upfynai-code 3.0.2 → 3.0.4

package/server/browser.js

@@ -0,0 +1,131 @@
+/**
+ * Browser Client — connects the backend to the Steel browser service on Railway.
+ * All browser operations are proxied to the Steel service via HTTP.
+ * Mirrors the sandbox.js client pattern.
+ */
+
+const BROWSER_SERVICE_URL = process.env.BROWSER_SERVICE_URL || 'http://localhost:4400';
+const BROWSER_SERVICE_SECRET = process.env.BROWSER_SERVICE_SECRET || '';
+
+// Warn if no secret in production — inter-service calls will be unauthenticated
+if (!BROWSER_SERVICE_SECRET && process.env.NODE_ENV === 'production') {
+  console.error('[browser] WARNING: BROWSER_SERVICE_SECRET not set — browser service calls are unauthenticated');
+}
+
+async function browserFetch(path, userId, body = null, method = null) {
+  const opts = {
+    method: method || (body ? 'POST' : 'GET'),
+    headers: {
+      'Content-Type': 'application/json',
+      'x-browser-secret': BROWSER_SERVICE_SECRET,
+      'x-user-id': String(userId),
+    },
+  };
+  if (body) opts.body = JSON.stringify(body);
+
+  const res = await fetch(`${BROWSER_SERVICE_URL}${path}`, opts);
+  const data = await res.json();
+  if (!res.ok) throw new Error(data.error || data.message || `Browser service error: ${res.status}`);
+  return data;
+}
+
+const browserClient = {
+
+  /**
+   * Check if the browser service is reachable.
+   */
+  async isAvailable() {
+    try {
+      const res = await fetch(`${BROWSER_SERVICE_URL}/api/health`, {
+        signal: AbortSignal.timeout(3000),
+      });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  },
+
+  /**
+   * Create a new browser session.
+   * Returns: { id, wsEndpoint, debugUrl, sessionViewerUrl, ... }
+   */
+  async createSession(userId, options = {}) {
+    const sessionOpts = {
+      sessionTimeout: options.timeout || 1800000, // 30 min default
+      blockAds: options.blockAds !== false,
+      solveCaptchas: options.solveCaptchas || false,
+      useProxy: options.useProxy || false,
+      dimensions: options.dimensions || { width: 1280, height: 800 },
+      userAgent: options.userAgent || undefined,
+      // Tag with userId for isolation
+      sessionContext: {
+        userId: String(userId),
+        createdAt: new Date().toISOString(),
+      },
+    };
+
+    return browserFetch('/v1/sessions', userId, sessionOpts);
+  },
+
+  /**
+   * Get session details.
+   */
+  async getSession(userId, sessionId) {
+    return browserFetch(`/v1/sessions/${sessionId}`, userId);
+  },
+
+  /**
+   * Release (close) a browser session.
+   */
+  async releaseSession(userId, sessionId) {
+    return browserFetch(`/v1/sessions/${sessionId}/release`, userId, {}, 'POST');
+  },
+
+  /**
+   * List active sessions.
+   */
+  async listSessions(userId) {
+    return browserFetch('/v1/sessions', userId);
+  },
+
+  /**
+   * Get the session viewer URL for embedding in an iframe.
+   * Steel's built-in viewer provides an interactive browser view.
+   */
+  getSessionViewerUrl(sessionId) {
+    return `${BROWSER_SERVICE_URL}/v1/sessions/${sessionId}/viewer?interactive=true&showControls=true`;
+  },
+
+  /**
+   * Get the CDP WebSocket URL for connecting Stagehand/Playwright.
+   */
+  getCdpWsUrl(sessionId) {
+    const wsBase = BROWSER_SERVICE_URL.replace(/^http/, 'ws');
+    return `${wsBase}?sessionId=${sessionId}`;
+  },
+
+  /**
+   * Capture a screenshot of the current page.
+   */
+  async screenshot(userId, sessionId) {
+    return browserFetch(`/v1/sessions/${sessionId}/screenshot`, userId, {});
+  },
+
+  /**
+   * Scrape a URL — returns page content.
+   */
+  async scrape(userId, sessionId, url) {
+    return browserFetch('/v1/scrape', userId, { url, sessionId });
+  },
+
+  /**
+   * Get the sandbox dev server URL that the browser can reach internally.
+   * The sandbox and browser share Railway's internal network.
+   */
+  getSandboxPreviewUrl(userId, port) {
+    const sandboxUrl = process.env.SANDBOX_SERVICE_URL || 'http://localhost:4300';
+    return `${sandboxUrl}/proxy/${userId}/${port}`;
+  },
+};
+
+export { browserClient, BROWSER_SERVICE_URL, BROWSER_SERVICE_SECRET };

package/server/database/db.js

@@ -13,10 +13,12 @@ try {
   try {
     const DatabaseMod = await import('libsql');
     const Database = DatabaseMod.default || DatabaseMod;
-    createClient = function createLocalClient({ url }) {
-      const dbPath = url.replace(/^file:/, '');
-      const sqliteDb = new Database(dbPath);
-      sqliteDb.pragma('journal_mode = WAL');
+    createClient = function createLocalClient({ url, authToken }) {
+      const isRemote = url.startsWith('libsql://') || url.startsWith('https://');
+      const dbPath = isRemote ? url : url.replace(/^file:/, '');
+      const sqliteDb = authToken ? new Database(dbPath, { authToken }) : new Database(dbPath);
+      // WAL mode only for local files, not remote Turso
+      if (!isRemote) sqliteDb.pragma('journal_mode = WAL');
       return {
         execute: async (query) => {
           const sql = typeof query === 'string' ? query : query.sql;
@@ -413,6 +415,22 @@ CREATE TABLE IF NOT EXISTS voice_calls (
 
 CREATE INDEX IF NOT EXISTS idx_voice_calls_user ON voice_calls(user_id);
 CREATE INDEX IF NOT EXISTS idx_voice_calls_vapi ON voice_calls(vapi_call_id);
+
+CREATE TABLE IF NOT EXISTS browser_sessions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    steel_session_id TEXT NOT NULL UNIQUE,
+    status TEXT NOT NULL DEFAULT 'active',
+    viewer_url TEXT,
+    cdp_url TEXT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    last_accessed DATETIME DEFAULT CURRENT_TIMESTAMP,
+    metadata TEXT DEFAULT '{}',
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_browser_sessions_user ON browser_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_browser_sessions_status ON browser_sessions(status);
 `;
 
 // ─── Migrations ─────────────────────────────────────────────────────────────────
@@ -510,6 +528,15 @@ const runMigrations = async () => {
       }
     } catch { /* column may already exist */ }
 
+    // Add github_origin column to user_projects if missing
+    try {
+      const upCols = await db.execute("PRAGMA table_info(user_projects)");
+      const upColNames = upCols.rows.map(r => r.name);
+      if (!upColNames.includes('github_origin')) {
+        await db.execute('ALTER TABLE user_projects ADD COLUMN github_origin TEXT');
+      }
+    } catch { /* column may already exist */ }
+
     console.log(`${c.info('[DB]')} Migrations complete`);
   } catch (error) {
     console.error('Migration error:', error.message);
@@ -1305,21 +1332,26 @@ const resetTokenDb = {
 // ─── Projects DB (cloud mode) ─────────────────────────────────────────────────
 
 const projectDb = {
-  upsert: async (userId, originalPath, displayName = null) => {
+  upsert: async (userId, originalPath, displayName = null, githubOrigin = null) => {
     const projectName = originalPath.replace(/[\\/:\s~_]/g, '-');
     const existing = await db.execute({
       sql: 'SELECT id FROM user_projects WHERE user_id = ? AND original_path = ?',
       args: [userId, originalPath]
     });
     if (existing.rows.length > 0) {
-      if (displayName) {
-        await db.execute({ sql: 'UPDATE user_projects SET display_name = ? WHERE id = ?', args: [displayName, existing.rows[0].id] });
+      if (displayName || githubOrigin) {
+        const updates = [];
+        const args = [];
+        if (displayName) { updates.push('display_name = ?'); args.push(displayName); }
+        if (githubOrigin) { updates.push('github_origin = ?'); args.push(githubOrigin); }
+        args.push(existing.rows[0].id);
+        await db.execute({ sql: `UPDATE user_projects SET ${updates.join(', ')} WHERE id = ?`, args });
       }
       return { id: Number(existing.rows[0].id), projectName, originalPath, alreadyExists: true };
     }
     const result = await db.execute({
-      sql: 'INSERT INTO user_projects (user_id, project_name, original_path, display_name) VALUES (?, ?, ?, ?)',
-      args: [userId, projectName, originalPath, displayName]
+      sql: 'INSERT INTO user_projects (user_id, project_name, original_path, display_name, github_origin) VALUES (?, ?, ?, ?, ?)',
+      args: [userId, projectName, originalPath, displayName, githubOrigin]
     });
     return { id: Number(result.lastInsertRowid), projectName, originalPath };
   },
@@ -1346,6 +1378,14 @@ const projectDb = {
       args: [displayName, userId, originalPath]
     });
     return result.rowsAffected > 0;
+  },
+
+  getByName: async (userId, projectName) => {
+    const result = await db.execute({
+      sql: 'SELECT * FROM user_projects WHERE user_id = ? AND project_name = ?',
+      args: [userId, projectName]
+    });
+    return result.rows[0] || null;
   }
 };
 
@@ -1446,4 +1486,62 @@ const voiceCallDb = {
   },
 };
 
-export { db, initializeDatabase, userDb, apiKeysDb, credentialsDb, relayTokensDb, githubTokensDb, subscriptionDb, paymentDb, webhookDb, workflowDb, fileVersionDb, sessionUsageDb, connectionDb, canvasDb, resetTokenDb, projectDb, voiceCallDb, PLAN_DURATIONS };
+// ─── Browser Sessions DB ─────────────────────────────────────────────────────
+
+const browserSessionDb = {
+  create: async (userId, steelSessionId, viewerUrl = null, cdpUrl = null, metadata = {}) => {
+    const result = await db.execute({
+      sql: 'INSERT INTO browser_sessions (user_id, steel_session_id, viewer_url, cdp_url, metadata) VALUES (?, ?, ?, ?, ?)',
+      args: [userId, steelSessionId, viewerUrl, cdpUrl, JSON.stringify(metadata)]
+    });
+    return { id: Number(result.lastInsertRowid), steelSessionId };
+  },
+
+  getActive: async (userId) => {
+    const result = await db.execute({
+      sql: "SELECT * FROM browser_sessions WHERE user_id = ? AND status = 'active' ORDER BY created_at DESC LIMIT 1",
+      args: [userId]
+    });
+    return getRow(result);
+  },
+
+  getBySessionId: async (userId, steelSessionId) => {
+    const result = await db.execute({
+      sql: 'SELECT * FROM browser_sessions WHERE user_id = ? AND steel_session_id = ?',
+      args: [userId, steelSessionId]
+    });
+    return getRow(result);
+  },
+
+  updateAccess: async (userId, steelSessionId) => {
+    await db.execute({
+      sql: "UPDATE browser_sessions SET last_accessed = datetime('now') WHERE user_id = ? AND steel_session_id = ?",
+      args: [userId, steelSessionId]
+    });
+  },
+
+  deactivate: async (userId, steelSessionId) => {
+    await db.execute({
+      sql: "UPDATE browser_sessions SET status = 'closed' WHERE user_id = ? AND steel_session_id = ?",
+      args: [userId, steelSessionId]
+    });
+  },
+
+  listByUser: async (userId) => {
+    const result = await db.execute({
+      sql: 'SELECT * FROM browser_sessions WHERE user_id = ? ORDER BY created_at DESC LIMIT 20',
+      args: [userId]
+    });
+    return result.rows;
+  },
+
+  cleanupStale: async (maxAgeMinutes = 30) => {
+    const result = await db.execute({
+      sql: `UPDATE browser_sessions SET status = 'expired' WHERE status = 'active' AND last_accessed < datetime('now', '-' || ? || ' minutes')`,
+      args: [maxAgeMinutes]
+    });
+    return result.rowsAffected || 0;
+  },
+};
+
+export { db, initializeDatabase, userDb, apiKeysDb, credentialsDb, relayTokensDb, githubTokensDb, subscriptionDb, paymentDb, webhookDb, workflowDb, fileVersionDb, sessionUsageDb, connectionDb, canvasDb, resetTokenDb, projectDb, voiceCallDb, browserSessionDb, PLAN_DURATIONS };

package/server/index.js

@@ -88,6 +88,7 @@ import keysRoutes from './routes/keys.js';
 import assistantRoutes from './routes/vapi-chat.js';
 import canvasRoutes from './routes/canvas.js';
 import composioRoutes from './routes/composio.js';
+import browserRoutes from './routes/browser.js';
 import sessionRoutes from './routes/sessions.js';
 import { handleSandboxWebSocketCommand } from './middleware/sandboxRouter.js';
 import { createRelayMiddleware } from './middleware/relayHelpers.js';
@@ -582,13 +583,8 @@ app.locals.wss = wss;
 // Security headers — protect against common web attacks
 app.use((req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
-  // Allow framing from our own frontend domains (Vercel embeds Railway in an iframe)
-  const allowedFrameOrigins = (process.env.CORS_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
-  if (allowedFrameOrigins.length > 0) {
-    res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${allowedFrameOrigins.join(' ')}`);
-  } else {
-    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
-  }
+  // No iframe embedding — app is served directly via Vercel reverse proxy
+  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
   res.setHeader('X-XSS-Protection', '1; mode=block');
   res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
   if (process.env.NODE_ENV === 'production') {
@@ -752,6 +748,7 @@ app.use('/api/keys', authenticateToken, keysRoutes);
 app.use('/api/assistant', assistantRoutes);
 app.use('/api/canvas', authenticateToken, canvasRoutes);
 app.use('/api/composio', authenticateToken, composioRoutes);
+app.use('/api/browser', authenticateToken, browserRoutes);
 app.use('/api/vapi', assistantRoutes); // Alias: VAPI dashboard webhook points to /api/vapi/webhook
 
 // Voice call history endpoints (per-user isolated)
@@ -912,7 +909,7 @@ app.post('/api/system/update', authenticateToken, async (req, res) => {
         if (IS_LOCAL) {
             // Self-hosted: run locally
             const { execSync } = await import('child_process');
-            const output = execSync('npm install -g upfynai-code@latest', { encoding: 'utf8', timeout: 120000 });
+            const output = execSync('npm install -g @upfynai-code/app@latest', { encoding: 'utf8', timeout: 120000 });
             res.json({ output, exitCode: 0 });
         } else {
             // Platform mode: server is managed by Railway, no user action needed
@@ -1084,12 +1081,12 @@ app.get('/api/auth/connection-status', authenticateToken, async (req, res) => {
 // Serve public files (like api-docs.html)
 app.use(express.static(path.join(__dirname, '../client/public')));
 
-// Static files served after API routes
-// Add cache control: HTML files should not be cached, but assets can be cached
-app.use(express.static(path.join(__dirname, '../client/dist'), {
+// Static files served after API routes at /app/ prefix
+// Assets are built with Vite base: '/app/' so all URLs are /app/assets/...
+app.use('/app', express.static(path.join(__dirname, '../client/dist'), {
+  index: false, // Don't serve index.html directly — catch-all injects runtime config
   setHeaders: (res, filePath) => {
     if (filePath.endsWith('.html')) {
-      // Prevent HTML caching to avoid service worker issues after builds
       res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
       res.setHeader('Pragma', 'no-cache');
       res.setHeader('Expires', '0');
@@ -3605,13 +3602,12 @@ app.get('/api/projects/:projectName/sessions/:sessionId/token-usage', authentica
   }
 });
 
-// Serve React app for all other routes (excluding static files and API routes)
-app.get('*', (req, res) => {
-  // Skip API routes — they should be handled by their own routers
-  if (req.path.startsWith('/api/') || req.path === '/mcp' || req.path === '/relay' || req.path === '/health') {
-    return res.status(404).json({ error: 'Not found' });
-  }
-  // Skip requests for static assets (files with extensions)
+// Root redirect → /app/
+app.get('/', (req, res) => res.redirect('/app/'));
+
+// Serve React app for /app/* routes (SPA catch-all)
+app.get('/app/*', (req, res) => {
+  // Skip requests for static assets (files with extensions) — already handled by express.static
   if (path.extname(req.path)) {
     return res.status(404).send('Not found');
   }
@@ -3623,12 +3619,14 @@ app.get('*', (req, res) => {
       const decoded = jwt.verify(req.query.token, JWT_SECRET);
       if (decoded?.userId) {
         const isSecure = process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT;
+        const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
         res.cookie('session', req.query.token, {
           httpOnly: true,
           secure: isSecure,
-          sameSite: isSecure ? 'none' : 'strict',
+          sameSite: isSecure ? 'lax' : 'strict',
           maxAge: 30 * 24 * 60 * 60 * 1000,
           path: '/',
+          ...(isSecure && cookieDomain ? { domain: cookieDomain } : {}),
         });
       }
     } catch (e) {
@@ -3636,27 +3634,28 @@ app.get('*', (req, res) => {
     }
   }
 
-  // Only serve index.html for HTML routes, not for static assets
-  // Static assets should already be handled by express.static middleware above
   const indexPath = path.join(__dirname, '../client/dist/index.html');
 
-  // Check if dist/index.html exists (production build available)
   if (fs.existsSync(indexPath)) {
     // Set no-cache headers for HTML to prevent service worker issues
     res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
     res.setHeader('Pragma', 'no-cache');
     res.setHeader('Expires', '0');
 
-    // Inject runtime config so the frontend knows the server mode
-    // (VITE_IS_PLATFORM is a build-time var that may not match the runtime)
+    // Inject runtime config so the frontend knows the server mode and base path
     let html = fs.readFileSync(indexPath, 'utf8');
-    const runtimeConfig = JSON.stringify({ isPlatform: IS_PLATFORM, isLocal: IS_LOCAL });
+    const runtimeConfig = JSON.stringify({
+      isPlatform: IS_PLATFORM,
+      isLocal: IS_LOCAL,
+      basename: '/app',
+      wsUrl: process.env.APP_WS_URL || '',
+    });
     html = html.replace('</head>', `<script>window.__UPFYN_CONFIG__=${runtimeConfig}</script>\n</head>`);
     res.setHeader('Content-Type', 'text/html; charset=utf-8');
     res.send(html);
   } else {
-    // In development, redirect to Vite dev server only if dist doesn't exist
-    res.redirect(`http://localhost:${process.env.VITE_PORT || 5173}`);
+    // In development, redirect to Vite dev server
+    res.redirect(`http://localhost:${process.env.VITE_PORT || 5173}/app/`);
   }
 });
 

package/server/middleware/auth.js

@@ -88,14 +88,17 @@ const generateToken = (user) => {
 // Cookie config for httpOnly session
 // Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
 const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
+const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
 const COOKIE_OPTIONS = {
   httpOnly: true,
   secure: isSecureEnv,
-  // 'none' required for cross-origin iframe embedding (Vercel frontend → Railway backend)
+  // 'lax' — Vercel reverse-proxies to Railway (same domain from browser's perspective)
   // 'strict' used in local/dev mode where everything is same-origin
-  sameSite: isSecureEnv ? 'none' : 'strict',
+  sameSite: isSecureEnv ? 'lax' : 'strict',
   maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
   path: '/',
+  // Set domain for cross-subdomain cookie sharing (e.g., '.upfyn.com')
+  ...(isSecureEnv && cookieDomain ? { domain: cookieDomain } : {}),
 };
 
 // Set session cookie on response