web-agent-bridge 3.16.0 → 3.20.0

package/server/models/db.js

@@ -12,7 +12,8 @@ const DATA_DIR = isTest
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
 if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
 
-const dbFile = isTest ? 'wab-test.db' : 'wab.db';
+// In test mode, isolate per Jest worker so parallel suites can't trample each other's data.
+const dbFile = isTest ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 const db = new Database(path.join(DATA_DIR, dbFile));
 
 db.pragma('journal_mode = WAL');

package/server/routes/admin-shieldlink.js

@@ -25,7 +25,7 @@ router.use(authenticateAdmin);
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 let _db = null;
 function db() { if (!_db) _db = new Database(path.join(DATA_DIR, DB_FILE)); return _db; }
 

package/server/routes/admin-shieldqr.js

@@ -19,7 +19,7 @@ router.use(authenticateAdmin);
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 
 let _db = null;
 function db() {

package/server/routes/admin-trust-monitor.js

@@ -22,7 +22,7 @@ router.use(authenticateAdmin);
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 
 let _db = null;
 function db() { if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); } return _db; }

package/server/routes/api-keys.js

@@ -38,9 +38,10 @@ function issueOk(ip) {
 }
 
 function adminGate(req, res, next) {
+  const { safeEqual } = require('../utils/safe-compare');
   const expected = process.env.WAB_API_KEYS_ADMIN_TOKEN || process.env.WAB_RING4_ADMIN_TOKEN;
   if (!expected) return res.status(503).json({ error: 'admin_disabled' });
-  if ((req.headers['x-admin-token'] || '') !== expected) return res.status(401).json({ error: 'unauthorized' });
+  if (!safeEqual(req.headers['x-admin-token'] || '', expected)) return res.status(401).json({ error: 'unauthorized' });
   next();
 }
 

package/server/routes/customer-shieldlink.js

@@ -26,7 +26,7 @@ const router = express.Router();
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 let _db = null;
 function db() { if (!_db) _db = new Database(path.join(DATA_DIR, DB_FILE)); return _db; }
 

package/server/routes/enterprise-mesh.js

@@ -26,9 +26,10 @@ const { db }  = require('../models/db');
 const router = express.Router();
 
 function adminGate(req, res, next) {
+  const { safeEqual } = require('../utils/safe-compare');
   const expected = process.env.WAB_LICENSE_ADMIN_TOKEN || process.env.WAB_RING4_ADMIN_TOKEN;
   if (!expected) return res.status(503).json({ error: 'admin_disabled' });
-  if ((req.headers['x-admin-token'] || '') !== expected) return res.status(401).json({ error: 'unauthorized' });
+  if (!safeEqual(req.headers['x-admin-token'] || '', expected)) return res.status(401).json({ error: 'unauthorized' });
   next();
 }
 

package/server/routes/genius-bridge.js

@@ -0,0 +1,256 @@
+/**
+ * Genius Platform Payment Bridge (v1.0.0)
+ *
+ * Backend-only proxy — genius-platform sends billing requests here using a
+ * shared internal secret. WAB owns the Stripe keys; genius never needs them.
+ *
+ * Endpoints:
+ *   POST /api/genius/checkout       — create Stripe checkout session
+ *   POST /api/genius/portal         — create Stripe customer portal session
+ *   POST /api/genius/stripe-webhook — Stripe webhook for genius-tagged events
+ *
+ * WAB env vars required:
+ *   GENIUS_BRIDGE_SECRET        — shared secret (also in genius as WAB_GENIUS_SECRET)
+ *   GENIUS_APP_URL              — https://thecodegenius.com
+ *   GENIUS_CALLBACK_URL         — http://localhost:3004 (internal only)
+ *   STRIPE_GENIUS_WEBHOOK_SECRET — separate Stripe webhook secret for this endpoint
+ *   STRIPE_GENIUS_PRICE_PRO      — Stripe price ID for genius PRO (falls back to STRIPE_PRICE_PRO)
+ *   STRIPE_GENIUS_PRICE_BUSINESS — Stripe price ID for genius BUSINESS (falls back to STRIPE_PRICE_BUSINESS)
+ *   STRIPE_GENIUS_PRICE_STARTER  — (optional) Stripe price ID for genius STARTER
+ */
+
+'use strict';
+
+const express = require('express');
+const router  = express.Router();
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+const BRIDGE_SECRET       = () => process.env.GENIUS_BRIDGE_SECRET;
+const GENIUS_APP_URL      = () => process.env.GENIUS_APP_URL      || 'https://thecodegenius.com';
+const GENIUS_CALLBACK_URL = () => process.env.GENIUS_CALLBACK_URL || 'http://localhost:3004';
+
+function getStripe() {
+  const key = process.env.STRIPE_SECRET_KEY;
+  if (!key || key.startsWith('sk_disabled')) return null;
+  // Cache the instance to avoid re-init on every request
+  if (!getStripe._instance) {
+    getStripe._instance = require('stripe')(key);
+  }
+  return getStripe._instance;
+}
+
+// Invalidate cached Stripe instance when key changes (hot reload)
+let _lastKey = null;
+function stripe() {
+  const key = process.env.STRIPE_SECRET_KEY;
+  if (key !== _lastKey) { getStripe._instance = null; _lastKey = key; }
+  return getStripe();
+}
+
+function resolvePriceId(tier) {
+  const t = (tier || '').toUpperCase();
+  const lookup = {
+    STARTER:  process.env.STRIPE_GENIUS_PRICE_STARTER  || process.env.STRIPE_PRICE_STARTER,
+    PRO:      process.env.STRIPE_GENIUS_PRICE_PRO      || process.env.STRIPE_PRICE_PRO,
+    BUSINESS: process.env.STRIPE_GENIUS_PRICE_BUSINESS || process.env.STRIPE_PRICE_BUSINESS,
+  };
+  return lookup[t] || null;
+}
+
+// Middleware — validate shared internal secret
+function bridgeAuth(req, res, next) {
+  const secret = BRIDGE_SECRET();
+  if (!secret) {
+    // Bridge secret not configured → treat as disabled
+    return res.status(503).json({ error: 'Genius payment bridge not configured on this server' });
+  }
+  if (req.headers['x-internal-secret'] !== secret) {
+    return res.status(401).json({ error: 'unauthorized' });
+  }
+  next();
+}
+
+// ── POST /api/genius/checkout ─────────────────────────────────────────────────
+router.post('/checkout', bridgeAuth, express.json({ limit: '8kb' }), async (req, res) => {
+  const s = stripe();
+  if (!s) return res.status(503).json({ error: 'Stripe not configured on this server' });
+
+  const { orgId, userId, email, name, tier, existingCustomerId } = req.body;
+
+  if (!orgId || !tier || !email) {
+    return res.status(400).json({ error: 'orgId, tier, and email are required' });
+  }
+
+  const priceId = resolvePriceId(tier);
+  if (!priceId) {
+    return res.status(400).json({ error: `No Stripe price ID configured for tier: ${tier}` });
+  }
+
+  try {
+    // Re-use existing customer or create a new one
+    let customerId = existingCustomerId || null;
+    if (!customerId) {
+      const customer = await s.customers.create({
+        email,
+        name: name || email,
+        metadata: {
+          genius_org_id:  orgId,
+          genius_user_id: userId || '',
+          source:         'genius-platform',
+        },
+      });
+      customerId = customer.id;
+    }
+
+    const baseUrl = GENIUS_APP_URL();
+    const session = await s.checkout.sessions.create({
+      customer:             customerId,
+      mode:                 'subscription',
+      payment_method_types: ['card'],
+      line_items: [{ price: priceId, quantity: 1 }],
+      metadata: {
+        genius_org_id:  orgId,
+        genius_user_id: userId || '',
+        tier:           tier.toUpperCase(),
+        source:         'genius-platform',
+      },
+      subscription_data: {
+        metadata: {
+          genius_org_id:  orgId,
+          genius_user_id: userId || '',
+          tier:           tier.toUpperCase(),
+          source:         'genius-platform',
+        },
+      },
+      success_url: `${baseUrl}/dashboard/user/billing?success=1&plan=${tier.toUpperCase()}`,
+      cancel_url:  `${baseUrl}/pricing?canceled=1`,
+    });
+
+    res.json({ url: session.url, customerId });
+  } catch (err) {
+    console.error('[genius-bridge] checkout error:', err.message);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ── POST /api/genius/portal ───────────────────────────────────────────────────
+router.post('/portal', bridgeAuth, express.json({ limit: '8kb' }), async (req, res) => {
+  const s = stripe();
+  if (!s) return res.status(503).json({ error: 'Stripe not configured on this server' });
+
+  const { customerId } = req.body;
+  if (!customerId) {
+    return res.status(400).json({ error: 'customerId is required' });
+  }
+
+  try {
+    const baseUrl = GENIUS_APP_URL();
+    const session = await s.billingPortal.sessions.create({
+      customer:   customerId,
+      return_url: `${baseUrl}/dashboard/user/billing`,
+    });
+    res.json({ url: session.url });
+  } catch (err) {
+    console.error('[genius-bridge] portal error:', err.message);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ── POST /api/genius/stripe-webhook ──────────────────────────────────────────
+// Register a SEPARATE Stripe webhook pointing here:
+//   https://webagentbridge.com/api/genius/stripe-webhook
+// Use STRIPE_GENIUS_WEBHOOK_SECRET (different from WAB's own webhook secret).
+router.post('/stripe-webhook', express.raw({ type: 'application/json' }), async (req, res) => {
+  const s = stripe();
+  if (!s) return res.status(503).json({ error: 'Stripe not configured' });
+
+  const sig           = req.headers['stripe-signature'];
+  const webhookSecret = process.env.STRIPE_GENIUS_WEBHOOK_SECRET;
+
+  if (!sig || !webhookSecret) {
+    return res.status(400).json({ error: 'Missing Stripe signature or STRIPE_GENIUS_WEBHOOK_SECRET' });
+  }
+
+  let event;
+  try {
+    event = s.webhooks.constructEvent(req.body, sig, webhookSecret);
+  } catch (err) {
+    console.error('[genius-bridge] webhook signature failed:', err.message);
+    return res.status(400).json({ error: `Webhook signature verification failed: ${err.message}` });
+  }
+
+  // Only process events originating from genius-platform
+  const meta = event.data.object?.metadata ?? {};
+  if (meta.source !== 'genius-platform') {
+    return res.json({ received: true, skipped: 'not a genius event' });
+  }
+
+  let payload = null;
+
+  try {
+    switch (event.type) {
+      case 'checkout.session.completed': {
+        const sess = event.data.object;
+        payload = {
+          event:          'checkout.completed',
+          orgId:          sess.metadata?.genius_org_id,
+          tier:           sess.metadata?.tier,
+          customerId:     sess.customer,
+          subscriptionId: sess.subscription,
+        };
+        break;
+      }
+      case 'customer.subscription.updated': {
+        const sub = event.data.object;
+        payload = {
+          event:          'subscription.updated',
+          orgId:          sub.metadata?.genius_org_id,
+          tier:           sub.metadata?.tier,
+          subscriptionId: sub.id,
+          status:         sub.status,
+        };
+        break;
+      }
+      case 'customer.subscription.deleted': {
+        const sub = event.data.object;
+        payload = {
+          event:          'subscription.deleted',
+          orgId:          sub.metadata?.genius_org_id,
+          subscriptionId: sub.id,
+        };
+        break;
+      }
+      default:
+        return res.json({ received: true });
+    }
+
+    if (payload?.orgId) {
+      const callbackUrl = `${GENIUS_CALLBACK_URL()}/api/wab/billing-callback`;
+      const secret      = BRIDGE_SECRET();
+      const r = await fetch(callbackUrl, {
+        method:  'POST',
+        headers: {
+          'Content-Type':     'application/json',
+          'X-Internal-Secret': secret,
+        },
+        body: JSON.stringify(payload),
+        signal: AbortSignal.timeout(8000),
+      }).catch(err => {
+        console.error('[genius-bridge] callback to genius failed:', err.message);
+        return null;
+      });
+
+      if (r && !r.ok) {
+        console.error('[genius-bridge] callback returned', r.status);
+      }
+    }
+  } catch (err) {
+    console.error('[genius-bridge] webhook handler error:', err);
+    return res.status(500).json({ error: 'Internal error processing event' });
+  }
+
+  res.json({ received: true });
+});
+
+module.exports = router;

package/server/routes/genius-gateway.js

@@ -0,0 +1,137 @@
+/**
+ * Genius Platform Payment Gateway
+ *
+ * Exposes WAB's existing Stripe service to genius-platform over a shared
+ * secret. Uses WAB's configured Stripe keys and price IDs — no separate
+ * Stripe account or duplicated logic required.
+ *
+ * Endpoints (prefix: /api/genius):
+ *   POST /checkout          → create Stripe Checkout session for a genius org
+ *   POST /portal            → create Customer Portal session for a genius org
+ *
+ * Stripe Webhook:
+ *   Use the EXISTING WAB webhook:  POST /api/billing/webhook
+ *   Same STRIPE_WEBHOOK_SECRET — no separate endpoint or secret needed.
+ *   Events tagged with genius_org_id in metadata are automatically forwarded
+ *   to genius-platform's /api/wab/billing-callback by stripe.js.
+ *
+ * Auth: X-Internal-Secret header must match GENIUS_BRIDGE_SECRET env var.
+ * All endpoints are reachable only from localhost (blocked by nginx for external).
+ */
+
+'use strict';
+
+const express = require('express');
+const router  = express.Router();
+
+// ── Use WAB's existing Stripe service — single Stripe account for everything ──
+// Note: customer storage stays in genius-platform's own DB (no WAB DB foreign key needed)
+const { getStripe, getStripePrices, isStripeConfigured } = require('../services/stripe');
+
+// ── Auth middleware — shared secret ──────────────────────────────────────────
+function requireInternalSecret(req, res, next) {
+  const secret = process.env.GENIUS_BRIDGE_SECRET;
+  if (!secret) return res.status(503).json({ error: 'GENIUS_BRIDGE_SECRET not configured on WAB' });
+  if (req.headers['x-internal-secret'] !== secret) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+  next();
+}
+
+// ── Resolve price ID for genius tiers ─────────────────────────────────────────
+// Priority: STRIPE_GENIUS_PRICE_<TIER> → WAB's existing prices → null
+function resolveGeniusPrice(tier) {
+  const t = String(tier || '').toUpperCase();
+  // Genius-specific override (optional)
+  const override = process.env[`STRIPE_GENIUS_PRICE_${t}`];
+  if (override) return override;
+  // Fall back to WAB's own price IDs (same products, shared account)
+  const prices = getStripePrices();
+  return prices[t.toLowerCase()] || null;
+}
+
+// ── POST /checkout ────────────────────────────────────────────────────────────
+router.post('/checkout', requireInternalSecret, express.json(), async (req, res) => {
+  if (!isStripeConfigured()) {
+    return res.status(503).json({ error: 'Stripe not configured on this server' });
+  }
+
+  const { orgId, userId, email, name, tier, existingCustomerId } = req.body || {};
+  if (!orgId || !tier || !email) {
+    return res.status(400).json({ error: 'orgId, tier, and email are required' });
+  }
+
+  const priceId = resolveGeniusPrice(tier);
+  if (!priceId) {
+    return res.status(400).json({ error: `No Stripe price configured for tier: ${tier}` });
+  }
+
+  try {
+    const s = getStripe();
+
+    // genius-platform stores and passes back its own Stripe customer ID
+    let stripeCustomerId = existingCustomerId || null;
+
+    if (!stripeCustomerId) {
+      const stripeCustomer = await s.customers.create({
+        email,
+        name: name || email,
+        metadata: { genius_org_id: orgId, source: 'thecodegenius' }
+      });
+      stripeCustomerId = stripeCustomer.id;
+    }
+
+    const appUrl  = process.env.GENIUS_APP_URL || 'https://thecodegenius.com';
+    const session = await s.checkout.sessions.create({
+      customer: stripeCustomerId,
+      mode: 'subscription',
+      payment_method_types: ['card'],
+      line_items: [{ price: priceId, quantity: 1 }],
+      metadata: { genius_org_id: orgId, genius_user_id: userId || '', tier },
+      success_url: `${appUrl}/dashboard/user/billing?payment=success&session_id={CHECKOUT_SESSION_ID}`,
+      cancel_url:  `${appUrl}/pricing?canceled=1`,
+    });
+
+    // Return customerId so genius-platform can persist it in its own DB
+    res.json({ sessionId: session.id, url: session.url, customerId: stripeCustomerId });
+  } catch (err) {
+    console.error('[genius-gateway] checkout error:', err.message);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ── POST /portal ──────────────────────────────────────────────────────────────
+router.post('/portal', requireInternalSecret, express.json(), async (req, res) => {
+  if (!isStripeConfigured()) {
+    return res.status(503).json({ error: 'Stripe not configured on this server' });
+  }
+
+  const { orgId, customerId } = req.body || {};
+  if (!orgId && !customerId) {
+    return res.status(400).json({ error: 'orgId or customerId is required' });
+  }
+
+  try {
+    const s = getStripe();
+
+    // genius-platform is expected to pass customerId from its own DB
+    let stripeCustomerId = customerId;
+
+    if (!stripeCustomerId) {
+      return res.status(404).json({ error: 'No Stripe customer found for this org' });
+    }
+
+    const appUrl  = process.env.GENIUS_APP_URL || 'https://thecodegenius.com';
+    const session = await s.billingPortal.sessions.create({
+      customer:   stripeCustomerId,
+      return_url: `${appUrl}/dashboard/user/billing`,
+    });
+
+    res.json({ url: session.url });
+  } catch (err) {
+    console.error('[genius-gateway] portal error:', err.message);
+    res.status(500).json({ error: err.message });
+  }
+});
+
+module.exports = router;

package/server/routes/governance-saas.js

@@ -38,9 +38,10 @@ const EVENT_TYPES = new Set(['refusal','approval','override','policy','audit','c
 const SEVERITIES  = new Set(['info','low','medium','high','critical']);
 
 function adminGate(req, res, next) {
+  const { safeEqual } = require('../utils/safe-compare');
   const expected = process.env.WAB_GOVERNANCE_ADMIN_TOKEN || process.env.WAB_RING4_ADMIN_TOKEN;
   if (!expected) return res.status(503).json({ error: 'admin_disabled' });
-  if ((req.headers['x-admin-token'] || '') !== expected) return res.status(401).json({ error: 'unauthorized' });
+  if (!safeEqual(req.headers['x-admin-token'] || '', expected)) return res.status(401).json({ error: 'unauthorized' });
   next();
 }