chore: upgrade jwt to v5

2025-06-14 03:47:50 +00:00 · 2024-04-16 08:42:44 +08:00
parent 6bb99ed3cc
commit 9a2618f42b
11 changed files with 120 additions and 59 deletions
--- a/server/route/api/v1/acl.go
+++ b/server/route/api/v1/acl.go
@ -5,7 +5,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
--- a/server/route/api/v1/user_service.go
+++ b/server/route/api/v1/user_service.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"time"

-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/exp/slices"
--- a/server/route/auth/auth.go
+++ b/server/route/auth/auth.go
@ -4,7 +4,7 @@ import (
 	"fmt"
 	"time"

-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )

 const (
--- a/server/service/license/cache.go
+++ b/server/service/license/cache.go
@ -1,24 +0,0 @@
-package license
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/patrickmn/go-cache"
-)
-
-var (
-	licenseCache = cache.New(24*time.Hour, 24*time.Hour)
-)
-
-func SetLicenseCache(licenseKey, instanceName string, license LicenseKey) {
-	licenseCache.Set(fmt.Sprintf("%s-%s", licenseKey, instanceName), license, 24*time.Hour)
-}
-
-func GetLicenseCache(licenseKey, instanceName string) *LicenseKey {
-	cache, ok := licenseCache.Get(fmt.Sprintf("%s-%s", licenseKey, instanceName))
-	if !ok {
-		return nil
-	}
-	return cache.(*LicenseKey)
-}
--- a/server/service/license/lemonsqueezy/lemonsqueezy.go
+++ b/server/service/license/lemonsqueezy/lemonsqueezy.go
@ -0,0 +1 @@
+package lemonsqueezy
--- a/server/service/license/lemonsqueezy/requests.go
+++ b/server/service/license/lemonsqueezy/requests.go
@ -1,4 +1,4 @@
-package license
+package lemonsqueezy

 import (
 	"bytes"
@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"time"

 	"github.com/pkg/errors"
 )
@ -57,7 +56,7 @@ type ActiveLicenseKeyResponse struct {
 	Meta       *LicenseKeyMeta `json:"meta"`
 }

-func validateLicenseKey(licenseKey string, instanceName string) (*ValidateLicenseKeyResponse, error) {
+func ValidateLicenseKey(licenseKey string, instanceName string) (*ValidateLicenseKeyResponse, error) {
 	data := map[string]string{"license_key": licenseKey}
 	if instanceName != "" {
 		data["instance_name"] = instanceName
@ -98,11 +97,10 @@ func validateLicenseKey(licenseKey string, instanceName string) (*ValidateLicens
 			return nil, errors.New("invalid store or product id")
 		}
 	}
-	licenseCache.Set("key", "value", 24*time.Hour)
 	return &response, nil
 }

-func activeLicenseKey(licenseKey string, instanceName string) (*ActiveLicenseKeyResponse, error) {
+func ActiveLicenseKey(licenseKey string, instanceName string) (*ActiveLicenseKeyResponse, error) {
 	data := map[string]string{"license_key": licenseKey, "instance_name": instanceName}
 	payload, err := json.Marshal(data)
 	if err != nil {
--- a/server/service/license/lemonsqueezy/requests_test.go
+++ b/server/service/license/lemonsqueezy/requests_test.go
@ -1,4 +1,4 @@
-package license
+package lemonsqueezy

 import (
 	"testing"
@ -27,7 +27,7 @@ func TestValidateLicenseKey(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			response, err := validateLicenseKey(tt.key, "test-instance")
+			response, err := ValidateLicenseKey(tt.key, "test-instance")
 			if tt.err != nil {
 				require.EqualError(t, err, tt.err.Error())
 				return
@ -58,7 +58,7 @@ func TestActiveLicenseKey(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			response, err := activeLicenseKey(tt.key, "test-instance")
+			response, err := ActiveLicenseKey(tt.key, "test-instance")
 			require.NoError(t, err)
 			require.Equal(t, tt.expected, response.Activated)
 		})
--- a/server/service/license/license.go
+++ b/server/service/license/license.go
@ -2,17 +2,23 @@ package license

 import (
 	"context"
+	_ "embed"
 	"time"

+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	apiv1pb "github.com/yourselfhosted/slash/proto/gen/api/v1"
 	storepb "github.com/yourselfhosted/slash/proto/gen/store"
 	"github.com/yourselfhosted/slash/server/profile"
+	"github.com/yourselfhosted/slash/server/service/license/lemonsqueezy"
 	"github.com/yourselfhosted/slash/store"
 )

+//go:embed slash.public.pem
+var slashPublicRSAKey string
+
 type LicenseService struct {
 	Profile *profile.Profile
 	Store   *store.Store
@ -49,25 +55,15 @@ func (s *LicenseService) LoadSubscription(ctx context.Context) (*apiv1pb.Subscri
 		return subscription, nil
 	}

-	validateResponse, err := validateLicenseKey(licenseKey, "")
+	result, err := validateLicenseKey(licenseKey)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to validate license key")
 	}
-	if validateResponse.Valid {
-		subscription.Plan = apiv1pb.PlanType_PRO
-		if validateResponse.LicenseKey.ExpiresAt != nil && *validateResponse.LicenseKey.ExpiresAt != "" {
-			expiresTime, err := time.Parse(time.RFC3339Nano, *validateResponse.LicenseKey.ExpiresAt)
-			if err != nil {
-				return nil, errors.Wrap(err, "failed to parse license key expires time")
-			}
-			subscription.ExpiresTime = timestamppb.New(expiresTime)
-		}
-		startedTime, err := time.Parse(time.RFC3339Nano, validateResponse.LicenseKey.CreatedAt)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to parse license key created time")
-		}
-		subscription.StartedTime = timestamppb.New(startedTime)
+	if result == nil {
+		return subscription, nil
 	}
+	subscription.Plan = result.Plan
+	subscription.ExpiresTime = timestamppb.New(result.ExpiresTime)
 	s.cachedSubscription = subscription
 	return subscription, nil
 }
@ -76,11 +72,11 @@ func (s *LicenseService) UpdateSubscription(ctx context.Context, licenseKey stri
 	if licenseKey == "" {
 		return nil, errors.New("license key is required")
 	}
-	validateResponse, err := validateLicenseKey(licenseKey, "")
+	result, err := validateLicenseKey(licenseKey)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to validate license key")
 	}
-	if !validateResponse.Valid {
+	if result == nil {
 		return nil, errors.New("invalid license key")
 	}
 	_, err = s.Store.UpsertWorkspaceSetting(ctx, &storepb.WorkspaceSetting{
@ -96,7 +92,14 @@ func (s *LicenseService) UpdateSubscription(ctx context.Context, licenseKey stri
 }

 func (s *LicenseService) GetSubscription(ctx context.Context) (*apiv1pb.Subscription, error) {
-	return s.LoadSubscription(ctx)
+	subscription, err := s.LoadSubscription(ctx)
+	if err != nil || subscription.Plan == apiv1pb.PlanType_PLAN_TYPE_UNSPECIFIED {
+		// nolint
+		return &apiv1pb.Subscription{
+			Plan: apiv1pb.PlanType_FREE,
+		}, nil
+	}
+	return subscription, nil
 }

 func (s *LicenseService) IsFeatureEnabled(feature FeatureType) bool {
@ -106,3 +109,80 @@ func (s *LicenseService) IsFeatureEnabled(feature FeatureType) bool {
 	}
 	return matrix[s.cachedSubscription.Plan-1]
 }
+
+type ValidateResult struct {
+	Plan        apiv1pb.PlanType
+	ExpiresTime time.Time
+}
+
+type Claims struct {
+	jwt.RegisteredClaims
+
+	Owner string `json:"owner"`
+	Plan  string `json:"plan"`
+	Trial bool   `json:"trial"`
+}
+
+func validateLicenseKey(licenseKey string) (*ValidateResult, error) {
+	// Try to parse the license key as a JWT token.
+	claims, _ := parseLicenseKey(licenseKey)
+	if claims != nil {
+		plan := apiv1pb.PlanType(apiv1pb.PlanType_value[claims.Plan])
+		if plan == apiv1pb.PlanType_PLAN_TYPE_UNSPECIFIED {
+			return nil, errors.New("invalid plan")
+		}
+		return &ValidateResult{
+			Plan:        apiv1pb.PlanType(apiv1pb.PlanType_value[claims.Plan]),
+			ExpiresTime: claims.ExpiresAt.Time,
+		}, nil
+	}
+
+	// Try to validate the license key with the license server.
+	validateResponse, err := lemonsqueezy.ValidateLicenseKey(licenseKey, "")
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to validate license key")
+	}
+	if validateResponse.Valid {
+		result := &ValidateResult{
+			Plan: apiv1pb.PlanType_PRO,
+		}
+		if validateResponse.LicenseKey.ExpiresAt != nil && *validateResponse.LicenseKey.ExpiresAt != "" {
+			expiresTime, err := time.Parse(time.RFC3339Nano, *validateResponse.LicenseKey.ExpiresAt)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to parse license key expires time")
+			}
+			result.ExpiresTime = expiresTime
+		}
+		return result, nil
+	}
+
+	// Otherwise, return an error.
+	return nil, errors.New("invalid license key")
+}
+
+func parseLicenseKey(licenseKey string) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(licenseKey, &Claims{}, func(token *jwt.Token) (any, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, errors.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+
+		key, err := jwt.ParseRSAPublicKeyFromPEM([]byte(slashPublicRSAKey))
+		if err != nil {
+			return nil, err
+		}
+
+		return key, nil
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse token")
+	}
+	if token == nil || !token.Valid {
+		return nil, errors.New("invalid token")
+	}
+
+	claims, ok := token.Claims.(*Claims)
+	if !ok {
+		return nil, errors.New("invalid claims")
+	}
+	return claims, nil
+}
--- a/server/service/license/slash.public.pem
+++ b/server/service/license/slash.public.pem
@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsNHQEGf4EiGUKG/buu1d
+llNjxwmKiUX0htAoBa7JPqNjlQqyd27gBQCJ9b1d4gor3SBbEdKKirph6I/jJ2in
+LQwSVtIuQUdILC0PSEyUZ1t/QOOfgNuAW15cvj7e1W2I3GqTy/PwQ08+xTziDiU0
+j9fM15vMEx/G378ikPaSfaoLueugI/tpta3Ho6wJqpNr2pL2+pIb1LUurltufA/O
+5mIcxorlu+1iSB5PLB6X1ptipDkD+ZdHlDLzKgzkUoIrqDynC7jlwhiDtqDl2q+j
+VTyZKhP6PB81rI4/DXAafrl4ndAGxWiZj83/+m/uzqIx8XWMA10jnSeGvBxbVWrw
+rwIDAQAB
+-----END PUBLIC KEY-----