2026-03-28 21:36:12 +01:00
|
|
|
package agent
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
2026-05-27 16:50:16 +02:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2026-03-28 21:36:12 +01:00
|
|
|
"os"
|
|
|
|
|
"path/filepath"
|
|
|
|
|
"time"
|
|
|
|
|
|
2026-03-30 13:06:07 +02:00
|
|
|
"github.com/torrentclaw/unarr/internal/config"
|
2026-03-28 21:36:12 +01:00
|
|
|
)
|
|
|
|
|
|
2026-05-27 16:50:16 +02:00
|
|
|
// ErrDaemonNotRunning is returned by callers that need a running daemon but
|
|
|
|
|
// find no state file on disk. Sentinel so user-facing commands (stop/reload)
|
|
|
|
|
// can wrap it and Sentry can filter it out as a non-bug.
|
|
|
|
|
var ErrDaemonNotRunning = errors.New("daemon does not appear to be running (state file not found)")
|
|
|
|
|
|
2026-03-28 21:36:12 +01:00
|
|
|
// DaemonState is written to disk every heartbeat for external tools to read.
|
|
|
|
|
type DaemonState struct {
|
|
|
|
|
AgentID string `json:"agentId"`
|
|
|
|
|
Status string `json:"status"` // running | upgrading | shutting_down
|
|
|
|
|
Version string `json:"version"`
|
|
|
|
|
PID int `json:"pid"`
|
|
|
|
|
StartedAt time.Time `json:"startedAt"`
|
|
|
|
|
LastHeartbeat time.Time `json:"lastHeartbeat"`
|
|
|
|
|
ActiveTasks int `json:"activeTasks"`
|
|
|
|
|
CompletedCount int `json:"completedCount"`
|
|
|
|
|
FailedCount int `json:"failedCount"`
|
|
|
|
|
TotalDownloaded int64 `json:"totalDownloaded"`
|
|
|
|
|
MethodStats map[string]int `json:"methodStats,omitempty"`
|
2026-05-22 08:33:02 +02:00
|
|
|
|
|
|
|
|
// Managed-VPN split-tunnel state, so `unarr vpn status` can report whether
|
|
|
|
|
// torrent traffic is actually being routed through the tunnel (vs. the daemon
|
|
|
|
|
// running but the tunnel having failed to come up → downloading in the clear).
|
|
|
|
|
VPNActive bool `json:"vpnActive,omitempty"`
|
|
|
|
|
VPNMode string `json:"vpnMode,omitempty"` // managed | self-hosted
|
|
|
|
|
VPNServer string `json:"vpnServer,omitempty"` // WireGuard endpoint (ip:port)
|
2026-05-26 20:39:57 +02:00
|
|
|
|
|
|
|
|
// CloudFlare Quick Tunnel state, so `unarr funnel status` can report the
|
|
|
|
|
// HTTPS hostname the daemon is reachable at from anywhere on the internet.
|
|
|
|
|
// Empty when the funnel is off or hasn't registered yet.
|
|
|
|
|
FunnelURL string `json:"funnelUrl,omitempty"`
|
2026-03-28 21:36:12 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// stateFilePathFn is overridable for testing.
|
|
|
|
|
var stateFilePathFn = func() string {
|
|
|
|
|
return filepath.Join(config.DataDir(), "daemon.state.json")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// StateFilePath returns the path to the daemon state file.
|
|
|
|
|
func StateFilePath() string {
|
|
|
|
|
return stateFilePathFn()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// WriteState writes the daemon state to disk (best-effort, never errors).
|
|
|
|
|
func WriteState(state *DaemonState) {
|
|
|
|
|
path := StateFilePath()
|
|
|
|
|
dir := filepath.Dir(path)
|
|
|
|
|
os.MkdirAll(dir, 0o755)
|
|
|
|
|
|
|
|
|
|
data, err := json.MarshalIndent(state, "", " ")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
// Write to temp file then rename for atomicity. 0o600 keeps the file
|
|
|
|
|
// readable only by the owning user — the state contains agentID, PID
|
|
|
|
|
// and counters which are useful to a co-tenant on a shared host for
|
|
|
|
|
// fingerprinting the daemon, and we already use 0o600 for the config
|
|
|
|
|
// file. No need for cross-user readability here.
|
2026-03-28 21:36:12 +01:00
|
|
|
tmp := path + ".tmp"
|
fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs
Phase 3 security audit follow-up. Medium and low-severity hardenings
plus a deferred-work plan for the cross-repo stream-token rollout.
Stream server CORS: replace the wildcard Access-Control-Allow-Origin
with an allowlist that echoes back only torrentclaw.com,
app.torrentclaw.com, the local Next dev port (3030 — matches the web
repo package.json) and any extras the operator adds via the new
downloads.cors_extra_origins TOML key. A Vary: Origin header is now
emitted whenever the request carries an Origin header so an
intermediate cache cannot serve a stale ACAO to a different origin.
URL scheme guard: openBrowser and OpenPlayer refuse any URL that is
not http(s). Combined with passing the URL after "--" wherever the
launched helper supports it (open, mpv, vlc, cvlc), this stops a
leading "-" from being parsed as a switch by the spawned process.
State file permissions: WriteState now writes 0o600 so the agent ID,
PID and counters cannot be enumerated by another local user on a
shared host. Matches the existing config file mode.
ZIP slip defense-in-depth: extractZip extracts the safety check into
safeZipPath, which canonicalises the entry name (normalising
backslashes to "/"), rejects "..", "../" prefix and "/../" interior
components, and verifies the final destination stays inside destDir
before opening any file.
Mirror fallback: documented the design for multi-provider
mirrors.json hosting in the comment block on DefaultStaticFallbackURLs
and added a follow-up note about signing it with the same ed25519
release key. The list is kept at one provider until the second host
is provisioned and added to torrentclaw-web's STATIC_FALLBACKS.
Deferred work: a new plan document Docs/plans/security-stream-token.md
covers the per-task stream token (Phase 2.2 of the original audit)
which requires coordinated web + CLI work and ships separately.
2026-05-15 18:48:59 +02:00
|
|
|
if err := os.WriteFile(tmp, data, 0o600); err != nil {
|
2026-03-28 21:36:12 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
os.Rename(tmp, path)
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-27 16:50:16 +02:00
|
|
|
// ReadState reads the daemon state from disk. Returns nil if not found or
|
|
|
|
|
// unreadable. Use LoadState when callers need to distinguish "not running"
|
|
|
|
|
// from "state file corrupted".
|
2026-03-28 21:36:12 +01:00
|
|
|
func ReadState() *DaemonState {
|
2026-05-27 16:50:16 +02:00
|
|
|
state, _ := LoadState()
|
|
|
|
|
return state
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// LoadState reads the daemon state and returns explicit errors:
|
|
|
|
|
// - ErrDaemonNotRunning when the state file does not exist
|
|
|
|
|
// - a wrapped json error when the file exists but cannot be decoded
|
|
|
|
|
// (a real bug worth reporting to Sentry)
|
|
|
|
|
func LoadState() (*DaemonState, error) {
|
2026-03-28 21:36:12 +01:00
|
|
|
data, err := os.ReadFile(StateFilePath())
|
|
|
|
|
if err != nil {
|
2026-05-27 16:50:16 +02:00
|
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
|
|
|
return nil, ErrDaemonNotRunning
|
|
|
|
|
}
|
|
|
|
|
return nil, err
|
2026-03-28 21:36:12 +01:00
|
|
|
}
|
|
|
|
|
var state DaemonState
|
2026-05-27 16:50:16 +02:00
|
|
|
if err := json.Unmarshal(data, &state); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("decode daemon state %s: %w", StateFilePath(), err)
|
2026-03-28 21:36:12 +01:00
|
|
|
}
|
2026-05-27 16:50:16 +02:00
|
|
|
return &state, nil
|
2026-03-28 21:36:12 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RemoveState deletes the state file (called on clean shutdown).
|
|
|
|
|
func RemoveState() {
|
|
|
|
|
os.Remove(StateFilePath())
|
|
|
|
|
}
|