package api import ( "log/slog" "net/http" "os" "path/filepath" "strings" "time" "github.com/alexei/tinyforge/internal/store" "github.com/go-chi/chi/v5" ) // listBackups handles GET /api/backups. func (s *Server) listBackups(w http.ResponseWriter, r *http.Request) { if s.backupEngine == nil { respondError(w, http.StatusServiceUnavailable, "backup engine not initialized") return } backups, err := s.backupEngine.ListBackups() if err != nil { respondError(w, http.StatusInternalServerError, "failed to list backups: "+err.Error()) return } if backups == nil { backups = []store.Backup{} } respondJSON(w, http.StatusOK, backups) } // triggerBackup handles POST /api/backups. func (s *Server) triggerBackup(w http.ResponseWriter, r *http.Request) { if s.backupEngine == nil { respondError(w, http.StatusServiceUnavailable, "backup engine not initialized") return } backup, err := s.backupEngine.CreateBackup("manual") if err != nil { respondError(w, http.StatusInternalServerError, "failed to create backup: "+err.Error()) return } // Prune after manual backup too. settings, err := s.store.GetSettings() if err == nil && settings.BackupRetentionCount > 0 { s.backupEngine.Prune(settings.BackupRetentionCount) } respondJSON(w, http.StatusCreated, backup) } // downloadBackup handles GET /api/backups/{id}/download. func (s *Server) downloadBackup(w http.ResponseWriter, r *http.Request) { if s.backupEngine == nil { respondError(w, http.StatusServiceUnavailable, "backup engine not initialized") return } id := chi.URLParam(r, "id") backup, err := s.backupEngine.GetBackup(id) if err != nil { respondError(w, http.StatusNotFound, "backup not found") return } filePath := s.backupEngine.FilePath(backup) // Validate the resolved path stays within the backup directory to prevent path traversal. absPath, err := filepath.Abs(filePath) if err != nil { respondError(w, http.StatusInternalServerError, "failed to resolve backup path") return } absBackupDir, _ := filepath.Abs(s.backupEngine.BackupDir()) if !strings.HasPrefix(absPath, absBackupDir+string(filepath.Separator)) { respondError(w, http.StatusForbidden, "access denied") return } f, err := os.Open(absPath) if err != nil { respondError(w, http.StatusNotFound, "backup file not found on disk") return } defer f.Close() stat, err := f.Stat() if err != nil { respondError(w, http.StatusInternalServerError, "failed to read backup file") return } w.Header().Set("Content-Type", "application/octet-stream") w.Header().Set("Content-Disposition", "attachment; filename=\""+filepath.Base(backup.Filename)+"\"") http.ServeContent(w, r, filepath.Base(backup.Filename), stat.ModTime(), f) } // deleteBackup handles DELETE /api/backups/{id}. func (s *Server) deleteBackup(w http.ResponseWriter, r *http.Request) { if s.backupEngine == nil { respondError(w, http.StatusServiceUnavailable, "backup engine not initialized") return } id := chi.URLParam(r, "id") if err := s.backupEngine.DeleteBackup(id); err != nil { respondError(w, http.StatusInternalServerError, "failed to delete backup: "+err.Error()) return } respondJSON(w, http.StatusOK, map[string]string{"status": "deleted"}) } // restoreBackup handles POST /api/backups/{id}/restore. // // Restore happens in three documented stages so a failure at any stage // leaves the live DB intact: // // 1. PRE-FLIGHT (sync, before the HTTP response): PrepareRestore opens // the candidate read-only and runs `PRAGMA integrity_check`. If it // fails the live DB is untouched and we return 400 with the reason. // // 2. SAFETY NET: a pre-restore backup of the LIVE DB is created so the // operator can roll back even if the candidate is later discovered // to be missing data. // // 3. SWAP (async, after the response is flushed): close the live DB, // atomic-rename the candidate over the live path, wipe WAL/SHM, // trigger graceful shutdown. supervisord / systemd / docker // restart=on-failure brings the process back with the new DB. func (s *Server) restoreBackup(w http.ResponseWriter, r *http.Request) { if s.backupEngine == nil { respondError(w, http.StatusServiceUnavailable, "backup engine not initialized") return } id := chi.URLParam(r, "id") // CSRF / accidental-fire guard: the restore endpoint is the most // destructive surface in the API (replaces the whole DB). Even // though it sits behind AdminOnly + Bearer JWT, a blind cross-site // POST or a misclicked button in any open admin tab can fire it. // Require the operator's client to echo X-Confirm-Restore: // — matching the path param — so a CSRF post-form / image-src // trick can't trigger restore (browsers don't let cross-origin // requests set custom headers without a preflight). if confirm := r.Header.Get("X-Confirm-Restore"); confirm != id { respondError(w, http.StatusBadRequest, "missing or mismatched X-Confirm-Restore header (must equal backup id)") return } // Single-flight guard: a rapid double-click would otherwise spawn // two goroutines racing s.store.Close() and the candidate-over- // live rename. CAS to true here; if someone else won, return 409. if !s.restoreInFlight.CompareAndSwap(false, true) { respondError(w, http.StatusConflict, "a restore is already in progress") return } // Do NOT release the flag — the restore path triggers shutdown. // A failed restore is also terminal (the DB may be closed); a // fresh process boot is the recovery path. // PRE-FLIGHT: refuse before touching anything if the candidate is // not a valid SQLite database or fails integrity_check. This is the // guard the prior code lacked — a corrupt backup would silently // overwrite a healthy live DB. restorePath, err := s.backupEngine.PrepareRestore(id) if err != nil { respondError(w, http.StatusBadRequest, err.Error()) return } // SAFETY NET: pre-restore snapshot of the live DB. A failure here // is logged but does not abort — the integrity-checked candidate // is still safer than refusing to restore. if _, err := s.backupEngine.CreateBackup("pre-restore"); err != nil { slog.Warn("failed to create pre-restore backup", "error", err) } // Send the response BEFORE closing the DB so the client gets confirmation. respondJSON(w, http.StatusOK, map[string]any{ "status": "restoring", "message": "Database restore initiated. The server will restart shortly.", }) // Flush the response. if f, ok := w.(http.Flusher); ok { f.Flush() } // Perform the destructive restore in a goroutine with a brief delay // to allow the HTTP response to be fully sent. go func() { time.Sleep(500 * time.Millisecond) // Once we begin closing the live DB the process can no longer serve // requests against a sane store, so EVERY exit path from here must // trigger shutdown. Returning early would leave the server limping // on a closed/half-swapped database with no path to recovery except // an external kill. shutdownFunc → graceful shutdown → main returns // → deferred releaseLock()/db.Close() run, and the supervisor reopens // whatever DB is on disk on the next boot. triggerShutdown := func() { if s.shutdownFunc != nil { s.shutdownFunc() } } // Close the current database to release locks. AtomicReplaceDB // expects the live file to be unmapped before swap (especially // important on Windows where open files cannot be renamed over). if err := s.store.Close(); err != nil { slog.Error("restore: failed to close database, restarting", "error", err) triggerShutdown() return } if err := s.backupEngine.AtomicReplaceDB(restorePath, s.dbPath); err != nil { slog.Error("restore: atomic replace failed, restarting", "error", err) triggerShutdown() return } slog.Info("restore: database replaced, triggering shutdown") // Signal the server to shut down gracefully so it can be restarted. triggerShutdown() }() }