npm - whale-code - Versions diffs - 6.5.11 → 6.6.0 - Mend

whale-code 6.5.11 → 6.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (613) hide show

package/dist/server/index.js CHANGED Viewed

@@ -27,7 +27,7 @@ import { loadUserTools, executeTool, flushSpans } from "./tool-router.js";
 import { queueSpan, auditRowToSpan } from "./lib/clickhouse-buffer.js";
 // Extracted modules — single source of truth (no inline duplicates)
-import { safeCompare, getCorsHeaders, jsonResponse, readBody } from "./server-helpers.js";
+import { safeCompare, getCorsHeaders, jsonResponse, readBody, getClientIp } from "./server-helpers.js";
 import { sendIpRateLimit } from "./server-rate-limit.js";
 import { resolveAndValidateStoreId } from "./server-store.js";
 import { getSseClients, safeSseWrite, sendWorkflowSSE, getTotalSseClients, sseCleanupInterval, MAX_SSE_CLIENTS_PER_RUN, MAX_SSE_TOTAL_CLIENTS, setupPgListen, closePgClient, pgListenReady } from "./server-sse.js";
@@ -62,10 +62,34 @@ const SUPABASE_SERVICE_ROLE_KEY = process.env.SUPABASE_SERVICE_ROLE_KEY;
 const SERVICE_ROLE_JWT = process.env.SERVICE_ROLE_JWT || "";
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
 const FLY_INTERNAL_SECRET = process.env.FLY_INTERNAL_SECRET || "";
-if (!FLY_INTERNAL_SECRET) {
+if (!FLY_INTERNAL_SECRET && process.env.NODE_ENV === "production") {
+  console.error("[SECURITY] FATAL: FLY_INTERNAL_SECRET is not set in production — aborting");
+  process.exit(1);
+} else if (!FLY_INTERNAL_SECRET) {
   console.warn("[SECURITY] FLY_INTERNAL_SECRET is not set — internal endpoints are unprotected");
 }
+// ============================================================================
+// WIDGET JS CACHE (avoid fs.readFileSync on every request)
+// ============================================================================
+let _cachedWidgetJs = null;
+let _widgetJsLoaded = false;
+function getCachedWidgetJs() {
+  if (_widgetJsLoaded) return _cachedWidgetJs;
+  _widgetJsLoaded = true;
+  const fs = require("node:fs");
+  const path = require("node:path");
+  const possiblePaths = [path.join(__dirname, "../../dist/webchat/widget.js"), path.join(__dirname, "../../../dist/webchat/widget.js"), path.join(process.cwd(), "dist/webchat/widget.js")];
+  for (const p of possiblePaths) {
+    try {
+      _cachedWidgetJs = fs.readFileSync(p, "utf-8");
+      return _cachedWidgetJs;
+    } catch {/* try next */}
+  }
+  return null;
+}
 // ============================================================================
 // READINESS STATE
 // ============================================================================
@@ -261,7 +285,7 @@ const server = http.createServer(async (req, res) => {
   // ================================================================
   const guestApprovalMatch = pathname.match(/^\/approvals\/guest\/([a-f0-9-]+)$/);
   if (guestApprovalMatch && req.method === "GET") {
-    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    const clientIp = getClientIp(req);
     if (sendIpRateLimit(res, clientIp, corsHeaders)) return;
     const stepRunId = guestApprovalMatch[1];
     const urlParams = new URL(req.url || "", `http://${req.headers.host}`).searchParams;
@@ -357,7 +381,7 @@ const server = http.createServer(async (req, res) => {
   };
   const webchatMsgMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/messages$/);
   if (webchatMsgMatch && req.method === "POST") {
-    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    const clientIp = getClientIp(req);
     if (sendIpRateLimit(res, clientIp, webchatCors)) return;
     let rawBody;
     try {
@@ -512,7 +536,7 @@ const server = http.createServer(async (req, res) => {
   // GET /webchat/channels/:id/history — load conversation history for widget
   const webchatHistoryMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/history$/);
   if (webchatHistoryMatch && req.method === "GET") {
-    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    const clientIp = getClientIp(req);
     if (sendIpRateLimit(res, clientIp, webchatCors)) return;
     const channelId = webchatHistoryMatch[1];
     const params = url.searchParams;
@@ -574,19 +598,9 @@ const server = http.createServer(async (req, res) => {
     return;
   }
-  // GET /webchat/widget.js — serve compiled widget JavaScript
+  // GET /webchat/widget.js — serve compiled widget JavaScript (cached at startup)
   if (pathname === "/webchat/widget.js" && req.method === "GET") {
-    const fs = await import("node:fs");
-    const path = await import("node:path");
-    // Try multiple possible locations for the built widget file
-    const possiblePaths = [path.join(import.meta.dirname || __dirname, "../../dist/webchat/widget.js"), path.join(import.meta.dirname || __dirname, "../../../dist/webchat/widget.js"), path.join(process.cwd(), "dist/webchat/widget.js")];
-    let widgetJs = null;
-    for (const p of possiblePaths) {
-      try {
-        widgetJs = fs.readFileSync(p, "utf-8");
-        break;
-      } catch {/* try next */}
-    }
+    const widgetJs = getCachedWidgetJs();
     if (widgetJs) {
       res.writeHead(200, {
         "Content-Type": "application/javascript",
@@ -774,6 +788,7 @@ const server = http.createServer(async (req, res) => {
         return;
       }
       const supabase = getServiceClient();
+      let resumeUser = null;
       if (!isInternal) {
         const {
           data: {
@@ -787,6 +802,20 @@ const server = http.createServer(async (req, res) => {
           }, corsHeaders);
           return;
         }
+        resumeUser = authUser;
+      }
+      // IDOR protection: verify the conversation belongs to this user
+      if (!isInternal && resumeUser) {
+        const {
+          data: conv
+        } = await supabase.from("ai_conversations").select("user_id, store_id").eq("id", convId).maybeSingle();
+        if (conv && conv.user_id !== resumeUser.id) {
+          jsonResponse(res, 403, {
+            error: "Not authorized for this conversation"
+          }, corsHeaders);
+          return;
+        }
       }
       // Drain the request body (even if we don't use it) to prevent Fly proxy stalls
@@ -954,6 +983,24 @@ const server = http.createServer(async (req, res) => {
         return;
       }
       const supabase = getServiceClient();
+      // Verify user auth if not internal
+      let waitpointUser = null;
+      if (!isInternal) {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(authToken);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+        waitpointUser = authUser;
+      }
       let rawBody;
       try {
         rawBody = await readBody(req);
@@ -983,6 +1030,19 @@ const server = http.createServer(async (req, res) => {
         }, corsHeaders);
         return;
       }
+      // IDOR protection: verify caller is a member of the waitpoint's store
+      if (!isInternal && waitpointUser && wp.store_id) {
+        const {
+          data: membership
+        } = await supabase.from("store_members").select("id").eq("store_id", wp.store_id).eq("user_id", waitpointUser.id).maybeSingle();
+        if (!membership) {
+          jsonResponse(res, 403, {
+            error: "Not a member of this store"
+          }, corsHeaders);
+          return;
+        }
+      }
       if (wp.status === "completed") {
         jsonResponse(res, 409, {
           error: "Waitpoint already completed"
@@ -1032,7 +1092,7 @@ const server = http.createServer(async (req, res) => {
     // ================================================================
     const webhookMatch = pathname.match(/^\/webhooks\/([a-zA-Z0-9_-]+)$/);
     if (webhookMatch) {
-      const whClientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+      const whClientIp = getClientIp(req);
       if (sendIpRateLimit(res, whClientIp, corsHeaders)) return;
       const slug = webhookMatch[1];
       let rawBody;
@@ -1082,6 +1142,7 @@ const server = http.createServer(async (req, res) => {
       const supabase = getServiceClient();
       // Verify user auth if not internal
+      let eventsUser = null;
       if (!isInternal) {
         const {
           data: {
@@ -1095,6 +1156,7 @@ const server = http.createServer(async (req, res) => {
           }, corsHeaders);
           return;
         }
+        eventsUser = authUser;
       }
       let rawBody;
       try {
@@ -1121,6 +1183,19 @@ const server = http.createServer(async (req, res) => {
         return;
       }
+      // IDOR protection: verify caller is a member of the target store
+      if (!isInternal && eventsUser) {
+        const {
+          data: membership
+        } = await supabase.from("store_members").select("id").eq("store_id", body.store_id).eq("user_id", eventsUser.id).maybeSingle();
+        if (!membership) {
+          jsonResponse(res, 403, {
+            error: "Not a member of this store"
+          }, corsHeaders);
+          return;
+        }
+      }
       // Idempotency: if client provides idempotency_key, check for duplicate
       if (body.idempotency_key) {
         const {
@@ -1212,6 +1287,7 @@ const server = http.createServer(async (req, res) => {
       const supabase = getServiceClient();
       // Verify user auth if not internal
+      let workflowUser = null;
       if (!isInternal) {
         const {
           data: {
@@ -1225,6 +1301,7 @@ const server = http.createServer(async (req, res) => {
           }, corsHeaders);
           return;
         }
+        workflowUser = authUser;
       }
       let rawBody;
       try {
@@ -1245,6 +1322,19 @@ const server = http.createServer(async (req, res) => {
         return;
       }
+      // IDOR protection: verify caller is a member of the target store
+      if (!isInternal && workflowUser && body.store_id) {
+        const {
+          data: membership
+        } = await supabase.from("store_members").select("id").eq("store_id", body.store_id).eq("user_id", workflowUser.id).maybeSingle();
+        if (!membership) {
+          jsonResponse(res, 403, {
+            error: "Not a member of this store"
+          }, corsHeaders);
+          return;
+        }
+      }
       // P0 FIX: Verify the workflow belongs to the requesting store before starting a run
       if (body.workflow_id && body.store_id) {
         const {
@@ -1321,10 +1411,10 @@ const server = http.createServer(async (req, res) => {
     // stalls with "error writing a body to connection" on large requests.
     let rawBody;
     try {
-      rawBody = await readBody(req);
+      rawBody = await readBody(req, 52_428_800); // 50MB — chat may include base64 images
     } catch {
       jsonResponse(res, 413, {
-        error: "Request body too large (max 500MB)"
+        error: "Request body too large (max 50MB)"
       }, corsHeaders);
       return;
     }
@@ -1677,7 +1767,7 @@ startWorkerLoop();
 // Initialize shared Supabase client with retry logic before server starts
 initSupabase(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
-server.listen(PORT, () => {
+server.listen(PORT, async () => {
   log.info({
     port: PORT,
     supabaseUrl: SUPABASE_URL,
@@ -1707,24 +1797,27 @@ server.listen(PORT, () => {
     }, "local-agent gateway init failed");
   }
-  // Phase 3: Start pg LISTEN for real-time SSE streaming
-  setupPgListen().catch(err => {
+  // Phase 3: Start pg LISTEN for real-time SSE streaming (await before accepting traffic)
+  try {
+    await setupPgListen();
+  } catch (err) {
     log.error({
       err: err.message
-    }, "pg-listen setup failed");
-  });
+    }, "pg-listen setup failed (SSE streaming unavailable)");
+  }
-  // Phase 4.2: Mark orphaned conversations as resumable
+  // Phase 4.2: Mark orphaned conversations as resumable (await to ensure clean state)
   const serverBootTime = new Date();
-  markOrphaned(getServiceClient(), serverBootTime).then(count => {
+  try {
+    const count = await markOrphaned(getServiceClient(), serverBootTime);
     if (count > 0) log.info({
       count
     }, "orphaned conversations marked resumable");
-  }).catch(err => {
+  } catch (err) {
     log.warn({
       err: err.message
     }, "markOrphaned failed (table may not exist yet)");
-  });
+  }
 });
 // ============================================================================