web-agent-bridge 3.2.0 → 3.3.0

package/server/middleware/adminAuth.js

@@ -1,35 +1,35 @@
-const { signAdminToken, verifyAdminToken } = require('../config/secrets');
-const { isJWTRevoked } = require('../services/security');
-
-function generateAdminToken(admin) {
-  return signAdminToken(
-    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
-    { expiresIn: '4h' }
-  );
-}
-
-function authenticateAdmin(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Admin access token required' });
-  }
-
-  try {
-    if (isJWTRevoked(token)) {
-      return res.status(403).json({ error: 'Token has been revoked' });
-    }
-    const decoded = verifyAdminToken(token);
-    if (!decoded.isAdmin) {
-      return res.status(403).json({ error: 'Admin privileges required' });
-    }
-    req.admin = decoded;
-    req._rawToken = token;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired admin token' });
-  }
-}
-
-module.exports = { generateAdminToken, authenticateAdmin };
+const { signAdminToken, verifyAdminToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
+
+function generateAdminToken(admin) {
+  return signAdminToken(
+    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
+    { expiresIn: '4h' }
+  );
+}
+
+function authenticateAdmin(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Admin access token required' });
+  }
+
+  try {
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
+    const decoded = verifyAdminToken(token);
+    if (!decoded.isAdmin) {
+      return res.status(403).json({ error: 'Admin privileges required' });
+    }
+    req.admin = decoded;
+    req._rawToken = token;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired admin token' });
+  }
+}
+
+module.exports = { generateAdminToken, authenticateAdmin };

package/server/middleware/auth.js

@@ -1,50 +1,50 @@
-const { signUserToken, verifyUserToken } = require('../config/secrets');
-const { isJWTRevoked } = require('../services/security');
-
-function generateToken(user) {
-  return signUserToken(
-    { id: user.id, email: user.email, name: user.name },
-    { expiresIn: '24h' }
-  );
-}
-
-function authenticateToken(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Access token required' });
-  }
-
-  try {
-    // Check revocation list
-    if (isJWTRevoked(token)) {
-      return res.status(403).json({ error: 'Token has been revoked' });
-    }
-    const decoded = verifyUserToken(token);
-    req.user = decoded;
-    req._rawToken = token;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired token' });
-  }
-}
-
-function optionalAuth(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (token) {
-    try {
-      if (!isJWTRevoked(token)) {
-        req.user = verifyUserToken(token);
-        req._rawToken = token;
-      }
-    } catch (e) {
-      // ignore invalid tokens for optional auth
-    }
-  }
-  next();
-}
-
-module.exports = { generateToken, authenticateToken, optionalAuth };
+const { signUserToken, verifyUserToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
+
+function generateToken(user) {
+  return signUserToken(
+    { id: user.id, email: user.email, name: user.name },
+    { expiresIn: '24h' }
+  );
+}
+
+function authenticateToken(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Access token required' });
+  }
+
+  try {
+    // Check revocation list
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
+    const decoded = verifyUserToken(token);
+    req.user = decoded;
+    req._rawToken = token;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired token' });
+  }
+}
+
+function optionalAuth(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (token) {
+    try {
+      if (!isJWTRevoked(token)) {
+        req.user = verifyUserToken(token);
+        req._rawToken = token;
+      }
+    } catch (e) {
+      // ignore invalid tokens for optional auth
+    }
+  }
+  next();
+}
+
+module.exports = { generateToken, authenticateToken, optionalAuth };

package/server/middleware/featureGate.js

@@ -1,88 +1,88 @@
-'use strict';
-
-/**
- * Feature Gate Middleware for Agent OS
- *
- * Enforces plan-based access control on /api/os/* endpoints.
- * Checks tier features and usage limits before allowing access.
- *
- * OPEN endpoints (always free): protocol, registry read, discovery, adapters read,
- *   agent registration, basic health, SDK downloads
- *
- * GATED endpoints: orchestration, observability details, replay, failure analysis,
- *   sessions beyond limit, LLM inference, certification, signing, hosted runtime,
- *   marketplace publish, swarm, vision
- */
-
-const { checkFeatureGate, hasFeature, getPlan } = require('../config/plans');
-const metering = require('../services/metering');
-const { metrics } = require('../observability');
-
-/**
- * Feature Gate Middleware
- * Checks if the requesting agent/user has the required feature in their plan.
- *
- * Requires req.agentTier to be set (by auth middleware or license verification).
- * Falls back to 'free' if not set.
- */
-function featureGate(req, res, next) {
-  const tier = req.agentTier || req.session?.tier || 'free';
-  const requiredFeature = checkFeatureGate(req.path, req.method);
-
-  // No gate on this endpoint — free access
-  if (!requiredFeature) return next();
-
-  // Check feature
-  if (!hasFeature(tier, requiredFeature)) {
-    metrics.increment('feature_gate.denied', 1, { feature: requiredFeature, tier });
-    const plan = getPlan(tier);
-    return res.status(403).json({
-      error: 'Feature not available on your plan',
-      feature: requiredFeature,
-      currentPlan: tier,
-      upgrade: `This feature requires a higher plan. Visit /api/os/plans for available plans.`,
-      upgradeUrl: '/api/os/plans',
-    });
-  }
-
-  metrics.increment('feature_gate.allowed', 1, { feature: requiredFeature, tier });
-  next();
-}
-
-/**
- * Usage Limit Middleware
- * Enforces per-metric limits (executions/day, tasks/day, etc.) based on plan.
- */
-function usageLimit(metric) {
-  return function (req, res, next) {
-    const tier = req.agentTier || req.session?.tier || 'free';
-    const entityId = req.agentId || req.session?.agentId || req.ip;
-
-    const result = metering.record(entityId, metric, tier);
-
-    if (!result.allowed) {
-      metrics.increment('usage_limit.exceeded', 1, { metric, tier });
-      return res.status(429).json({
-        error: 'Usage limit exceeded',
-        metric,
-        current: result.current,
-        limit: result.limit,
-        overage: result.overageAmount,
-        overageCost: result.overageCost,
-        upgrade: 'Upgrade your plan for higher limits or enable pay-as-you-go overages.',
-        upgradeUrl: '/api/os/plans',
-      });
-    }
-
-    // Attach usage info to response headers
-    if (result.limit > 0) {
-      res.set('X-WAB-Usage-Current', String(result.current));
-      res.set('X-WAB-Usage-Limit', String(result.limit));
-      res.set('X-WAB-Usage-Remaining', String(Math.max(0, result.limit - result.current)));
-    }
-
-    next();
-  };
-}
-
-module.exports = { featureGate, usageLimit };
+'use strict';
+
+/**
+ * Feature Gate Middleware for Agent OS
+ *
+ * Enforces plan-based access control on /api/os/* endpoints.
+ * Checks tier features and usage limits before allowing access.
+ *
+ * OPEN endpoints (always free): protocol, registry read, discovery, adapters read,
+ *   agent registration, basic health, SDK downloads
+ *
+ * GATED endpoints: orchestration, observability details, replay, failure analysis,
+ *   sessions beyond limit, LLM inference, certification, signing, hosted runtime,
+ *   marketplace publish, swarm, vision
+ */
+
+const { checkFeatureGate, hasFeature, getPlan } = require('../config/plans');
+const metering = require('../services/metering');
+const { metrics } = require('../observability');
+
+/**
+ * Feature Gate Middleware
+ * Checks if the requesting agent/user has the required feature in their plan.
+ *
+ * Requires req.agentTier to be set (by auth middleware or license verification).
+ * Falls back to 'free' if not set.
+ */
+function featureGate(req, res, next) {
+  const tier = req.agentTier || req.session?.tier || 'free';
+  const requiredFeature = checkFeatureGate(req.path, req.method);
+
+  // No gate on this endpoint — free access
+  if (!requiredFeature) return next();
+
+  // Check feature
+  if (!hasFeature(tier, requiredFeature)) {
+    metrics.increment('feature_gate.denied', 1, { feature: requiredFeature, tier });
+    const plan = getPlan(tier);
+    return res.status(403).json({
+      error: 'Feature not available on your plan',
+      feature: requiredFeature,
+      currentPlan: tier,
+      upgrade: `This feature requires a higher plan. Visit /api/os/plans for available plans.`,
+      upgradeUrl: '/api/os/plans',
+    });
+  }
+
+  metrics.increment('feature_gate.allowed', 1, { feature: requiredFeature, tier });
+  next();
+}
+
+/**
+ * Usage Limit Middleware
+ * Enforces per-metric limits (executions/day, tasks/day, etc.) based on plan.
+ */
+function usageLimit(metric) {
+  return function (req, res, next) {
+    const tier = req.agentTier || req.session?.tier || 'free';
+    const entityId = req.agentId || req.session?.agentId || req.ip;
+
+    const result = metering.record(entityId, metric, tier);
+
+    if (!result.allowed) {
+      metrics.increment('usage_limit.exceeded', 1, { metric, tier });
+      return res.status(429).json({
+        error: 'Usage limit exceeded',
+        metric,
+        current: result.current,
+        limit: result.limit,
+        overage: result.overageAmount,
+        overageCost: result.overageCost,
+        upgrade: 'Upgrade your plan for higher limits or enable pay-as-you-go overages.',
+        upgradeUrl: '/api/os/plans',
+      });
+    }
+
+    // Attach usage info to response headers
+    if (result.limit > 0) {
+      res.set('X-WAB-Usage-Current', String(result.current));
+      res.set('X-WAB-Usage-Limit', String(result.limit));
+      res.set('X-WAB-Usage-Remaining', String(Math.max(0, result.limit - result.current)));
+    }
+
+    next();
+  };
+}
+
+module.exports = { featureGate, usageLimit };

package/server/middleware/rateLimits.js

@@ -1,100 +1,100 @@
-/**
- * Comprehensive rate limits for all security-sensitive endpoints.
- */
-
-const rateLimit = require('express-rate-limit');
-
-// ─── Auth endpoints ──────────────────────────────────────────────────
-
-const authLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 10,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many authentication attempts, please try again later' }
-});
-
-const registerLimiter = rateLimit({
-  windowMs: 60 * 60 * 1000,
-  max: 20,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many registration attempts, please try again later' }
-});
-
-const adminLoginLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 5,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many admin login attempts, please try again later' }
-});
-
-// ─── WAB API endpoints ───────────────────────────────────────────────
-
-const wabAuthenticateLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 20,
-  standardHeaders: true,
-  legacyHeaders: false,
-  keyGenerator: (req) => `${req.ip}:${req.body?.siteId || req.body?.apiKey || 'anon'}`,
-  message: { error: 'Too many WAB authentication attempts' }
-});
-
-const wabActionLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 300,
-  standardHeaders: true,
-  legacyHeaders: false,
-  keyGenerator: (req) => `${req.ip}:${req.wabSession?.siteId || 'anon'}`,
-  message: { error: 'Too many action requests, please slow down' }
-});
-
-// ─── General API endpoints ───────────────────────────────────────────
-
-const apiLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 300,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many requests, please try again later' }
-});
-
-const searchLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 30,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many search requests' }
-});
-
-// ─── License endpoints (existing) ────────────────────────────────────
-
-const licenseTokenLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 30,
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many token requests, please try again later' }
-});
-
-const licenseTrackLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  max: 300,
-  standardHeaders: true,
-  legacyHeaders: false,
-  keyGenerator: (req) => `${req.ip}:${req.body?.sessionToken || req.body?.siteId || 'anon'}`,
-  message: { error: 'Too many track requests, please try again later' }
-});
-
-module.exports = {
-  authLimiter,
-  registerLimiter,
-  adminLoginLimiter,
-  wabAuthenticateLimiter,
-  wabActionLimiter,
-  apiLimiter,
-  searchLimiter,
-  licenseTokenLimiter,
-  licenseTrackLimiter,
-};
+/**
+ * Comprehensive rate limits for all security-sensitive endpoints.
+ */
+
+const rateLimit = require('express-rate-limit');
+
+// ─── Auth endpoints ──────────────────────────────────────────────────
+
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 10,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many authentication attempts, please try again later' }
+});
+
+const registerLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many registration attempts, please try again later' }
+});
+
+const adminLoginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many admin login attempts, please try again later' }
+});
+
+// ─── WAB API endpoints ───────────────────────────────────────────────
+
+const wabAuthenticateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.body?.siteId || req.body?.apiKey || 'anon'}`,
+  message: { error: 'Too many WAB authentication attempts' }
+});
+
+const wabActionLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.wabSession?.siteId || 'anon'}`,
+  message: { error: 'Too many action requests, please slow down' }
+});
+
+// ─── General API endpoints ───────────────────────────────────────────
+
+const apiLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later' }
+});
+
+const searchLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many search requests' }
+});
+
+// ─── License endpoints (existing) ────────────────────────────────────
+
+const licenseTokenLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 30,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many token requests, please try again later' }
+});
+
+const licenseTrackLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 300,
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => `${req.ip}:${req.body?.sessionToken || req.body?.siteId || 'anon'}`,
+  message: { error: 'Too many track requests, please try again later' }
+});
+
+module.exports = {
+  authLimiter,
+  registerLimiter,
+  adminLoginLimiter,
+  wabAuthenticateLimiter,
+  wabActionLimiter,
+  apiLimiter,
+  searchLimiter,
+  licenseTokenLimiter,
+  licenseTrackLimiter,
+};