web-agent-bridge 3.2.0 → 3.4.0

package/server/routes/api.js

@@ -1,150 +1,150 @@
-const express = require('express');
-const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
-const { apiLimiter } = require('../middleware/rateLimits');
-const { validateDomain, validateSiteConfig, sanitizeInput, auditLog } = require('../services/security');
-const {
-  addSite, findSitesByUser, findSiteById,
-  updateSiteConfig, updateSiteTier, deleteSite,
-  getAnalyticsBySite, getAnalyticsTimeline
-} = require('../models/db');
-
-// Apply general API rate limit to all routes
-router.use(apiLimiter);
-
-// ─── Sites ──────────────────────────────────────────────────────────────
-
-router.get('/sites', authenticateToken, (req, res) => {
-  const sites = findSitesByUser.all(req.user.id);
-  res.json({
-    sites: sites.filter(s => s.active).map(s => ({
-      ...s,
-      config: JSON.parse(s.config || '{}')
-    }))
-  });
-});
-
-router.post('/sites', authenticateToken, (req, res) => {
-  const { domain, name, description, tier } = req.body;
-
-  if (!domain || !name) {
-    return res.status(400).json({ error: 'Domain and name are required' });
-  }
-
-  if (!validateDomain(domain)) {
-    return res.status(400).json({ error: 'Invalid domain format. Must be a valid hostname (e.g., example.com)' });
-  }
-
-  const cleanName = sanitizeInput(name, 200);
-  const cleanDesc = description ? sanitizeInput(description, 500) : undefined;
-
-  try {
-    const site = addSite({ userId: req.user.id, domain: domain.toLowerCase().trim(), name: cleanName, description: cleanDesc, tier });
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_created', resource: 'site', resourceId: String(site.id), ip: req.ip });
-    res.status(201).json({ site });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create site' });
-  }
-});
-
-router.get('/sites/:id', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-  res.json({ site: { ...site, config: JSON.parse(site.config || '{}') } });
-});
-
-router.put('/sites/:id/config', authenticateToken, (req, res) => {
-  const { config } = req.body;
-  if (!config) return res.status(400).json({ error: 'Config is required' });
-
-  const validation = validateSiteConfig(config);
-  if (!validation.valid) {
-    return res.status(400).json({ error: validation.error });
-  }
-
-  try {
-    const r = updateSiteConfig.run(JSON.stringify(validation.config), req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_config_updated', resource: 'site', resourceId: req.params.id, ip: req.ip });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update config' });
-  }
-});
-
-router.put('/sites/:id/tier', authenticateToken, (req, res) => {
-  const { tier } = req.body;
-  if (!['free', 'starter', 'pro', 'enterprise'].includes(tier)) {
-    return res.status(400).json({ error: 'Invalid tier' });
-  }
-
-  try {
-    const r = updateSiteTier.run(tier, req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    res.json({ success: true, tier });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update tier' });
-  }
-});
-
-router.delete('/sites/:id', authenticateToken, (req, res) => {
-  try {
-    const r = deleteSite.run(req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete site' });
-  }
-});
-
-// ─── Analytics ──────────────────────────────────────────────────────────
-
-router.get('/sites/:id/analytics', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-
-  const days = parseInt(req.query.days) || 30;
-  const since = new Date(Date.now() - days * 86400000).toISOString();
-
-  const summary = getAnalyticsBySite.all(site.id, since);
-  const timeline = getAnalyticsTimeline.all(site.id, since);
-
-  res.json({ summary, timeline, period: `${days} days` });
-});
-
-// ─── Script Generation ──────────────────────────────────────────────────
-
-router.get('/sites/:id/snippet', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-
-  const config = JSON.parse(site.config || '{}');
-  // Public site id + token endpoint only — long-lived license key stays in dashboard, not in embed
-  const snippet = `<!-- Web Agent Bridge (Secure Mode) -->
-<script>
-window.AIBridgeConfig = {
-  siteId: "${site.id}",
-  configEndpoint: "/api/license/token",
-  agentPermissions: ${JSON.stringify(config.agentPermissions || {}, null, 4)},
-  restrictions: ${JSON.stringify(config.restrictions || {}, null, 4)},
-  logging: ${JSON.stringify(config.logging || {}, null, 4)}
-};
-</script>
-<script src="/script/ai-agent-bridge.js"></script>`;
-
-  res.json({ snippet, siteId: site.id });
-});
-
-module.exports = router;
+const express = require('express');
+const router = express.Router();
+const { authenticateToken } = require('../middleware/auth');
+const { apiLimiter } = require('../middleware/rateLimits');
+const { validateDomain, validateSiteConfig, sanitizeInput, auditLog } = require('../services/security');
+const {
+  addSite, findSitesByUser, findSiteById,
+  updateSiteConfig, updateSiteTier, deleteSite,
+  getAnalyticsBySite, getAnalyticsTimeline
+} = require('../models/db');
+
+// Apply general API rate limit to all routes
+router.use(apiLimiter);
+
+// ─── Sites ──────────────────────────────────────────────────────────────
+
+router.get('/sites', authenticateToken, (req, res) => {
+  const sites = findSitesByUser.all(req.user.id);
+  res.json({
+    sites: sites.filter(s => s.active).map(s => ({
+      ...s,
+      config: JSON.parse(s.config || '{}')
+    }))
+  });
+});
+
+router.post('/sites', authenticateToken, (req, res) => {
+  const { domain, name, description, tier } = req.body;
+
+  if (!domain || !name) {
+    return res.status(400).json({ error: 'Domain and name are required' });
+  }
+
+  if (!validateDomain(domain)) {
+    return res.status(400).json({ error: 'Invalid domain format. Must be a valid hostname (e.g., example.com)' });
+  }
+
+  const cleanName = sanitizeInput(name, 200);
+  const cleanDesc = description ? sanitizeInput(description, 500) : undefined;
+
+  try {
+    const site = addSite({ userId: req.user.id, domain: domain.toLowerCase().trim(), name: cleanName, description: cleanDesc, tier });
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_created', resource: 'site', resourceId: String(site.id), ip: req.ip });
+    res.status(201).json({ site });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create site' });
+  }
+});
+
+router.get('/sites/:id', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+  res.json({ site: { ...site, config: JSON.parse(site.config || '{}') } });
+});
+
+router.put('/sites/:id/config', authenticateToken, (req, res) => {
+  const { config } = req.body;
+  if (!config) return res.status(400).json({ error: 'Config is required' });
+
+  const validation = validateSiteConfig(config);
+  if (!validation.valid) {
+    return res.status(400).json({ error: validation.error });
+  }
+
+  try {
+    const r = updateSiteConfig.run(JSON.stringify(validation.config), req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_config_updated', resource: 'site', resourceId: req.params.id, ip: req.ip });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update config' });
+  }
+});
+
+router.put('/sites/:id/tier', authenticateToken, (req, res) => {
+  const { tier } = req.body;
+  if (!['free', 'starter', 'pro', 'enterprise'].includes(tier)) {
+    return res.status(400).json({ error: 'Invalid tier' });
+  }
+
+  try {
+    const r = updateSiteTier.run(tier, req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    res.json({ success: true, tier });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update tier' });
+  }
+});
+
+router.delete('/sites/:id', authenticateToken, (req, res) => {
+  try {
+    const r = deleteSite.run(req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete site' });
+  }
+});
+
+// ─── Analytics ──────────────────────────────────────────────────────────
+
+router.get('/sites/:id/analytics', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+
+  const days = parseInt(req.query.days) || 30;
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+
+  const summary = getAnalyticsBySite.all(site.id, since);
+  const timeline = getAnalyticsTimeline.all(site.id, since);
+
+  res.json({ summary, timeline, period: `${days} days` });
+});
+
+// ─── Script Generation ──────────────────────────────────────────────────
+
+router.get('/sites/:id/snippet', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+
+  const config = JSON.parse(site.config || '{}');
+  // Public site id + token endpoint only — long-lived license key stays in dashboard, not in embed
+  const snippet = `<!-- Web Agent Bridge (Secure Mode) -->
+<script>
+window.AIBridgeConfig = {
+  siteId: "${site.id}",
+  configEndpoint: "/api/license/token",
+  agentPermissions: ${JSON.stringify(config.agentPermissions || {}, null, 4)},
+  restrictions: ${JSON.stringify(config.restrictions || {}, null, 4)},
+  logging: ${JSON.stringify(config.logging || {}, null, 4)}
+};
+</script>
+<script src="/script/ai-agent-bridge.js"></script>`;
+
+  res.json({ snippet, siteId: site.id });
+});
+
+module.exports = router;

package/server/routes/auth.js

@@ -1,71 +1,71 @@
-const express = require('express');
-const router = express.Router();
-const { registerUser, loginUser, findUserById } = require('../models/db');
-const { generateToken, authenticateToken } = require('../middleware/auth');
-const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
-const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
-
-router.post('/register', registerLimiter, (req, res) => {
-  const { email, password, name, company } = req.body;
-
-  if (!email || !password || !name) {
-    return res.status(400).json({ error: 'Email, password, and name are required' });
-  }
-
-  if (!validateEmail(email)) {
-    return res.status(400).json({ error: 'Invalid email format' });
-  }
-
-  if (password.length < 8 || password.length > 128) {
-    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
-  }
-
-  const cleanName = sanitizeInput(name, 100);
-  const cleanCompany = company ? sanitizeInput(company, 100) : undefined;
-
-  try {
-    const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
-    const token = generateToken(user);
-    auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
-    res.status(201).json({ user, token });
-  } catch (err) {
-    if (err.message.includes('UNIQUE constraint')) {
-      return res.status(409).json({ error: 'Email already registered' });
-    }
-    res.status(500).json({ error: 'Registration failed' });
-  }
-});
-
-router.post('/login', authLimiter, (req, res) => {
-  const { email, password } = req.body;
-
-  if (!email || !password) {
-    return res.status(400).json({ error: 'Email and password are required' });
-  }
-
-  const user = loginUser({ email: email.toLowerCase().trim(), password });
-  if (!user) {
-    auditLog({ actorType: 'user', action: 'login_failed', details: { email: email.toLowerCase().trim() }, ip: req.ip, outcome: 'denied', severity: 'warning' });
-    return res.status(401).json({ error: 'Invalid email or password' });
-  }
-
-  const token = generateToken(user);
-  auditLog({ actorType: 'user', actorId: String(user.id), action: 'login', ip: req.ip });
-  res.json({ user, token });
-});
-
-router.post('/logout', authenticateToken, (req, res) => {
-  if (req._rawToken) {
-    revokeJWT(req._rawToken, 'user_logout');
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'logout', ip: req.ip });
-  }
-  res.json({ success: true });
-});
-
-router.get('/me', authenticateToken, (req, res) => {
-  const user = findUserById.get(req.user.id);
-  if (!user) return res.status(404).json({ error: 'User not found' });
-  res.json({ user });
-});
-
-module.exports = router;
+const express = require('express');
+const router = express.Router();
+const { registerUser, loginUser, findUserById } = require('../models/db');
+const { generateToken, authenticateToken } = require('../middleware/auth');
+const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
+const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
+
+router.post('/register', registerLimiter, (req, res) => {
+  const { email, password, name, company } = req.body;
+
+  if (!email || !password || !name) {
+    return res.status(400).json({ error: 'Email, password, and name are required' });
+  }
+
+  if (!validateEmail(email)) {
+    return res.status(400).json({ error: 'Invalid email format' });
+  }
+
+  if (password.length < 8 || password.length > 128) {
+    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
+  }
+
+  const cleanName = sanitizeInput(name, 100);
+  const cleanCompany = company ? sanitizeInput(company, 100) : undefined;
+
+  try {
+    const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
+    const token = generateToken(user);
+    auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
+    res.status(201).json({ user, token });
+  } catch (err) {
+    if (err.message.includes('UNIQUE constraint')) {
+      return res.status(409).json({ error: 'Email already registered' });
+    }
+    res.status(500).json({ error: 'Registration failed' });
+  }
+});
+
+router.post('/login', authLimiter, (req, res) => {
+  const { email, password } = req.body;
+
+  if (!email || !password) {
+    return res.status(400).json({ error: 'Email and password are required' });
+  }
+
+  const user = loginUser({ email: email.toLowerCase().trim(), password });
+  if (!user) {
+    auditLog({ actorType: 'user', action: 'login_failed', details: { email: email.toLowerCase().trim() }, ip: req.ip, outcome: 'denied', severity: 'warning' });
+    return res.status(401).json({ error: 'Invalid email or password' });
+  }
+
+  const token = generateToken(user);
+  auditLog({ actorType: 'user', actorId: String(user.id), action: 'login', ip: req.ip });
+  res.json({ user, token });
+});
+
+router.post('/logout', authenticateToken, (req, res) => {
+  if (req._rawToken) {
+    revokeJWT(req._rawToken, 'user_logout');
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'logout', ip: req.ip });
+  }
+  res.json({ success: true });
+});
+
+router.get('/me', authenticateToken, (req, res) => {
+  const user = findUserById.get(req.user.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  res.json({ user });
+});
+
+module.exports = router;

package/server/routes/billing.js

@@ -1,45 +1,57 @@
-/**
- * Billing Routes (Customer-facing Stripe integration)
- */
-
-const express = require('express');
-const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
-const { getPlatformSetting } = require('../models/db');
-const { createCheckoutSession, createPortalSession, isStripeConfigured } = require('../services/stripe');
-
-// ─── Create Checkout Session ──────────────────────────────────────────
-router.post('/checkout', authenticateToken, async (req, res) => {
-  const { siteId, tier } = req.body;
-  if (!siteId || !tier) return res.status(400).json({ error: 'siteId and tier required' });
-  if (!['starter', 'pro', 'enterprise'].includes(tier)) return res.status(400).json({ error: 'Invalid tier' });
-
-  if (!isStripeConfigured()) {
-    return res.status(503).json({ error: 'Payment system not configured' });
-  }
-
-  try {
-    const session = await createCheckoutSession({ userId: req.user.id, userEmail: req.user.email, siteId, tier });
-    res.json(session);
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
-});
-
-// ─── Customer Portal ──────────────────────────────────────────────────
-router.post('/portal', authenticateToken, async (req, res) => {
-  try {
-    const session = await createPortalSession(req.user.id);
-    res.json(session);
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
-});
-
-// ─── Stripe Config (public key for frontend) ─────────────────────────
-router.get('/config', (req, res) => {
-  const publishableKey = getPlatformSetting('stripe_publishable_key');
-  res.json({ configured: isStripeConfigured(), publishableKey: publishableKey || null });
-});
-
-module.exports = router;
+/**
+ * Billing Routes (Customer-facing Stripe integration)
+ */
+
+const express = require('express');
+const router = express.Router();
+const { authenticateToken } = require('../middleware/auth');
+const { getPlatformSetting } = require('../models/db');
+const { createCheckoutSession, createPortalSession, isStripeConfigured } = require('../services/stripe');
+const plansService = require('../services/plans');
+
+// ─── Create Checkout Session ──────────────────────────────────────────
+router.post('/checkout', authenticateToken, async (req, res) => {
+  const { siteId, tier, planId } = req.body;
+  const planRef = planId || tier;
+  if (!siteId || !planRef) return res.status(400).json({ error: 'siteId and planId (or tier) required' });
+
+  // Validate against DB plans first; fall back to legacy tier whitelist if the
+  // plans table is not yet populated (e.g. fresh install before migration).
+  const dbPlan = plansService.getPlan(planRef);
+  if (dbPlan) {
+    if (dbPlan.is_archived || dbPlan.cta_type !== 'checkout') {
+      return res.status(400).json({ error: 'plan is not purchasable' });
+    }
+  } else if (!['starter', 'pro', 'business', 'enterprise'].includes(planRef)) {
+    return res.status(400).json({ error: 'Invalid plan' });
+  }
+
+  if (!isStripeConfigured()) {
+    return res.status(503).json({ error: 'Payment system not configured' });
+  }
+
+  try {
+    const session = await createCheckoutSession({ userId: req.user.id, userEmail: req.user.email, siteId, tier: planRef, planId: planRef });
+    res.json(session);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── Customer Portal ──────────────────────────────────────────────────
+router.post('/portal', authenticateToken, async (req, res) => {
+  try {
+    const session = await createPortalSession(req.user.id);
+    res.json(session);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// ─── Stripe Config (public key for frontend) ─────────────────────────
+router.get('/config', (req, res) => {
+  const publishableKey = getPlatformSetting('stripe_publishable_key');
+  res.json({ configured: isStripeConfigured(), publishableKey: publishableKey || null });
+});
+
+module.exports = router;