web-agent-bridge 2.3.1 → 2.4.0

package/server/routes/universal.js

@@ -0,0 +1,177 @@
+/**
+ * WAB Universal Agent — Server Routes
+ * ═══════════════════════════════════════════════════════════════════
+ * API endpoints for the Universal Agent mode.
+ * Used by: WAB Browser, Chrome Extension, direct API calls.
+ *
+ * All endpoints work WITHOUT requiring the target site to install any script.
+ */
+
+const express = require('express');
+const router = express.Router();
+const scraper = require('../services/universal-scraper');
+const priceIntel = require('../services/price-intelligence');
+const fairness = require('../services/fairness-engine');
+
+// ─── POST /api/universal/extract ─────────────────────────────────────
+// Extract prices/products from a URL (server-side fetch)
+router.post('/extract', async (req, res) => {
+  const { url } = req.body;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+
+  try {
+    const result = await scraper.fetchAndExtract(url);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/analyze ─────────────────────────────────────
+// Full analysis: extract + fraud detection + trust score
+// Accepts either a URL (server-side fetch) or pre-extracted data (from browser)
+router.post('/analyze', async (req, res) => {
+  const { url, extraction } = req.body;
+
+  try {
+    let result;
+
+    if (extraction) {
+      // Data already extracted by browser/extension
+      const processed = scraper.processBrowserExtraction(extraction);
+      result = await priceIntel.analyzePrice(extraction.url || url || '', processed);
+
+      // Add dark pattern detection if text available
+      if (extraction.darkPatterns) {
+        result.darkPatterns = extraction.darkPatterns;
+      }
+    } else if (url) {
+      // Server-side fetch and analyze
+      result = await priceIntel.analyzePrice(url);
+    } else {
+      return res.status(400).json({ error: 'URL or extraction data required' });
+    }
+
+    // Add fairness score for the domain
+    if (result.domain) {
+      result.fairness = fairness.calculateFairnessScore(result.domain, {
+        fraudAlerts: (result.alerts || []).length,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/compare ─────────────────────────────────────
+// Compare prices across multiple sources
+router.post('/compare', async (req, res) => {
+  const { query, category, maxSources } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+
+  try {
+    const result = await priceIntel.compareAcrossSources(
+      query,
+      category || 'product',
+      { maxSources: maxSources || 8 }
+    );
+
+    // Apply fairness ranking
+    if (result.results && result.results.length > 0) {
+      result.results = fairness.rankWithFairness(result.results, {
+        avgPrice: result.avgPrice,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/deals ───────────────────────────────────────
+// Find best deals with fairness ranking + fraud detection
+router.post('/deals', async (req, res) => {
+  const { query, category, lang } = req.body;
+  if (!query) return res.status(400).json({ error: 'Query required' });
+
+  try {
+    const result = await priceIntel.findBestDeals(
+      query,
+      category || 'product',
+      { lang: lang || 'en' }
+    );
+
+    // Apply fairness ranking to deals
+    if (result.deals && result.deals.length > 0) {
+      result.deals = fairness.rankWithFairness(result.deals, {
+        avgPrice: result.deals.reduce((s, d) => s + (d.priceUsd || 0), 0) / result.deals.length,
+      });
+    }
+
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── POST /api/universal/fairness ────────────────────────────────────
+// Get fairness score for a domain
+router.post('/fairness', (req, res) => {
+  const { domain, url } = req.body;
+  const d = domain || (url ? (() => { try { return new URL(url).hostname; } catch (_) { return ''; } })() : '');
+  if (!d) return res.status(400).json({ error: 'Domain or URL required' });
+
+  const score = fairness.calculateFairnessScore(d);
+  res.json(score);
+});
+
+// ─── POST /api/universal/dark-patterns ───────────────────────────────
+// Detect dark patterns in page text
+router.post('/dark-patterns', (req, res) => {
+  const { text, lang } = req.body;
+  if (!text) return res.status(400).json({ error: 'Text required' });
+
+  const patterns = fairness.detectDarkPatterns(text, lang || 'en');
+  res.json({ patterns, count: patterns.length });
+});
+
+// ─── GET /api/universal/history ──────────────────────────────────────
+// Get price history for a URL
+router.get('/history', (req, res) => {
+  const { url } = req.query;
+  if (!url) return res.status(400).json({ error: 'URL required' });
+
+  const history = scraper.getPriceHistory(url, 30);
+  res.json({ url, history });
+});
+
+// ─── GET /api/universal/top-fair ─────────────────────────────────────
+// Get top fairness-ranked sites
+router.get('/top-fair', (req, res) => {
+  const limit = parseInt(req.query.limit) || 20;
+  const sites = fairness.getTopFairSites(limit);
+  res.json({ sites });
+});
+
+// ─── GET /api/universal/extraction-script ────────────────────────────
+// Get the browser extraction script (for dynamic injection)
+router.get('/extraction-script', (req, res) => {
+  res.set('Content-Type', 'application/javascript');
+  res.send(scraper.getBrowserExtractionScript());
+});
+
+// ─── GET /api/universal/sources ──────────────────────────────────────
+// List all competing sources by category
+router.get('/sources', (req, res) => {
+  const { category } = req.query;
+  if (category && priceIntel.COMPETING_SOURCES[category]) {
+    res.json({ category, sources: priceIntel.COMPETING_SOURCES[category] });
+  } else {
+    res.json(priceIntel.COMPETING_SOURCES);
+  }
+});
+
+module.exports = router;

package/server/routes/wab-api.js

@@ -9,8 +9,11 @@
 
 const express = require('express');
 const router = express.Router();
+const crypto = require('crypto');
 const { findSiteById, findSiteByLicense, recordAnalytic, db } = require('../models/db');
 const { broadcastAnalytic } = require('../ws');
+const { wabAuthenticateLimiter, wabActionLimiter, searchLimiter } = require('../middleware/rateLimits');
+const { auditLog } = require('../services/security');
 const {
   calculateNeutralityScore,
   fairnessWeightedSearch,
@@ -82,7 +85,7 @@ function buildErrorResponse(id, code, message) {
 // POST /api/wab/authenticate — session token exchange
 // ═════════════════════════════════════════════════════════════════════
 
-router.post('/authenticate', (req, res) => {
+router.post('/authenticate', wabAuthenticateLimiter, (req, res) => {
   try {
     const { siteId, apiKey, meta } = req.body;
     if (!siteId && !apiKey) {
@@ -91,12 +94,22 @@ router.post('/authenticate', (req, res) => {
 
     let site;
     if (apiKey) {
-      site = db.prepare('SELECT * FROM sites WHERE api_key = ? AND active = 1').get(apiKey);
+      // Timing-safe API key lookup: hash the provided key and compare against stored hashes
+      // to prevent timing attacks on the raw key comparison
+      const allActive = db.prepare('SELECT * FROM sites WHERE active = 1 AND api_key IS NOT NULL').all();
+      site = allActive.find(s => {
+        if (!s.api_key) return false;
+        const a = Buffer.from(s.api_key);
+        const b = Buffer.from(apiKey);
+        if (a.length !== b.length) return false;
+        return crypto.timingSafeEqual(a, b);
+      }) || null;
     } else {
       site = findSiteById.get(siteId);
     }
 
     if (!site) {
+      auditLog({ actorType: 'agent', action: 'wab_auth_failed', details: { siteId }, ip: req.ip, outcome: 'denied', severity: 'warning' });
       return res.status(404).json(buildErrorResponse(null, 'not_found', 'Site not found or invalid credentials'));
     }
 
@@ -105,7 +118,9 @@ router.post('/authenticate', (req, res) => {
       try {
         const reqDomain = new URL(origin).hostname.replace(/^www\./, '');
         const siteDomain = site.domain.replace(/^www\./, '');
-        if (reqDomain !== siteDomain && reqDomain !== 'localhost' && reqDomain !== '127.0.0.1') {
+        const isProduction = process.env.NODE_ENV === 'production';
+        const isLocalhost = reqDomain === 'localhost' || reqDomain === '127.0.0.1';
+        if (reqDomain !== siteDomain && !(isLocalhost && !isProduction)) {
           return res.status(403).json(buildErrorResponse(null, 'origin_mismatch', 'Origin does not match site domain'));
         }
       } catch (_) {}
@@ -193,7 +208,7 @@ router.get('/actions', (req, res) => {
 // POST /api/wab/actions/:name — execute action (with tracking)
 // ═════════════════════════════════════════════════════════════════════
 
-router.post('/actions/:name', requireSession, (req, res) => {
+router.post('/actions/:name', requireSession, wabActionLimiter, (req, res) => {
   try {
     const actionName = req.params.name;
     const site = findSiteById.get(req.wabSession.siteId);
@@ -333,7 +348,7 @@ router.get('/page-info', (req, res) => {
 // GET /api/wab/search — fairness-weighted search (MCP adapter uses this)
 // ═════════════════════════════════════════════════════════════════════
 
-router.get('/search', (req, res) => {
+router.get('/search', searchLimiter, (req, res) => {
   try {
     const query = req.query.q || '';
     const category = req.query.category || null;