npm - web-agent-bridge - Versions diffs - 1.0.0 → 1.1.1 - Mend

web-agent-bridge 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/README.ar.md +1 -1
package/README.md +336 -36
package/docs/DEPLOY.md +118 -0
package/docs/SPEC.md +1540 -0
package/examples/mcp-agent.js +94 -0
package/examples/vision-agent.js +12 -0
package/package.json +14 -3
package/public/admin/dashboard.html +848 -0
package/public/admin/login.html +84 -0
package/public/cookies.html +208 -0
package/public/css/premium.css +317 -0
package/public/dashboard.html +138 -0
package/public/docs.html +5 -2
package/public/index.html +54 -28
package/public/js/auth-nav.js +31 -0
package/public/js/auth-redirect.js +12 -0
package/public/js/cookie-consent.js +56 -0
package/public/js/ws-client.js +74 -0
package/public/login.html +4 -2
package/public/premium-dashboard.html +2075 -0
package/public/premium.html +791 -0
package/public/privacy.html +295 -0
package/public/register.html +11 -2
package/public/terms.html +254 -0
package/script/ai-agent-bridge.js +253 -22
package/sdk/index.js +36 -0
package/server/config/secrets.js +92 -0
package/server/index.js +102 -26
package/server/middleware/adminAuth.js +30 -0
package/server/middleware/auth.js +4 -7
package/server/middleware/rateLimits.js +24 -0
package/server/migrations/001_add_analytics_indexes.sql +7 -0
package/server/migrations/002_premium_features.sql +418 -0
package/server/models/db.js +360 -4
package/server/routes/admin.js +247 -0
package/server/routes/api.js +26 -9
package/server/routes/billing.js +45 -0
package/server/routes/discovery.js +329 -0
package/server/routes/license.js +200 -11
package/server/routes/noscript.js +543 -0
package/server/routes/premium.js +724 -0
package/server/routes/wab-api.js +476 -0
package/server/services/email.js +204 -0
package/server/services/fairness.js +420 -0
package/server/services/premium.js +1680 -0
package/server/services/stripe.js +192 -0
package/server/utils/cache.js +125 -0
package/server/utils/migrate.js +81 -0
package/server/utils/secureFields.js +50 -0
package/server/ws.js +33 -13
package/wab-mcp-adapter/README.md +136 -0
package/wab-mcp-adapter/index.js +555 -0
package/wab-mcp-adapter/package.json +17 -0

package/server/index.js CHANGED Viewed

@@ -1,5 +1,8 @@
 require('dotenv').config();
+const { assertSecretsAtStartup } = require('./config/secrets');
+assertSecretsAtStartup();
 const express = require('express');
 const http = require('http');
 const cors = require('cors');
@@ -7,33 +10,81 @@ const helmet = require('helmet');
 const rateLimit = require('express-rate-limit');
 const path = require('path');
 const { setupWebSocket } = require('./ws');
+const { runMigrations } = require('./utils/migrate');
+const { maybeBootstrapAdmin } = require('./models/db');
 const authRoutes = require('./routes/auth');
 const apiRoutes = require('./routes/api');
 const licenseRoutes = require('./routes/license');
+const adminRoutes = require('./routes/admin');
+const billingRoutes = require('./routes/billing');
+const noscriptRoutes = require('./routes/noscript');
+const discoveryRoutes = require('./routes/discovery');
+const wabApiRoutes = require('./routes/wab-api');
+const { handleWebhookRequest } = require('./services/stripe');
 const app = express();
 const PORT = process.env.PORT || 3000;
-// ─── Security & Middleware ──────────────────────────────────────────────
-app.use(helmet({
-  contentSecurityPolicy: {
-    directives: {
-      defaultSrc: ["'self'"],
-      scriptSrc: ["'self'", "'unsafe-inline'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-      imgSrc: ["'self'", "data:", "https:"],
-      connectSrc: ["'self'", "ws:", "wss:"],
-      fontSrc: ["'self'", "https:", "data:"],
-      frameSrc: ["'none'"],
-      frameAncestors: ["'none'"],
-      objectSrc: ["'none'"],
-      baseUri: ["'self'"]
-    }
-  },
-  crossOriginEmbedderPolicy: false
-}));
-app.use(cors());
+app.set('trust proxy', 1);
+const corsOrigins = (process.env.ALLOWED_ORIGINS
+  || 'http://localhost:3000,http://127.0.0.1:3000,http://localhost:5173')
+  .split(',')
+  .map((s) => s.trim())
+  .filter(Boolean);
+app.use(
+  cors({
+    origin(origin, callback) {
+      if (!origin) return callback(null, true);
+      if (corsOrigins.includes(origin)) return callback(null, true);
+      if (process.env.NODE_ENV !== 'production' && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/i.test(origin)) {
+        return callback(null, true);
+      }
+      return callback(null, false);
+    },
+    credentials: true
+  })
+);
+const scriptSrc = process.env.CSP_ALLOW_UNSAFE_INLINE === 'false'
+  ? ["'self'"]
+  : ["'self'", "'unsafe-inline'"];
+const styleSrc = process.env.CSP_ALLOW_UNSAFE_INLINE === 'false'
+  ? ["'self'"]
+  : ["'self'", "'unsafe-inline'"];
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc,
+        styleSrc,
+        imgSrc: ["'self'", 'data:', 'https:'],
+        connectSrc: ["'self'", 'ws:', 'wss:'],
+        fontSrc: ["'self'", 'https:', 'data:'],
+        frameSrc: ["'none'"],
+        frameAncestors: ["'none'"],
+        objectSrc: ["'none'"],
+        baseUri: ["'self'"]
+      }
+    },
+    crossOriginEmbedderPolicy: false
+  })
+);
+app.post('/api/billing/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
+  try {
+    await handleWebhookRequest(req);
+    res.json({ received: true });
+  } catch (err) {
+    console.error('Webhook error:', err.message);
+    res.status(400).json({ error: err.message });
+  }
+});
 app.use(express.json());
 const apiLimiter = rateLimit({
@@ -48,19 +99,25 @@ const licenseLimiter = rateLimit({
   windowMs: 60 * 1000,
   max: 120,
   standardHeaders: true,
-  legacyHeaders: false
+  legacyHeaders: false,
+  keyGenerator: (req) => {
+    const key = req.body?.licenseKey || req.body?.siteId || req.ip;
+    return `${req.ip}:${key}`;
+  }
 });
-// ─── Static Files ───────────────────────────────────────────────────────
 app.use(express.static(path.join(__dirname, '..', 'public')));
 app.use('/script', express.static(path.join(__dirname, '..', 'script')));
-// ─── API Routes ─────────────────────────────────────────────────────────
 app.use('/api/auth', apiLimiter, authRoutes);
 app.use('/api', apiLimiter, apiRoutes);
 app.use('/api/license', licenseLimiter, licenseRoutes);
+app.use('/api/admin', apiLimiter, adminRoutes);
+app.use('/api/billing', apiLimiter, billingRoutes);
+app.use('/api/noscript', noscriptRoutes);
+app.use('/api/wab', wabApiRoutes);
+app.use('/', discoveryRoutes);
-// ─── HTML Routes ────────────────────────────────────────────────────────
 app.get('/dashboard', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'dashboard.html'));
 });
@@ -73,13 +130,29 @@ app.get('/login', (req, res) => {
 app.get('/register', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'register.html'));
 });
+app.get('/admin/login', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'login.html'));
+});
+app.get('/admin', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'dashboard.html'));
+});
+app.get('/premium', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'premium.html'));
+});
+app.get('/privacy', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'privacy.html'));
+});
+app.get('/terms', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'terms.html'));
+});
+app.get('/cookies', (req, res) => {
+  res.sendFile(path.join(__dirname, '..', 'public', 'cookies.html'));
+});
-// ─── CDN Versioned Script ───────────────────────────────────────────────
 const pkg = require('../package.json');
 app.use(`/v${pkg.version.split('.')[0]}`, express.static(path.join(__dirname, '..', 'script')));
 app.use('/latest', express.static(path.join(__dirname, '..', 'script')));
-// ─── SPA Fallback ───────────────────────────────────────────────────────
 app.get('*', (req, res) => {
   if (req.accepts('html')) {
     res.sendFile(path.join(__dirname, '..', 'public', 'index.html'));
@@ -88,8 +161,11 @@ app.get('*', (req, res) => {
   }
 });
-// ─── Start ──────────────────────────────────────────────────────────────
 if (process.env.NODE_ENV !== 'test') {
+  console.log('Running database migrations...');
+  runMigrations();
+  maybeBootstrapAdmin();
   const server = http.createServer(app);
   setupWebSocket(server);

package/server/middleware/adminAuth.js ADDED Viewed

@@ -0,0 +1,30 @@
+const { signAdminToken, verifyAdminToken } = require('../config/secrets');
+function generateAdminToken(admin) {
+  return signAdminToken(
+    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
+    { expiresIn: '12h' }
+  );
+}
+function authenticateAdmin(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) {
+    return res.status(401).json({ error: 'Admin access token required' });
+  }
+  try {
+    const decoded = verifyAdminToken(token);
+    if (!decoded.isAdmin) {
+      return res.status(403).json({ error: 'Admin privileges required' });
+    }
+    req.admin = decoded;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired admin token' });
+  }
+}
+module.exports = { generateAdminToken, authenticateAdmin };

package/server/middleware/auth.js CHANGED Viewed

@@ -1,11 +1,8 @@
-const jwt = require('jsonwebtoken');
-const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-change-in-production';
+const { signUserToken, verifyUserToken } = require('../config/secrets');
 function generateToken(user) {
-  return jwt.sign(
+  return signUserToken(
     { id: user.id, email: user.email, name: user.name },
-    JWT_SECRET,
     { expiresIn: '7d' }
   );
 }
@@ -19,7 +16,7 @@ function authenticateToken(req, res, next) {
   }
   try {
-    const decoded = jwt.verify(token, JWT_SECRET);
+    const decoded = verifyUserToken(token);
     req.user = decoded;
     next();
   } catch (err) {
@@ -33,7 +30,7 @@ function optionalAuth(req, res, next) {
   if (token) {
     try {
-      req.user = jwt.verify(token, JWT_SECRET);
+      req.user = verifyUserToken(token);
     } catch (e) {
       // ignore invalid tokens for optional auth
     }

package/server/middleware/rateLimits.js ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Stricter rate limits for license token / track endpoints (used inside license router).
+ */
+const rateLimit = require('express-rate-limit');
+const licenseTokenLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many token requests, please try again later' }
+});
+const licenseTrackLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.body?.sessionToken || req.body?.siteId || 'anon'}`,
+  message: { error: 'Too many track requests, please try again later' }
+});
+module.exports = { licenseTokenLimiter, licenseTrackLimiter };

package/server/migrations/001_add_analytics_indexes.sql ADDED Viewed

@@ -0,0 +1,7 @@
+-- Migration 001: Add composite indexes for analytics performance
+-- Created: 2024-12-01
+CREATE INDEX IF NOT EXISTS idx_analytics_site_action ON analytics(site_id, action_name);
+CREATE INDEX IF NOT EXISTS idx_analytics_site_created ON analytics(site_id, created_at);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_user ON subscriptions(user_id);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_status ON subscriptions(status);