web-agent-bridge 3.3.0 → 3.8.1

package/server/routes/api-keys.js

@@ -0,0 +1,127 @@
+// ═══════════════════════════════════════════════════════════════════════════
+// WAB Trust Graph API — key issuance & administration
+//
+//   POST  /api/keys/issue            — self-serve Free tier (rate-limited)
+//   GET   /api/keys/me               — show usage for the presented key
+//   POST  /api/keys/revoke           — owner-side revocation
+//   POST  /api/keys/admin/upgrade    — admin upgrades a key tier (Pro/Enterprise)
+//   GET   /api/keys/admin/list       — admin index
+//
+//   Secret format: "wabk_<keyId>_<random>" — only the sha256 hash is stored.
+//   A presented secret is rejected unless its hash matches a row marked active.
+// ═══════════════════════════════════════════════════════════════════════════
+
+'use strict';
+
+const express = require('express');
+const crypto  = require('crypto');
+const { db }  = require('../models/db');
+const { hashKey } = require('../middleware/api-tier');
+
+const router = express.Router();
+
+const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+const TIER_DEFAULTS = {
+  free:       { monthly_quota: 1_000,    rate_per_min: 30,  scopes: ['trust:read'] },
+  pro:        { monthly_quota: 100_000,  rate_per_min: 120, scopes: ['trust:read','trust:history','reputation:read'] },
+  enterprise: { monthly_quota: 5_000_000,rate_per_min: 600, scopes: ['trust:read','trust:history','reputation:read','governance:write','sla:priority'] }
+};
+
+// Issuance rate guard — 5 free keys per IP per hour to prevent abuse.
+const issueLog = new Map();
+function issueOk(ip) {
+  const now = Date.now();
+  const arr = (issueLog.get(ip) || []).filter(t => t > now - 3_600_000);
+  if (arr.length >= 5) return false;
+  arr.push(now); issueLog.set(ip, arr); return true;
+}
+
+function adminGate(req, res, next) {
+  const expected = process.env.WAB_API_KEYS_ADMIN_TOKEN || process.env.WAB_RING4_ADMIN_TOKEN;
+  if (!expected) return res.status(503).json({ error: 'admin_disabled' });
+  if ((req.headers['x-admin-token'] || '') !== expected) return res.status(401).json({ error: 'unauthorized' });
+  next();
+}
+
+function newKey(tier) {
+  const keyId = 'k_' + crypto.randomBytes(6).toString('base64url');
+  const secret = `wabk_${keyId}_${crypto.randomBytes(24).toString('base64url')}`;
+  const d = TIER_DEFAULTS[tier] || TIER_DEFAULTS.free;
+  return { keyId, secret, ...d };
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+router.post('/issue', (req, res) => {
+  const email = String((req.body || {}).email || '').toLowerCase().trim();
+  const name  = String((req.body || {}).name  || '').slice(0, 80);
+  if (!EMAIL_RE.test(email)) return res.status(400).json({ error: 'invalid email' });
+  if (!issueOk(req.ip || 'unknown')) return res.status(429).json({ error: 'too_many_requests' });
+
+  // One active free key per email is enough; soft-cap at 3.
+  const existing = db.prepare(`SELECT COUNT(*) AS n FROM wab_api_keys WHERE owner_email = ? AND tier = 'free' AND status = 'active'`).get(email);
+  if (existing.n >= 3) return res.status(409).json({ error: 'too_many_keys_for_email', max: 3 });
+
+  const k = newKey('free');
+  try {
+    db.prepare(`
+      INSERT INTO wab_api_keys (key_id, key_hash, owner_email, owner_name, tier, monthly_quota, rate_per_min, scopes)
+      VALUES (?, ?, ?, ?, 'free', ?, ?, ?)
+    `).run(k.keyId, hashKey(k.secret), email, name, k.monthly_quota, k.rate_per_min, JSON.stringify(k.scopes));
+  } catch (e) { return res.status(500).json({ error: 'issue_failed', detail: e.message }); }
+
+  res.json({
+    ok: true,
+    key_id: k.keyId,
+    api_key: k.secret,           // shown ONCE — client must store
+    tier: 'free',
+    monthly_quota: k.monthly_quota,
+    rate_per_min: k.rate_per_min,
+    scopes: k.scopes,
+    notice: 'Store this secret now — it cannot be retrieved later.'
+  });
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+router.get('/me', (req, res) => {
+  const secret = (req.headers['x-api-key'] || '').toString();
+  if (!secret) return res.status(401).json({ error: 'missing X-API-Key' });
+  const row = db.prepare(`SELECT key_id, owner_email, tier, monthly_quota, rate_per_min, scopes, status, last_used_at, created_at FROM wab_api_keys WHERE key_hash = ?`).get(hashKey(secret));
+  if (!row) return res.status(401).json({ error: 'invalid_api_key' });
+  const month = new Date().toISOString().slice(0,7) + '-01';
+  const usage = db.prepare(`SELECT COALESCE(SUM(count),0) AS used FROM wab_api_usage WHERE key_id = ? AND day >= ?`).get(row.key_id, month);
+  res.json({ ...row, scopes: JSON.parse(row.scopes), used_this_month: usage.used });
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+router.post('/revoke', (req, res) => {
+  const secret = (req.headers['x-api-key'] || '').toString();
+  if (!secret) return res.status(401).json({ error: 'missing X-API-Key' });
+  const row = db.prepare(`SELECT key_id FROM wab_api_keys WHERE key_hash = ? AND status = 'active'`).get(hashKey(secret));
+  if (!row) return res.status(404).json({ error: 'not_found_or_inactive' });
+  db.prepare(`UPDATE wab_api_keys SET status='revoked', revoked_at=datetime('now') WHERE key_id = ?`).run(row.key_id);
+  res.json({ ok: true, key_id: row.key_id, status: 'revoked' });
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+router.post('/admin/upgrade', adminGate, (req, res) => {
+  const { key_id, tier, scopes, monthly_quota, rate_per_min } = req.body || {};
+  if (!key_id || !TIER_DEFAULTS[tier]) return res.status(400).json({ error: 'key_id + valid tier required' });
+  const defaults = TIER_DEFAULTS[tier];
+  const q = Number.isFinite(+monthly_quota) ? +monthly_quota : defaults.monthly_quota;
+  const r = Number.isFinite(+rate_per_min)  ? +rate_per_min  : defaults.rate_per_min;
+  const s = Array.isArray(scopes) ? scopes.filter(x => typeof x === 'string').slice(0, 20) : defaults.scopes;
+  const result = db.prepare(`UPDATE wab_api_keys SET tier=?, monthly_quota=?, rate_per_min=?, scopes=? WHERE key_id=?`).run(tier, q, r, JSON.stringify(s), key_id);
+  if (result.changes === 0) return res.status(404).json({ error: 'key_not_found' });
+  res.json({ ok: true, key_id, tier, monthly_quota: q, rate_per_min: r, scopes: s });
+});
+
+router.get('/admin/list', adminGate, (req, res) => {
+  const tier = req.query.tier && TIER_DEFAULTS[req.query.tier] ? String(req.query.tier) : null;
+  const rows = tier
+    ? db.prepare(`SELECT key_id, owner_email, tier, monthly_quota, status, last_used_at, created_at FROM wab_api_keys WHERE tier = ? ORDER BY created_at DESC LIMIT 500`).all(tier)
+    : db.prepare(`SELECT key_id, owner_email, tier, monthly_quota, status, last_used_at, created_at FROM wab_api_keys ORDER BY created_at DESC LIMIT 500`).all();
+  res.json({ keys: rows });
+});
+
+module.exports = router;

package/server/routes/api.js

@@ -1,150 +1,150 @@
-const express = require('express');
-const router = express.Router();
-const { authenticateToken } = require('../middleware/auth');
-const { apiLimiter } = require('../middleware/rateLimits');
-const { validateDomain, validateSiteConfig, sanitizeInput, auditLog } = require('../services/security');
-const {
-  addSite, findSitesByUser, findSiteById,
-  updateSiteConfig, updateSiteTier, deleteSite,
-  getAnalyticsBySite, getAnalyticsTimeline
-} = require('../models/db');
-
-// Apply general API rate limit to all routes
-router.use(apiLimiter);
-
-// ─── Sites ──────────────────────────────────────────────────────────────
-
-router.get('/sites', authenticateToken, (req, res) => {
-  const sites = findSitesByUser.all(req.user.id);
-  res.json({
-    sites: sites.filter(s => s.active).map(s => ({
-      ...s,
-      config: JSON.parse(s.config || '{}')
-    }))
-  });
-});
-
-router.post('/sites', authenticateToken, (req, res) => {
-  const { domain, name, description, tier } = req.body;
-
-  if (!domain || !name) {
-    return res.status(400).json({ error: 'Domain and name are required' });
-  }
-
-  if (!validateDomain(domain)) {
-    return res.status(400).json({ error: 'Invalid domain format. Must be a valid hostname (e.g., example.com)' });
-  }
-
-  const cleanName = sanitizeInput(name, 200);
-  const cleanDesc = description ? sanitizeInput(description, 500) : undefined;
-
-  try {
-    const site = addSite({ userId: req.user.id, domain: domain.toLowerCase().trim(), name: cleanName, description: cleanDesc, tier });
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_created', resource: 'site', resourceId: String(site.id), ip: req.ip });
-    res.status(201).json({ site });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to create site' });
-  }
-});
-
-router.get('/sites/:id', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-  res.json({ site: { ...site, config: JSON.parse(site.config || '{}') } });
-});
-
-router.put('/sites/:id/config', authenticateToken, (req, res) => {
-  const { config } = req.body;
-  if (!config) return res.status(400).json({ error: 'Config is required' });
-
-  const validation = validateSiteConfig(config);
-  if (!validation.valid) {
-    return res.status(400).json({ error: validation.error });
-  }
-
-  try {
-    const r = updateSiteConfig.run(JSON.stringify(validation.config), req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_config_updated', resource: 'site', resourceId: req.params.id, ip: req.ip });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update config' });
-  }
-});
-
-router.put('/sites/:id/tier', authenticateToken, (req, res) => {
-  const { tier } = req.body;
-  if (!['free', 'starter', 'pro', 'enterprise'].includes(tier)) {
-    return res.status(400).json({ error: 'Invalid tier' });
-  }
-
-  try {
-    const r = updateSiteTier.run(tier, req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    res.json({ success: true, tier });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to update tier' });
-  }
-});
-
-router.delete('/sites/:id', authenticateToken, (req, res) => {
-  try {
-    const r = deleteSite.run(req.params.id, req.user.id);
-    if (r.changes === 0) {
-      return res.status(404).json({ error: 'Site not found' });
-    }
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete site' });
-  }
-});
-
-// ─── Analytics ──────────────────────────────────────────────────────────
-
-router.get('/sites/:id/analytics', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-
-  const days = parseInt(req.query.days) || 30;
-  const since = new Date(Date.now() - days * 86400000).toISOString();
-
-  const summary = getAnalyticsBySite.all(site.id, since);
-  const timeline = getAnalyticsTimeline.all(site.id, since);
-
-  res.json({ summary, timeline, period: `${days} days` });
-});
-
-// ─── Script Generation ──────────────────────────────────────────────────
-
-router.get('/sites/:id/snippet', authenticateToken, (req, res) => {
-  const site = findSiteById.get(req.params.id);
-  if (!site || site.user_id !== req.user.id) {
-    return res.status(404).json({ error: 'Site not found' });
-  }
-
-  const config = JSON.parse(site.config || '{}');
-  // Public site id + token endpoint only — long-lived license key stays in dashboard, not in embed
-  const snippet = `<!-- Web Agent Bridge (Secure Mode) -->
-<script>
-window.AIBridgeConfig = {
-  siteId: "${site.id}",
-  configEndpoint: "/api/license/token",
-  agentPermissions: ${JSON.stringify(config.agentPermissions || {}, null, 4)},
-  restrictions: ${JSON.stringify(config.restrictions || {}, null, 4)},
-  logging: ${JSON.stringify(config.logging || {}, null, 4)}
-};
-</script>
-<script src="/script/ai-agent-bridge.js"></script>`;
-
-  res.json({ snippet, siteId: site.id });
-});
-
-module.exports = router;
+const express = require('express');
+const router = express.Router();
+const { authenticateToken } = require('../middleware/auth');
+const { apiLimiter } = require('../middleware/rateLimits');
+const { validateDomain, validateSiteConfig, sanitizeInput, auditLog } = require('../services/security');
+const {
+  addSite, findSitesByUser, findSiteById,
+  updateSiteConfig, updateSiteTier, deleteSite,
+  getAnalyticsBySite, getAnalyticsTimeline
+} = require('../models/db');
+
+// Apply general API rate limit to all routes
+router.use(apiLimiter);
+
+// ─── Sites ──────────────────────────────────────────────────────────────
+
+router.get('/sites', authenticateToken, (req, res) => {
+  const sites = findSitesByUser.all(req.user.id);
+  res.json({
+    sites: sites.filter(s => s.active).map(s => ({
+      ...s,
+      config: JSON.parse(s.config || '{}')
+    }))
+  });
+});
+
+router.post('/sites', authenticateToken, (req, res) => {
+  const { domain, name, description, tier } = req.body;
+
+  if (!domain || !name) {
+    return res.status(400).json({ error: 'Domain and name are required' });
+  }
+
+  if (!validateDomain(domain)) {
+    return res.status(400).json({ error: 'Invalid domain format. Must be a valid hostname (e.g., example.com)' });
+  }
+
+  const cleanName = sanitizeInput(name, 200);
+  const cleanDesc = description ? sanitizeInput(description, 500) : undefined;
+
+  try {
+    const site = addSite({ userId: req.user.id, domain: domain.toLowerCase().trim(), name: cleanName, description: cleanDesc, tier });
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_created', resource: 'site', resourceId: String(site.id), ip: req.ip });
+    res.status(201).json({ site });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to create site' });
+  }
+});
+
+router.get('/sites/:id', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+  res.json({ site: { ...site, config: JSON.parse(site.config || '{}') } });
+});
+
+router.put('/sites/:id/config', authenticateToken, (req, res) => {
+  const { config } = req.body;
+  if (!config) return res.status(400).json({ error: 'Config is required' });
+
+  const validation = validateSiteConfig(config);
+  if (!validation.valid) {
+    return res.status(400).json({ error: validation.error });
+  }
+
+  try {
+    const r = updateSiteConfig.run(JSON.stringify(validation.config), req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'site_config_updated', resource: 'site', resourceId: req.params.id, ip: req.ip });
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update config' });
+  }
+});
+
+router.put('/sites/:id/tier', authenticateToken, (req, res) => {
+  const { tier } = req.body;
+  if (!['free', 'starter', 'pro', 'business', 'enterprise'].includes(tier)) {
+    return res.status(400).json({ error: 'Invalid tier' });
+  }
+
+  try {
+    const r = updateSiteTier.run(tier, req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    res.json({ success: true, tier });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to update tier' });
+  }
+});
+
+router.delete('/sites/:id', authenticateToken, (req, res) => {
+  try {
+    const r = deleteSite.run(req.params.id, req.user.id);
+    if (r.changes === 0) {
+      return res.status(404).json({ error: 'Site not found' });
+    }
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to delete site' });
+  }
+});
+
+// ─── Analytics ──────────────────────────────────────────────────────────
+
+router.get('/sites/:id/analytics', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+
+  const days = parseInt(req.query.days) || 30;
+  const since = new Date(Date.now() - days * 86400000).toISOString();
+
+  const summary = getAnalyticsBySite.all(site.id, since);
+  const timeline = getAnalyticsTimeline.all(site.id, since);
+
+  res.json({ summary, timeline, period: `${days} days` });
+});
+
+// ─── Script Generation ──────────────────────────────────────────────────
+
+router.get('/sites/:id/snippet', authenticateToken, (req, res) => {
+  const site = findSiteById.get(req.params.id);
+  if (!site || site.user_id !== req.user.id) {
+    return res.status(404).json({ error: 'Site not found' });
+  }
+
+  const config = JSON.parse(site.config || '{}');
+  // Public site id + token endpoint only — long-lived license key stays in dashboard, not in embed
+  const snippet = `<!-- Web Agent Bridge (Secure Mode) -->
+<script>
+window.AIBridgeConfig = {
+  siteId: "${site.id}",
+  configEndpoint: "/api/license/token",
+  agentPermissions: ${JSON.stringify(config.agentPermissions || {}, null, 4)},
+  restrictions: ${JSON.stringify(config.restrictions || {}, null, 4)},
+  logging: ${JSON.stringify(config.logging || {}, null, 4)}
+};
+</script>
+<script src="/script/ai-agent-bridge.js"></script>`;
+
+  res.json({ snippet, siteId: site.id });
+});
+
+module.exports = router;

package/server/routes/auth.js

@@ -1,71 +1,71 @@
-const express = require('express');
-const router = express.Router();
-const { registerUser, loginUser, findUserById } = require('../models/db');
-const { generateToken, authenticateToken } = require('../middleware/auth');
-const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
-const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
-
-router.post('/register', registerLimiter, (req, res) => {
-  const { email, password, name, company } = req.body;
-
-  if (!email || !password || !name) {
-    return res.status(400).json({ error: 'Email, password, and name are required' });
-  }
-
-  if (!validateEmail(email)) {
-    return res.status(400).json({ error: 'Invalid email format' });
-  }
-
-  if (password.length < 8 || password.length > 128) {
-    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
-  }
-
-  const cleanName = sanitizeInput(name, 100);
-  const cleanCompany = company ? sanitizeInput(company, 100) : undefined;
-
-  try {
-    const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
-    const token = generateToken(user);
-    auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
-    res.status(201).json({ user, token });
-  } catch (err) {
-    if (err.message.includes('UNIQUE constraint')) {
-      return res.status(409).json({ error: 'Email already registered' });
-    }
-    res.status(500).json({ error: 'Registration failed' });
-  }
-});
-
-router.post('/login', authLimiter, (req, res) => {
-  const { email, password } = req.body;
-
-  if (!email || !password) {
-    return res.status(400).json({ error: 'Email and password are required' });
-  }
-
-  const user = loginUser({ email: email.toLowerCase().trim(), password });
-  if (!user) {
-    auditLog({ actorType: 'user', action: 'login_failed', details: { email: email.toLowerCase().trim() }, ip: req.ip, outcome: 'denied', severity: 'warning' });
-    return res.status(401).json({ error: 'Invalid email or password' });
-  }
-
-  const token = generateToken(user);
-  auditLog({ actorType: 'user', actorId: String(user.id), action: 'login', ip: req.ip });
-  res.json({ user, token });
-});
-
-router.post('/logout', authenticateToken, (req, res) => {
-  if (req._rawToken) {
-    revokeJWT(req._rawToken, 'user_logout');
-    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'logout', ip: req.ip });
-  }
-  res.json({ success: true });
-});
-
-router.get('/me', authenticateToken, (req, res) => {
-  const user = findUserById.get(req.user.id);
-  if (!user) return res.status(404).json({ error: 'User not found' });
-  res.json({ user });
-});
-
-module.exports = router;
+const express = require('express');
+const router = express.Router();
+const { registerUser, loginUser, findUserById } = require('../models/db');
+const { generateToken, authenticateToken } = require('../middleware/auth');
+const { authLimiter, registerLimiter } = require('../middleware/rateLimits');
+const { validateEmail, sanitizeInput, auditLog, revokeJWT } = require('../services/security');
+
+router.post('/register', registerLimiter, (req, res) => {
+  const { email, password, name, company } = req.body;
+
+  if (!email || !password || !name) {
+    return res.status(400).json({ error: 'Email, password, and name are required' });
+  }
+
+  if (!validateEmail(email)) {
+    return res.status(400).json({ error: 'Invalid email format' });
+  }
+
+  if (password.length < 8 || password.length > 128) {
+    return res.status(400).json({ error: 'Password must be between 8 and 128 characters' });
+  }
+
+  const cleanName = sanitizeInput(name, 100);
+  const cleanCompany = company ? sanitizeInput(company, 100) : undefined;
+
+  try {
+    const user = registerUser({ email: email.toLowerCase().trim(), password, name: cleanName, company: cleanCompany });
+    const token = generateToken(user);
+    auditLog({ actorType: 'user', actorId: String(user.id), action: 'register', ip: req.ip });
+    res.status(201).json({ user, token });
+  } catch (err) {
+    if (err.message.includes('UNIQUE constraint')) {
+      return res.status(409).json({ error: 'Email already registered' });
+    }
+    res.status(500).json({ error: 'Registration failed' });
+  }
+});
+
+router.post('/login', authLimiter, (req, res) => {
+  const { email, password } = req.body;
+
+  if (!email || !password) {
+    return res.status(400).json({ error: 'Email and password are required' });
+  }
+
+  const user = loginUser({ email: email.toLowerCase().trim(), password });
+  if (!user) {
+    auditLog({ actorType: 'user', action: 'login_failed', details: { email: email.toLowerCase().trim() }, ip: req.ip, outcome: 'denied', severity: 'warning' });
+    return res.status(401).json({ error: 'Invalid email or password' });
+  }
+
+  const token = generateToken(user);
+  auditLog({ actorType: 'user', actorId: String(user.id), action: 'login', ip: req.ip });
+  res.json({ user, token });
+});
+
+router.post('/logout', authenticateToken, (req, res) => {
+  if (req._rawToken) {
+    revokeJWT(req._rawToken, 'user_logout');
+    auditLog({ actorType: 'user', actorId: String(req.user.id), action: 'logout', ip: req.ip });
+  }
+  res.json({ success: true });
+});
+
+router.get('/me', authenticateToken, (req, res) => {
+  const user = findUserById.get(req.user.id);
+  if (!user) return res.status(404).json({ error: 'User not found' });
+  res.json({ user });
+});
+
+module.exports = router;