server: add status REST API polling endpoint

tsuckow · tsuckow · commit f7ea173045de · 2026-04-06T01:16:24.000Z
diff --git a/crates/bonded-server/src/status.rs b/crates/bonded-server/src/status.rs
@@ -3,7 +3,8 @@ use crate::frame_forwarder::{
     UdpSessionTracker,
 };
 use crate::session_registry::SessionRegistry;
-use tokio::io::AsyncWriteExt;
+use serde_json::json;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpListener;
 use tracing::{error, info};
 
@@ -26,21 +27,67 @@ pub async fn run_status_server(
             }
         };
 
-        let page = render_status_page(
-            &sessions,
-            &udp_tracker.snapshot(),
-            &tcp_tracker.snapshot(),
-            &icmp_tracker.snapshot(),
-        );
-        let response = format!(
-            "HTTP/1.1 200 OK\r\ncontent-type: text/html; charset=utf-8\r\ncache-control: no-store\r\ncontent-length: {}\r\nconnection: close\r\n\r\n{}",
-            page.len(),
-            page
-        );
-
-        if let Err(err) = stream.write_all(response.as_bytes()).await {
-            error!(peer = %peer, error = %err, "failed to write status response");
-        }
+        let sessions = sessions.clone();
+        let udp_tracker = udp_tracker.clone();
+        let tcp_tracker = tcp_tracker.clone();
+        let icmp_tracker = icmp_tracker.clone();
+
+        tokio::spawn(async move {
+            // Drain the request so the kernel can send FIN instead of RST.
+            let mut request = Vec::with_capacity(1024);
+            let mut buf = [0u8; 1024];
+            loop {
+                match stream.read(&mut buf).await {
+                    Ok(0) | Err(_) => break,
+                    Ok(n) => {
+                        request.extend_from_slice(&buf[..n]);
+                        // HTTP headers end with \r\n\r\n; stop reading once seen.
+                        if request.windows(4).any(|w| w == b"\r\n\r\n") || request.len() >= 8192 {
+                            break;
+                        }
+                    }
+                }
+            }
+
+            let target = parse_request_target(&request).unwrap_or("/");
+            let udp_flows = udp_tracker.snapshot();
+            let tcp_flows = tcp_tracker.snapshot();
+            let icmp_probes = icmp_tracker.snapshot();
+
+            let (status_line, content_type, body) = match target {
+                "/" => (
+                    "200 OK",
+                    "text/html; charset=utf-8",
+                    render_status_page(&sessions, &udp_flows, &tcp_flows, &icmp_probes),
+                ),
+                "/api/status" => (
+                    "200 OK",
+                    "application/json; charset=utf-8",
+                    render_status_json(&sessions, &udp_flows, &tcp_flows, &icmp_probes),
+                ),
+                _ => (
+                    "404 Not Found",
+                    "text/plain; charset=utf-8",
+                    "not found".to_owned(),
+                ),
+            };
+
+            let body_bytes = body.as_bytes();
+            let response = format!(
+                "HTTP/1.1 {}\r\ncontent-type: {}\r\ncache-control: no-store\r\ncontent-length: {}\r\nconnection: close\r\n\r\n{}",
+                status_line,
+                content_type,
+                body_bytes.len(),
+                body
+            );
+
+            if let Err(err) = stream.write_all(response.as_bytes()).await {
+                error!(peer = %peer, error = %err, "failed to write status response");
+                return;
+            }
+            let _ = stream.flush().await;
+            let _ = stream.shutdown().await;
+        });
     }
 }
 
@@ -114,12 +161,11 @@ fn render_status_page(
         .join("\n");
 
     format!(
-        "<!doctype html>
+        r#"<!doctype html>
 <html>
 <head>
-<meta charset=\"utf-8\" />
-<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />
-<meta http-equiv=\"refresh\" content=\"2\" />
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>Bonded Server Status</title>
 <style>
 body {{ font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; margin: 24px; background: #f8fafc; color: #111827; }}
@@ -133,37 +179,101 @@ small {{ color: #6b7280; }}
 </head>
 <body>
 <h1>Bonded Server Status</h1>
-<small>Auto-refreshes every 2 seconds.</small>
-<div class=\"card\">
-<h2>Authenticated Sessions ({})</h2>
+<small>Live updates every 2 seconds via <code>/api/status</code>.</small>
+<div class="card">
+<h2 id="sessions-title">Authenticated Sessions ({})</h2>
 <table>
 <thead><tr><th>Session ID</th><th>Client Key</th></tr></thead>
-<tbody>{}</tbody>
+<tbody id="sessions-body">{}</tbody>
 </table>
 </div>
-<div class=\"card\">
-<h2>Active UDP Flows ({})</h2>
+<div class="card">
+<h2 id="udp-title">Active UDP Flows ({})</h2>
 <table>
 <thead><tr><th>Session ID</th><th>Client Source</th><th>Remote Target</th><th>Server UDP Socket</th><th>Created</th><th>Last Client Packet</th><th>Last Remote Packet</th></tr></thead>
-<tbody>{}</tbody>
+<tbody id="udp-body">{}</tbody>
 </table>
 </div>
-<div class=\"card\">
-<h2>Active TCP Flows ({})</h2>
+<div class="card">
+<h2 id="tcp-title">Active TCP Flows ({})</h2>
 <table>
 <thead><tr><th>Session ID</th><th>Client Source</th><th>Remote Target</th><th>Created</th><th>Last Activity</th></tr></thead>
-<tbody>{}</tbody>
+<tbody id="tcp-body">{}</tbody>
 </table>
 </div>
-<div class=\"card\">
-<h2>Recent ICMP Probes ({})</h2>
+<div class="card">
+<h2 id="icmp-title">Recent ICMP Probes ({})</h2>
 <table>
 <thead><tr><th>Session ID</th><th>Client Source</th><th>Remote Target</th><th>Echo ID</th><th>Seq</th><th>Outcome</th><th>Observed</th></tr></thead>
-<tbody>{}</tbody>
+<tbody id="icmp-body">{}</tbody>
 </table>
 </div>
+<script>
+const el = (id) => document.getElementById(id);
+const escapeHtml = (value) => String(value)
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#x27;");
+
+function setRows(id, rows, emptyMessage, columns) {{
+    if (!rows.length) {{
+        el(id).innerHTML = `<tr><td colspan="${{columns}}">${{escapeHtml(emptyMessage)}}</td></tr>`;
+        return;
+    }}
+    el(id).innerHTML = rows.join("\n");
+}}
+
+function render(data) {{
+    el("sessions-title").textContent = `Authenticated Sessions (${{data.sessions_count}})`;
+    el("udp-title").textContent = `Active UDP Flows (${{data.udp_flows_count}})`;
+    el("tcp-title").textContent = `Active TCP Flows (${{data.tcp_flows_count}})`;
+    el("icmp-title").textContent = `Recent ICMP Probes (${{data.icmp_probes_count}})`;
+
+    setRows(
+        "sessions-body",
+        data.sessions.map((entry) => `<tr><td>${{escapeHtml(entry.session_id)}}</td><td>${{escapeHtml(entry.client_key_abbrev)}}</td></tr>`),
+        "No active authenticated sessions.",
+        2
+    );
+    setRows(
+        "udp-body",
+        data.udp_flows.map((entry) => `<tr><td>${{escapeHtml(entry.session_id)}}</td><td>${{escapeHtml(entry.client_src)}}</td><td>${{escapeHtml(entry.client_dst)}}</td><td>${{escapeHtml(entry.bound_socket)}}</td><td>${{escapeHtml(entry.created_ago)}}</td><td>${{escapeHtml(entry.last_client_ago)}}</td><td>${{escapeHtml(entry.last_remote_ago ?? "never")}}</td></tr>`),
+        "No active UDP flows.",
+        7
+    );
+    setRows(
+        "tcp-body",
+        data.tcp_flows.map((entry) => `<tr><td>${{escapeHtml(entry.session_id)}}</td><td>${{escapeHtml(entry.client_src)}}</td><td>${{escapeHtml(entry.client_dst)}}</td><td>${{escapeHtml(entry.created_ago)}}</td><td>${{escapeHtml(entry.last_activity_ago)}}</td></tr>`),
+        "No active TCP flows.",
+        5
+    );
+    setRows(
+        "icmp-body",
+        data.icmp_probes.map((entry) => `<tr><td>${{escapeHtml(entry.session_id)}}</td><td>${{escapeHtml(entry.client_src)}}</td><td>${{escapeHtml(entry.client_dst)}}</td><td>${{escapeHtml(entry.echo_identifier)}}</td><td>${{escapeHtml(entry.echo_sequence)}}</td><td>${{escapeHtml(entry.outcome)}}</td><td>${{escapeHtml(entry.observed_ago)}}</td></tr>`),
+        "No recent ICMP probes.",
+        7
+    );
+}}
+
+async function refresh() {{
+    try {{
+        const response = await fetch("/api/status", {{ cache: "no-store" }});
+        if (!response.ok) {{
+            return;
+        }}
+        const data = await response.json();
+        render(data);
+    }} catch (_) {{
+        // Keep the last rendered state on transient failures.
+    }}
+}}
+
+setInterval(refresh, 2000);
+</script>
 </body>
-</html>",
+</html>"#,
         sessions.active_sessions(),
         if session_rows.is_empty() {
             "<tr><td colspan=\"2\">No active authenticated sessions.</td></tr>".to_owned()
@@ -191,6 +301,89 @@ small {{ color: #6b7280; }}
     )
 }
 
+fn render_status_json(
+    sessions: &SessionRegistry,
+    udp_flows: &[UdpFlowSnapshot],
+    tcp_flows: &[TcpFlowSnapshot],
+    icmp_probes: &[IcmpProbeSnapshot],
+) -> String {
+    let sessions = sessions
+        .snapshot()
+        .into_iter()
+        .map(|entry| {
+            json!({
+                "session_id": entry.session_id,
+                "client_key": entry.client_key,
+                "client_key_abbrev": abbreviate_key(&entry.client_key),
+            })
+        })
+        .collect::<Vec<_>>();
+
+    let udp_flows = udp_flows
+        .iter()
+        .map(|entry| {
+            json!({
+                "session_id": entry.session_id,
+                "client_src": entry.client_src,
+                "client_dst": entry.client_dst,
+                "bound_socket": entry.bound_socket,
+                "created_ago": entry.created_ago,
+                "last_client_ago": entry.last_client_ago,
+                "last_remote_ago": entry.last_remote_ago,
+            })
+        })
+        .collect::<Vec<_>>();
+
+    let tcp_flows = tcp_flows
+        .iter()
+        .map(|entry| {
+            json!({
+                "session_id": entry.session_id,
+                "client_src": entry.client_src,
+                "client_dst": entry.client_dst,
+                "created_ago": entry.created_ago,
+                "last_activity_ago": entry.last_activity_ago,
+            })
+        })
+        .collect::<Vec<_>>();
+
+    let icmp_probes = icmp_probes
+        .iter()
+        .take(64)
+        .map(|entry| {
+            json!({
+                "session_id": entry.session_id,
+                "client_src": entry.client_src,
+                "client_dst": entry.client_dst,
+                "echo_identifier": entry.echo_identifier,
+                "echo_sequence": entry.echo_sequence,
+                "outcome": entry.outcome,
+                "observed_ago": entry.observed_ago,
+            })
+        })
+        .collect::<Vec<_>>();
+
+    json!({
+        "sessions_count": sessions.len(),
+        "udp_flows_count": udp_flows.len(),
+        "tcp_flows_count": tcp_flows.len(),
+        "icmp_probes_count": icmp_probes.len(),
+        "sessions": sessions,
+        "udp_flows": udp_flows,
+        "tcp_flows": tcp_flows,
+        "icmp_probes": icmp_probes,
+    })
+    .to_string()
+}
+
+fn parse_request_target(request: &[u8]) -> Option<&str> {
+    let request = std::str::from_utf8(request).ok()?;
+    let request_line = request.lines().next()?;
+    let mut parts = request_line.split_whitespace();
+    let _method = parts.next()?;
+    parts.next()
+}
+
 fn escape_html(value: &str) -> String {
     value
         .replace('&', "&amp;")
diff --git a/docs/design/implementation-plan.md b/docs/design/implementation-plan.md
@@ -1,7 +1,7 @@
 # Implementation Plan — Server, Linux Client, Android Client
 
 **Status:** In Progress
-**Last Updated:** 2026-04-06 (session 23)
+**Last Updated:** 2026-04-06 (session 24)
 
 This is a living document. Update the status column and notes as work progresses.
 
@@ -267,7 +267,7 @@ Build the server binary on top of `bonded-core`.
 | 2.14 | Rust-only localhost E2E HTTP diagnostic harness | completed | Added ignored/manual `bonded-server` integration test that boots `run_server` on localhost, resolves `example.com`, drives synthetic IPv4 TCP handshake + HTTP GET over packet relay, and asserts a valid HTTP status line in returned payload |
 | 2.15 | Rust-only localhost E2E SMTP diagnostic harness | completed | Added ignored/manual `bonded-server` integration test that boots `run_server` on localhost, resolves `smtp.gmail.com:587`, drives synthetic IPv4 TCP handshake, sends SMTP `EHLO` and `QUIT`, and asserts SMTP reply codes in returned payload |
 | 2.16 | UDP flow sessions with idle timeout and async return path | completed | Replaced one-shot UDP forwarding with per-session flow table keyed by 4-tuple; each flow now uses a persistent connected ephemeral UDP socket, stays alive for 4 minutes since last client packet, and forwards all upstream UDP packets back to the client asynchronously while active |
-| 2.17 | Status webpage endpoint for live connection state | completed | Added dedicated status listener (`status_bind`, env override `BONDED_STATUS_BIND`) that serves a live HTML page showing authenticated sessions, active UDP/TCP flows, and recent ICMP probe outcomes for runtime diagnostics |
+| 2.17 | Status webpage endpoint for live connection state | completed | Added dedicated status listener (`status_bind`, env override `BONDED_STATUS_BIND`) with a live HTML dashboard and `/api/status` JSON endpoint; the page now polls REST data every 2s instead of full-page refreshes, while showing authenticated sessions, active UDP/TCP flows, and recent ICMP probe outcomes |
 
 Acceptance gate:
 
