web-agent-bridge 3.2.0 → 3.4.0

package/server/services/ssl-monitor.js

@@ -0,0 +1,167 @@
+/**
+ * server/services/ssl-monitor.js
+ * Extended Trust Layer — Certificate Companion & SSL Health Monitoring.
+ *
+ * Periodically inspects SSL certificates for every active site, persists state
+ * in `ssl_monitor`, appends new certs to `cert_history` (CT log), and emails
+ * the site owner when the certificate is within 7 days of expiry. The cron
+ * runs once per day inside the main process; can be disabled via env
+ * `WAB_SSL_MONITOR=off`.
+ */
+'use strict';
+
+const path = require('node:path');
+const Database = require('better-sqlite3');
+const ssl = require('./ssl-inspector');
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+const DB_FILE = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+
+let _db = null;
+function db() {
+  if (!_db) { _db = new Database(path.join(DATA_DIR, DB_FILE)); }
+  return _db;
+}
+
+const ALERT_DAYS = Number(process.env.WAB_SSL_ALERT_DAYS || 7);
+const ALERT_REPEAT_HOURS = Number(process.env.WAB_SSL_ALERT_REPEAT_HOURS || 24);
+
+function classify(daysLeft) {
+  if (daysLeft == null) return 'error';
+  if (daysLeft < 0) return 'expired';
+  if (daysLeft <= ALERT_DAYS) return 'expiring';
+  return 'active';
+}
+
+/**
+ * Inspect one host, persist state + CT log entry + alert if needed.
+ * Returns { host, status, days_until_expiry, alerted }.
+ */
+async function checkHost(host, opts = {}) {
+  const info = await ssl.inspect(host, 443);
+  const now = new Date().toISOString();
+
+  if (!info.ok) {
+    db().prepare(`
+      INSERT INTO ssl_monitor (host, status, error, last_checked_at, enabled, owner_user_id)
+      VALUES (?, 'error', ?, ?, 1, ?)
+      ON CONFLICT(host) DO UPDATE SET
+        status='error', error=excluded.error, last_checked_at=excluded.last_checked_at
+    `).run(host, info.error || 'unknown', now, opts.userId || null);
+    return { host, status: 'error', error: info.error };
+  }
+
+  const status = classify(info.days_until_expiry);
+
+  db().prepare(`
+    INSERT INTO ssl_monitor (host, fingerprint_sha256, issuer, valid_to, days_until_expiry,
+                             status, error, last_checked_at, enabled, owner_user_id)
+    VALUES (?, ?, ?, ?, ?, ?, NULL, ?, 1, ?)
+    ON CONFLICT(host) DO UPDATE SET
+      fingerprint_sha256=excluded.fingerprint_sha256,
+      issuer=excluded.issuer,
+      valid_to=excluded.valid_to,
+      days_until_expiry=excluded.days_until_expiry,
+      status=excluded.status,
+      error=NULL,
+      last_checked_at=excluded.last_checked_at
+  `).run(host, info.fingerprint_sha256, info.issuer, info.valid_to,
+         info.days_until_expiry, status, now, opts.userId || null);
+
+  // Append to CT log if fingerprint not seen for this host yet.
+  try {
+    db().prepare(`
+      INSERT OR IGNORE INTO cert_history
+        (host, fingerprint_sha256, issuer, subject, serial, valid_from, valid_to, source)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(host, info.fingerprint_sha256, info.issuer, info.subject, info.serial,
+           info.valid_from, info.valid_to, opts.source || 'monitor');
+  } catch (_) { /* table may not exist yet */ }
+
+  let alerted = false;
+  if (status === 'expiring' || status === 'expired') {
+    alerted = await maybeSendAlert(host, info, status, opts);
+  }
+
+  return { host, status, days_until_expiry: info.days_until_expiry, alerted };
+}
+
+async function maybeSendAlert(host, info, status, opts) {
+  const row = db().prepare(`SELECT last_alert_at, owner_user_id FROM ssl_monitor WHERE host = ?`).get(host);
+  if (row && row.last_alert_at) {
+    const last = new Date(row.last_alert_at).getTime();
+    if (Date.now() - last < ALERT_REPEAT_HOURS * 3600 * 1000) return false;
+  }
+
+  let to = opts.alertEmail || process.env.WAB_SSL_ALERT_EMAIL;
+  try {
+    if (!to && row && row.owner_user_id) {
+      const u = db().prepare('SELECT email FROM users WHERE id = ?').get(row.owner_user_id);
+      if (u && u.email) to = u.email;
+    }
+  } catch (_) { /* users table may not exist in tests */ }
+
+  if (!to) return false;
+
+  try {
+    const { sendEmail } = require('./email');
+    await sendEmail({
+      to, template: 'sslExpiringAlert',
+      data: {
+        host,
+        daysLeft: Math.max(0, info.days_until_expiry),
+        validTo: info.valid_to,
+        issuer: info.issuer,
+        fingerprint: info.fingerprint_sha256,
+      },
+    });
+    db().prepare(`UPDATE ssl_monitor SET last_alert_at = ? WHERE host = ?`)
+      .run(new Date().toISOString(), host);
+    return true;
+  } catch (_) { return false; }
+}
+
+/** Run a sweep across every active site domain (and optional extra hosts). */
+async function runSweep({ extraHosts = [] } = {}) {
+  let hosts = [...extraHosts];
+  try {
+    const rows = db().prepare(
+      "SELECT DISTINCT LOWER(REPLACE(domain, 'http://', '')) AS host, user_id FROM sites WHERE active = 1"
+    ).all();
+    for (const r of rows) {
+      const h = (r.host || '').replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/^www\./, 'www.');
+      if (!h) continue;
+      hosts.push({ host: h, userId: r.user_id });
+    }
+  } catch (_) { /* sites table may not exist */ }
+
+  const results = [];
+  for (const item of hosts) {
+    const host = typeof item === 'string' ? item : item.host;
+    const userId = typeof item === 'string' ? null : item.userId;
+    try {
+      results.push(await checkHost(host, { userId }));
+    } catch (e) {
+      results.push({ host, status: 'error', error: e.message });
+    }
+  }
+  return results;
+}
+
+let _interval = null;
+function start() {
+  if (_interval || process.env.WAB_SSL_MONITOR === 'off') return;
+  if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) return;
+  // Run immediately, then once per day.
+  setTimeout(() => runSweep().catch(() => {}), 30_000);
+  _interval = setInterval(() => runSweep().catch(() => {}), 24 * 3600 * 1000);
+  if (_interval.unref) _interval.unref();
+}
+
+function stop() {
+  if (_interval) { clearInterval(_interval); _interval = null; }
+}
+
+module.exports = { checkHost, runSweep, classify, start, stop };

package/server/services/stripe.js

@@ -1,192 +1,205 @@
-/**
- * Stripe Payment Integration Service
- */
-
-const {
-  getPlatformSetting,
-  saveStripeCustomer,
-  getStripeCustomer,
-  saveStripeSubscription,
-  updateStripeSubscription,
-  getStripeSubscriptionBySubId,
-  savePayment,
-  updateSiteTier,
-  findSiteById
-} = require('../models/db');
-
-let stripe = null;
-
-function getStripe() {
-  if (stripe) return stripe;
-  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
-  if (!key) return null;
-  stripe = require('stripe')(key);
-  return stripe;
-}
-
-function getStripePrices() {
-  return {
-    starter: process.env.STRIPE_PRICE_STARTER || getPlatformSetting('stripe_price_starter'),
-    pro: process.env.STRIPE_PRICE_PRO || getPlatformSetting('stripe_price_pro'),
-    enterprise: process.env.STRIPE_PRICE_ENTERPRISE || getPlatformSetting('stripe_price_enterprise')
-  };
-}
-
-async function createCheckoutSession({ userId, userEmail, siteId, tier }) {
-  const site = findSiteById.get(siteId);
-  if (!site || site.user_id !== userId) {
-    throw new Error('Site not found or access denied');
-  }
-
-  const s = getStripe();
-  if (!s) throw new Error('Stripe not configured');
-
-  const prices = getStripePrices();
-  const priceId = prices[tier];
-  if (!priceId) throw new Error(`No price configured for tier: ${tier}`);
-
-  // Get or create Stripe customer
-  let customer = getStripeCustomer(userId);
-  if (!customer) {
-    const stripeCustomer = await s.customers.create({ email: userEmail, metadata: { wab_user_id: userId } });
-    saveStripeCustomer(userId, stripeCustomer.id);
-    customer = { stripe_customer_id: stripeCustomer.id };
-  }
-
-  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
-
-  const session = await s.checkout.sessions.create({
-    customer: customer.stripe_customer_id,
-    mode: 'subscription',
-    payment_method_types: ['card'],
-    line_items: [{ price: priceId, quantity: 1 }],
-    metadata: { wab_user_id: userId, wab_site_id: siteId, tier },
-    success_url: `${baseUrl}/dashboard?payment=success&session_id={CHECKOUT_SESSION_ID}`,
-    cancel_url: `${baseUrl}/dashboard?payment=cancelled`
-  });
-
-  return { sessionId: session.id, url: session.url };
-}
-
-async function createPortalSession(userId) {
-  const s = getStripe();
-  if (!s) throw new Error('Stripe not configured');
-
-  const customer = getStripeCustomer(userId);
-  if (!customer) throw new Error('No Stripe customer found');
-
-  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
-
-  const session = await s.billingPortal.sessions.create({
-    customer: customer.stripe_customer_id,
-    return_url: `${baseUrl}/dashboard`
-  });
-
-  return { url: session.url };
-}
-
-function handleWebhookEvent(event) {
-  switch (event.type) {
-    case 'checkout.session.completed': {
-      const session = event.data.object;
-      const { wab_user_id, wab_site_id, tier } = session.metadata || {};
-      if (wab_user_id && wab_site_id && session.subscription) {
-        saveStripeSubscription({
-          userId: wab_user_id,
-          siteId: wab_site_id,
-          stripeSubId: session.subscription,
-          stripePriceId: null,
-          tier: tier || 'starter',
-          status: 'active',
-          periodStart: new Date().toISOString(),
-          periodEnd: null
-        });
-        updateSiteTier.run(tier || 'starter', wab_site_id, wab_user_id);
-      }
-      break;
-    }
-
-    case 'invoice.payment_succeeded': {
-      const invoice = event.data.object;
-      if (invoice.subscription) {
-        const sub = getStripeSubscriptionBySubId(invoice.subscription);
-        if (sub) {
-          savePayment({
-            userId: sub.user_id,
-            stripePaymentId: invoice.payment_intent,
-            amount: invoice.amount_paid,
-            currency: invoice.currency,
-            status: 'succeeded',
-            description: `Subscription payment - ${sub.tier}`
-          });
-          updateStripeSubscription(invoice.subscription, {
-            status: 'active',
-            periodStart: new Date(invoice.period_start * 1000).toISOString(),
-            periodEnd: new Date(invoice.period_end * 1000).toISOString()
-          });
-        }
-      }
-      break;
-    }
-
-    case 'customer.subscription.updated': {
-      const subscription = event.data.object;
-      updateStripeSubscription(subscription.id, {
-        status: subscription.status === 'active' ? 'active' : subscription.status === 'past_due' ? 'past_due' : subscription.status === 'trialing' ? 'trialing' : 'cancelled'
-      });
-      break;
-    }
-
-    case 'customer.subscription.deleted': {
-      const subscription = event.data.object;
-      const sub = getStripeSubscriptionBySubId(subscription.id);
-      if (sub) {
-        updateStripeSubscription(subscription.id, { status: 'cancelled' });
-        updateSiteTier.run('free', sub.site_id, sub.user_id);
-      }
-      break;
-    }
-
-    case 'invoice.payment_failed': {
-      const invoice = event.data.object;
-      if (invoice.subscription) {
-        updateStripeSubscription(invoice.subscription, { status: 'past_due' });
-      }
-      break;
-    }
-  }
-}
-
-function isStripeConfigured() {
-  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
-  return !!key;
-}
-
-/**
- * Express webhook handler: verifies Stripe signature, then dispatches business logic.
- */
-function handleWebhookRequest(req) {
-  const sig = req.headers['stripe-signature'];
-  const raw = req.body;
-  const whSecret = process.env.STRIPE_WEBHOOK_SECRET || getPlatformSetting('stripe_webhook_secret');
-  if (!whSecret) {
-    throw new Error('Stripe webhook secret not configured (STRIPE_WEBHOOK_SECRET or platform stripe_webhook_secret)');
-  }
-  if (!sig) {
-    throw new Error('Missing Stripe-Signature header');
-  }
-  const s = getStripe();
-  if (!s) throw new Error('Stripe not configured');
-  const event = s.webhooks.constructEvent(raw, sig, whSecret);
-  handleWebhookEvent(event);
-}
-
-module.exports = {
-  getStripe,
-  createCheckoutSession,
-  createPortalSession,
-  handleWebhookEvent,
-  handleWebhookRequest,
-  isStripeConfigured,
-  getStripePrices
-};
+/**
+ * Stripe Payment Integration Service
+ */
+
+const {
+  getPlatformSetting,
+  saveStripeCustomer,
+  getStripeCustomer,
+  saveStripeSubscription,
+  updateStripeSubscription,
+  getStripeSubscriptionBySubId,
+  savePayment,
+  updateSiteTier,
+  findSiteById
+} = require('../models/db');
+
+let stripe = null;
+
+function getStripe() {
+  if (stripe) return stripe;
+  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
+  if (!key) return null;
+  stripe = require('stripe')(key);
+  return stripe;
+}
+
+function getStripePrices() {
+  return {
+    starter: process.env.STRIPE_PRICE_STARTER || getPlatformSetting('stripe_price_starter'),
+    pro: process.env.STRIPE_PRICE_PRO || getPlatformSetting('stripe_price_pro'),
+    enterprise: process.env.STRIPE_PRICE_ENTERPRISE || getPlatformSetting('stripe_price_enterprise')
+  };
+}
+
+// Resolve a Stripe price id from either a plan id (DB) or a legacy tier name.
+// Order: DB plan.stripe_price_id → env STRIPE_PRICE_<UPPER> → platform_settings → null.
+function resolvePriceId(planOrTier) {
+  if (!planOrTier) return null;
+  try {
+    const plans = require('./plans');
+    const p = plans.getPlan(planOrTier);
+    if (p && p.stripe_price_id) return p.stripe_price_id;
+  } catch { /* DB layer not ready (tests) — fall through to legacy lookup */ }
+  const envKey = `STRIPE_PRICE_${String(planOrTier).toUpperCase()}`;
+  return process.env[envKey] || getPlatformSetting(`stripe_price_${planOrTier}`) || null;
+}
+
+async function createCheckoutSession({ userId, userEmail, siteId, tier, planId }) {
+  const site = findSiteById.get(siteId);
+  if (!site || site.user_id !== userId) {
+    throw new Error('Site not found or access denied');
+  }
+
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+
+  const planRef = planId || tier;
+  const priceId = resolvePriceId(planRef);
+  if (!priceId) throw new Error(`No price configured for plan: ${planRef}`);
+
+  // Get or create Stripe customer
+  let customer = getStripeCustomer(userId);
+  if (!customer) {
+    const stripeCustomer = await s.customers.create({ email: userEmail, metadata: { wab_user_id: userId } });
+    saveStripeCustomer(userId, stripeCustomer.id);
+    customer = { stripe_customer_id: stripeCustomer.id };
+  }
+
+  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+
+  const session = await s.checkout.sessions.create({
+    customer: customer.stripe_customer_id,
+    mode: 'subscription',
+    payment_method_types: ['card'],
+    line_items: [{ price: priceId, quantity: 1 }],
+    metadata: { wab_user_id: userId, wab_site_id: siteId, tier: planRef, plan_id: planRef },
+    success_url: `${baseUrl}/dashboard?payment=success&session_id={CHECKOUT_SESSION_ID}`,
+    cancel_url: `${baseUrl}/dashboard?payment=cancelled`
+  });
+
+  return { sessionId: session.id, url: session.url };
+}
+
+async function createPortalSession(userId) {
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+
+  const customer = getStripeCustomer(userId);
+  if (!customer) throw new Error('No Stripe customer found');
+
+  const baseUrl = process.env.BASE_URL || 'https://webagentbridge.com';
+
+  const session = await s.billingPortal.sessions.create({
+    customer: customer.stripe_customer_id,
+    return_url: `${baseUrl}/dashboard`
+  });
+
+  return { url: session.url };
+}
+
+function handleWebhookEvent(event) {
+  switch (event.type) {
+    case 'checkout.session.completed': {
+      const session = event.data.object;
+      const { wab_user_id, wab_site_id, tier } = session.metadata || {};
+      if (wab_user_id && wab_site_id && session.subscription) {
+        saveStripeSubscription({
+          userId: wab_user_id,
+          siteId: wab_site_id,
+          stripeSubId: session.subscription,
+          stripePriceId: null,
+          tier: tier || 'starter',
+          status: 'active',
+          periodStart: new Date().toISOString(),
+          periodEnd: null
+        });
+        updateSiteTier.run(tier || 'starter', wab_site_id, wab_user_id);
+      }
+      break;
+    }
+
+    case 'invoice.payment_succeeded': {
+      const invoice = event.data.object;
+      if (invoice.subscription) {
+        const sub = getStripeSubscriptionBySubId(invoice.subscription);
+        if (sub) {
+          savePayment({
+            userId: sub.user_id,
+            stripePaymentId: invoice.payment_intent,
+            amount: invoice.amount_paid,
+            currency: invoice.currency,
+            status: 'succeeded',
+            description: `Subscription payment - ${sub.tier}`
+          });
+          updateStripeSubscription(invoice.subscription, {
+            status: 'active',
+            periodStart: new Date(invoice.period_start * 1000).toISOString(),
+            periodEnd: new Date(invoice.period_end * 1000).toISOString()
+          });
+        }
+      }
+      break;
+    }
+
+    case 'customer.subscription.updated': {
+      const subscription = event.data.object;
+      updateStripeSubscription(subscription.id, {
+        status: subscription.status === 'active' ? 'active' : subscription.status === 'past_due' ? 'past_due' : subscription.status === 'trialing' ? 'trialing' : 'cancelled'
+      });
+      break;
+    }
+
+    case 'customer.subscription.deleted': {
+      const subscription = event.data.object;
+      const sub = getStripeSubscriptionBySubId(subscription.id);
+      if (sub) {
+        updateStripeSubscription(subscription.id, { status: 'cancelled' });
+        updateSiteTier.run('free', sub.site_id, sub.user_id);
+      }
+      break;
+    }
+
+    case 'invoice.payment_failed': {
+      const invoice = event.data.object;
+      if (invoice.subscription) {
+        updateStripeSubscription(invoice.subscription, { status: 'past_due' });
+      }
+      break;
+    }
+  }
+}
+
+function isStripeConfigured() {
+  const key = process.env.STRIPE_SECRET_KEY || getPlatformSetting('stripe_secret_key');
+  return !!key;
+}
+
+/**
+ * Express webhook handler: verifies Stripe signature, then dispatches business logic.
+ */
+function handleWebhookRequest(req) {
+  const sig = req.headers['stripe-signature'];
+  const raw = req.body;
+  const whSecret = process.env.STRIPE_WEBHOOK_SECRET || getPlatformSetting('stripe_webhook_secret');
+  if (!whSecret) {
+    throw new Error('Stripe webhook secret not configured (STRIPE_WEBHOOK_SECRET or platform stripe_webhook_secret)');
+  }
+  if (!sig) {
+    throw new Error('Missing Stripe-Signature header');
+  }
+  const s = getStripe();
+  if (!s) throw new Error('Stripe not configured');
+  const event = s.webhooks.constructEvent(raw, sig, whSecret);
+  handleWebhookEvent(event);
+}
+
+module.exports = {
+  getStripe,
+  createCheckoutSession,
+  createPortalSession,
+  handleWebhookEvent,
+  handleWebhookRequest,
+  isStripeConfigured,
+  getStripePrices
+};