web-agent-bridge 3.4.0 → 3.9.0

package/server/middleware/adminAuth.js

@@ -1,35 +1,35 @@
-const { signAdminToken, verifyAdminToken } = require('../config/secrets');
-const { isJWTRevoked } = require('../services/security');
-
-function generateAdminToken(admin) {
-  return signAdminToken(
-    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
-    { expiresIn: '4h' }
-  );
-}
-
-function authenticateAdmin(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Admin access token required' });
-  }
-
-  try {
-    if (isJWTRevoked(token)) {
-      return res.status(403).json({ error: 'Token has been revoked' });
-    }
-    const decoded = verifyAdminToken(token);
-    if (!decoded.isAdmin) {
-      return res.status(403).json({ error: 'Admin privileges required' });
-    }
-    req.admin = decoded;
-    req._rawToken = token;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired admin token' });
-  }
-}
-
-module.exports = { generateAdminToken, authenticateAdmin };
+const { signAdminToken, verifyAdminToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
+
+function generateAdminToken(admin) {
+  return signAdminToken(
+    { id: admin.id, email: admin.email, name: admin.name, role: admin.role, isAdmin: true },
+    { expiresIn: '4h' }
+  );
+}
+
+function authenticateAdmin(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Admin access token required' });
+  }
+
+  try {
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
+    const decoded = verifyAdminToken(token);
+    if (!decoded.isAdmin) {
+      return res.status(403).json({ error: 'Admin privileges required' });
+    }
+    req.admin = decoded;
+    req._rawToken = token;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired admin token' });
+  }
+}
+
+module.exports = { generateAdminToken, authenticateAdmin };

package/server/middleware/api-tier.js

@@ -0,0 +1,170 @@
+// ═══════════════════════════════════════════════════════════════════════════
+// WAB Trust Graph — API tier middleware
+//
+//   Reads X-API-Key (or ?api_key=) and enforces:
+//     • per-key per-minute rate limit
+//     • per-key per-month quota
+//     • scope check (each route declares required scope)
+//
+//   When no key is presented, the request is treated as anonymous "free" with
+//   a low public allowance — keeping the API explorable but unattractive for
+//   abuse. Routes that require a specific scope must use enforceScope().
+//
+//   Usage record is best-effort: write failures never block requests.
+// ═══════════════════════════════════════════════════════════════════════════
+
+'use strict';
+
+const crypto = require('crypto');
+const { db } = require('../models/db');
+
+const ANON_TIER = Object.freeze({
+  key_id:        null,
+  tier:          'anonymous',
+  monthly_quota: 200,
+  rate_per_min:  10,
+  scopes:        ['trust:read']
+});
+
+// In-process rate buckets — sliding window (one minute).
+const buckets = new Map();
+function rateOk(keyId, rate) {
+  const now = Date.now();
+  const cutoff = now - 60_000;
+  const arr = buckets.get(keyId) || [];
+  const pruned = arr.filter(t => t > cutoff);
+  if (pruned.length >= rate) {
+    buckets.set(keyId, pruned);
+    return false;
+  }
+  pruned.push(now);
+  buckets.set(keyId, pruned);
+  return true;
+}
+
+function hashKey(secret) {
+  return crypto.createHash('sha256').update(String(secret), 'utf8').digest('hex');
+}
+
+function extractKey(req) {
+  const h = req.headers['x-api-key'];
+  if (typeof h === 'string' && h.length >= 24) return h.trim();
+  if (typeof req.query.api_key === 'string' && req.query.api_key.length >= 24) return req.query.api_key.trim();
+  return null;
+}
+
+function loadKey(secret) {
+  if (!secret) return null;
+  try {
+    return db.prepare(`
+      SELECT key_id, tier, monthly_quota, rate_per_min, scopes, status
+      FROM wab_api_keys WHERE key_hash = ?
+    `).get(hashKey(secret));
+  } catch { return null; }
+}
+
+function monthOf(d = new Date()) {
+  return d.toISOString().slice(0, 7); // YYYY-MM
+}
+function dayOf(d = new Date()) {
+  return d.toISOString().slice(0, 10);
+}
+
+function monthUsage(keyId) {
+  if (!keyId) return 0;
+  const since = monthOf() + '-01';
+  try {
+    const row = db.prepare(`SELECT COALESCE(SUM(count),0) AS n FROM wab_api_usage WHERE key_id = ? AND day >= ?`).get(keyId, since);
+    return row ? row.n : 0;
+  } catch { return 0; }
+}
+
+function recordUsage(keyId, endpoint, bytesOut) {
+  if (!keyId) return;
+  try {
+    db.prepare(`
+      INSERT INTO wab_api_usage (key_id, day, endpoint, count, bytes_out)
+      VALUES (?, ?, ?, 1, ?)
+      ON CONFLICT(key_id, day, endpoint) DO UPDATE SET
+        count = count + 1,
+        bytes_out = bytes_out + excluded.bytes_out
+    `).run(keyId, dayOf(), endpoint.slice(0, 120), Math.max(0, bytesOut|0));
+    db.prepare(`UPDATE wab_api_keys SET last_used_at = datetime('now') WHERE key_id = ?`).run(keyId);
+  } catch { /* swallow */ }
+}
+
+function apiTierMiddleware(req, res, next) {
+  const secret = extractKey(req);
+  let tierInfo;
+  if (secret) {
+    const row = loadKey(secret);
+    if (!row) {
+      return res.status(401).json({ error: 'invalid_api_key' });
+    }
+    if (row.status !== 'active') {
+      return res.status(403).json({ error: 'api_key_' + row.status });
+    }
+    let scopes;
+    try { scopes = JSON.parse(row.scopes); } catch { scopes = []; }
+    tierInfo = {
+      key_id: row.key_id,
+      tier: row.tier,
+      monthly_quota: row.monthly_quota,
+      rate_per_min: row.rate_per_min,
+      scopes: Array.isArray(scopes) ? scopes : []
+    };
+  } else {
+    tierInfo = { ...ANON_TIER };
+  }
+
+  // Rate
+  const bucketId = tierInfo.key_id || ('anon:' + (req.ip || 'unknown'));
+  if (!rateOk(bucketId, tierInfo.rate_per_min)) {
+    res.set('Retry-After', '60');
+    return res.status(429).json({ error: 'rate_limited', tier: tierInfo.tier, rate_per_min: tierInfo.rate_per_min });
+  }
+
+  // Quota (skip for anonymous — IP-rate is enough; quota requires identity)
+  if (tierInfo.key_id) {
+    const used = monthUsage(tierInfo.key_id);
+    if (used >= tierInfo.monthly_quota) {
+      return res.status(402).json({
+        error: 'quota_exceeded',
+        tier: tierInfo.tier,
+        monthly_quota: tierInfo.monthly_quota,
+        used,
+        upgrade: 'https://www.webagentbridge.com/trust-graph-api'
+      });
+    }
+    res.set('X-WAB-Quota-Used', String(used));
+    res.set('X-WAB-Quota-Limit', String(tierInfo.monthly_quota));
+  }
+
+  req.apiTier = tierInfo;
+  res.set('X-WAB-Tier', tierInfo.tier);
+
+  // Record on response finish (best-effort)
+  res.once('finish', () => {
+    const bytes = parseInt(res.get('content-length') || '0', 10) || 0;
+    recordUsage(tierInfo.key_id, (req.baseUrl || '') + (req.path || req.url || ''), bytes);
+  });
+
+  next();
+}
+
+function enforceScope(requiredScope) {
+  return function (req, res, next) {
+    const tier = req.apiTier || ANON_TIER;
+    if (!tier.scopes.includes(requiredScope)) {
+      return res.status(403).json({
+        error: 'scope_required',
+        required: requiredScope,
+        granted: tier.scopes,
+        tier: tier.tier
+      });
+    }
+    next();
+  };
+}
+
+module.exports = { apiTierMiddleware, enforceScope, hashKey, _internals: { rateOk, monthUsage } };

package/server/middleware/auth.js

@@ -1,50 +1,50 @@
-const { signUserToken, verifyUserToken } = require('../config/secrets');
-const { isJWTRevoked } = require('../services/security');
-
-function generateToken(user) {
-  return signUserToken(
-    { id: user.id, email: user.email, name: user.name },
-    { expiresIn: '24h' }
-  );
-}
-
-function authenticateToken(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Access token required' });
-  }
-
-  try {
-    // Check revocation list
-    if (isJWTRevoked(token)) {
-      return res.status(403).json({ error: 'Token has been revoked' });
-    }
-    const decoded = verifyUserToken(token);
-    req.user = decoded;
-    req._rawToken = token;
-    next();
-  } catch (err) {
-    return res.status(403).json({ error: 'Invalid or expired token' });
-  }
-}
-
-function optionalAuth(req, res, next) {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (token) {
-    try {
-      if (!isJWTRevoked(token)) {
-        req.user = verifyUserToken(token);
-        req._rawToken = token;
-      }
-    } catch (e) {
-      // ignore invalid tokens for optional auth
-    }
-  }
-  next();
-}
-
-module.exports = { generateToken, authenticateToken, optionalAuth };
+const { signUserToken, verifyUserToken } = require('../config/secrets');
+const { isJWTRevoked } = require('../services/security');
+
+function generateToken(user) {
+  return signUserToken(
+    { id: user.id, email: user.email, name: user.name },
+    { expiresIn: '24h' }
+  );
+}
+
+function authenticateToken(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    return res.status(401).json({ error: 'Access token required' });
+  }
+
+  try {
+    // Check revocation list
+    if (isJWTRevoked(token)) {
+      return res.status(403).json({ error: 'Token has been revoked' });
+    }
+    const decoded = verifyUserToken(token);
+    req.user = decoded;
+    req._rawToken = token;
+    next();
+  } catch (err) {
+    return res.status(403).json({ error: 'Invalid or expired token' });
+  }
+}
+
+function optionalAuth(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (token) {
+    try {
+      if (!isJWTRevoked(token)) {
+        req.user = verifyUserToken(token);
+        req._rawToken = token;
+      }
+    } catch (e) {
+      // ignore invalid tokens for optional auth
+    }
+  }
+  next();
+}
+
+module.exports = { generateToken, authenticateToken, optionalAuth };

package/server/middleware/featureGate.js

@@ -1,88 +1,88 @@
-'use strict';
-
-/**
- * Feature Gate Middleware for Agent OS
- *
- * Enforces plan-based access control on /api/os/* endpoints.
- * Checks tier features and usage limits before allowing access.
- *
- * OPEN endpoints (always free): protocol, registry read, discovery, adapters read,
- *   agent registration, basic health, SDK downloads
- *
- * GATED endpoints: orchestration, observability details, replay, failure analysis,
- *   sessions beyond limit, LLM inference, certification, signing, hosted runtime,
- *   marketplace publish, swarm, vision
- */
-
-const { checkFeatureGate, hasFeature, getPlan } = require('../config/plans');
-const metering = require('../services/metering');
-const { metrics } = require('../observability');
-
-/**
- * Feature Gate Middleware
- * Checks if the requesting agent/user has the required feature in their plan.
- *
- * Requires req.agentTier to be set (by auth middleware or license verification).
- * Falls back to 'free' if not set.
- */
-function featureGate(req, res, next) {
-  const tier = req.agentTier || req.session?.tier || 'free';
-  const requiredFeature = checkFeatureGate(req.path, req.method);
-
-  // No gate on this endpoint — free access
-  if (!requiredFeature) return next();
-
-  // Check feature
-  if (!hasFeature(tier, requiredFeature)) {
-    metrics.increment('feature_gate.denied', 1, { feature: requiredFeature, tier });
-    const plan = getPlan(tier);
-    return res.status(403).json({
-      error: 'Feature not available on your plan',
-      feature: requiredFeature,
-      currentPlan: tier,
-      upgrade: `This feature requires a higher plan. Visit /api/os/plans for available plans.`,
-      upgradeUrl: '/api/os/plans',
-    });
-  }
-
-  metrics.increment('feature_gate.allowed', 1, { feature: requiredFeature, tier });
-  next();
-}
-
-/**
- * Usage Limit Middleware
- * Enforces per-metric limits (executions/day, tasks/day, etc.) based on plan.
- */
-function usageLimit(metric) {
-  return function (req, res, next) {
-    const tier = req.agentTier || req.session?.tier || 'free';
-    const entityId = req.agentId || req.session?.agentId || req.ip;
-
-    const result = metering.record(entityId, metric, tier);
-
-    if (!result.allowed) {
-      metrics.increment('usage_limit.exceeded', 1, { metric, tier });
-      return res.status(429).json({
-        error: 'Usage limit exceeded',
-        metric,
-        current: result.current,
-        limit: result.limit,
-        overage: result.overageAmount,
-        overageCost: result.overageCost,
-        upgrade: 'Upgrade your plan for higher limits or enable pay-as-you-go overages.',
-        upgradeUrl: '/api/os/plans',
-      });
-    }
-
-    // Attach usage info to response headers
-    if (result.limit > 0) {
-      res.set('X-WAB-Usage-Current', String(result.current));
-      res.set('X-WAB-Usage-Limit', String(result.limit));
-      res.set('X-WAB-Usage-Remaining', String(Math.max(0, result.limit - result.current)));
-    }
-
-    next();
-  };
-}
-
-module.exports = { featureGate, usageLimit };
+'use strict';
+
+/**
+ * Feature Gate Middleware for Agent OS
+ *
+ * Enforces plan-based access control on /api/os/* endpoints.
+ * Checks tier features and usage limits before allowing access.
+ *
+ * OPEN endpoints (always free): protocol, registry read, discovery, adapters read,
+ *   agent registration, basic health, SDK downloads
+ *
+ * GATED endpoints: orchestration, observability details, replay, failure analysis,
+ *   sessions beyond limit, LLM inference, certification, signing, hosted runtime,
+ *   marketplace publish, swarm, vision
+ */
+
+const { checkFeatureGate, hasFeature, getPlan } = require('../config/plans');
+const metering = require('../services/metering');
+const { metrics } = require('../observability');
+
+/**
+ * Feature Gate Middleware
+ * Checks if the requesting agent/user has the required feature in their plan.
+ *
+ * Requires req.agentTier to be set (by auth middleware or license verification).
+ * Falls back to 'free' if not set.
+ */
+function featureGate(req, res, next) {
+  const tier = req.agentTier || req.session?.tier || 'free';
+  const requiredFeature = checkFeatureGate(req.path, req.method);
+
+  // No gate on this endpoint — free access
+  if (!requiredFeature) return next();
+
+  // Check feature
+  if (!hasFeature(tier, requiredFeature)) {
+    metrics.increment('feature_gate.denied', 1, { feature: requiredFeature, tier });
+    const plan = getPlan(tier);
+    return res.status(403).json({
+      error: 'Feature not available on your plan',
+      feature: requiredFeature,
+      currentPlan: tier,
+      upgrade: `This feature requires a higher plan. Visit /api/os/plans for available plans.`,
+      upgradeUrl: '/api/os/plans',
+    });
+  }
+
+  metrics.increment('feature_gate.allowed', 1, { feature: requiredFeature, tier });
+  next();
+}
+
+/**
+ * Usage Limit Middleware
+ * Enforces per-metric limits (executions/day, tasks/day, etc.) based on plan.
+ */
+function usageLimit(metric) {
+  return function (req, res, next) {
+    const tier = req.agentTier || req.session?.tier || 'free';
+    const entityId = req.agentId || req.session?.agentId || req.ip;
+
+    const result = metering.record(entityId, metric, tier);
+
+    if (!result.allowed) {
+      metrics.increment('usage_limit.exceeded', 1, { metric, tier });
+      return res.status(429).json({
+        error: 'Usage limit exceeded',
+        metric,
+        current: result.current,
+        limit: result.limit,
+        overage: result.overageAmount,
+        overageCost: result.overageCost,
+        upgrade: 'Upgrade your plan for higher limits or enable pay-as-you-go overages.',
+        upgradeUrl: '/api/os/plans',
+      });
+    }
+
+    // Attach usage info to response headers
+    if (result.limit > 0) {
+      res.set('X-WAB-Usage-Current', String(result.current));
+      res.set('X-WAB-Usage-Limit', String(result.limit));
+      res.set('X-WAB-Usage-Remaining', String(Math.max(0, result.limit - result.current)));
+    }
+
+    next();
+  };
+}
+
+module.exports = { featureGate, usageLimit };