@mooncompany/uplink-chat 0.5.0

package/server/premium/license.js

@@ -0,0 +1,140 @@
+/**
+ * License Validation Module
+ * 
+ * Validates Uplink Premium license keys using HMAC-SHA256.
+ * 
+ * Key format: UPL-XXXXX-XXXXX-XXXXX-XXXXX
+ * 
+ * Structure:
+ *   - First 10 base32 chars (6 bytes): random payload
+ *   - Last 10 base32 chars (6 bytes): truncated HMAC-SHA256 tag
+ * 
+ * The HMAC secret is derived from multiple components to avoid
+ * a single obvious string in the source code.
+ */
+
+import { createHmac } from 'crypto';
+
+// Key derivation components — split across the file to avoid easy grep
+// These combine to form the HMAC signing key
+const _a = Buffer.from('7570-6c69-6e6b', 'hex'); // part 1
+const _b = Buffer.from('2e70-7265-6d69-756d', 'hex'); // part 2  
+const _c = Buffer.from('2e6c-6963-656e-7365', 'hex'); // part 3
+const _d = Buffer.from('2e76-3031', 'hex'); // part 4
+
+function _dk() {
+  // Derive signing key from components + additional mixing
+  const base = Buffer.concat([_a, _b, _c, _d]);
+  return createHmac('sha256', 'uplink-key-derivation')
+    .update(base)
+    .digest();
+}
+
+// Base32 alphabet (Crockford variant — no I/L/O/U to avoid confusion)
+const B32 = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';
+
+function base32Encode(buffer) {
+  let result = '';
+  let bits = 0;
+  let value = 0;
+  for (const byte of buffer) {
+    value = (value << 8) | byte;
+    bits += 8;
+    while (bits >= 5) {
+      bits -= 5;
+      result += B32[(value >>> bits) & 0x1f];
+    }
+  }
+  if (bits > 0) {
+    result += B32[(value << (5 - bits)) & 0x1f];
+  }
+  return result;
+}
+
+function base32Decode(str) {
+  const lookup = {};
+  for (let i = 0; i < B32.length; i++) {
+    lookup[B32[i]] = i;
+  }
+  // Also accept lowercase
+  for (let i = 0; i < B32.length; i++) {
+    lookup[B32[i].toLowerCase()] = i;
+  }
+
+  let bits = 0;
+  let value = 0;
+  const bytes = [];
+  for (const char of str) {
+    const v = lookup[char];
+    if (v === undefined) return null;
+    value = (value << 5) | v;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      bytes.push((value >>> bits) & 0xff);
+    }
+  }
+  return Buffer.from(bytes);
+}
+
+/**
+ * Validate a license key
+ * @param {string} key - License key (e.g. UPL-A1B2C-D3E4F-G5H6J-K7M8N)
+ * @returns {{ valid: boolean, error?: string }}
+ */
+export function validateLicense(key) {
+  if (!key || typeof key !== 'string') {
+    return { valid: false, error: 'No license key provided' };
+  }
+
+  // Normalize: remove prefix, dashes, whitespace, uppercase
+  const cleaned = key.trim().toUpperCase().replace(/^UPL-/, '').replace(/[-\s]/g, '');
+
+  // Should be exactly 20 base32 chars (10 payload + 10 tag)
+  if (cleaned.length !== 20) {
+    return { valid: false, error: 'Invalid key format' };
+  }
+
+  // Split into payload and tag
+  const payloadStr = cleaned.slice(0, 10);
+  const tagStr = cleaned.slice(10);
+
+  const payload = base32Decode(payloadStr);
+  const tag = base32Decode(tagStr);
+
+  if (!payload || !tag) {
+    return { valid: false, error: 'Invalid key format' };
+  }
+
+  // Canonicalize: re-encode decoded bytes and compare to input
+  // This prevents padding bit variants from being treated as different keys
+  if (base32Encode(payload).slice(0, 10) !== payloadStr || 
+      base32Encode(tag).slice(0, 10) !== tagStr) {
+    return { valid: false, error: 'Invalid key format' };
+  }
+
+  // Compute expected HMAC tag
+  const signingKey = _dk();
+  const expectedTag = createHmac('sha256', signingKey)
+    .update(payload)
+    .digest()
+    .slice(0, 6); // Truncate to 6 bytes (matches tag length)
+
+  // Constant-time comparison
+  if (expectedTag.length !== tag.length) {
+    return { valid: false, error: 'Invalid license key' };
+  }
+
+  let diff = 0;
+  for (let i = 0; i < expectedTag.length; i++) {
+    diff |= expectedTag[i] ^ tag[i];
+  }
+
+  if (diff !== 0) {
+    return { valid: false, error: 'Invalid license key' };
+  }
+
+  return { valid: true };
+}
+
+export default { validateLicense };