: string | null;
auditMetadata?: Record<string, unknown> | null; auditMetadata?: Record<string, unknown> | null;
@@ -39,6 +59,16 @@ interface ConfiguredBackupRunRequest {
trigger?: 'manual' | 'scheduled'; trigger?: 'manual' | 'scheduled';
} }
interface RemoteBackupRestoreRequest {
actorUserId?: string | null;
allowChecksumMismatch?: boolean;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
path?: string | null;
replaceExisting?: boolean;
targetDeviceIdentifier?: string | null;
}
function badRequest(message: string, status: number = 400): Response { function badRequest(message: string, status: number = 400): Response {
return new Response(JSON.stringify({ error: message }), { return new Response(JSON.stringify({ error: message }), {
status, status,
@@ -229,6 +259,82 @@ export class BackupTransferRunner {
} }
} }
private async restoreRemoteBackup(request: Request): Promise<Response> {
let body: RemoteBackupRestoreRequest;
try {
body = await request.json<RemoteBackupRestoreRequest>();
} catch {
return badRequest('Remote restore payload is invalid');
}
const actorUserId = String(body.actorUserId || '').trim() || null;
if (!actorUserId) {
return badRequest('Remote restore requires an actor');
}
const token = await this.acquireJob(`restore:${actorUserId}`);
if (!token) {
return badRequest('Another backup or restore run is already in progress', 409);
}
try {
await this.touchJob(token);
const storage = new StorageService(this.env.DB);
const settings = await loadBackupSettings(storage, this.env, 'UTC');
const destination = requireBackupDestination(settings, body.destinationId || null);
const path = ensureRemoteRestoreCandidate(String(body.path || ''));
const restoreFileNameFromPath = path.split('/').pop() || path;
const targetDeviceIdentifier = String(body.targetDeviceIdentifier || '').trim() || null;
const replaceExisting = !!body.replaceExisting;
await notifyUserBackupRestoreProgress(
this.env,
actorUserId,
{
operation: 'backup-restore',
source: 'remote',
step: 'remote_fetch_archive',
fileName: restoreFileNameFromPath,
stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
replaceExisting,
},
targetDeviceIdentifier
);
const remoteFile = await downloadRemoteBackupFile(destination, path);
const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
if (!checksumOk && !body.allowChecksumMismatch) {
return badRequest('Remote backup file checksum does not match its filename');
}
const result = await importAndAuditRemoteBackupFile(
this.env,
storage,
actorUserId,
remoteFile,
destination,
path,
replaceExisting,
!checksumOk,
body.auditMetadata || null,
targetDeviceIdentifier
);
return new Response(JSON.stringify(result.result), {
status: 200,
headers: {
'Content-Type': 'application/json; charset=utf-8',
'Cache-Control': 'no-store',
},
});
} catch (error) {
return badRequest(error instanceof Error ? error.message : 'Remote backup restore failed', 500);
} finally {
await this.releaseJob(token);
}
}
async fetch(request: Request): Promise<Response> { async fetch(request: Request): Promise<Response> {
const url = new URL(request.url); const url = new URL(request.url);
if (request.method !== 'POST') { if (request.method !== 'POST') {
@@ -243,6 +349,72 @@ export class BackupTransferRunner {
return this.runScheduledBackups(); return this.runScheduledBackups();
} }
if (url.pathname === '/internal/restore-remote-backup') {
return this.restoreRemoteBackup(request);
}
if (url.pathname === '/internal/download-remote-attachment') {
let body: RemoteAttachmentDownloadRequest;
try {
body = await request.json<RemoteAttachmentDownloadRequest>();
} catch {
return badRequest('Remote attachment download payload is invalid');
}
const blobName = String(body?.blobName || '').trim();
if (!body?.destination || !blobName) {
return badRequest('Remote attachment download payload is invalid');
}
const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
if (!file) {
return badRequest('Remote attachment not found', 404);
}
return new Response(file.bytes, {
status: 200,
headers: {
'Content-Type': file.contentType || 'application/octet-stream',
'Cache-Control': 'no-store',
},
});
}
if (url.pathname === '/internal/download-remote-attachment-batch') {
let body: RemoteAttachmentBatchDownloadRequest;
try {
body = await request.json<RemoteAttachmentBatchDownloadRequest>();
} catch {
return badRequest('Remote attachment batch download payload is invalid');
}
const blobNames = Array.from(new Set(
(Array.isArray(body?.blobNames) ? body.blobNames : [])
.map((blobName) => String(blobName || '').trim())
.filter(Boolean)
));
if (!body?.destination || !blobNames.length || blobNames.length > 40) {
return badRequest('Remote attachment batch download payload is invalid');
}
const encoder = new TextEncoder();
const entries: Array<{ blobName: string; path: string }> = [];
const files: Record<string, Uint8Array> = {};
for (let i = 0; i < blobNames.length; i += 1) {
const blobName = blobNames[i];
const file = await downloadRemoteBackupFile(body.destination, `attachments/${blobName}`).catch(() => null);
if (!file) continue;
const path = `files/${i}.bin`;
entries.push({ blobName, path });
files[path] = file.bytes;
}
files['manifest.json'] = encoder.encode(JSON.stringify({ version: 1, entries }));
return new Response(zipSync(files), {
status: 200,
headers: {
'Content-Type': 'application/zip',
'Cache-Control': 'no-store',
},
});
}
if (url.pathname !== '/internal/upload-attachment-chunk') { if (url.pathname !== '/internal/upload-attachment-chunk') {
return badRequest('Not found', 404); return badRequest('Not found', 404);
} }
src/handlers/backup.ts
+224 -65
View File
@@ -4,6 +4,7 @@ import {
type BackupArchiveBundle, type BackupArchiveBundle,
buildBackupArchive, buildBackupArchive,
inspectBackupArchiveFileNameChecksum, inspectBackupArchiveFileNameChecksum,
parseBackupArchive,
verifyBackupArchiveFileNameChecksum, verifyBackupArchiveFileNameChecksum,
} from '../services/backup-archive'; } from '../services/backup-archive';
import { import {
@@ -29,6 +30,7 @@ import {
} from '../services/backup-import'; } from '../services/backup-import';
import { import {
type RemoteBackupTransferSession, type RemoteBackupTransferSession,
type RemoteBackupFile,
createRemoteBackupTransferSession, createRemoteBackupTransferSession,
deleteRemoteBackupFile, deleteRemoteBackupFile,
downloadRemoteBackupFile, downloadRemoteBackupFile,
@@ -41,6 +43,7 @@ import { StorageService } from '../services/storage';
import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events'; import { auditRequestMetadata, writeAuditEvent } from '../services/audit-events';
import { getBlobObject } from '../services/blob-store'; import { getBlobObject } from '../services/blob-store';
import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from '../durable/notifications-hub'; import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from '../durable/notifications-hub';
import { unzipSync } from 'fflate';
function isAdmin(user: User): boolean { function isAdmin(user: User): boolean {
return user.role === 'admin' && user.status === 'active'; return user.role === 'admin' && user.status === 'active';
@@ -107,6 +110,7 @@ const REMOTE_ATTACHMENT_SYNC_EXTERNAL_SUBREQUEST_LIMIT = 50;
const REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE = 6; const REMOTE_ATTACHMENT_SYNC_SUBREQUEST_RESERVE = 6;
const REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE = 18; const REMOTE_ATTACHMENT_SYNC_MAX_WEB_DAV_BATCH_SIZE = 18;
const REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE = 40; const REMOTE_ATTACHMENT_SYNC_MAX_S3_BATCH_SIZE = 40;
const REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE = 40;
function countRemotePathSegments(value: string): number { function countRemotePathSegments(value: string): number {
return String(value || '').replace(/\\/g, '/').split('/').filter(Boolean).length; return String(value || '').replace(/\\/g, '/').split('/').filter(Boolean).length;
@@ -503,14 +507,223 @@ async function runScheduledBackupsInDurableObject(env: Env): Promise<void> {
} }
} }
async function downloadRemoteAttachmentViaDurableObject(
env: Env,
destination: BackupDestinationRecord,
blobName: string
): Promise<Uint8Array | null> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify({
destination,
blobName,
}),
});
if (response.status === 404) {
return null;
}
if (!response.ok) {
throw new Error(`Remote attachment download failed: ${response.status}`);
}
return new Uint8Array(await response.arrayBuffer());
}
async function downloadRemoteAttachmentBatchViaDurableObject(
env: Env,
destination: BackupDestinationRecord,
blobNames: string[]
): Promise<Map<string, Uint8Array>> {
const names = Array.from(new Set(blobNames.map((blobName) => String(blobName || '').trim()).filter(Boolean)));
const result = new Map<string, Uint8Array>();
if (!names.length) return result;
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('remote-attachment-restore');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/download-remote-attachment-batch', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify({
destination,
blobNames: names,
}),
});
if (!response.ok) {
throw new Error(`Remote attachment batch download failed: ${response.status}`);
}
const files = unzipSync(new Uint8Array(await response.arrayBuffer()));
const manifestBytes = files['manifest.json'];
if (!manifestBytes) return result;
const manifest = JSON.parse(new TextDecoder().decode(manifestBytes)) as {
entries?: Array<{ blobName?: string; path?: string }>;
};
for (const entry of manifest.entries || []) {
const blobName = String(entry.blobName || '').trim();
const path = String(entry.path || '').trim();
const bytes = path ? files[path] : null;
if (blobName && bytes) {
result.set(blobName, bytes);
}
}
return result;
}
function collectExternalRemoteAttachmentBlobNames(archiveBytes: Uint8Array): string[] {
const parsed = parseBackupArchive(archiveBytes, { allowExternalAttachmentBlobs: true });
const refs = new Map(
(parsed.payload.manifest.attachmentBlobs || [])
.map((item) => [`${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}`, item])
);
const names: string[] = [];
const seen = new Set<string>();
for (const row of parsed.payload.db.attachments || []) {
const cipherId = String(row.cipher_id || '').trim();
const attachmentId = String(row.id || '').trim();
const inlinePath = `attachments/${cipherId}/${attachmentId}.bin`;
if (parsed.files[inlinePath]) continue;
const ref = refs.get(`${cipherId}/${attachmentId}`);
const blobName = String(ref?.blobName || '').trim();
if (blobName && !seen.has(blobName)) {
seen.add(blobName);
names.push(blobName);
}
}
return names;
}
function toImportStatusCode(message: string): number { function toImportStatusCode(message: string): number {
const lower = message.toLowerCase(); const lower = message.toLowerCase();
if (lower.includes('checksum')) return 400;
if (lower.includes('invalid backup') || lower.includes('invalid json')) return 400; if (lower.includes('invalid backup') || lower.includes('invalid json')) return 400;
if (lower.includes('fresh instance')) return 409; if (lower.includes('fresh instance')) return 409;
if (lower.includes('not configured') || lower.includes('kv')) return 409; if (lower.includes('not configured') || lower.includes('kv')) return 409;
return 500; return 500;
} }
export async function importAndAuditRemoteBackupFile(
env: Env,
storage: StorageService,
actorUserId: string,
remoteFile: RemoteBackupFile,
destination: BackupDestinationRecord,
remotePath: string,
replaceExisting: boolean,
checksumMismatchAccepted: boolean,
auditMetadata: Record<string, unknown> | null = null,
targetDeviceIdentifier: string | null = null
): Promise<BackupImportExecutionResult> {
const restoreFileName = remoteFile.fileName || remotePath.split('/').pop() || remotePath;
const externalAttachmentBlobNames = collectExternalRemoteAttachmentBlobNames(remoteFile.bytes);
const externalAttachmentCache = new Map<string, Uint8Array | null>();
const progress: BackupRestoreProgressReporter = async (event) => {
await notifyUserBackupRestoreProgress(
env,
actorUserId,
{
operation: 'backup-restore',
...event,
},
targetDeviceIdentifier
);
};
const result = await importRemoteBackupArchiveBytes(
remoteFile.bytes,
env,
actorUserId,
replaceExisting,
{
loadAttachment: async (blobName) => {
const normalized = String(blobName || '').trim();
if (!normalized) return null;
if (externalAttachmentCache.has(normalized)) {
return externalAttachmentCache.get(normalized) || null;
}
const start = Math.max(0, externalAttachmentBlobNames.indexOf(normalized));
const batchNames = externalAttachmentBlobNames
.slice(start, start + REMOTE_ATTACHMENT_RESTORE_BATCH_SIZE)
.filter((name) => !externalAttachmentCache.has(name));
if (!batchNames.includes(normalized)) {
batchNames.unshift(normalized);
}
try {
const batch = await downloadRemoteAttachmentBatchViaDurableObject(env, destination, batchNames);
for (const name of batchNames) {
externalAttachmentCache.set(name, batch.get(name) || null);
}
} catch {
externalAttachmentCache.set(normalized, await downloadRemoteAttachmentViaDurableObject(env, destination, normalized).catch(() => null));
}
return externalAttachmentCache.get(normalized) || null;
},
},
progress,
restoreFileName
);
await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
users: result.result.imported.users,
ciphers: result.result.imported.ciphers,
attachments: result.result.imported.attachmentFiles,
skippedAttachments: result.result.skipped.attachments,
skippedReason: result.result.skipped.reason,
replaceExisting,
...getBackupDestinationSummary(destination),
remotePath,
bytes: remoteFile.bytes.byteLength,
trigger: 'remote',
checksumMismatchAccepted,
...(auditMetadata || {}),
});
return result;
}
async function restoreRemoteBackupInDurableObject(
env: Env,
payload: {
actorUserId: string;
allowChecksumMismatch?: boolean;
auditMetadata?: Record<string, unknown> | null;
destinationId?: string | null;
path: string;
replaceExisting?: boolean;
targetDeviceIdentifier?: string | null;
}
): Promise<BackupImportExecutionResult['result'] | null> {
const id = env.BACKUP_TRANSFER_RUNNER.idFromName('configured-backup-runner');
const stub = env.BACKUP_TRANSFER_RUNNER.get(id);
const response = await stub.fetch('https://backup-transfer/internal/restore-remote-backup', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
},
body: JSON.stringify(payload),
});
if (response.status === 409) {
return null;
}
if (!response.ok) {
let message = `Remote backup restore failed: ${response.status}`;
try {
const body = await response.json<{ error?: string }>();
if (body?.error) message = body.error;
} catch {
// Preserve the status-based message when the DO returns a non-JSON error.
}
throw new Error(message);
}
return response.json<BackupImportExecutionResult['result']>();
}
async function runImportAndAudit( async function runImportAndAudit(
env: Env, env: Env,
request: Request, request: Request,
@@ -788,76 +1001,22 @@ export async function handleRestoreAdminRemoteBackup(request: Request, env: Env,
return errorResponse('Remote restore payload is invalid', 400); return errorResponse('Remote restore payload is invalid', 400);
} }
const storage = new StorageService(env.DB);
try { try {
const settings = await loadBackupSettings(storage, env, 'UTC');
const destination = requireBackupDestination(settings, body.destinationId || null);
const path = ensureRemoteRestoreCandidate(String(body.path || '')); const path = ensureRemoteRestoreCandidate(String(body.path || ''));
const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null; const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
const restoreFileNameFromPath = path.split('/').pop() || path; const imported = await restoreRemoteBackupInDurableObject(env, {
await notifyUserBackupRestoreProgress( actorUserId: actorUser.id,
env, allowChecksumMismatch: !!body.allowChecksumMismatch,
actorUser.id, auditMetadata: auditRequestMetadata(request),
{ destinationId: body.destinationId || null,
operation: 'backup-restore', path,
source: 'remote',
step: 'remote_fetch_archive',
fileName: restoreFileNameFromPath,
stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
replaceExisting: !!body.replaceExisting, replaceExisting: !!body.replaceExisting,
}, targetDeviceIdentifier,
targetDeviceIdentifier });
); if (!imported) {
const remoteFile = await downloadRemoteBackupFile(destination, path); return errorResponse('Another backup or restore run is already in progress', 409);
const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
if (!checksumOk && !body.allowChecksumMismatch) {
return errorResponse('Remote backup file checksum does not match its filename', 400);
} }
const restoreFileName = remoteFile.fileName || path.split('/').pop() || path; return jsonResponse(imported);
const progress: BackupRestoreProgressReporter = async (event) => {
await notifyUserBackupRestoreProgress(
env,
actorUser.id,
{
operation: 'backup-restore',
...event,
},
targetDeviceIdentifier
);
};
const imported = await (async () => {
const storage = new StorageService(env.DB);
const result = await importRemoteBackupArchiveBytes(
remoteFile.bytes,
env,
actorUser.id,
!!body.replaceExisting,
{
loadAttachment: async (blobName) => {
const file = await downloadRemoteBackupFile(destination, `attachments/${blobName}`).catch(() => null);
return file?.bytes || null;
},
},
progress,
restoreFileName
);
await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
users: result.result.imported.users,
ciphers: result.result.imported.ciphers,
attachments: result.result.imported.attachmentFiles,
skippedAttachments: result.result.skipped.attachments,
skippedReason: result.result.skipped.reason,
replaceExisting: !!body.replaceExisting,
...getBackupDestinationSummary(destination),
remotePath: path,
bytes: remoteFile.bytes.byteLength,
trigger: 'remote',
checksumMismatchAccepted: !checksumOk,
}, request);
return result;
})();
return jsonResponse(imported.result);
} catch (error) { } catch (error) {
const message = error instanceof Error ? error.message : 'Remote backup restore failed'; const message = error instanceof Error ? error.message : 'Remote backup restore failed';
return errorResponse(message, toImportStatusCode(message)); return errorResponse(message, toImportStatusCode(message));