k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 06:11:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(backup): restore from Docker, fail-fast on shadowed /app, bundle encryption key (#1193) (#1197)

Browse Source 
* fix(backup): restore uploads through symlinked dir and bundle encryption key (#1193)

Restoring a backup inside Docker threw ERR_FS_CP_DIR_TO_NON_DIR because
/app/server/uploads is a symlink to the mounted /app/uploads volume and
cpSync (dereference:false) refuses to overwrite the symlink node with a
directory. The DB was swapped before this failing copy, so users saw
restored data but missing upload files (trip covers). Resolve the symlink
with realpathSync before copying so the merge targets the real directory;
no-op on a plain dir, so non-Docker behavior is unchanged.

Also bundle the at-rest encryption key (data/.encryption_key) into the
backup so a restore onto a different install can decrypt stored secrets
(API keys, MFA, SMTP/OIDC). Skipped when ENCRYPTION_KEY is provided via
env (the file is not the source of truth then). On restore the key is
swapped back if the archive carries one; a restart is required for the
in-memory key to take effect.

* fix(docker): fail fast when a volume shadows /app (#1193)

Mounting an old volume at /app hides the image's node_modules and dist,
so startup crashed with a cryptic "Cannot find module
'tsconfig-paths/register'". Add a CMD preflight that detects the missing
app files and exits with actionable guidance. Document in the README that
only /app/data and /app/uploads should be mounted, never /app.

* fix: ssrf test
This commit is contained in:
jubnl
2026-06-16 07:43:00 +02:00
committed by GitHub
parent 5b41cab898
commit 910631c1ff
5 changed files with 208 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/services/backupService.ts
+27 -1
View File
@@ -155,6 +155,17 @@ export async function createBackup(): Promise<BackupInfo> {
archive.file(dbPath, { name: 'travel.db' });
}
// Bundle the at-rest encryption key so the backup is self-contained: the
// DB stores secrets (API keys, MFA, SMTP/OIDC) encrypted with this key, so
// a restore onto a different install would otherwise be unable to decrypt
// them. NOTE: this makes the backup file as sensitive as the key itself —
// store/transfer it securely. Skipped when ENCRYPTION_KEY is provided via
// env, since in that case the file is not the source of truth.
const encKeyPath = path.join(dataDir, '.encryption_key');
if (!process.env.ENCRYPTION_KEY && fs.existsSync(encKeyPath)) {
archive.file(encKeyPath, { name: '.encryption_key' });
}
if (fs.existsSync(uploadsDir)) {
// Exclude the place-photo and trek-memory caches: both are re-derivable
// (re-fetched on demand, keyed on stable ids) and would otherwise dominate
@@ -252,6 +263,16 @@ export async function restoreFromZip(zipPath: string): Promise<RestoreResult> {
}
fs.copyFileSync(extractedDb, dbDest);
// Restore the bundled at-rest encryption key (if the archive carries one)
// so the restored DB's encrypted secrets can be decrypted. Only the file
// is swapped here; the in-memory key was read at startup, so a restart is
// required for it to take effect (and an explicit ENCRYPTION_KEY env var
// still overrides the file).
const extractedEncKey = path.join(extractDir, '.encryption_key');
if (fs.existsSync(extractedEncKey)) {
fs.copyFileSync(extractedEncKey, path.join(dataDir, '.encryption_key'));
}
const extractedUploads = path.join(extractDir, 'uploads');
if (fs.existsSync(extractedUploads)) {
for (const sub of fs.readdirSync(uploadsDir)) {
@@ -262,7 +283,12 @@ export async function restoreFromZip(zipPath: string): Promise<RestoreResult> {
}
}
}
fs.cpSync(extractedUploads, uploadsDir, { recursive: true, force: true });
// Copy into the real directory behind uploadsDir. In Docker, uploadsDir
// (/app/server/uploads) is a symlink to the mounted /app/uploads volume;
// cpSync(dereference:false) would otherwise try to overwrite the symlink
// node with a directory and throw ERR_FS_CP_DIR_TO_NON_DIR. realpathSync
// is a no-op when uploadsDir is a plain directory (dev/non-Docker).
fs.cpSync(extractedUploads, fs.realpathSync(uploadsDir), { recursive: true, force: true });
}
} finally {
// Reopening the DB must always run (even if the copy above threw) so the