fix: recover flagged account backups safely

ndycode · ndycode · commit 6b1cb801c188 · 2026-04-05T10:17:22.000+08:00
diff --git a/lib/storage/flagged-storage-io.ts b/lib/storage/flagged-storage-io.ts
@@ -2,6 +2,10 @@ import { existsSync, promises as fs } from "node:fs";
 import { dirname } from "node:path";
 import type { FlaggedAccountStorageV1 } from "../storage.js";
 
+function getFlaggedBackupPaths(path: string): string[] {
+	return [`${path}.bak`, `${path}.bak.1`, `${path}.bak.2`];
+}
+
 export async function loadFlaggedAccountsState(params: {
 	path: string;
 	legacyPath: string;
@@ -12,6 +16,34 @@ export async function loadFlaggedAccountsState(params: {
 	logInfo: (message: string, details: Record<string, unknown>) => void;
 }): Promise<FlaggedAccountStorageV1> {
 	const empty: FlaggedAccountStorageV1 = { version: 1, accounts: [] };
+	if (existsSync(params.resetMarkerPath)) {
+		return empty;
+	}
+	const loadFlaggedBackup = async (): Promise<FlaggedAccountStorageV1 | null> => {
+		for (const backupPath of getFlaggedBackupPaths(params.path)) {
+			if (!existsSync(backupPath)) {
+				continue;
+			}
+			try {
+				const backupContent = await fs.readFile(backupPath, "utf-8");
+				const backupData = JSON.parse(backupContent) as unknown;
+				const recovered = params.normalizeFlaggedStorage(backupData);
+				params.logInfo("Recovered flagged account storage from backup", {
+					from: backupPath,
+					to: params.path,
+					accounts: recovered.accounts.length,
+				});
+				return recovered;
+			} catch (backupError) {
+				params.logError("Failed to recover flagged account storage from backup", {
+					from: backupPath,
+					to: params.path,
+					error: String(backupError),
+				});
+			}
+		}
+		return null;
+	};
 
 	try {
 		const content = await fs.readFile(params.path, "utf-8");
@@ -28,10 +60,15 @@ export async function loadFlaggedAccountsState(params: {
 				path: params.path,
 				error: String(error),
 			});
-			return empty;
+			return (await loadFlaggedBackup()) ?? empty;
 		}
 	}
 
+	const recoveredBackup = await loadFlaggedBackup();
+	if (recoveredBackup) {
+		return recoveredBackup;
+	}
+
 	if (!existsSync(params.legacyPath)) {
 		return empty;
 	}
@@ -129,6 +166,7 @@ export async function clearFlaggedAccountsOnDisk(params: {
 	backupPaths: string[];
 	logError: (message: string, details: Record<string, unknown>) => void;
 }): Promise<void> {
+	let keepResetMarker = false;
 	try {
 		await fs.writeFile(params.markerPath, "reset", {
 			encoding: "utf-8",
@@ -145,7 +183,6 @@ export async function clearFlaggedAccountsOnDisk(params: {
 	for (const candidate of [
 		params.path,
 		...params.backupPaths,
-		params.markerPath,
 	]) {
 		try {
 			await fs.unlink(candidate);
@@ -159,6 +196,21 @@ export async function clearFlaggedAccountsOnDisk(params: {
 				if (candidate === params.path) {
 					throw error;
 				}
+				keepResetMarker = true;
+			}
+		}
+	}
+	if (!keepResetMarker) {
+		try {
+			await fs.unlink(params.markerPath);
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code !== "ENOENT") {
+				params.logError("Failed to clear flagged account storage", {
+					path: params.markerPath,
+					error: String(error),
+				});
+				throw error;
 			}
 		}
 	}
diff --git a/test/storage-flagged.test.ts b/test/storage-flagged.test.ts
@@ -292,7 +292,7 @@ describe("flagged account storage", () => {
 		unlinkSpy.mockRestore();
 	});
 
-	it("does not recover flagged backups when the primary file exists but read fails", async () => {
+	it("recovers flagged backups when the primary file exists but read fails", async () => {
 		await saveFlaggedAccounts({
 			version: 1,
 			accounts: [
@@ -334,7 +334,8 @@ describe("flagged account storage", () => {
 			});
 
 		const flagged = await loadFlaggedAccounts();
-		expect(flagged.accounts).toHaveLength(0);
+		expect(flagged.accounts).toHaveLength(1);
+		expect(flagged.accounts[0]?.refreshToken).toBe("primary-flagged");
 		expect(existsSync(flaggedPath)).toBe(true);
 
 		readSpy.mockRestore();
diff --git a/test/storage-recovery-paths.test.ts b/test/storage-recovery-paths.test.ts
@@ -6,6 +6,7 @@ import { tmpdir } from "node:os";
 import { removeWithRetry } from "./helpers/remove-with-retry.js";
 import {
 	loadAccounts,
+	loadFlaggedAccounts,
 	getBackupMetadata,
 	saveAccounts,
 	setStorageBackupEnabled,
@@ -109,6 +110,55 @@ describe("storage recovery paths", () => {
 		expect(persisted.accounts?.[0]?.accountId).toBe("from-backup");
 	});
 
+	it("recovers flagged accounts from backup file when primary storage is missing", async () => {
+		const flaggedPath = join(workDir, "openai-codex-flagged-accounts.json");
+		await fs.writeFile(
+			`${flaggedPath}.bak`,
+			JSON.stringify({
+				version: 1,
+				accounts: [
+					{
+						refreshToken: "flagged-refresh",
+						email: "flagged@example.com",
+						addedAt: 7,
+						lastUsed: 7,
+						flaggedAt: 7,
+					},
+				],
+			}),
+			"utf-8",
+		);
+
+		const recovered = await loadFlaggedAccounts();
+		expect(recovered.accounts).toHaveLength(1);
+		expect(recovered.accounts[0]?.email).toBe("flagged@example.com");
+	});
+
+	it("recovers flagged accounts from backup file when primary storage is unreadable", async () => {
+		const flaggedPath = join(workDir, "openai-codex-flagged-accounts.json");
+		await fs.writeFile(flaggedPath, "{broken-primary", "utf-8");
+		await fs.writeFile(
+			`${flaggedPath}.bak`,
+			JSON.stringify({
+				version: 1,
+				accounts: [
+					{
+						refreshToken: "flagged-refresh-2",
+						email: "flagged2@example.com",
+						addedAt: 8,
+						lastUsed: 8,
+						flaggedAt: 8,
+					},
+				],
+			}),
+			"utf-8",
+		);
+
+		const recovered = await loadFlaggedAccounts();
+		expect(recovered.accounts).toHaveLength(1);
+		expect(recovered.accounts[0]?.email).toBe("flagged2@example.com");
+	});
+
 	it("falls back to historical backup snapshots when the latest backup is unreadable", async () => {
 		await fs.writeFile(storagePath, "{broken-primary", "utf-8");
 		await fs.writeFile(`${storagePath}.bak`, "{broken-latest-backup", "utf-8");
