web-agent-bridge 1.1.2 → 2.0.0

package/server/ws.js

@@ -1,101 +1,101 @@
-const WebSocket = require('ws');
-const { verifyUserToken, verifyAdminToken } = require('./config/secrets');
-const { findSiteById } = require('./models/db');
-
-// Map of siteId → Set of WebSocket clients
-const siteClients = new Map();
-
-function setupWebSocket(server) {
-  const wss = new WebSocket.Server({ server, path: '/ws/analytics' });
-
-  wss.on('connection', (ws, req) => {
-    let authenticatedSiteId = null;
-
-    ws.isAlive = true;
-    ws.on('pong', () => { ws.isAlive = true; });
-
-    ws.on('message', (data) => {
-      try {
-        const msg = JSON.parse(data);
-
-        if (msg.type === 'auth') {
-          if (!msg.token || !msg.siteId) {
-            ws.send(JSON.stringify({ type: 'error', message: 'token and siteId required' }));
-            return;
-          }
-
-          let decoded;
-          let isAdmin = false;
-          try {
-            decoded = verifyUserToken(msg.token);
-          } catch {
-            try {
-              decoded = verifyAdminToken(msg.token);
-              isAdmin = decoded.isAdmin === true;
-            } catch {
-              ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
-              return;
-            }
-          }
-
-          if (!isAdmin) {
-            const site = findSiteById.get(msg.siteId);
-            if (!site || site.user_id !== decoded.id) {
-              ws.send(JSON.stringify({ type: 'error', message: 'Forbidden: not your site' }));
-              return;
-            }
-          }
-
-          authenticatedSiteId = msg.siteId;
-          if (!siteClients.has(msg.siteId)) {
-            siteClients.set(msg.siteId, new Set());
-          }
-          siteClients.get(msg.siteId).add(ws);
-          ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
-        }
-      } catch (e) {
-        ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
-      }
-    });
-
-    ws.on('close', () => {
-      if (authenticatedSiteId && siteClients.has(authenticatedSiteId)) {
-        siteClients.get(authenticatedSiteId).delete(ws);
-        if (siteClients.get(authenticatedSiteId).size === 0) {
-          siteClients.delete(authenticatedSiteId);
-        }
-      }
-    });
-  });
-
-  const interval = setInterval(() => {
-    wss.clients.forEach((ws) => {
-      if (!ws.isAlive) return ws.terminate();
-      ws.isAlive = false;
-      ws.ping();
-    });
-  }, 30000);
-
-  wss.on('close', () => clearInterval(interval));
-
-  return wss;
-}
-
-function broadcastAnalytic(siteId, eventData) {
-  const clients = siteClients.get(siteId);
-  if (!clients || clients.size === 0) return;
-
-  const message = JSON.stringify({
-    type: 'analytic',
-    timestamp: new Date().toISOString(),
-    ...eventData
-  });
-
-  clients.forEach((ws) => {
-    if (ws.readyState === WebSocket.OPEN) {
-      ws.send(message);
-    }
-  });
-}
-
-module.exports = { setupWebSocket, broadcastAnalytic };
+const WebSocket = require('ws');
+const { verifyUserToken, verifyAdminToken } = require('./config/secrets');
+const { findSiteById } = require('./models/db');
+
+// Map of siteId → Set of WebSocket clients
+const siteClients = new Map();
+
+function setupWebSocket(server) {
+  const wss = new WebSocket.Server({ server, path: '/ws/analytics' });
+
+  wss.on('connection', (ws, req) => {
+    let authenticatedSiteId = null;
+
+    ws.isAlive = true;
+    ws.on('pong', () => { ws.isAlive = true; });
+
+    ws.on('message', (data) => {
+      try {
+        const msg = JSON.parse(data);
+
+        if (msg.type === 'auth') {
+          if (!msg.token || !msg.siteId) {
+            ws.send(JSON.stringify({ type: 'error', message: 'token and siteId required' }));
+            return;
+          }
+
+          let decoded;
+          let isAdmin = false;
+          try {
+            decoded = verifyUserToken(msg.token);
+          } catch {
+            try {
+              decoded = verifyAdminToken(msg.token);
+              isAdmin = decoded.isAdmin === true;
+            } catch {
+              ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
+              return;
+            }
+          }
+
+          if (!isAdmin) {
+            const site = findSiteById.get(msg.siteId);
+            if (!site || site.user_id !== decoded.id) {
+              ws.send(JSON.stringify({ type: 'error', message: 'Forbidden: not your site' }));
+              return;
+            }
+          }
+
+          authenticatedSiteId = msg.siteId;
+          if (!siteClients.has(msg.siteId)) {
+            siteClients.set(msg.siteId, new Set());
+          }
+          siteClients.get(msg.siteId).add(ws);
+          ws.send(JSON.stringify({ type: 'auth:success', siteId: msg.siteId }));
+        }
+      } catch (e) {
+        ws.send(JSON.stringify({ type: 'error', message: 'Invalid message or auth failed' }));
+      }
+    });
+
+    ws.on('close', () => {
+      if (authenticatedSiteId && siteClients.has(authenticatedSiteId)) {
+        siteClients.get(authenticatedSiteId).delete(ws);
+        if (siteClients.get(authenticatedSiteId).size === 0) {
+          siteClients.delete(authenticatedSiteId);
+        }
+      }
+    });
+  });
+
+  const interval = setInterval(() => {
+    wss.clients.forEach((ws) => {
+      if (!ws.isAlive) return ws.terminate();
+      ws.isAlive = false;
+      ws.ping();
+    });
+  }, 30000);
+
+  wss.on('close', () => clearInterval(interval));
+
+  return wss;
+}
+
+function broadcastAnalytic(siteId, eventData) {
+  const clients = siteClients.get(siteId);
+  if (!clients || clients.size === 0) return;
+
+  const message = JSON.stringify({
+    type: 'analytic',
+    timestamp: new Date().toISOString(),
+    ...eventData
+  });
+
+  clients.forEach((ws) => {
+    if (ws.readyState === WebSocket.OPEN) {
+      ws.send(message);
+    }
+  });
+}
+
+module.exports = { setupWebSocket, broadcastAnalytic };

package/docs/DEPLOY.md

@@ -1,118 +0,0 @@
-# Deploying Web Agent Bridge to your server
-
-The code is on GitHub (`master`). **You** deploy by SSH-ing into your VPS and pulling + restarting the app.
-
-## Prerequisites
-
-- Ubuntu/Debian (or similar) with Docker **or** Node.js 20+
-- Firewall: open port **3000** (or your reverse proxy port 80/443)
-- Strong `JWT_SECRET` and `JWT_SECRET_ADMIN` in production (never commit them)
-
----
-
-## Option A — Docker Compose (recommended)
-
-On the server, first time:
-
-```bash
-cd /opt   # or your preferred path
-git clone https://github.com/abokenan444/web-agent-bridge.git
-cd web-agent-bridge
-cp .env.example .env   # if present; else create .env with secrets and PORT
-# Edit .env: JWT_SECRET=...  JWT_SECRET_ADMIN=...  PORT=3000
-docker compose up -d --build
-```
-
-Updates:
-
-```bash
-cd /path/to/web-agent-bridge
-git pull origin master
-docker compose up -d --build
-```
-
-Data persists in the Docker volume `wab-data` (SQLite under `/app/data` in the container).
-
----
-
-## Option B — Node.js (no Docker)
-
-```bash
-cd /path/to/web-agent-bridge
-git pull origin master
-npm ci --production
-export NODE_ENV=production
-export JWT_SECRET="your-long-random-secret"
-export JWT_SECRET_ADMIN="your-different-long-random-secret"
-export PORT=3000
-node server/index.js
-```
-
-Use **systemd**, **PM2**, or **screen/tmux** to keep the process running.
-
-Example **PM2**:
-
-```bash
-npm ci --production
-pm2 start server/index.js --name wab
-pm2 save
-```
-
-After `git pull`:
-
-```bash
-npm ci --production
-pm2 restart wab
-```
-
----
-
-## Reverse proxy (HTTPS)
-
-Put **Nginx** or **Caddy** in front of `127.0.0.1:3000` and obtain TLS certificates (Let’s Encrypt).
-
-Example Nginx location:
-
-```nginx
-location / {
-    proxy_pass http://127.0.0.1:3000;
-    proxy_http_version 1.1;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-}
-```
-
----
-
-## WordPress plugin
-
-Upload `web-agent-bridge-wordpress/` to the WordPress server (`wp-content/plugins/`) or sync via SFTP/rsync. Point **WAB API base URL** to your public URL (e.g. `https://wab.example.com`).
-
----
-
-## Why we do **not** recommend auto-deploy from this public repo
-
-This project is **open source**. Wiring GitHub Actions (or similar) so that every push to `main`/`master` deploys to your production server is **high risk**:
-
-| Risk | Why it matters |
-|------|----------------|
-| **Supply chain** | Anyone who can merge code (or bypass reviews) can change what runs on your server. |
-| **Fork / PR abuse** | CI that builds untrusted PRs with secrets in scope has led to credential theft. |
-| **Secret leakage** | Deploy keys and SSH keys in CI are juicy targets; misconfiguration exposes them in logs or artifacts. |
-| **Public visibility** | Attackers see your pipeline definition and know exactly how prod is updated. |
-
-**Recommended for operators:** deploy **manually** after you review changes (SSH → `git pull` → rebuild), or use a **private** deployment path (e.g. internal CI, private mirror, or release artifacts you promote by hand).
-
-**If you must automate** (enterprise, private fork only): use a **private** repo or private runners, **branch protection**, required reviews, **deploy only from signed tags** or approved releases—not raw `main`—and never store production SSH keys in workflows reachable from public PR builds.
-
-This repository intentionally does **not** ship a “deploy to production on push” workflow.
-
----
-
-## Checklist after deploy
-
-- [ ] `curl -s https://your-domain/api/license/verify` returns JSON (POST with body) or app responds on `/`
-- [ ] `https://your-domain/script/ai-agent-bridge.js` loads
-- [ ] `.env` / `JWT_SECRET` / `JWT_SECRET_ADMIN` not exposed in git