web-agent-bridge 3.3.0 → 3.8.1

package/server/services/wab-crypto.js

@@ -0,0 +1,178 @@
+/**
+ * WAB Crypto v1.3 — Ed25519 signing + canonical JSON.
+ *
+ * Trust model:
+ *   1. Domain owner generates Ed25519 keypair (offline).
+ *   2. Public key published as `pk=ed25519:BASE64KEY` in `_wab` TXT record.
+ *      DNSSEC protects the key from tampering at the resolver level.
+ *   3. The discovery manifest (wab.json) is signed with the private key.
+ *      Agents fetch the manifest, fetch the pubkey from DNS, and verify.
+ *   4. No CA required. Trust root = DNS + DNSSEC + TLS — already universal.
+ */
+
+'use strict';
+
+const crypto = require('crypto');
+
+/** Generate a fresh Ed25519 keypair encoded as base64 (raw 32-byte form). */
+function generateKeyPair() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+  // Export raw public key (last 32 bytes of DER)
+  const pubDer = publicKey.export({ type: 'spki', format: 'der' });
+  const rawPub = pubDer.slice(pubDer.length - 32);
+  // Export raw private key (last 32 bytes of DER PKCS#8)
+  const privDer = privateKey.export({ type: 'pkcs8', format: 'der' });
+  const rawPriv = privDer.slice(privDer.length - 32);
+  return {
+    public_key: rawPub.toString('base64'),
+    private_key: rawPriv.toString('base64'),
+    algorithm: 'ed25519',
+    fingerprint: fingerprint(rawPub.toString('base64')),
+    created_at: new Date().toISOString(),
+  };
+}
+
+/** SHA-256(public_key) base64, first 16 chars — short, stable identifier. */
+function fingerprint(publicKeyB64) {
+  const raw = Buffer.from(publicKeyB64, 'base64');
+  return crypto.createHash('sha256').update(raw).digest('base64').slice(0, 16);
+}
+
+/** Wrap a 32-byte raw Ed25519 key in DER for Node's crypto API. */
+function rawToPublicKey(rawB64) {
+  const raw = Buffer.from(rawB64, 'base64');
+  if (raw.length !== 32) throw new Error('public key must be 32 raw bytes (base64)');
+  // SPKI prefix for Ed25519
+  const prefix = Buffer.from('302a300506032b6570032100', 'hex');
+  const der = Buffer.concat([prefix, raw]);
+  return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
+}
+
+function rawToPrivateKey(rawB64) {
+  const raw = Buffer.from(rawB64, 'base64');
+  if (raw.length !== 32) throw new Error('private key must be 32 raw bytes (base64)');
+  // PKCS#8 prefix for Ed25519
+  const prefix = Buffer.from('302e020100300506032b657004220420', 'hex');
+  const der = Buffer.concat([prefix, raw]);
+  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+}
+
+/**
+ * RFC 8785-style JSON canonicalization (subset sufficient for WAB):
+ *   - object keys sorted lexicographically (UTF-16 code units)
+ *   - no insignificant whitespace
+ *   - numbers serialized as JS Number → JSON.stringify default
+ *   - the `signature` field at the top level is excluded from canonical form
+ */
+function canonicalize(value, excludeKeys = ['signature']) {
+  const seen = new WeakSet();
+  function walk(v, depth) {
+    if (v === null || typeof v !== 'object') return JSON.stringify(v);
+    if (seen.has(v)) throw new Error('canonicalize: cycle detected');
+    seen.add(v);
+    if (Array.isArray(v)) return '[' + v.map(x => walk(x, depth + 1)).join(',') + ']';
+    const keys = Object.keys(v).filter(k => v[k] !== undefined);
+    // Only the top-level signature field is excluded.
+    const filtered = depth === 0 ? keys.filter(k => !excludeKeys.includes(k)) : keys;
+    filtered.sort();
+    return '{' + filtered.map(k => JSON.stringify(k) + ':' + walk(v[k], depth + 1)).join(',') + '}';
+  }
+  return walk(value, 0);
+}
+
+/**
+ * Sign a manifest. Mutates a shallow copy by adding a `signature` block:
+ *   { algorithm: 'ed25519', value: '<b64>', key_id: '<fp>', signed_at: 'ISO' }
+ */
+function signManifest(manifest, privateKeyB64, opts = {}) {
+  if (!manifest || typeof manifest !== 'object') throw new Error('manifest must be an object');
+  const priv = rawToPrivateKey(privateKeyB64);
+
+  // Derive public key from private to compute key_id deterministically.
+  const pubObj = crypto.createPublicKey(priv);
+  const pubDer = pubObj.export({ type: 'spki', format: 'der' });
+  const pubB64 = pubDer.slice(pubDer.length - 32).toString('base64');
+
+  const toSign = { ...manifest };
+  delete toSign.signature;
+  const canonical = canonicalize(toSign);
+  const sig = crypto.sign(null, Buffer.from(canonical, 'utf8'), priv);
+
+  return {
+    ...toSign,
+    signature: {
+      algorithm: 'ed25519',
+      value: sig.toString('base64'),
+      key_id: opts.key_id || fingerprint(pubB64),
+      public_key: opts.embed_public_key ? pubB64 : undefined,
+      signed_at: new Date().toISOString(),
+    },
+  };
+}
+
+/**
+ * Verify a signed manifest. Returns { ok, reason?, key_id?, signed_at?, age_seconds? }.
+ */
+function verifyManifest(manifest, publicKeyB64, opts = {}) {
+  if (!manifest || typeof manifest !== 'object') return { ok: false, reason: 'manifest must be an object' };
+  const sig = manifest.signature;
+  if (!sig) return { ok: false, reason: 'no signature field' };
+  if (sig.algorithm !== 'ed25519') return { ok: false, reason: `unsupported algorithm: ${sig.algorithm}` };
+  if (!sig.value) return { ok: false, reason: 'signature.value missing' };
+
+  // Use embedded key only if caller didn't pin one.
+  const keyB64 = publicKeyB64 || sig.public_key;
+  if (!keyB64) return { ok: false, reason: 'no public key supplied (DNS pk= or embedded)' };
+
+  let pub;
+  try { pub = rawToPublicKey(keyB64); }
+  catch (err) { return { ok: false, reason: 'invalid public key: ' + err.message }; }
+
+  const expectedFp = fingerprint(keyB64);
+  if (sig.key_id && sig.key_id !== expectedFp) {
+    return { ok: false, reason: `key_id mismatch: signature claims ${sig.key_id}, key fingerprint is ${expectedFp}` };
+  }
+
+  const canonical = canonicalize(manifest);
+  let okSig = false;
+  try {
+    okSig = crypto.verify(null, Buffer.from(canonical, 'utf8'), pub, Buffer.from(sig.value, 'base64'));
+  } catch (err) {
+    return { ok: false, reason: 'verify error: ' + err.message };
+  }
+  if (!okSig) return { ok: false, reason: 'signature does not match' };
+
+  // Freshness check (optional)
+  let age_seconds = null;
+  if (sig.signed_at) {
+    const t = Date.parse(sig.signed_at);
+    if (!isNaN(t)) age_seconds = Math.max(0, Math.floor((Date.now() - t) / 1000));
+  }
+  if (opts.max_age_seconds && age_seconds !== null && age_seconds > opts.max_age_seconds) {
+    return { ok: false, reason: `signature too old (${age_seconds}s > ${opts.max_age_seconds}s)`, age_seconds };
+  }
+
+  return { ok: true, key_id: expectedFp, signed_at: sig.signed_at, age_seconds };
+}
+
+/**
+ * Parse the `pk=ed25519:BASE64KEY` field from a parsed _wab record.
+ * Returns { algorithm, public_key } or null.
+ */
+function parsePkField(pkValue) {
+  if (!pkValue || typeof pkValue !== 'string') return null;
+  const m = /^([a-z0-9]+):([A-Za-z0-9+/=_-]+)$/.exec(pkValue.trim());
+  if (!m) return null;
+  return { algorithm: m[1], public_key: m[2].replace(/-/g, '+').replace(/_/g, '/') };
+}
+
+module.exports = {
+  generateKeyPair,
+  fingerprint,
+  canonicalize,
+  signManifest,
+  verifyManifest,
+  parsePkField,
+  rawToPublicKey,
+  rawToPrivateKey,
+};

package/server/utils/cache.js

@@ -1,125 +1,125 @@
-/**
- * WAB Caching Layer — In-memory cache with TTL for hot data
- * Reduces DB reads for license verification, config, and stats
- */
-class Cache {
-  constructor(defaultTTL = 60000) {
-    this.store = new Map();
-    this.defaultTTL = defaultTTL;
-    this._interval = setInterval(() => this._cleanup(), 120000);
-  }
-
-  get(key) {
-    const entry = this.store.get(key);
-    if (!entry) return undefined;
-    if (Date.now() > entry.expiresAt) {
-      this.store.delete(key);
-      return undefined;
-    }
-    entry.hits++;
-    return entry.value;
-  }
-
-  set(key, value, ttl) {
-    this.store.set(key, {
-      value,
-      expiresAt: Date.now() + (ttl || this.defaultTTL),
-      hits: 0
-    });
-  }
-
-  del(key) {
-    this.store.delete(key);
-  }
-
-  invalidatePattern(pattern) {
-    for (const key of this.store.keys()) {
-      if (key.includes(pattern)) this.store.delete(key);
-    }
-  }
-
-  stats() {
-    return {
-      size: this.store.size,
-      keys: Array.from(this.store.keys())
-    };
-  }
-
-  _cleanup() {
-    const now = Date.now();
-    for (const [key, entry] of this.store) {
-      if (now > entry.expiresAt) this.store.delete(key);
-    }
-  }
-
-  destroy() {
-    clearInterval(this._interval);
-    this.store.clear();
-  }
-}
-
-/**
- * Analytics Queue — Batches analytics inserts for better write performance
- * Flushes every N seconds or when buffer reaches max size.
- * maxBufferTotal caps memory if DB writes fail repeatedly (DoS mitigation).
- */
-class AnalyticsQueue {
-  constructor(db, options = {}) {
-    this.db = db;
-    this.buffer = [];
-    this.maxSize = options.maxSize || 50;
-    this.maxBufferTotal = options.maxBufferTotal || 5000;
-    this.flushInterval = options.flushInterval || 5000;
-    this._timer = setInterval(() => this.flush(), this.flushInterval);
-  }
-
-  push(analytic) {
-    while (this.buffer.length >= this.maxBufferTotal) {
-      this.buffer.shift();
-      console.warn('[WAB] Analytics buffer at cap; dropped oldest event');
-    }
-    this.buffer.push(analytic);
-    if (this.buffer.length >= this.maxSize) {
-      this.flush();
-    }
-  }
-
-  flush() {
-    if (this.buffer.length === 0) return;
-    const batch = this.buffer.splice(0);
-
-    try {
-      const insert = this.db.prepare(
-        `INSERT INTO analytics (site_id, action_name, agent_id, trigger_type, success, metadata) VALUES (?, ?, ?, ?, ?, ?)`
-      );
-      const insertMany = this.db.transaction((items) => {
-        for (const item of items) {
-          insert.run(
-            item.siteId,
-            item.actionName,
-            item.agentId || null,
-            item.triggerType || null,
-            item.success ? 1 : 0,
-            JSON.stringify(item.metadata || {})
-          );
-        }
-      });
-      insertMany(batch);
-    } catch (err) {
-      console.error('[WAB Cache] Analytics batch insert failed:', err.message);
-      while (this.buffer.length + batch.length > this.maxBufferTotal) {
-        batch.shift();
-      }
-      this.buffer.unshift(...batch);
-    }
-  }
-
-  destroy() {
-    clearInterval(this._timer);
-    this.flush();
-  }
-}
-
-const cache = new Cache(60000);
-
-module.exports = { Cache, AnalyticsQueue, cache };
+/**
+ * WAB Caching Layer — In-memory cache with TTL for hot data
+ * Reduces DB reads for license verification, config, and stats
+ */
+class Cache {
+  constructor(defaultTTL = 60000) {
+    this.store = new Map();
+    this.defaultTTL = defaultTTL;
+    this._interval = setInterval(() => this._cleanup(), 120000);
+  }
+
+  get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return undefined;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(key);
+      return undefined;
+    }
+    entry.hits++;
+    return entry.value;
+  }
+
+  set(key, value, ttl) {
+    this.store.set(key, {
+      value,
+      expiresAt: Date.now() + (ttl || this.defaultTTL),
+      hits: 0
+    });
+  }
+
+  del(key) {
+    this.store.delete(key);
+  }
+
+  invalidatePattern(pattern) {
+    for (const key of this.store.keys()) {
+      if (key.includes(pattern)) this.store.delete(key);
+    }
+  }
+
+  stats() {
+    return {
+      size: this.store.size,
+      keys: Array.from(this.store.keys())
+    };
+  }
+
+  _cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.store) {
+      if (now > entry.expiresAt) this.store.delete(key);
+    }
+  }
+
+  destroy() {
+    clearInterval(this._interval);
+    this.store.clear();
+  }
+}
+
+/**
+ * Analytics Queue — Batches analytics inserts for better write performance
+ * Flushes every N seconds or when buffer reaches max size.
+ * maxBufferTotal caps memory if DB writes fail repeatedly (DoS mitigation).
+ */
+class AnalyticsQueue {
+  constructor(db, options = {}) {
+    this.db = db;
+    this.buffer = [];
+    this.maxSize = options.maxSize || 50;
+    this.maxBufferTotal = options.maxBufferTotal || 5000;
+    this.flushInterval = options.flushInterval || 5000;
+    this._timer = setInterval(() => this.flush(), this.flushInterval);
+  }
+
+  push(analytic) {
+    while (this.buffer.length >= this.maxBufferTotal) {
+      this.buffer.shift();
+      console.warn('[WAB] Analytics buffer at cap; dropped oldest event');
+    }
+    this.buffer.push(analytic);
+    if (this.buffer.length >= this.maxSize) {
+      this.flush();
+    }
+  }
+
+  flush() {
+    if (this.buffer.length === 0) return;
+    const batch = this.buffer.splice(0);
+
+    try {
+      const insert = this.db.prepare(
+        `INSERT INTO analytics (site_id, action_name, agent_id, trigger_type, success, metadata) VALUES (?, ?, ?, ?, ?, ?)`
+      );
+      const insertMany = this.db.transaction((items) => {
+        for (const item of items) {
+          insert.run(
+            item.siteId,
+            item.actionName,
+            item.agentId || null,
+            item.triggerType || null,
+            item.success ? 1 : 0,
+            JSON.stringify(item.metadata || {})
+          );
+        }
+      });
+      insertMany(batch);
+    } catch (err) {
+      console.error('[WAB Cache] Analytics batch insert failed:', err.message);
+      while (this.buffer.length + batch.length > this.maxBufferTotal) {
+        batch.shift();
+      }
+      this.buffer.unshift(...batch);
+    }
+  }
+
+  destroy() {
+    clearInterval(this._timer);
+    this.flush();
+  }
+}
+
+const cache = new Cache(60000);
+
+module.exports = { Cache, AnalyticsQueue, cache };

package/server/utils/migrate.js

@@ -1,81 +1,81 @@
-/**
- * Database Migration Runner
- * Tracks and applies SQL migrations from server/migrations/ in order.
- * Uses a `_migrations` table to record applied migrations.
- */
-const Database = require('better-sqlite3');
-const path = require('path');
-const fs = require('fs');
-
-const DATA_DIR = process.env.NODE_ENV === 'test'
-  ? path.join(__dirname, '..', '..', 'data-test')
-  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
-if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
-
-const dbFile = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
-const db = new Database(path.join(DATA_DIR, dbFile));
-
-// Ensure migrations tracking table exists
-db.exec(`
-  CREATE TABLE IF NOT EXISTS _migrations (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    name TEXT UNIQUE NOT NULL,
-    applied_at TEXT DEFAULT (datetime('now'))
-  );
-`);
-
-const MIGRATIONS_DIR = path.join(__dirname, '..', 'migrations');
-
-function getAppliedMigrations() {
-  return new Set(
-    db.prepare('SELECT name FROM _migrations ORDER BY id').all().map(r => r.name)
-  );
-}
-
-function runMigrations() {
-  if (!fs.existsSync(MIGRATIONS_DIR)) {
-    console.log('No migrations directory found.');
-    return;
-  }
-
-  const files = fs.readdirSync(MIGRATIONS_DIR)
-    .filter(f => f.endsWith('.sql'))
-    .sort();
-
-  const applied = getAppliedMigrations();
-  let count = 0;
-
-  const applyMigration = db.transaction((name, sql) => {
-    db.exec(sql);
-    db.prepare('INSERT INTO _migrations (name) VALUES (?)').run(name);
-  });
-
-  for (const file of files) {
-    if (applied.has(file)) continue;
-
-    const sql = fs.readFileSync(path.join(MIGRATIONS_DIR, file), 'utf8');
-    try {
-      applyMigration(file, sql);
-      console.log(`  ✅ Migration applied: ${file}`);
-      count++;
-    } catch (err) {
-      console.error(`  ❌ Migration failed: ${file} — ${err.message}`);
-      process.exit(1);
-    }
-  }
-
-  if (count === 0) {
-    console.log('  All migrations up to date.');
-  } else {
-    console.log(`  ${count} migration(s) applied.`);
-  }
-}
-
-// Run when called directly: node server/utils/migrate.js
-if (require.main === module) {
-  console.log('Running database migrations...');
-  runMigrations();
-  db.close();
-}
-
-module.exports = { runMigrations };
+/**
+ * Database Migration Runner
+ * Tracks and applies SQL migrations from server/migrations/ in order.
+ * Uses a `_migrations` table to record applied migrations.
+ */
+const Database = require('better-sqlite3');
+const path = require('path');
+const fs = require('fs');
+
+const DATA_DIR = process.env.NODE_ENV === 'test'
+  ? path.join(__dirname, '..', '..', 'data-test')
+  : (process.env.DATA_DIR || path.join(__dirname, '..', '..', 'data'));
+if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
+
+const dbFile = process.env.NODE_ENV === 'test' ? 'wab-test.db' : 'wab.db';
+const db = new Database(path.join(DATA_DIR, dbFile));
+
+// Ensure migrations tracking table exists
+db.exec(`
+  CREATE TABLE IF NOT EXISTS _migrations (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL,
+    applied_at TEXT DEFAULT (datetime('now'))
+  );
+`);
+
+const MIGRATIONS_DIR = path.join(__dirname, '..', 'migrations');
+
+function getAppliedMigrations() {
+  return new Set(
+    db.prepare('SELECT name FROM _migrations ORDER BY id').all().map(r => r.name)
+  );
+}
+
+function runMigrations() {
+  if (!fs.existsSync(MIGRATIONS_DIR)) {
+    console.log('No migrations directory found.');
+    return;
+  }
+
+  const files = fs.readdirSync(MIGRATIONS_DIR)
+    .filter(f => f.endsWith('.sql'))
+    .sort();
+
+  const applied = getAppliedMigrations();
+  let count = 0;
+
+  const applyMigration = db.transaction((name, sql) => {
+    db.exec(sql);
+    db.prepare('INSERT INTO _migrations (name) VALUES (?)').run(name);
+  });
+
+  for (const file of files) {
+    if (applied.has(file)) continue;
+
+    const sql = fs.readFileSync(path.join(MIGRATIONS_DIR, file), 'utf8');
+    try {
+      applyMigration(file, sql);
+      console.log(`  ✅ Migration applied: ${file}`);
+      count++;
+    } catch (err) {
+      console.error(`  ❌ Migration failed: ${file} — ${err.message}`);
+      process.exit(1);
+    }
+  }
+
+  if (count === 0) {
+    console.log('  All migrations up to date.');
+  } else {
+    console.log(`  ${count} migration(s) applied.`);
+  }
+}
+
+// Run when called directly: node server/utils/migrate.js
+if (require.main === module) {
+  console.log('Running database migrations...');
+  runMigrations();
+  db.close();
+}
+
+module.exports = { runMigrations };