@morphika/andami 0.2.8 → 0.2.10

package/lib/backup/r2-helpers.ts

@@ -0,0 +1,294 @@
+/**
+ * R2 helpers for the backup module.
+ *
+ * Provides S3 client access and credential resolution specifically
+ * for backup operations (GetObjectCommand for export, PutObjectCommand
+ * for restore). Reuses the same credential pattern as the R2 adapter
+ * but exposes the S3 client directly for streaming operations.
+ */
+
+import {
+  S3Client,
+  ListObjectsV2Command,
+  GetObjectCommand,
+  PutObjectCommand,
+  DeleteObjectsCommand,
+} from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { adminClient } from "../sanity/client";
+import { decryptToken } from "../security";
+import { logger } from "../logger";
+import { getMimeType } from "../storage/types";
+
+// ============================================
+// Types
+// ============================================
+
+export interface R2BackupConfig {
+  bucketUrl: string;
+  endpoint: string;
+  bucketName: string;
+  accessKeyId: string;
+  secretAccessKey: string;
+}
+
+export interface R2FileEntry {
+  key: string;
+  size: number;
+  mimeType: string;
+}
+
+// ============================================
+// Credential resolution
+// ============================================
+
+/**
+ * Fetch and decrypt R2 credentials from Sanity.
+ * Returns null if R2 is not connected.
+ */
+export async function getR2Config(): Promise<R2BackupConfig | null> {
+  try {
+    const registry = await adminClient.fetch(
+      `*[_type == "assetRegistry"][0]{
+        r2_bucket_url,
+        r2_endpoint,
+        r2_bucket_name,
+        r2_access_key_id,
+        r2_secret_access_key
+      }`
+    );
+
+    if (!registry?.r2_endpoint || !registry?.r2_bucket_name) {
+      return null;
+    }
+
+    if (!registry.r2_access_key_id || !registry.r2_secret_access_key) {
+      return null;
+    }
+
+    const accessKeyId = await decryptToken(registry.r2_access_key_id);
+    const secretAccessKey = await decryptToken(registry.r2_secret_access_key);
+
+    return {
+      bucketUrl: registry.r2_bucket_url || "",
+      endpoint: registry.r2_endpoint,
+      bucketName: registry.r2_bucket_name,
+      accessKeyId,
+      secretAccessKey,
+    };
+  } catch (err) {
+    logger.error("[Backup:R2]", "Failed to get R2 config", err);
+    return null;
+  }
+}
+
+/**
+ * Create an S3 client from the resolved config.
+ */
+export function createS3Client(config: R2BackupConfig): S3Client {
+  return new S3Client({
+    region: "auto",
+    endpoint: config.endpoint,
+    credentials: {
+      accessKeyId: config.accessKeyId,
+      secretAccessKey: config.secretAccessKey,
+    },
+  });
+}
+
+// ============================================
+// File listing
+// ============================================
+
+/**
+ * List ALL files in the R2 bucket for backup.
+ *
+ * No extension filter applied — every non-empty object is captured so the
+ * backup is a true mirror of the bucket. This keeps backup ↔ wipe symmetric:
+ * anything that the wipe would destroy is included in the export, including
+ * fonts (.woff2, .ttf, …), PDFs, and any other files the admin uploads.
+ */
+export async function listAllR2Files(
+  s3: S3Client,
+  bucketName: string
+): Promise<R2FileEntry[]> {
+  const files: R2FileEntry[] = [];
+  let continuationToken: string | undefined;
+
+  do {
+    const response = await s3.send(
+      new ListObjectsV2Command({
+        Bucket: bucketName,
+        ContinuationToken: continuationToken,
+        MaxKeys: 1000,
+      })
+    );
+
+    for (const obj of response.Contents || []) {
+      const key = obj.Key;
+      if (!key || !obj.Size) continue;
+
+      const filename = key.split("/").pop() || key;
+      files.push({
+        key,
+        size: obj.Size,
+        mimeType: getMimeType(filename),
+      });
+    }
+
+    continuationToken = response.NextContinuationToken;
+  } while (continuationToken);
+
+  files.sort((a, b) => a.key.localeCompare(b.key));
+  return files;
+}
+
+// ============================================
+// Presigned upload URL batch generation (for V2 restore)
+// ============================================
+
+/** A presigned PUT URL paired with the Content-Type the client must send. */
+export interface PresignedUpload {
+  key: string;
+  uploadUrl: string;
+  contentType: string;
+}
+
+/**
+ * Generate presigned PUT URLs for a batch of asset keys in one server call.
+ *
+ * This is the piece that keeps Vercel CPU flat during a restore: instead of
+ * the browser invoking `/api/admin/r2/upload-url` once per asset (which also
+ * hits a 60-req/min rate limit and breaks for sites with >60 assets), the
+ * restore endpoint signs every URL in a single invocation and the browser
+ * just PUTs directly to R2.
+ *
+ * Signing is pure HMAC on the local machine — no round-trip to R2 — so
+ * generating hundreds of URLs is a few hundred milliseconds of CPU at most.
+ *
+ * @param ttlSeconds - presigned URL lifetime (default 30 min, to cover slow
+ *                     uploads and retries during a long restore).
+ */
+export async function generatePresignedUploadUrls(
+  s3: S3Client,
+  bucketName: string,
+  keys: string[],
+  ttlSeconds = 1800
+): Promise<PresignedUpload[]> {
+  if (keys.length === 0) return [];
+
+  // Deduplicate to avoid re-signing the same key twice if the client lists it.
+  const uniqueKeys = Array.from(new Set(keys));
+
+  return Promise.all(
+    uniqueKeys.map(async (key): Promise<PresignedUpload> => {
+      const filename = key.split("/").pop() || key;
+      const contentType = getMimeType(filename);
+      const command = new PutObjectCommand({
+        Bucket: bucketName,
+        Key: key,
+        ContentType: contentType,
+      });
+      const uploadUrl = await getSignedUrl(s3, command, {
+        expiresIn: ttlSeconds,
+      });
+      return { key, uploadUrl, contentType };
+    })
+  );
+}
+
+/**
+ * Upload a single file to R2.
+ * Used during restore to push assets back into the bucket.
+ */
+export async function uploadR2File(
+  s3: S3Client,
+  bucketName: string,
+  key: string,
+  body: Buffer | Uint8Array,
+  contentType: string
+): Promise<void> {
+  await s3.send(
+    new PutObjectCommand({
+      Bucket: bucketName,
+      Key: key,
+      Body: body,
+      ContentType: contentType,
+    })
+  );
+}
+
+/**
+ * Delete ALL files in the R2 bucket.
+ * Used during restore to wipe existing assets before uploading.
+ * Processes deletions in batches of 1000 (S3 API limit).
+ */
+export async function deleteAllR2Files(
+  s3: S3Client,
+  bucketName: string
+): Promise<number> {
+  let totalDeleted = 0;
+  let continuationToken: string | undefined;
+
+  do {
+    const listResponse = await s3.send(
+      new ListObjectsV2Command({
+        Bucket: bucketName,
+        ContinuationToken: continuationToken,
+        MaxKeys: 1000,
+      })
+    );
+
+    const objects = listResponse.Contents ?? [];
+    if (objects.length === 0) break;
+
+    const keysToDelete = objects
+      .map((obj) => obj.Key)
+      .filter((key): key is string => !!key);
+
+    if (keysToDelete.length > 0) {
+      await s3.send(
+        new DeleteObjectsCommand({
+          Bucket: bucketName,
+          Delete: {
+            Objects: keysToDelete.map((Key) => ({ Key })),
+            Quiet: true,
+          },
+        })
+      );
+      totalDeleted += keysToDelete.length;
+    }
+
+    continuationToken = listResponse.NextContinuationToken;
+  } while (continuationToken);
+
+  return totalDeleted;
+}
+
+/**
+ * Download a single file from R2 as a readable stream.
+ * Returns the response body stream, or null if the file doesn't exist.
+ */
+export async function downloadR2File(
+  s3: S3Client,
+  bucketName: string,
+  key: string
+): Promise<ReadableStream | null> {
+  try {
+    const response = await s3.send(
+      new GetObjectCommand({
+        Bucket: bucketName,
+        Key: key,
+      })
+    );
+
+    // The AWS SDK v3 returns a Web ReadableStream in Node.js 18+
+    if (response.Body) {
+      return response.Body.transformToWebStream();
+    }
+    return null;
+  } catch (err) {
+    logger.error("[Backup:R2]", `Failed to download ${key}`, err);
+    return null;
+  }
+}

package/lib/backup/restore.ts

@@ -0,0 +1,266 @@
+/**
+ * Backup Restore — core logic.
+ *
+ * Receives a ZIP buffer (the backup archive), validates it, then
+ * performs a full wipe-and-replace of:
+ *   1. All Sanity documents (5 types)
+ *   2. All R2 assets (if R2 is connected)
+ *
+ * This is a destructive operation — it replaces the entire site.
+ * The API route handles auth, CSRF, and rate limiting.
+ */
+
+import * as unzipper from "unzipper";
+import { logger } from "../logger";
+import { getMimeType } from "../storage/types";
+import { validateManifest, type BackupManifest } from "./manifest";
+import { wipeAllDocuments, restoreDocuments, type AndamiDocType } from "./sanity-ops";
+import {
+  getR2Config,
+  createS3Client,
+  deleteAllR2Files,
+  uploadR2File,
+} from "./r2-helpers";
+
+// ============================================
+// Types
+// ============================================
+
+export interface RestoreResult {
+  success: boolean;
+  manifest: BackupManifest;
+  sanity: {
+    wiped: Record<string, number>;
+    restored: Record<string, number>;
+  };
+  assets: {
+    expected: number;
+    uploaded: number;
+    failed: string[];
+    skipped_reason?: string;
+  };
+  duration_ms: number;
+}
+
+// ============================================
+// ZIP parsing
+// ============================================
+
+/**
+ * Parse a ZIP buffer and extract all entries as a map of path → Buffer.
+ * Uses unzipper for streaming extraction.
+ */
+async function parseZipBuffer(
+  zipBuffer: Buffer
+): Promise<Map<string, Buffer>> {
+  const entries = new Map<string, Buffer>();
+
+  const directory = await unzipper.Open.buffer(zipBuffer);
+
+  for (const file of directory.files) {
+    // Skip directories
+    if (file.type === "Directory") continue;
+
+    const content = await file.buffer();
+    entries.set(file.path, content);
+  }
+
+  return entries;
+}
+
+/**
+ * Safely parse a JSON file from the ZIP entries.
+ * Throws if the file is missing or contains invalid JSON.
+ */
+function parseJsonEntry(entries: Map<string, Buffer>, path: string): unknown {
+  const buffer = entries.get(path);
+  if (!buffer) {
+    throw new Error(`Backup archive is missing required file: ${path}`);
+  }
+  try {
+    return JSON.parse(buffer.toString("utf-8"));
+  } catch {
+    throw new Error(`Invalid JSON in backup file: ${path}`);
+  }
+}
+
+/**
+ * Safely parse an optional JSON file from the ZIP entries.
+ * Returns null if the file is missing, throws on invalid JSON.
+ */
+function parseOptionalJsonEntry(
+  entries: Map<string, Buffer>,
+  path: string
+): unknown | null {
+  const buffer = entries.get(path);
+  if (!buffer) return null;
+  try {
+    return JSON.parse(buffer.toString("utf-8"));
+  } catch {
+    throw new Error(`Invalid JSON in backup file: ${path}`);
+  }
+}
+
+// ============================================
+// Core restore logic
+// ============================================
+
+/**
+ * Restore a site from a backup ZIP buffer.
+ *
+ * Steps:
+ *   1. Parse ZIP and validate manifest
+ *   2. Wipe all existing Sanity documents
+ *   3. Restore documents from the backup
+ *   4. If R2 is connected, wipe and re-upload assets
+ *
+ * This is an all-or-nothing operation for Sanity (wipe then restore).
+ * Asset upload is best-effort — failures are logged but don't fail
+ * the entire restore.
+ */
+export async function restoreFromBackup(
+  zipBuffer: Buffer
+): Promise<RestoreResult> {
+  const startTime = Date.now();
+
+  // ── Phase 1: Parse ZIP and validate manifest ──
+  logger.info("[Backup:Restore]", "Parsing backup archive...");
+  const entries = await parseZipBuffer(zipBuffer);
+
+  const manifestRaw = parseJsonEntry(entries, "manifest.json");
+  const manifest = validateManifest(manifestRaw);
+
+  logger.info(
+    "[Backup:Restore]",
+    `Valid backup from ${manifest.created_at} (v${manifest.framework_version}). ` +
+      `${manifest.documents.pages} pages, ${manifest.assets.total_files} assets.`
+  );
+
+  // ── Phase 2: Wipe all existing Sanity documents ──
+  logger.info("[Backup:Restore]", "Wiping existing Sanity documents...");
+  const wiped = await wipeAllDocuments();
+
+  // ── Phase 3: Restore documents from backup ──
+  logger.info("[Backup:Restore]", "Restoring Sanity documents...");
+
+  const restored: Record<string, number> = {};
+
+  // Map of ZIP paths to Sanity document types
+  const docMap: { path: string; type: AndamiDocType }[] = [
+    { path: "sanity/pages.json", type: "page" },
+    { path: "sanity/settings.json", type: "siteSettings" },
+    { path: "sanity/styles.json", type: "siteStyles" },
+    { path: "sanity/asset-registry.json", type: "assetRegistry" },
+    { path: "sanity/custom-sections.json", type: "customSection" },
+  ];
+
+  for (const { path, type } of docMap) {
+    const data = parseOptionalJsonEntry(entries, path);
+    if (data !== null) {
+      restored[type] = await restoreDocuments(type, data);
+    } else {
+      restored[type] = 0;
+      logger.info("[Backup:Restore]", `No ${path} in backup, skipping`);
+    }
+  }
+
+  // ── Phase 4: Restore R2 assets ──
+  const assetResult = {
+    expected: 0,
+    uploaded: 0,
+    failed: [] as string[],
+    skipped_reason: undefined as string | undefined,
+  };
+
+  // Collect asset entries from the ZIP
+  const assetEntries = new Map<string, Buffer>();
+  for (const [path, buffer] of entries) {
+    if (path.startsWith("assets/")) {
+      assetEntries.set(path, buffer);
+    }
+  }
+
+  assetResult.expected = assetEntries.size;
+
+  if (assetEntries.size > 0) {
+    const r2Config = await getR2Config();
+
+    if (!r2Config) {
+      logger.warn(
+        "[Backup:Restore]",
+        `R2 not connected — skipping ${assetEntries.size} asset(s). ` +
+          "Connect R2 and restore again to include assets."
+      );
+      assetResult.skipped_reason = "R2 not connected";
+    } else {
+      const s3 = createS3Client(r2Config);
+
+      // Wipe existing R2 files before uploading
+      logger.info("[Backup:Restore]", "Wiping existing R2 assets...");
+      try {
+        const deletedCount = await deleteAllR2Files(s3, r2Config.bucketName);
+        logger.info(
+          "[Backup:Restore]",
+          `Deleted ${deletedCount} existing R2 file(s)`
+        );
+      } catch (err) {
+        logger.error(
+          "[Backup:Restore]",
+          "Failed to wipe R2 bucket — continuing with upload",
+          err
+        );
+      }
+
+      // Upload assets from the backup
+      logger.info(
+        "[Backup:Restore]",
+        `Uploading ${assetEntries.size} asset(s) to R2...`
+      );
+
+      for (const [zipPath, buffer] of assetEntries) {
+        // Strip the "assets/" prefix to get the R2 key
+        const r2Key = zipPath.replace(/^assets\//, "");
+        const filename = r2Key.split("/").pop() || r2Key;
+        const contentType = getMimeType(filename);
+
+        try {
+          await uploadR2File(s3, r2Config.bucketName, r2Key, buffer, contentType);
+          assetResult.uploaded++;
+        } catch (err) {
+          logger.error(
+            "[Backup:Restore]",
+            `Failed to upload asset: ${r2Key}`,
+            err
+          );
+          assetResult.failed.push(r2Key);
+          // Continue with remaining assets — partial restore > no restore
+        }
+      }
+
+      logger.info(
+        "[Backup:Restore]",
+        `Assets: ${assetResult.uploaded}/${assetResult.expected} uploaded` +
+          (assetResult.failed.length > 0
+            ? `, ${assetResult.failed.length} failed`
+            : "")
+      );
+    }
+  } else {
+    logger.info("[Backup:Restore]", "No assets in backup archive");
+  }
+
+  // ── Done ──
+  const duration = Date.now() - startTime;
+  logger.info(
+    "[Backup:Restore]",
+    `Restore completed in ${(duration / 1000).toFixed(1)}s`
+  );
+
+  return {
+    success: true,
+    manifest,
+    sanity: { wiped, restored },
+    assets: assetResult,
+    duration_ms: duration,
+  };
+}