upfynai-code 3.0.3 → 3.0.4

package/server/index.js

@@ -88,6 +88,7 @@ import keysRoutes from './routes/keys.js';
 import assistantRoutes from './routes/vapi-chat.js';
 import canvasRoutes from './routes/canvas.js';
 import composioRoutes from './routes/composio.js';
+import browserRoutes from './routes/browser.js';
 import sessionRoutes from './routes/sessions.js';
 import { handleSandboxWebSocketCommand } from './middleware/sandboxRouter.js';
 import { createRelayMiddleware } from './middleware/relayHelpers.js';
@@ -582,13 +583,8 @@ app.locals.wss = wss;
 // Security headers — protect against common web attacks
 app.use((req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
-  // Allow framing from our own frontend domains (Vercel embeds Railway in an iframe)
-  const allowedFrameOrigins = (process.env.CORS_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
-  if (allowedFrameOrigins.length > 0) {
-    res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${allowedFrameOrigins.join(' ')}`);
-  } else {
-    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
-  }
+  // No iframe embedding — app is served directly via Vercel reverse proxy
+  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
   res.setHeader('X-XSS-Protection', '1; mode=block');
   res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
   if (process.env.NODE_ENV === 'production') {
@@ -752,6 +748,7 @@ app.use('/api/keys', authenticateToken, keysRoutes);
 app.use('/api/assistant', assistantRoutes);
 app.use('/api/canvas', authenticateToken, canvasRoutes);
 app.use('/api/composio', authenticateToken, composioRoutes);
+app.use('/api/browser', authenticateToken, browserRoutes);
 app.use('/api/vapi', assistantRoutes); // Alias: VAPI dashboard webhook points to /api/vapi/webhook
 
 // Voice call history endpoints (per-user isolated)
@@ -912,7 +909,7 @@ app.post('/api/system/update', authenticateToken, async (req, res) => {
         if (IS_LOCAL) {
             // Self-hosted: run locally
             const { execSync } = await import('child_process');
-            const output = execSync('npm install -g upfynai-code@latest', { encoding: 'utf8', timeout: 120000 });
+            const output = execSync('npm install -g @upfynai-code/app@latest', { encoding: 'utf8', timeout: 120000 });
             res.json({ output, exitCode: 0 });
         } else {
             // Platform mode: server is managed by Railway, no user action needed
@@ -1084,12 +1081,12 @@ app.get('/api/auth/connection-status', authenticateToken, async (req, res) => {
 // Serve public files (like api-docs.html)
 app.use(express.static(path.join(__dirname, '../client/public')));
 
-// Static files served after API routes
-// Add cache control: HTML files should not be cached, but assets can be cached
-app.use(express.static(path.join(__dirname, '../client/dist'), {
+// Static files served after API routes at /app/ prefix
+// Assets are built with Vite base: '/app/' so all URLs are /app/assets/...
+app.use('/app', express.static(path.join(__dirname, '../client/dist'), {
+  index: false, // Don't serve index.html directly — catch-all injects runtime config
   setHeaders: (res, filePath) => {
     if (filePath.endsWith('.html')) {
-      // Prevent HTML caching to avoid service worker issues after builds
       res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
       res.setHeader('Pragma', 'no-cache');
       res.setHeader('Expires', '0');
@@ -3605,13 +3602,12 @@ app.get('/api/projects/:projectName/sessions/:sessionId/token-usage', authentica
   }
 });
 
-// Serve React app for all other routes (excluding static files and API routes)
-app.get('*', (req, res) => {
-  // Skip API routes — they should be handled by their own routers
-  if (req.path.startsWith('/api/') || req.path === '/mcp' || req.path === '/relay' || req.path === '/health') {
-    return res.status(404).json({ error: 'Not found' });
-  }
-  // Skip requests for static assets (files with extensions)
+// Root redirect → /app/
+app.get('/', (req, res) => res.redirect('/app/'));
+
+// Serve React app for /app/* routes (SPA catch-all)
+app.get('/app/*', (req, res) => {
+  // Skip requests for static assets (files with extensions) — already handled by express.static
   if (path.extname(req.path)) {
     return res.status(404).send('Not found');
   }
@@ -3623,12 +3619,14 @@ app.get('*', (req, res) => {
       const decoded = jwt.verify(req.query.token, JWT_SECRET);
       if (decoded?.userId) {
         const isSecure = process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT;
+        const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
         res.cookie('session', req.query.token, {
           httpOnly: true,
           secure: isSecure,
-          sameSite: isSecure ? 'none' : 'strict',
+          sameSite: isSecure ? 'lax' : 'strict',
           maxAge: 30 * 24 * 60 * 60 * 1000,
           path: '/',
+          ...(isSecure && cookieDomain ? { domain: cookieDomain } : {}),
         });
       }
     } catch (e) {
@@ -3636,27 +3634,28 @@ app.get('*', (req, res) => {
     }
   }
 
-  // Only serve index.html for HTML routes, not for static assets
-  // Static assets should already be handled by express.static middleware above
   const indexPath = path.join(__dirname, '../client/dist/index.html');
 
-  // Check if dist/index.html exists (production build available)
   if (fs.existsSync(indexPath)) {
     // Set no-cache headers for HTML to prevent service worker issues
     res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
     res.setHeader('Pragma', 'no-cache');
     res.setHeader('Expires', '0');
 
-    // Inject runtime config so the frontend knows the server mode
-    // (VITE_IS_PLATFORM is a build-time var that may not match the runtime)
+    // Inject runtime config so the frontend knows the server mode and base path
     let html = fs.readFileSync(indexPath, 'utf8');
-    const runtimeConfig = JSON.stringify({ isPlatform: IS_PLATFORM, isLocal: IS_LOCAL });
+    const runtimeConfig = JSON.stringify({
+      isPlatform: IS_PLATFORM,
+      isLocal: IS_LOCAL,
+      basename: '/app',
+      wsUrl: process.env.APP_WS_URL || '',
+    });
     html = html.replace('</head>', `<script>window.__UPFYN_CONFIG__=${runtimeConfig}</script>\n</head>`);
     res.setHeader('Content-Type', 'text/html; charset=utf-8');
     res.send(html);
   } else {
-    // In development, redirect to Vite dev server only if dist doesn't exist
-    res.redirect(`http://localhost:${process.env.VITE_PORT || 5173}`);
+    // In development, redirect to Vite dev server
+    res.redirect(`http://localhost:${process.env.VITE_PORT || 5173}/app/`);
   }
 });
 

package/server/middleware/auth.js

@@ -88,14 +88,17 @@ const generateToken = (user) => {
 // Cookie config for httpOnly session
 // Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
 const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
+const cookieDomain = process.env.COOKIE_DOMAIN || undefined;
 const COOKIE_OPTIONS = {
   httpOnly: true,
   secure: isSecureEnv,
-  // 'none' required for cross-origin iframe embedding (Vercel frontend → Railway backend)
+  // 'lax' — Vercel reverse-proxies to Railway (same domain from browser's perspective)
   // 'strict' used in local/dev mode where everything is same-origin
-  sameSite: isSecureEnv ? 'none' : 'strict',
+  sameSite: isSecureEnv ? 'lax' : 'strict',
   maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
   path: '/',
+  // Set domain for cross-subdomain cookie sharing (e.g., '.upfyn.com')
+  ...(isSecureEnv && cookieDomain ? { domain: cookieDomain } : {}),
 };
 
 // Set session cookie on response

package/server/routes/browser.js

@@ -0,0 +1,419 @@
+/**
+ * Browser Routes — REST API for Steel browser sessions + Stagehand AI.
+ * Cloud-only (browser service runs on Railway).
+ */
+
+import { Router } from 'express';
+import { browserClient } from '../browser.js';
+
+const router = Router();
+
+// ── SSRF protection ─────────────────────────────────────────────────────────
+
+function isUrlSafe(url) {
+  try {
+    const parsed = new URL(url);
+    if (!['http:', 'https:'].includes(parsed.protocol)) return false;
+    // Strip brackets from IPv6 literals
+    const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, '');
+    // Block localhost and loopback (IPv4 + IPv6)
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '0.0.0.0') return false;
+    if (hostname === '::1' || hostname === '0000:0000:0000:0000:0000:0000:0000:0001') return false;
+    if (hostname.startsWith('::ffff:127.') || hostname.startsWith('::ffff:0.')) return false;
+    // Block metadata endpoints (IPv4 + IPv6-mapped)
+    if (hostname === '169.254.169.254' || hostname === '::ffff:a9fe:a9fe') return false;
+    // Block RFC1918 private ranges
+    if (hostname.startsWith('10.') || hostname.startsWith('192.168.')) return false;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(hostname)) return false;
+    // Block IPv6 private ranges (fc00::/7, fe80::/10)
+    if (/^f[cd][0-9a-f]{2}:/.test(hostname)) return false; // fc00::/7 unique local
+    if (/^fe[89ab][0-9a-f]:/.test(hostname)) return false; // fe80::/10 link-local
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Allow sandbox-internal URLs (these are safe — same Railway network)
+function isUrlSafeOrSandbox(url) {
+  if (isUrlSafe(url)) return true;
+  // Allow sandbox service URLs — compare origins, not string prefix
+  const sandboxUrl = process.env.SANDBOX_SERVICE_URL || '';
+  if (sandboxUrl) {
+    try {
+      const parsedUrl = new URL(url);
+      const parsedSandbox = new URL(sandboxUrl);
+      if (parsedUrl.origin === parsedSandbox.origin) return true;
+    } catch { /* invalid URL */ }
+  }
+  return false;
+}
+
+// ── Lazy imports for cloud-only deps ─────────────────────────────────────────
+
+let browserAI = null;
+const loadBrowserAI = async () => {
+  if (browserAI) return browserAI;
+  try {
+    browserAI = await import('../services/browser-ai.js');
+    return browserAI;
+  } catch {
+    return null;
+  }
+};
+
+let browserSessionDb = null;
+const loadDb = async () => {
+  if (browserSessionDb) return browserSessionDb;
+  try {
+    const mod = await import('../database/db.js');
+    browserSessionDb = mod.browserSessionDb;
+    return browserSessionDb;
+  } catch {
+    return null;
+  }
+};
+
+// ── Status ──────────────────────────────────────────────────────────────────
+
+router.get('/status', async (req, res) => {
+  const available = await browserClient.isAvailable();
+  const ai = await loadBrowserAI();
+  const aiAvailable = ai ? await ai.isAvailable() : false;
+
+  res.json({
+    available,
+    aiAvailable,
+    serviceUrl: available ? '(connected)' : '(not reachable)',
+  });
+});
+
+// ── Session Management ──────────────────────────────────────────────────────
+
+// POST /api/browser/sessions — create a new browser session
+router.post('/sessions', async (req, res) => {
+  const userId = req.user.id;
+  const db = await loadDb();
+
+  try {
+    // Check for existing active session
+    if (db) {
+      const existing = await db.getActive(userId);
+      if (existing) {
+        // Return existing session instead of creating new one
+        return res.json({
+          sessionId: existing.steel_session_id,
+          viewerUrl: existing.viewer_url,
+          cdpUrl: existing.cdp_url,
+          status: 'active',
+          reused: true,
+        });
+      }
+    }
+
+    const { blockAds, dimensions, timeout } = req.body || {};
+    const session = await browserClient.createSession(userId, {
+      blockAds,
+      dimensions,
+      timeout,
+    });
+
+    const viewerUrl = browserClient.getSessionViewerUrl(session.id);
+    const cdpUrl = browserClient.getCdpWsUrl(session.id);
+
+    // Save to DB
+    if (db) {
+      await db.create(userId, session.id, viewerUrl, cdpUrl);
+    }
+
+    res.json({
+      sessionId: session.id,
+      viewerUrl,
+      cdpUrl,
+      status: 'active',
+    });
+  } catch {
+    res.status(500).json({ error: 'Failed to create browser session' });
+  }
+});
+
+// GET /api/browser/sessions — list user's sessions
+router.get('/sessions', async (req, res) => {
+  const db = await loadDb();
+  if (!db) return res.json({ sessions: [] });
+
+  try {
+    const sessions = await db.listByUser(req.user.id);
+    res.json({ sessions });
+  } catch {
+    res.status(500).json({ error: 'Failed to list sessions' });
+  }
+});
+
+// GET /api/browser/sessions/:id — get session details
+router.get('/sessions/:id', async (req, res) => {
+  const db = await loadDb();
+  if (!db) return res.status(404).json({ error: 'Session not found' });
+
+  try {
+    const session = await db.getBySessionId(req.user.id, req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+
+    await db.updateAccess(req.user.id, req.params.id);
+
+    res.json({
+      sessionId: session.steel_session_id,
+      viewerUrl: session.viewer_url,
+      cdpUrl: session.cdp_url,
+      status: session.status,
+      createdAt: session.created_at,
+      lastAccessed: session.last_accessed,
+    });
+  } catch {
+    res.status(500).json({ error: 'Failed to get session' });
+  }
+});
+
+// DELETE /api/browser/sessions/:id — release session
+router.delete('/sessions/:id', async (req, res) => {
+  const userId = req.user.id;
+  const sessionId = req.params.id;
+
+  try {
+    // Verify ownership first
+    const db = await loadDb();
+    if (db) {
+      const session = await db.getBySessionId(userId, sessionId);
+      if (!session) return res.status(404).json({ error: 'Session not found' });
+    }
+
+    // Release Stagehand instance
+    const ai = await loadBrowserAI();
+    if (ai) await ai.release(sessionId);
+
+    // Release Steel session
+    await browserClient.releaseSession(userId, sessionId).catch(() => {});
+
+    // Deactivate in DB (user-scoped)
+    if (db) await db.deactivate(userId, sessionId);
+
+    res.json({ success: true });
+  } catch {
+    res.status(500).json({ error: 'Failed to close session' });
+  }
+});
+
+// ── Navigation ──────────────────────────────────────────────────────────────
+
+// POST /api/browser/sessions/:id/navigate
+router.post('/sessions/:id/navigate', async (req, res) => {
+  const { url } = req.body;
+  if (!url || !isUrlSafeOrSandbox(url)) {
+    return res.status(400).json({ error: 'Invalid or blocked URL' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (db && !session) return res.status(404).json({ error: 'Session not found' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    // Use Stagehand/Playwright to navigate
+    const ai = await loadBrowserAI();
+    if (ai && await ai.isAvailable() && session?.cdp_url) {
+      await ai.act(req.params.id, session.cdp_url, `Navigate to ${url}`);
+      return res.json({ success: true, url });
+    }
+
+    res.json({ success: true, url, note: 'Navigation sent — viewer will update' });
+  } catch {
+    res.status(500).json({ error: 'Navigation failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/sandbox-preview — open sandbox dev server
+router.post('/sessions/:id/sandbox-preview', async (req, res) => {
+  const portNum = parseInt(req.body?.port, 10);
+  if (!portNum || portNum < 1 || portNum > 65535) {
+    return res.status(400).json({ error: 'Invalid port number' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (db && !session) return res.status(404).json({ error: 'Session not found' });
+
+    const sandboxUrl = browserClient.getSandboxPreviewUrl(req.user.id, portNum);
+
+    const ai = await loadBrowserAI();
+    if (ai && await ai.isAvailable() && session?.cdp_url) {
+      await ai.act(req.params.id, session.cdp_url, `Navigate to ${sandboxUrl}`);
+    }
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    res.json({ success: true, url: sandboxUrl, port: portNum });
+  } catch {
+    res.status(500).json({ error: 'Failed to open sandbox preview' });
+  }
+});
+
+// POST /api/browser/sessions/:id/screenshot
+router.post('/sessions/:id/screenshot', async (req, res) => {
+  try {
+    // Verify ownership
+    const db = await loadDb();
+    if (db) {
+      const session = await db.getBySessionId(req.user.id, req.params.id);
+      if (!session) return res.status(404).json({ error: 'Session not found' });
+    }
+    const result = await browserClient.screenshot(req.user.id, req.params.id);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'Screenshot failed' });
+  }
+});
+
+// ── AI Actions ──────────────────────────────────────────────────────────────
+
+// POST /api/browser/sessions/:id/ai/act — single AI action (chat mode)
+router.post('/sessions/:id/ai/act', async (req, res) => {
+  const { instruction } = req.body;
+  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found or missing CDP URL' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const result = await ai.act(req.params.id, session.cdp_url, instruction);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI action failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/ai/extract
+router.post('/sessions/:id/ai/extract', async (req, res) => {
+  const { instruction, schema } = req.body;
+  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const result = await ai.extract(req.params.id, session.cdp_url, instruction, schema);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI extraction failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/ai/observe
+router.post('/sessions/:id/ai/observe', async (req, res) => {
+  const { instruction } = req.body;
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
+
+    const result = await ai.observe(req.params.id, session.cdp_url, instruction);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI observation failed' });
+  }
+});
+
+// GET /api/browser/sessions/:id/ai/autonomous — autonomous agent with SSE streaming
+router.get('/sessions/:id/ai/autonomous', async (req, res) => {
+  const { goal, maxSteps } = req.query;
+  if (!goal) {
+    res.status(400).json({ error: 'goal is required' });
+    return;
+  }
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    res.status(503).json({ error: 'Browser AI not available' });
+    return;
+  }
+
+  const db = await loadDb();
+  const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+  if (!session?.cdp_url) {
+    res.status(404).json({ error: 'Session not found' });
+    return;
+  }
+
+  // SSE setup
+  res.setHeader('Content-Type', 'text/event-stream');
+  res.setHeader('Cache-Control', 'no-cache');
+  res.setHeader('Connection', 'keep-alive');
+  res.flushHeaders();
+
+  const sendEvent = (data) => {
+    res.write(`data: ${JSON.stringify(data)}\n\n`);
+  };
+
+  try {
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const steps = Math.min(Math.max(parseInt(maxSteps) || 10, 1), 25);
+    await ai.autonomousGoal(
+      req.params.id,
+      session.cdp_url,
+      goal.slice(0, 500), // Truncate goal to prevent prompt injection via excessively long input
+      steps,
+      (stepData) => sendEvent(stepData)
+    );
+
+    sendEvent({ type: 'done' });
+  } catch {
+    sendEvent({ type: 'error', message: 'Autonomous run failed' });
+  }
+
+  res.end();
+});
+
+// GET /api/browser/sessions/:id/console-errors — get browser console errors
+router.get('/sessions/:id/console-errors', async (req, res) => {
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.json({ errors: [] });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.json({ errors: [] });
+
+    const errors = await ai.getConsoleErrors(req.params.id, session.cdp_url);
+    res.json({ errors });
+  } catch {
+    res.json({ errors: [] });
+  }
+});
+
+export default router;