sexy/packages/backend/src/index.ts

import Fastify, { type FastifyRequest, type FastifyReply } from "fastify";
import fastifyCookie from "@fastify/cookie";
import fastifyCors from "@fastify/cors";
import fastifyMultipart from "@fastify/multipart";
import fastifyStatic from "@fastify/static";
import { createYoga } from "graphql-yoga";
import { eq } from "drizzle-orm";
import { files } from "./db/schema/index";
import path from "path";
import { existsSync, mkdirSync } from "fs";
import { writeFile, rm } from "fs/promises";
import sharp from "sharp";
import { schema } from "./graphql/index";
import { buildContext } from "./graphql/context";
import { db } from "./db/connection";
import { redis } from "./lib/auth";
import { logger } from "./lib/logger";
import { migrate } from "drizzle-orm/node-postgres/migrator";
import { startMailWorker } from "./queues/workers/mail";
import { startGamificationWorker } from "./queues/workers/gamification";

const PORT = parseInt(process.env.PORT || "4000");
const UPLOAD_DIR = process.env.UPLOAD_DIR || "/data/uploads";
const CORS_ORIGIN = process.env.CORS_ORIGIN || "http://localhost:3000";

async function main() {
  // Run pending DB migrations before starting the server
  const migrationsFolder = path.join(__dirname, "migrations");
  logger.info(`Running migrations from ${migrationsFolder}`);
  await migrate(db, { migrationsFolder });
  logger.info("Migrations complete");

  // Start background workers
  startMailWorker();
  startGamificationWorker();
  logger.info("Queue workers started");

  const fastify = Fastify({ loggerInstance: logger });

  await fastify.register(fastifyCookie, {
    secret: process.env.COOKIE_SECRET || "change-me-in-production",
  });

  await fastify.register(fastifyCors, {
    origin: CORS_ORIGIN,
    credentials: true,
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
  });

  await fastify.register(fastifyMultipart, {
    limits: {
      fileSize: 5 * 1024 * 1024 * 1024, // 5 GB
    },
  });

  // fastify-static provides reply.sendFile(); files are stored as <UPLOAD_DIR>/<id>/<filename>
  await fastify.register(fastifyStatic, {
    root: path.resolve(UPLOAD_DIR),
    prefix: "/assets/",
    serve: false, // disable auto-serving; we use a custom route below
    decorateReply: true,
  });

  const yoga = createYoga<{
    req: FastifyRequest;
    reply: FastifyReply;
    db: typeof db;
    redis: typeof redis;
  }>({
    schema,
    context: buildContext,
    graphqlEndpoint: "/graphql",
    healthCheckEndpoint: "/health",
    logging: {
      debug: (...args) => args.forEach((arg) => fastify.log.debug(arg)),
      info: (...args) => args.forEach((arg) => fastify.log.info(arg)),
      warn: (...args) => args.forEach((arg) => fastify.log.warn(arg)),
      error: (...args) => args.forEach((arg) => fastify.log.error(arg)),
    },
  });

  fastify.route({
    url: "/graphql",
    method: ["GET", "POST", "OPTIONS"],
    handler: (req, reply) =>
      yoga.handleNodeRequestAndResponse(req, reply, { req, reply, db, redis }),
  });

  // Transform presets — only banner/thumbnail force a crop; others preserve aspect ratio
  const TRANSFORMS: Record<string, { width: number; height?: number; fit?: "cover" | "inside" }> = {
    mini: { width: 80, height: 80, fit: "cover" },
    thumbnail: { width: 300, height: 300, fit: "cover" },
    preview: { width: 800, fit: "inside" },
    medium: { width: 1400, fit: "inside" },
    banner: { width: 1600, height: 480, fit: "cover" },
  };

  // Serve uploaded files: GET /assets/:id?transform=<preset>
  // Files are stored as <UPLOAD_DIR>/<id>/<filename> — look up filename in DB
  fastify.get("/assets/:id", async (request, reply) => {
    const { id } = request.params as { id: string };
    const { transform } = request.query as { transform?: string };

    const result = await db
      .select({ filename: files.filename, mime_type: files.mime_type })
      .from(files)
      .where(eq(files.id, id))
      .limit(1);

    if (!result[0]) return reply.status(404).send({ error: "File not found" });

    const { filename, mime_type } = result[0];
    reply.header("Cache-Control", "public, max-age=31536000, immutable");

    const preset = transform ? TRANSFORMS[transform] : null;
    if (preset && mime_type?.startsWith("image/")) {
      const cacheFile = path.join(UPLOAD_DIR, id, `${transform}.webp`);
      if (!existsSync(cacheFile)) {
        const originalPath = path.join(UPLOAD_DIR, id, filename);
        await sharp(originalPath)
          .resize({
            width: preset.width,
            height: preset.height,
            fit: preset.fit ?? "inside",
            withoutEnlargement: true,
          })
          .webp({ quality: 92 })
          .toFile(cacheFile);
      }
      reply.header("Content-Type", "image/webp");
      return reply.sendFile(path.join(id, `${transform}.webp`));
    }

    reply.header("Content-Type", mime_type);
    return reply.sendFile(path.join(id, filename));
  });

  // Upload a file: POST /upload (multipart, requires session)
  fastify.post("/upload", async (request, reply) => {
    const token = request.cookies["session_token"];
    if (!token) return reply.status(401).send({ error: "Unauthorized" });

    const sessionData = await redis.get(`session:${token}`);
    if (!sessionData) return reply.status(401).send({ error: "Unauthorized" });
    const { id: userId } = JSON.parse(sessionData);

    const data = await request.file();
    if (!data) return reply.status(400).send({ error: "No file provided" });

    const id = crypto.randomUUID();
    const filename = data.filename;
    const mime_type = data.mimetype;
    const dir = path.join(UPLOAD_DIR, id);

    mkdirSync(dir, { recursive: true });
    const buffer = await data.toBuffer();
    await writeFile(path.join(dir, filename), buffer);

    const [file] = await db
      .insert(files)
      .values({ id, filename, mime_type, filesize: buffer.byteLength, uploaded_by: userId })
      .returning();

    return reply.status(201).send(file);
  });

  // Delete a file: DELETE /assets/:id (requires session)
  fastify.delete("/assets/:id", async (request, reply) => {
    const token = request.cookies["session_token"];
    if (!token) return reply.status(401).send({ error: "Unauthorized" });

    const sessionData = await redis.get(`session:${token}`);
    if (!sessionData) return reply.status(401).send({ error: "Unauthorized" });

    const { id } = request.params as { id: string };
    const result = await db.select().from(files).where(eq(files.id, id)).limit(1);
    if (!result[0]) return reply.status(404).send({ error: "File not found" });

    await db.delete(files).where(eq(files.id, id));
    const dir = path.join(UPLOAD_DIR, id);
    await rm(dir, { recursive: true, force: true });

    return reply.status(200).send({ ok: true });
  });

  fastify.get("/health", async (_request, reply) => {
    return reply.send({ status: "ok", timestamp: new Date().toISOString() });
  });

  try {
    await fastify.listen({ port: PORT, host: "0.0.0.0" });
    fastify.log.info(`Backend running at http://0.0.0.0:${PORT}`);
    fastify.log.info(`GraphQL at http://0.0.0.0:${PORT}/graphql`);
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

main().catch((err) => {
  console.error("Fatal error:", err);
  process.exit(1);
});