@huloglobal/vendure-licence-sdk 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+All notable changes to `@huloglobal/vendure-licence-sdk` are documented here. The
+format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and
+this project adheres to [semantic versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] — Unreleased
+
+### Added
+- Offline RSA-SHA256 JWT licence verification (`verifyLicence`).
+- `RevocationChecker` with a 7-day default poll interval and soft-failure
+  caching of the previous revocation list.
+- `LicenceStatus` and `LicencePayload` shared types.

package/LICENSE

@@ -0,0 +1,22 @@
+HULO Global Limited — Commercial Plugin Licence
+
+Copyright (c) 2026 HULO Global Limited (Companies House registration in
+England and Wales). All rights reserved.
+
+This package contains licence-verification code shared by the
+@hulo/vendure-plugin-* family of Vendure plugins. The package may be
+installed and used only in conjunction with a paid HULO Vendure plugin
+that depends on it. Redistribution of the package outside of that
+context is not permitted.
+
+The source code is published only to allow customers to audit the
+verification logic for the plugins they have purchased. Modification,
+reverse engineering of the licence-signing keys, or use of this package
+to circumvent licence verification in any HULO product is expressly
+prohibited.
+
+No warranty is given. To the maximum extent permitted by law, HULO
+Global Limited disclaims all liability arising from use of this
+software.
+
+For commercial licensing enquiries, contact: sales@eliteenterprisesoftware.com

package/README.md

@@ -0,0 +1,75 @@
+# @huloglobal/vendure-licence-sdk
+
+Licence-key verification helpers shared by every commercial HULO Vendure plugin.
+
+The SDK is consumed by plugins, not by Vendure storefronts directly. Install it
+as a runtime dependency of your plugin package, embed your `publicKey`
+constant in the plugin source, and call `verifyLicence(...)` once at boot.
+
+## Install
+
+```bash
+yarn add @huloglobal/vendure-licence-sdk
+```
+
+## Usage in a plugin
+
+```ts
+import { verifyLicence, RevocationChecker } from '@huloglobal/vendure-licence-sdk';
+import { VendurePlugin } from '@vendure/core';
+
+const HULO_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+... your plugin's embedded RSA public key ...
+-----END PUBLIC KEY-----`;
+
+const revocation = new RevocationChecker('https://licence.hulo-global.com/revoked.json');
+revocation.start();
+
+@VendurePlugin({ /* ... */ })
+export class MyPlugin {
+  static init(options: { licenceKey?: string }) {
+    const status = verifyLicence({
+      licenceKey: options.licenceKey,
+      pluginId: 'vendure-plugin-my-thing',
+      host: process.env.VENDURE_HOST || 'localhost',
+      publicKey: HULO_PUBLIC_KEY,
+      revokedIds: revocation.getRevokedIds(),
+    });
+    // status.valid → enable all features
+    // !status.valid → log status.message, run in unlicensed mode
+    MyPlugin.licenceStatus = status;
+    return MyPlugin;
+  }
+  static licenceStatus: LicenceStatus;
+}
+```
+
+## Why offline JWT + periodic revocation?
+
+- **Boot-time offline check.** Vendure stays bootable even when our licence
+  server is unreachable. The customer's storefront never hangs on a network call.
+- **Soft revocation.** Refunded / leaked keys are revoked by adding the JWT
+  `jti` to a flat list at `https://licence.hulo-global.com/revoked.json`. The
+  plugin re-fetches the list every 7 days.
+- **Soft failure.** Network outages keep the previous cached revocation list in
+  memory — your customer is never accidentally locked out of features they paid
+  for because our server hiccuped.
+
+## Licence status reasons
+
+`LicenceStatus.reason` is one of:
+
+| reason | meaning |
+| --- | --- |
+| `ok` | Licence verified and active. |
+| `missing` | No key supplied. Run in unlicensed mode. |
+| `malformed` | Key isn't a valid JWT. |
+| `bad-signature` | Signature didn't verify — possible tampering. |
+| `plugin-mismatch` | Licence is for a different HULO plugin. |
+| `domain-mismatch` | Host domain not in `allowedDomains`. |
+| `expired` | `exp` is in the past. |
+| `revoked` | Key appears in the revocation list. |
+
+## Licence
+
+Commercial — see LICENSE.

package/dist/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * @huloglobal/vendure-licence-sdk
+ *
+ * Licence-key validation helpers shared by every commercial HULO
+ * Vendure plugin. Each plugin embeds the SDK and calls
+ * `verifyLicence(...)` at boot. The SDK:
+ *
+ *  - Verifies an offline RSA-signed JWT payload (no boot-time network
+ *    call required — Vendure stays bootable even when our licence
+ *    server is unreachable).
+ *  - Optionally polls a revocation list every 7 days so leaked or
+ *    refunded keys can be cancelled.
+ *  - Exposes a single `LicenceStatus` object plugins can read to
+ *    decide whether to enable write paths / paid features.
+ *
+ * Plugins are expected to fail-soft: if no key is supplied or the key
+ * is invalid, the plugin should still register without crashing, log a
+ * clear warning, and disable mutation paths or restrict to a free
+ * tier. The end-user can always upgrade by supplying a valid key.
+ */
+export { verifyLicence } from './verify';
+export { LicenceStatus, LicencePayload, VerifyLicenceOptions } from './types';
+export { RevocationChecker } from './revocation';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * @huloglobal/vendure-licence-sdk
+ *
+ * Licence-key validation helpers shared by every commercial HULO
+ * Vendure plugin. Each plugin embeds the SDK and calls
+ * `verifyLicence(...)` at boot. The SDK:
+ *
+ *  - Verifies an offline RSA-signed JWT payload (no boot-time network
+ *    call required — Vendure stays bootable even when our licence
+ *    server is unreachable).
+ *  - Optionally polls a revocation list every 7 days so leaked or
+ *    refunded keys can be cancelled.
+ *  - Exposes a single `LicenceStatus` object plugins can read to
+ *    decide whether to enable write paths / paid features.
+ *
+ * Plugins are expected to fail-soft: if no key is supplied or the key
+ * is invalid, the plugin should still register without crashing, log a
+ * clear warning, and disable mutation paths or restrict to a free
+ * tier. The end-user can always upgrade by supplying a valid key.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RevocationChecker = exports.verifyLicence = void 0;
+var verify_1 = require("./verify");
+Object.defineProperty(exports, "verifyLicence", { enumerable: true, get: function () { return verify_1.verifyLicence; } });
+var revocation_1 = require("./revocation");
+Object.defineProperty(exports, "RevocationChecker", { enumerable: true, get: function () { return revocation_1.RevocationChecker; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;AAEH,mCAAyC;AAAhC,uGAAA,aAAa,OAAA;AAEtB,2CAAiD;AAAxC,+GAAA,iBAAiB,OAAA"}

package/dist/revocation.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Periodically polls the HULO revocation endpoint and exposes the
+ * latest set of revoked licence ids. Each plugin instantiates one
+ * `RevocationChecker` at boot and reads `getRevokedIds()` whenever it
+ * re-verifies (which is cheap because the JWT check is already
+ * cached).
+ *
+ * Failures (network, 500s) keep the previous cached set in memory so a
+ * brief outage at HULO never disables paid features at the customer's
+ * end. The cache is wiped only when a fresh list arrives.
+ */
+export declare class RevocationChecker {
+    private readonly url;
+    private readonly pollMs;
+    private revokedIds;
+    private timer;
+    private lastFetchedAt;
+    private lastError;
+    constructor(url: string, pollMs?: number);
+    /** Start the background poll. Idempotent. */
+    start(): void;
+    /** Stop the background poll. Useful for tests and graceful shutdown. */
+    stop(): void;
+    getRevokedIds(): Set<string>;
+    getStatus(): {
+        lastFetchedAt: Date | null;
+        count: number;
+        lastError: string | null;
+    };
+    /** Force an immediate refresh — useful from a CLI / admin button. */
+    refresh(): Promise<void>;
+}
+//# sourceMappingURL=revocation.d.ts.map

package/dist/revocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../src/revocation.ts"],"names":[],"mappings":"AAUA;;;;;;;;;;GAUG;AACH,qBAAa,iBAAiB;IAOtB,OAAO,CAAC,QAAQ,CAAC,GAAG;IACpB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAP3B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,aAAa,CAAqB;IAC1C,OAAO,CAAC,SAAS,CAAuB;gBAGnB,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,MAAgC;IAG7D,6CAA6C;IAC7C,KAAK,IAAI,IAAI;IAUb,wEAAwE;IACxE,IAAI,IAAI,IAAI;IAOZ,aAAa,IAAI,GAAG,CAAC,MAAM,CAAC;IAI5B,SAAS,IAAI;QAAE,aAAa,EAAE,IAAI,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;IAQpF,qEAAqE;IAC/D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CA0BjC"}

package/dist/revocation.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RevocationChecker = void 0;
+const core_1 = require("@vendure/core");
+const loggerCtx = 'LicenceSdk:Revocation';
+/**
+ * Periodically polls the HULO revocation endpoint and exposes the
+ * latest set of revoked licence ids. Each plugin instantiates one
+ * `RevocationChecker` at boot and reads `getRevokedIds()` whenever it
+ * re-verifies (which is cheap because the JWT check is already
+ * cached).
+ *
+ * Failures (network, 500s) keep the previous cached set in memory so a
+ * brief outage at HULO never disables paid features at the customer's
+ * end. The cache is wiped only when a fresh list arrives.
+ */
+class RevocationChecker {
+    constructor(url, pollMs = 7 * 24 * 60 * 60 * 1000) {
+        this.url = url;
+        this.pollMs = pollMs;
+        this.revokedIds = new Set();
+        this.timer = null;
+        this.lastFetchedAt = null;
+        this.lastError = null;
+    }
+    /** Start the background poll. Idempotent. */
+    start() {
+        if (this.timer)
+            return;
+        // Run the first refresh on the next tick so the host can finish
+        // bootstrapping; subsequent refreshes follow the poll interval.
+        setTimeout(() => this.refresh().catch(() => undefined), 5000);
+        this.timer = setInterval(() => this.refresh().catch(() => undefined), this.pollMs);
+        // Don't keep the Node event loop alive purely for licence polling.
+        if (typeof this.timer.unref === 'function')
+            this.timer.unref();
+    }
+    /** Stop the background poll. Useful for tests and graceful shutdown. */
+    stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+    }
+    getRevokedIds() {
+        return this.revokedIds;
+    }
+    getStatus() {
+        return {
+            lastFetchedAt: this.lastFetchedAt,
+            count: this.revokedIds.size,
+            lastError: this.lastError,
+        };
+    }
+    /** Force an immediate refresh — useful from a CLI / admin button. */
+    async refresh() {
+        try {
+            const controller = new AbortController();
+            const t = setTimeout(() => controller.abort(), 10000);
+            const res = await fetch(this.url, { signal: controller.signal });
+            clearTimeout(t);
+            if (!res.ok) {
+                this.lastError = `HTTP ${res.status}`;
+                core_1.Logger.warn(`Revocation fetch failed: ${this.lastError}`, loggerCtx);
+                return;
+            }
+            const body = await res.json();
+            if (!body || !Array.isArray(body.revoked)) {
+                this.lastError = 'malformed response';
+                core_1.Logger.warn(`Revocation list malformed`, loggerCtx);
+                return;
+            }
+            this.revokedIds = new Set(body.revoked.map(String));
+            this.lastFetchedAt = new Date();
+            this.lastError = null;
+        }
+        catch (e) {
+            this.lastError = (e === null || e === void 0 ? void 0 : e.message) || 'fetch failed';
+            // Soft failure — keep the previously cached set in place.
+            core_1.Logger.warn(`Revocation fetch error: ${this.lastError}`, loggerCtx);
+        }
+    }
+}
+exports.RevocationChecker = RevocationChecker;
+//# sourceMappingURL=revocation.js.map

package/dist/revocation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../src/revocation.ts"],"names":[],"mappings":";;;AAAA,wCAAuC;AAEvC,MAAM,SAAS,GAAG,uBAAuB,CAAC;AAQ1C;;;;;;;;;;GAUG;AACH,MAAa,iBAAiB;IAM1B,YACqB,GAAW,EACX,SAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QADxC,QAAG,GAAH,GAAG,CAAQ;QACX,WAAM,GAAN,MAAM,CAAkC;QAPrD,eAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,UAAK,GAA0B,IAAI,CAAC;QACpC,kBAAa,GAAgB,IAAI,CAAC;QAClC,cAAS,GAAkB,IAAI,CAAC;IAKrC,CAAC;IAEJ,6CAA6C;IAC7C,KAAK;QACD,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QACvB,gEAAgE;QAChE,gEAAgE;QAChE,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,EAAE,IAAK,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACnF,mEAAmE;QACnE,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,UAAU;YAAE,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,wEAAwE;IACxE,IAAI;QACA,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACtB,CAAC;IACL,CAAC;IAED,aAAa;QACT,OAAO,IAAI,CAAC,UAAU,CAAC;IAC3B,CAAC;IAED,SAAS;QACL,OAAO;YACH,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;SAC5B,CAAC;IACN,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,OAAO;QACT,IAAI,CAAC;YACD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,KAAM,CAAC,CAAC;YACvD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,YAAY,CAAC,CAAC,CAAC,CAAC;YAChB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACV,IAAI,CAAC,SAAS,GAAG,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;gBACtC,aAAM,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,CAAC,CAAC;gBACrE,OAAO;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA4B,CAAC;YACxD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxC,IAAI,CAAC,SAAS,GAAG,oBAAoB,CAAC;gBACtC,aAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,SAAS,CAAC,CAAC;gBACpD,OAAO;YACX,CAAC;YACD,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;YACpD,IAAI,CAAC,aAAa,GAAG,IAAI,IAAI,EAAE,CAAC;YAChC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,SAAS,GAAG,CAAA,CAAC,aAAD,CAAC,uBAAD,CAAC,CAAE,OAAO,KAAI,cAAc,CAAC;YAC9C,0DAA0D;YAC1D,aAAM,CAAC,IAAI,CAAC,2BAA2B,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,CAAC,CAAC;QACxE,CAAC;IACL,CAAC;CACJ;AArED,8CAqEC"}

package/dist/types.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Decoded payload from a HULO licence JWT.
+ *
+ * Plugins must check `pluginId` matches their own identifier and that
+ * the host domain matches one of `allowedDomains` (or the wildcard
+ * `*`). The SDK does both checks for you.
+ */
+export interface LicencePayload {
+    /** Stable plugin identifier — e.g. "vendure-plugin-visitor-analytics". */
+    pluginId: string;
+    /** Customer-facing identifier, usually the buyer's email. */
+    customer: string;
+    /** Domains the host install is permitted to run on. Use `["*"]` to
+     *  allow any. Normally one or two domains. */
+    allowedDomains: string[];
+    /** Plan tier, e.g. "starter" / "pro" / "enterprise". Plugins can
+     *  read this to gate per-tier features. */
+    plan: string;
+    /** Issued-at (seconds since epoch). */
+    iat: number;
+    /** Expiry (seconds since epoch). After this the SDK reports
+     *  `valid: false, reason: "expired"`. */
+    exp: number;
+    /** Unique licence id used for revocation lookup. */
+    jti: string;
+}
+/** Result of a `verifyLicence(...)` call. Plugins should branch on
+ *  `valid` and surface `reason` in their admin UI. */
+export interface LicenceStatus {
+    /** `true` only when the JWT signature is valid, the plugin id and
+     *  host domain match, the licence has not expired and it does not
+     *  appear in the revocation list. */
+    valid: boolean;
+    /** Short machine-readable reason — one of `ok`, `missing`,
+     *  `malformed`, `bad-signature`, `plugin-mismatch`,
+     *  `domain-mismatch`, `expired`, `revoked`, `unknown`. */
+    reason: string;
+    /** Decoded payload if the JWT structure was readable, otherwise
+     *  `null`. Available even on some failure paths (`expired`,
+     *  `revoked`) so plugins can show "expired on 2026-12-31". */
+    payload: LicencePayload | null;
+    /** Human-readable message intended for the admin UI. */
+    message: string;
+}
+/** Options the plugin passes to `verifyLicence`. */
+export interface VerifyLicenceOptions {
+    /** The licence JWT supplied by the customer in their plugin
+     *  `init()` config. Pass `undefined` or empty string for unlicensed
+     *  installs — the SDK reports `valid: false, reason: "missing"`. */
+    licenceKey?: string | null;
+    /** Stable identifier of the plugin checking. The SDK rejects the
+     *  licence if the JWT's `pluginId` doesn't match. */
+    pluginId: string;
+    /** Hostname of the install. Compared against `allowedDomains`.
+     *  Read from `process.env.VENDURE_HOST` or the Vendure config when
+     *  available. */
+    host: string;
+    /** RSA public key the SDK uses to verify the JWT signature.
+     *  Embedded in the plugin source code at build time. */
+    publicKey: string;
+    /** Optional set of revoked `jti` values fetched from the
+     *  revocation server. Pass an empty Set for an offline-only check. */
+    revokedIds?: Set<string>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC3B,0EAA0E;IAC1E,QAAQ,EAAE,MAAM,CAAC;IACjB,6DAA6D;IAC7D,QAAQ,EAAE,MAAM,CAAC;IACjB;kDAC8C;IAC9C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;+CAC2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ;6CACyC;IACzC,GAAG,EAAE,MAAM,CAAC;IACZ,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;CACf;AAED;sDACsD;AACtD,MAAM,WAAW,aAAa;IAC1B;;yCAEqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf;;8DAE0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf;;kEAE8D;IAC9D,OAAO,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;CACnB;AAED,oDAAoD;AACpD,MAAM,WAAW,oBAAoB;IACjC;;wEAEoE;IACpE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B;yDACqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB;;qBAEiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb;4DACwD;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB;0EACsE;IACtE,UAAU,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC5B"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/verify.d.ts

@@ -0,0 +1,12 @@
+import { LicenceStatus, VerifyLicenceOptions } from './types';
+/**
+ * Verify a HULO licence JWT. The JWT uses the `RS256` algorithm:
+ * `base64url(header).base64url(payload).base64url(signature)` where the
+ * signature is RSA-SHA256 over the dot-joined header+payload.
+ *
+ * We implement the verification inline (rather than pulling in
+ * `jsonwebtoken`) because it removes a runtime dependency and keeps
+ * the plugin install lean. The JWT format is small and stable.
+ */
+export declare function verifyLicence(opts: VerifyLicenceOptions): LicenceStatus;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AACA,OAAO,EAAkB,aAAa,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAE9E;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,oBAAoB,GAAG,aAAa,CA6DvE"}

package/dist/verify.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyLicence = verifyLicence;
+const crypto_1 = require("crypto");
+/**
+ * Verify a HULO licence JWT. The JWT uses the `RS256` algorithm:
+ * `base64url(header).base64url(payload).base64url(signature)` where the
+ * signature is RSA-SHA256 over the dot-joined header+payload.
+ *
+ * We implement the verification inline (rather than pulling in
+ * `jsonwebtoken`) because it removes a runtime dependency and keeps
+ * the plugin install lean. The JWT format is small and stable.
+ */
+function verifyLicence(opts) {
+    const { licenceKey, pluginId, host, publicKey, revokedIds } = opts;
+    if (!licenceKey || !licenceKey.trim()) {
+        return missing();
+    }
+    const parts = licenceKey.trim().split('.');
+    if (parts.length !== 3)
+        return malformed();
+    const [headerB64, payloadB64, sigB64] = parts;
+    let header;
+    let payload;
+    try {
+        header = JSON.parse(base64UrlDecode(headerB64).toString('utf8'));
+        payload = JSON.parse(base64UrlDecode(payloadB64).toString('utf8'));
+    }
+    catch {
+        return malformed();
+    }
+    if (header.alg !== 'RS256' || header.typ !== 'JWT')
+        return malformed();
+    // Verify the RSA signature.
+    let signatureValid = false;
+    try {
+        const verifier = (0, crypto_1.createVerify)('RSA-SHA256');
+        verifier.update(`${headerB64}.${payloadB64}`);
+        verifier.end();
+        signatureValid = verifier.verify(publicKey, base64UrlDecode(sigB64));
+    }
+    catch {
+        signatureValid = false;
+    }
+    if (!signatureValid)
+        return badSignature(payload);
+    // Structural checks.
+    if (!payload.pluginId || payload.pluginId !== pluginId) {
+        return pluginMismatch(payload);
+    }
+    if (!Array.isArray(payload.allowedDomains))
+        return malformed();
+    const hostNorm = (host || '').toLowerCase().replace(/^https?:\/\//, '').replace(/\/.*$/, '');
+    const matchesDomain = payload.allowedDomains.some(d => {
+        const dn = (d || '').toLowerCase().trim();
+        return dn === '*' || dn === hostNorm
+            || (dn.startsWith('*.') && hostNorm.endsWith(dn.slice(1)));
+    });
+    if (!matchesDomain)
+        return domainMismatch(payload, hostNorm);
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < nowSec)
+        return expired(payload);
+    if (revokedIds && payload.jti && revokedIds.has(payload.jti)) {
+        return revoked(payload);
+    }
+    return {
+        valid: true,
+        reason: 'ok',
+        payload,
+        message: `Licensed to ${payload.customer} (${payload.plan}); expires ${formatExpiry(payload.exp)}.`,
+    };
+}
+// --- Status factories ------------------------------------------------------
+function missing() {
+    return {
+        valid: false,
+        reason: 'missing',
+        payload: null,
+        message: 'No licence key configured. The plugin will run in unlicensed (degraded) mode.',
+    };
+}
+function malformed() {
+    return {
+        valid: false,
+        reason: 'malformed',
+        payload: null,
+        message: 'Licence key is malformed. Re-copy the key from your purchase confirmation.',
+    };
+}
+function badSignature(payload) {
+    return {
+        valid: false,
+        reason: 'bad-signature',
+        payload,
+        message: 'Licence signature failed verification. The key may be tampered with — contact support.',
+    };
+}
+function pluginMismatch(payload) {
+    return {
+        valid: false,
+        reason: 'plugin-mismatch',
+        payload,
+        message: `Licence is for "${payload.pluginId}" but the plugin checking is different — wrong key?`,
+    };
+}
+function domainMismatch(payload, host) {
+    return {
+        valid: false,
+        reason: 'domain-mismatch',
+        payload,
+        message: `Licence does not cover host "${host}". Allowed: ${payload.allowedDomains.join(', ')}.`,
+    };
+}
+function expired(payload) {
+    return {
+        valid: false,
+        reason: 'expired',
+        payload,
+        message: `Licence expired on ${formatExpiry(payload.exp)}. Renew to re-enable paid features.`,
+    };
+}
+function revoked(payload) {
+    return {
+        valid: false,
+        reason: 'revoked',
+        payload,
+        message: 'Licence has been revoked. Contact support if this is unexpected.',
+    };
+}
+// --- Helpers ---------------------------------------------------------------
+function base64UrlDecode(s) {
+    const norm = s.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = norm.length % 4 ? norm + '='.repeat(4 - (norm.length % 4)) : norm;
+    return Buffer.from(pad, 'base64');
+}
+function formatExpiry(secSinceEpoch) {
+    if (!secSinceEpoch)
+        return 'never';
+    return new Date(secSinceEpoch * 1000).toISOString().slice(0, 10);
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";;AAYA,sCA6DC;AAzED,mCAAsC;AAGtC;;;;;;;;GAQG;AACH,SAAgB,aAAa,CAAC,IAA0B;IACpD,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC;IAEnE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;QACpC,OAAO,OAAO,EAAE,CAAC;IACrB,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,EAAE,CAAC;IAE3C,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IAC9C,IAAI,MAAW,CAAC;IAChB,IAAI,OAAuB,CAAC;IAC5B,IAAI,CAAC;QACD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACjE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,EAAE,CAAC;IACvB,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK;QAAE,OAAO,SAAS,EAAE,CAAC;IAEvE,4BAA4B;IAC5B,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,IAAA,qBAAY,EAAC,YAAY,CAAC,CAAC;QAC5C,QAAQ,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC;QAC9C,QAAQ,CAAC,GAAG,EAAE,CAAC;QACf,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACL,cAAc,GAAG,KAAK,CAAC;IAC3B,CAAC;IACD,IAAI,CAAC,cAAc;QAAE,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;IAElD,qBAAqB;IACrB,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACrD,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC;QAAE,OAAO,SAAS,EAAE,CAAC;IAE/D,MAAM,QAAQ,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC7F,MAAM,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QAClD,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,QAAQ;eAC7B,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,aAAa;QAAE,OAAO,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,MAAM;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;IAEjE,IAAI,UAAU,IAAI,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3D,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO;QACH,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,OAAO;QACP,OAAO,EAAE,eAAe,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,IAAI,cAAc,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG;KACtG,CAAC;AACN,CAAC;AAED,8EAA8E;AAE9E,SAAS,OAAO;IACZ,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,+EAA+E;KAC3F,CAAC;AACN,CAAC;AACD,SAAS,SAAS;IACd,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,WAAW;QACnB,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,4EAA4E;KACxF,CAAC;AACN,CAAC;AACD,SAAS,YAAY,CAAC,OAAuB;IACzC,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,eAAe;QACvB,OAAO;QACP,OAAO,EAAE,wFAAwF;KACpG,CAAC;AACN,CAAC;AACD,SAAS,cAAc,CAAC,OAAuB;IAC3C,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,iBAAiB;QACzB,OAAO;QACP,OAAO,EAAE,mBAAmB,OAAO,CAAC,QAAQ,qDAAqD;KACpG,CAAC;AACN,CAAC;AACD,SAAS,cAAc,CAAC,OAAuB,EAAE,IAAY;IACzD,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,iBAAiB;QACzB,OAAO;QACP,OAAO,EAAE,gCAAgC,IAAI,eAAe,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KACnG,CAAC;AACN,CAAC;AACD,SAAS,OAAO,CAAC,OAAuB;IACpC,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,SAAS;QACjB,OAAO;QACP,OAAO,EAAE,sBAAsB,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,qCAAqC;KAChG,CAAC;AACN,CAAC;AACD,SAAS,OAAO,CAAC,OAAuB;IACpC,OAAO;QACH,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,SAAS;QACjB,OAAO;QACP,OAAO,EAAE,kEAAkE;KAC9E,CAAC;AACN,CAAC;AAED,8EAA8E;AAE9E,SAAS,eAAe,CAAC,CAAS;IAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,YAAY,CAAC,aAAqB;IACvC,IAAI,CAAC,aAAa;QAAE,OAAO,OAAO,CAAC;IACnC,OAAO,IAAI,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC"}

package/package.json

@@ -0,0 +1,39 @@
+{
+    "name": "@huloglobal/vendure-licence-sdk",
+    "version": "0.1.0",
+    "description": "Licence validation helpers for HULO Vendure plugins. JWT verification, revocation polling and an admin status check used by paid HULO plugins to confirm the host installation is licensed.",
+    "license": "SEE LICENSE IN LICENSE",
+    "author": "Wayne Garrison <wayne@garrison.me.uk>",
+    "homepage": "https://github.com/exceeded/vendure-licence-sdk",
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/exceeded/vendure-licence-sdk.git"
+    },
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "files": [
+        "dist",
+        "README.md",
+        "CHANGELOG.md",
+        "LICENSE"
+    ],
+    "scripts": {
+        "build": "tsc -p tsconfig.json",
+        "prepublishOnly": "yarn build"
+    },
+    "peerDependencies": {
+        "@vendure/core": ">=3.0.0",
+        "@nestjs/common": ">=10.0.0"
+    },
+    "devDependencies": {
+        "@nestjs/common": "^10.0.0",
+        "@vendure/core": "^3.6.0",
+        "typescript": "^5.4.0"
+    },
+    "keywords": [
+        "vendure",
+        "vendure-plugin",
+        "licence",
+        "license"
+    ]
+}