web-agent-bridge 1.1.2 → 2.0.0

package/server/config/secrets.js

@@ -1,92 +1,94 @@
-/**
- * Central JWT and startup secret checks.
- * User tokens and admin tokens use different secrets and audiences in production.
- */
-
-const jwt = require('jsonwebtoken');
-
-const JWT_ISSUER = 'wab';
-const JWT_AUD_USER = 'wab:user';
-const JWT_AUD_ADMIN = 'wab:admin';
-
-const jwtVerifyUser = { issuer: JWT_ISSUER, audience: JWT_AUD_USER };
-const jwtVerifyAdmin = { issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN };
-
-function isTest() {
-  return process.env.NODE_ENV === 'test';
-}
-
-function isProd() {
-  return process.env.NODE_ENV === 'production';
-}
-
-function assertSecretsAtStartup() {
-  if (isTest()) return;
-  if (isProd()) {
-    if (!process.env.JWT_SECRET) {
-      throw new Error('FATAL: JWT_SECRET is required in production');
-    }
-    if (!process.env.JWT_SECRET_ADMIN) {
-      throw new Error('FATAL: JWT_SECRET_ADMIN is required in production');
-    }
-  }
-}
-
-function getJwtUserSecret() {
-  if (isTest()) {
-    return process.env.JWT_SECRET || 'test-secret-key-for-testing';
-  }
-  if (isProd()) {
-    return process.env.JWT_SECRET;
-  }
-  return process.env.JWT_SECRET || 'dev-user-secret-change-in-development';
-}
-
-function getJwtAdminSecret() {
-  if (isTest()) {
-    return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'test-secret-key-for-testing-admin';
-  }
-  if (isProd()) {
-    return process.env.JWT_SECRET_ADMIN;
-  }
-  return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'dev-admin-secret-change-in-development';
-}
-
-function signUserToken(payload, options = {}) {
-  return jwt.sign(
-    { ...payload },
-    getJwtUserSecret(),
-    { expiresIn: options.expiresIn || '7d', issuer: JWT_ISSUER, audience: JWT_AUD_USER }
-  );
-}
-
-function signAdminToken(payload, options = {}) {
-  return jwt.sign(
-    { ...payload },
-    getJwtAdminSecret(),
-    { expiresIn: options.expiresIn || '12h', issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN }
-  );
-}
-
-function verifyUserToken(token) {
-  return jwt.verify(token, getJwtUserSecret(), jwtVerifyUser);
-}
-
-function verifyAdminToken(token) {
-  return jwt.verify(token, getJwtAdminSecret(), jwtVerifyAdmin);
-}
-
-module.exports = {
-  assertSecretsAtStartup,
-  getJwtUserSecret,
-  getJwtAdminSecret,
-  signUserToken,
-  signAdminToken,
-  verifyUserToken,
-  verifyAdminToken,
-  JWT_ISSUER,
-  JWT_AUD_USER,
-  JWT_AUD_ADMIN,
-  jwtVerifyUser,
-  jwtVerifyAdmin
-};
+/**
+ * Central JWT and startup secret checks.
+ * User tokens and admin tokens use different secrets and audiences in production.
+ */
+
+const crypto = require('crypto');
+const jwt = require('jsonwebtoken');
+
+const JWT_ISSUER = 'wab';
+const JWT_AUD_USER = 'wab:user';
+const JWT_AUD_ADMIN = 'wab:admin';
+
+const jwtVerifyUser = { issuer: JWT_ISSUER, audience: JWT_AUD_USER };
+const jwtVerifyAdmin = { issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN };
+
+let _autoUserSecret = null;
+let _autoAdminSecret = null;
+
+function generateAutoSecret(label) {
+  const secret = crypto.randomBytes(48).toString('base64url');
+  console.warn(`[WAB] WARNING: ${label} not set — generated ephemeral secret. Tokens will not survive restarts. Set ${label} env var for persistent sessions.`);
+  return secret;
+}
+
+function isTest() {
+  return process.env.NODE_ENV === 'test';
+}
+
+function isProd() {
+  return process.env.NODE_ENV === 'production';
+}
+
+function assertSecretsAtStartup() {
+  if (isTest()) return;
+  if (isProd() && !process.env.JWT_SECRET) {
+    _autoUserSecret = generateAutoSecret('JWT_SECRET');
+  }
+  if (isProd() && !process.env.JWT_SECRET_ADMIN) {
+    _autoAdminSecret = generateAutoSecret('JWT_SECRET_ADMIN');
+  }
+}
+
+function getJwtUserSecret() {
+  if (isTest()) {
+    return process.env.JWT_SECRET || 'test-secret-key-for-testing';
+  }
+  return process.env.JWT_SECRET || _autoUserSecret || 'dev-user-secret-change-in-development';
+}
+
+function getJwtAdminSecret() {
+  if (isTest()) {
+    return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || 'test-secret-key-for-testing-admin';
+  }
+  return process.env.JWT_SECRET_ADMIN || process.env.JWT_SECRET || _autoAdminSecret || _autoUserSecret || 'dev-admin-secret-change-in-development';
+}
+
+function signUserToken(payload, options = {}) {
+  return jwt.sign(
+    { ...payload },
+    getJwtUserSecret(),
+    { expiresIn: options.expiresIn || '7d', issuer: JWT_ISSUER, audience: JWT_AUD_USER }
+  );
+}
+
+function signAdminToken(payload, options = {}) {
+  return jwt.sign(
+    { ...payload },
+    getJwtAdminSecret(),
+    { expiresIn: options.expiresIn || '12h', issuer: JWT_ISSUER, audience: JWT_AUD_ADMIN }
+  );
+}
+
+function verifyUserToken(token) {
+  return jwt.verify(token, getJwtUserSecret(), jwtVerifyUser);
+}
+
+function verifyAdminToken(token) {
+  return jwt.verify(token, getJwtAdminSecret(), jwtVerifyAdmin);
+}
+
+module.exports = {
+  assertSecretsAtStartup,
+  getJwtUserSecret,
+  getJwtAdminSecret,
+  signUserToken,
+  signAdminToken,
+  verifyUserToken,
+  verifyAdminToken,
+  JWT_ISSUER,
+  JWT_AUD_USER,
+  JWT_AUD_ADMIN,
+  jwtVerifyUser,
+  jwtVerifyAdmin
+};

package/server/index.js

@@ -18,9 +18,6 @@ const apiRoutes = require('./routes/api');
 const licenseRoutes = require('./routes/license');
 const adminRoutes = require('./routes/admin');
 const billingRoutes = require('./routes/billing');
-const noscriptRoutes = require('./routes/noscript');
-const discoveryRoutes = require('./routes/discovery');
-const wabApiRoutes = require('./routes/wab-api');
 const { handleWebhookRequest } = require('./services/stripe');
 
 const app = express();
@@ -114,9 +111,6 @@ app.use('/api', apiLimiter, apiRoutes);
 app.use('/api/license', licenseLimiter, licenseRoutes);
 app.use('/api/admin', apiLimiter, adminRoutes);
 app.use('/api/billing', apiLimiter, billingRoutes);
-app.use('/api/noscript', noscriptRoutes);
-app.use('/api/wab', wabApiRoutes);
-app.use('/', discoveryRoutes);
 
 app.get('/dashboard', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'dashboard.html'));
@@ -136,9 +130,6 @@ app.get('/admin/login', (req, res) => {
 app.get('/admin', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'admin', 'dashboard.html'));
 });
-app.get('/premium', (req, res) => {
-  res.sendFile(path.join(__dirname, '..', 'public', 'premium.html'));
-});
 app.get('/privacy', (req, res) => {
   res.sendFile(path.join(__dirname, '..', 'public', 'privacy.html'));
 });

package/server/middleware/adminAuth.js

@@ -1,30 +1,30 @@
-const { signAdminToken, verifyAdminToken } = require('../config/secrets');
-
-function generateAdminToken(admin) {
-  return signAdminToken(
-    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
-    { expiresIn: '12h' }
-  );
-}
-
-function authenticateAdmin(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Admin access token required' });
-  }
-
-  try {
-    const decoded = verifyAdminToken(token);
-    if (!decoded.isAdmin) {
-      return res.status(403).json({ error: 'Admin privileges required' });
-    }
-    req.admin = decoded;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired admin token' });
-  }
-}
-
-module.exports = { generateAdminToken, authenticateAdmin };
+const { signAdminToken, verifyAdminToken } = require('../config/secrets');
+
+function generateAdminToken(admin) {
+  return signAdminToken(
+    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
+    { expiresIn: '12h' }
+  );
+}
+
+function authenticateAdmin(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Admin access token required' });
+  }
+
+  try {
+    const decoded = verifyAdminToken(token);
+    if (!decoded.isAdmin) {
+      return res.status(403).json({ error: 'Admin privileges required' });
+    }
+    req.admin = decoded;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired admin token' });
+  }
+}
+
+module.exports = { generateAdminToken, authenticateAdmin };

package/server/middleware/auth.js

@@ -1,41 +1,41 @@
-const { signUserToken, verifyUserToken } = require('../config/secrets');
-
-function generateToken(user) {
-  return signUserToken(
-    { id: user.id, email: user.email, name: user.name },
-    { expiresIn: '7d' }
-  );
-}
-
-function authenticateToken(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Access token required' });
-  }
-
-  try {
-    const decoded = verifyUserToken(token);
-    req.user = decoded;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired token' });
-  }
-}
-
-function optionalAuth(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (token) {
-    try {
-      req.user = verifyUserToken(token);
-    } catch (e) {
-      // ignore invalid tokens for optional auth
-    }
-  }
-  next();
-}
-
-module.exports = { generateToken, authenticateToken, optionalAuth };
+const { signUserToken, verifyUserToken } = require('../config/secrets');
+
+function generateToken(user) {
+  return signUserToken(
+    { id: user.id, email: user.email, name: user.name },
+    { expiresIn: '7d' }
+  );
+}
+
+function authenticateToken(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Access token required' });
+  }
+
+  try {
+    const decoded = verifyUserToken(token);
+    req.user = decoded;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired token' });
+  }
+}
+
+function optionalAuth(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (token) {
+    try {
+      req.user = verifyUserToken(token);
+    } catch (e) {
+      // ignore invalid tokens for optional auth
+    }
+  }
+  next();
+}
+
+module.exports = { generateToken, authenticateToken, optionalAuth };

package/server/middleware/rateLimits.js

@@ -1,24 +1,24 @@
-/**
- * Stricter rate limits for license token / track endpoints (used inside license router).
- */
-
-const rateLimit = require('express-rate-limit');
-
-const licenseTokenLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 30,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many token requests, please try again later' }
-});
-
-const licenseTrackLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 300,
-  standardHeaders: true,
-  legacyHeaders: false,
-  keyGenerator: (req) => `${req.ip}:${req.body?.sessionToken || req.body?.siteId || 'anon'}`,
-  message: { error: 'Too many track requests, please try again later' }
-});
-
-module.exports = { licenseTokenLimiter, licenseTrackLimiter };
+/**
+ * Stricter rate limits for license token / track endpoints (used inside license router).
+ */
+
+const rateLimit = require('express-rate-limit');
+
+const licenseTokenLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many token requests, please try again later' }
+});
+
+const licenseTrackLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.body?.sessionToken || req.body?.siteId || 'anon'}`,
+  message: { error: 'Too many track requests, please try again later' }
+});
+
+module.exports = { licenseTokenLimiter, licenseTrackLimiter };

package/server/migrations/001_add_analytics_indexes.sql

@@ -1,7 +1,7 @@
--- Migration 001: Add composite indexes for analytics performance
--- Created: 2024-12-01
-
-CREATE INDEX IF NOT EXISTS idx_analytics_site_action ON analytics(site_id, action_name);
-CREATE INDEX IF NOT EXISTS idx_analytics_site_created ON analytics(site_id, created_at);
-CREATE INDEX IF NOT EXISTS idx_subscriptions_user ON subscriptions(user_id);
-CREATE INDEX IF NOT EXISTS idx_subscriptions_status ON subscriptions(status);
+-- Migration 001: Add composite indexes for analytics performance
+-- Created: 2024-12-01
+
+CREATE INDEX IF NOT EXISTS idx_analytics_site_action ON analytics(site_id, action_name);
+CREATE INDEX IF NOT EXISTS idx_analytics_site_created ON analytics(site_id, created_at);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_user ON subscriptions(user_id);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_status ON subscriptions(status);