web-agent-bridge 3.16.0 → 3.20.0

package/server/services/agent-tasks.js

@@ -16,6 +16,7 @@
 
 const crypto = require('crypto');
 const { db } = require('../models/db');
+const { safeFetch } = require('../utils/safe-fetch');
 
 // ─── Schema ──────────────────────────────────────────────────────────
 
@@ -362,21 +363,22 @@ async function executeUrlTask(taskId) {
   _addMessage(taskId, 'agent', analyzeMsg, { type: 'progress', step: 'analyze' });
   updates.push({ type: 'progress', step: 'analyze', message: analyzeMsg });
 
-  // Try to fetch the original page to get the current price
+  // Try to fetch the original page to get the current price.
+  // SSRF-hardened: safeFetch blocks private/internal IPs, caps body size,
+  // enforces a timeout, and re-validates every redirect hop.
   let originalPrice = null;
   try {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 12000);
-    const res = await fetch(urlData.url, {
+    const res = await safeFetch(urlData.url, {
       headers: {
         'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36',
         'Accept': 'text/html',
         'Accept-Language': 'ar,en-US;q=0.9,en;q=0.8',
       },
-      signal: controller.signal,
-      redirect: 'follow',
+    }, {
+      timeoutMs: 12000,
+      maxBytes: 2 * 1024 * 1024,
+      allowedContentTypes: ['text/html', 'application/xhtml+xml'],
     });
-    clearTimeout(timeout);
 
     if (res.ok) {
       const html = await res.text();

package/server/services/email.js

@@ -4,8 +4,48 @@
  */
 
 const nodemailer = require('nodemailer');
+const crypto     = require('crypto');
 const { getSmtpSettings, logNotification } = require('../models/db');
 
+// WAB email headers (RFC 5322 X-* extension headers) — let receiving agents
+// verify that a transactional email came from a WAB-enabled domain. Spec at
+// https://webagentbridge.com/wab-email. Signing is opt-in via env:
+//   WAB_EMAIL_HOST           — the domain that owns the wab.json manifest
+//   WAB_EMAIL_SIGNING_KEY    — base64 Ed25519 private key (32 bytes raw)
+const WAB_EMAIL_HOST = process.env.WAB_EMAIL_HOST || 'webagentbridge.com';
+const WAB_EMAIL_KEY  = process.env.WAB_EMAIL_SIGNING_KEY || '';
+let _wabSigningKey = null;
+function _getSigningKey() {
+  if (_wabSigningKey !== null) return _wabSigningKey;
+  if (!WAB_EMAIL_KEY) { _wabSigningKey = false; return false; }
+  try {
+    const raw = Buffer.from(WAB_EMAIL_KEY, 'base64');
+    if (raw.length !== 32) throw new Error('expected 32-byte ed25519 seed');
+    const der = Buffer.concat([Buffer.from('302e020100300506032b657004220420', 'hex'), raw]);
+    _wabSigningKey = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+  } catch (e) {
+    console.warn('[wab-email] signing disabled:', e.message);
+    _wabSigningKey = false;
+  }
+  return _wabSigningKey;
+}
+function buildWabHeaders({ from, to, subject, template, messageId, receipt }) {
+  const headers = {
+    'X-WAB-Manifest': `https://${WAB_EMAIL_HOST}/.well-known/wab.json`,
+    'X-WAB-Action':   `email.${template || 'transactional'}`
+  };
+  if (receipt) headers['X-WAB-Receipt'] = receipt;
+  const key = _getSigningKey();
+  if (key) {
+    const digest = crypto.createHash('sha256')
+      .update(`${from}\n${to}\n${subject}\n${messageId}`)
+      .digest();
+    const sig = crypto.sign(null, digest, key).toString('base64');
+    headers['X-WAB-Signature'] = `ed25519=${sig}`;
+  }
+  return headers;
+}
+
 function escapeHtml(s) {
   if (s == null) return '';
   return String(s)
@@ -269,11 +309,19 @@ async function sendEmail({ to, template, data, userId }) {
   const { subject, html } = tmpl(data);
 
   try {
+    const from = `"${settings.from_name}" <${settings.from_email}>`;
+    const messageId = `<${crypto.randomBytes(12).toString('hex')}@${WAB_EMAIL_HOST}>`;
+    const wabHeaders = buildWabHeaders({
+      from: settings.from_email, to, subject, template,
+      messageId, receipt: data && data.wab_receipt
+    });
     await transport.sendMail({
-      from: `"${settings.from_name}" <${settings.from_email}>`,
+      from,
       to,
       subject,
-      html
+      html,
+      messageId,
+      headers: wabHeaders
     });
     logNotification({ userId, emailTo: to, template, subject, status: 'sent' });
     return { success: true };

package/server/services/marketplace.js

@@ -125,29 +125,48 @@ class MarketplaceEngine {
     };
 
     this._purchases.set(purchaseId, purchase);
-    listing.installs++;
 
-    // Track earnings
-    if (sellerEarning > 0) {
-      const earnings = this._earnings.get(listing.sellerId) || { total: 0, pending: 0, paid: 0 };
-      earnings.total += sellerEarning;
-      earnings.pending += sellerEarning;
-      this._earnings.set(listing.sellerId, earnings);
+    // Only credit installs / revenue / seller earnings once the purchase is
+    // actually completed. For paid listings the purchase starts in
+    // 'pending_payment' and must be promoted via completePayment(). Crediting
+    // here would let any caller who can reach POST /marketplace/:id/purchase
+    // inflate a seller's earnings without ever paying.
+    if (purchase.status === 'completed') {
+      this._creditCompletedPurchase(listing, purchase);
     }
 
-    listing.revenue += listing.price;
     bus.emit('marketplace.purchased', { purchaseId, listingId, buyerId, price: listing.price });
     return purchase;
   }
 
+  /**
+   * Credit installs / revenue / seller earnings for a completed purchase.
+   * Idempotent guard: stamps purchase._credited so a double-call is a no-op.
+   */
+  _creditCompletedPurchase(listing, purchase) {
+    if (purchase._credited) return;
+    listing.installs++;
+    listing.revenue += purchase.price;
+    if (purchase.sellerEarning > 0) {
+      const earnings = this._earnings.get(listing.sellerId) || { total: 0, pending: 0, paid: 0 };
+      earnings.total += purchase.sellerEarning;
+      earnings.pending += purchase.sellerEarning;
+      this._earnings.set(listing.sellerId, earnings);
+    }
+    purchase._credited = true;
+  }
+
   /**
    * Complete payment for a purchase
    */
   completePayment(purchaseId) {
     const purchase = this._purchases.get(purchaseId);
     if (!purchase) throw new Error('Purchase not found');
+    if (purchase.status === 'completed') return purchase;
     purchase.status = 'completed';
     purchase.completedAt = Date.now();
+    const listing = this._listings.get(purchase.listingId);
+    if (listing) this._creditCompletedPurchase(listing, purchase);
     return purchase;
   }
 

package/server/services/plans.js

@@ -24,7 +24,7 @@ function db() {
   const DATA_DIR = process.env.NODE_ENV === 'test'
     ? path.join(__dirname, '..', '..', 'data-test')
     : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-  const dbFile = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+  const dbFile = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
   _db = new Database(path.join(DATA_DIR, dbFile));
   return _db;
 }

package/server/services/shieldlink.js

@@ -40,7 +40,7 @@ const { encryptOptional, decryptOptional } = require('../utils/secureFields');
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 let _db = null;
 function db() {
   if (!_db) _db = new Database(path.join(DATA_DIR, DB_FILE));

package/server/services/ssl-ct-monitor.js

@@ -21,7 +21,7 @@ const Database = require('better-sqlite3');
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 
 let _db = null;
 function db() {

package/server/services/ssl-monitor.js

@@ -17,7 +17,7 @@ const ssl = require('./ssl-inspector');
 const DATA_DIR = process.env.NODE_ENV === 'test'
   ? path.join(__dirname, '..', '..', 'data-test')
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const DB_FILE = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 
 let _db = null;
 function db() {

package/server/services/stripe.js

@@ -26,10 +26,11 @@ function getStripe() {
 
 function getStripePrices() {
   return {
-    starter: process.env.STRIPE_PRICE_STARTER || getPlatformSetting('stripe_price_starter'),
-    pro: process.env.STRIPE_PRICE_PRO || getPlatformSetting('stripe_price_pro'),
-    business: process.env.STRIPE_PRICE_BUSINESS || getPlatformSetting('stripe_price_business'),
-    enterprise: process.env.STRIPE_PRICE_ENTERPRISE || getPlatformSetting('stripe_price_enterprise')
+    starter:    process.env.STRIPE_PRICE_STARTER    || getPlatformSetting('stripe_price_starter'),
+    freelancer: process.env.STRIPE_PRICE_FREELANCER || getPlatformSetting('stripe_price_freelancer'),
+    pro:        process.env.STRIPE_PRICE_PRO        || getPlatformSetting('stripe_price_pro'),
+    business:   process.env.STRIPE_PRICE_BUSINESS   || getPlatformSetting('stripe_price_business'),
+    enterprise: process.env.STRIPE_PRICE_ENTERPRISE || getPlatformSetting('stripe_price_enterprise'),
   };
 }
 
@@ -332,6 +333,30 @@ function handleWebhookRequest(req) {
   if (!s) throw new Error('Stripe not configured');
   const event = s.webhooks.constructEvent(raw, sig, whSecret);
   handleWebhookEvent(event);
+
+  // ── Forward genius-tagged events to genius-platform (same webhook, same secret) ──
+  const obj = event.data && event.data.object;
+  const geniusOrgId = obj && obj.metadata && obj.metadata.genius_org_id;
+  if (geniusOrgId) {
+    const callbackUrl = `${process.env.GENIUS_CALLBACK_URL || 'http://localhost:3004'}/api/wab/billing-callback`;
+    (async () => {
+      try {
+        const fetchFn = globalThis.fetch || (await import('node-fetch').then(m => m.default).catch(() => null));
+        if (!fetchFn) return;
+        await fetchFn(callbackUrl, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Internal-Secret': process.env.GENIUS_BRIDGE_SECRET || '',
+          },
+          body: JSON.stringify({ type: event.type, data: event.data }),
+        });
+        console.log(`[stripe] forwarded ${event.type} → genius-platform (org: ${geniusOrgId})`);
+      } catch (e) {
+        console.error('[stripe] genius billing-callback failed (non-fatal):', e.message);
+      }
+    })();
+  }
 }
 
 module.exports = {

package/server/services/webhooks.js

@@ -20,6 +20,8 @@
 
 const crypto = require('crypto');
 const { db } = require('../models/db');
+const { canonicalize } = require('./canonical-json');
+const signer = require('./operator-signer');
 
 const VALID_EVENTS = new Set([
   'revocation.opened',
@@ -183,6 +185,10 @@ async function _attemptDelivery(deliveryId, subscription, body) {
     'X-WAB-Webhook-Delivery': deliveryId,
     'User-Agent': 'web-agent-bridge-webhooks/1.0',
   };
+  if (subscription._operatorSignature) {
+    headers['X-WAB-Operator-Signature'] = subscription._operatorSignature;
+    headers['X-WAB-Operator-Key-Url'] = '/api/operator-key.json';
+  }
   try {
     const res = await _httpPost(subscription.url, body, headers);
     if (res.ok) {
@@ -264,6 +270,20 @@ function emit(eventType, data) {
     created_at: new Date().toISOString(),
     data,
   };
+  // Ed25519-sign the canonical form of the payload (RFC 8785). Receivers verify
+  // with the public key published at /api/operator-key.json. If no operator key
+  // is configured, we still deliver — the HMAC signature alone is sufficient for
+  // per-subscription auth.
+  const operatorSignature = signer.isConfigured() ? signer.sign(payload) : null;
+  if (operatorSignature) {
+    payload.signature = {
+      alg: signer.ALGORITHM,
+      value: operatorSignature,
+      key_url: '/api/operator-key.json',
+      canonicalization: 'RFC8785',
+      signed_fields: ['id', 'type', 'created_at', 'data'],
+    };
+  }
   const body = JSON.stringify(payload);
 
   for (const sub of subs) {
@@ -273,7 +293,12 @@ function emit(eventType, data) {
         (id, subscription_id, event_id, event_type, payload, status, attempts)
       VALUES (?, ?, ?, ?, ?, 'pending', 0)
     `).run(deliveryId, sub.id, eventId, eventType, body);
-    const enriched = { ...sub, _eventId: eventId, _eventType: eventType };
+    const enriched = {
+      ...sub,
+      _eventId: eventId,
+      _eventType: eventType,
+      _operatorSignature: operatorSignature,
+    };
     setImmediate(async () => {
       const ok = await _attemptDelivery(deliveryId, enriched, body);
       if (!ok) _scheduleRetry(deliveryId, enriched, body, 1);
@@ -298,6 +323,40 @@ function verifySignature({ secret, header, body, toleranceSec = 300 }) {
   } catch (_) { return false; }
 }
 
+/**
+ * Verify the operator (Ed25519) signature embedded inside an event body.
+ *
+ * The receiver passes the parsed JSON envelope (or the raw body string + we
+ * parse). We strip the `signature` field, RFC8785-canonicalise the remainder,
+ * and verify with the operator public key (32-byte raw, base64).
+ *
+ *   verifyOperatorSignature({ body, publicKeyB64 }) -> true | false
+ */
+function verifyOperatorSignature({ body, publicKeyB64 }) {
+  if (!body || !publicKeyB64) return false;
+  let envelope;
+  try {
+    envelope = typeof body === 'string' ? JSON.parse(body) : body;
+  } catch (_) { return false; }
+  const sigObj = envelope.signature;
+  if (!sigObj || sigObj.alg !== 'ed25519' || !sigObj.value) return false;
+
+  const { signature: _omit, ...signed } = envelope;
+  const canon = canonicalize(signed);
+
+  try {
+    const raw = Buffer.from(publicKeyB64, 'base64');
+    if (raw.length !== 32) return false;
+    // Reconstruct SPKI DER for Ed25519: 12-byte prefix + 32-byte raw.
+    const spki = Buffer.concat([
+      Buffer.from('302a300506032b6570032100', 'hex'),
+      raw,
+    ]);
+    const pub = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
+    return crypto.verify(null, Buffer.from(canon, 'utf8'), pub, Buffer.from(sigObj.value, 'base64'));
+  } catch (_) { return false; }
+}
+
 module.exports = {
   createSubscription,
   listSubscriptions,
@@ -307,6 +366,7 @@ module.exports = {
   listDeliveries,
   emit,
   verifySignature,
+  verifyOperatorSignature,
   VALID_EVENTS,
   // exposed for tests
   _attemptDelivery,

package/server/utils/migrate.js

@@ -12,7 +12,7 @@ const DATA_DIR = process.env.NODE_ENV === 'test'
   : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
 if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
 
-const dbFile = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const dbFile = process.env.NODE_ENV === 'test' ? `wab-test-${process.env.JEST_WORKER_ID || '1'}.db` : 'wab.db';
 const db = new Database(path.join(DATA_DIR, dbFile));
 
 // Ensure migrations tracking table exists

package/server/utils/safe-compare.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const crypto = require('crypto');
+
+/**
+ * Constant-time comparison for secrets / bearer tokens.
+ *
+ * Both operands are hashed to a fixed-length SHA-256 digest before the
+ * timing-safe compare, so this never throws on length mismatch and does not
+ * leak the secret length through early termination. Non-string inputs (missing
+ * headers, undefined env vars) return false instead of throwing.
+ *
+ * Use this for ALL static-token / shared-secret equality checks instead of
+ * `a === b` / `a !== b`, which short-circuit on the first differing byte and
+ * are therefore vulnerable to remote timing analysis.
+ */
+function safeEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string' || a.length === 0 || b.length === 0) {
+    return false;
+  }
+  const ha = crypto.createHash('sha256').update(a, 'utf8').digest();
+  const hb = crypto.createHash('sha256').update(b, 'utf8').digest();
+  return crypto.timingSafeEqual(ha, hb);
+}
+
+module.exports = { safeEqual };