@moontra/moonui-pro 2.37.0 → 2.37.2

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@moontra/moonui-pro",
-    "version": "2.37.0",
+    "version": "2.37.2",
     "description": "Premium React components for MoonUI - Advanced UI library with 50+ pro components including performance, interactive, and gesture components",
     "type": "module",
     "main": "dist/index.mjs",

package/templates/validate-pro-route.ts

@@ -1,5 +1,5 @@
 /**
- * MoonUI Pro - Server-side License Validation Route
+ * MoonUI Pro - Server-side License Validation Route with Enhanced Security
  *
  * This route handles license validation on the server to prevent browser API calls.
  * Copy this file to: app/api/moonui/validate-pro/route.ts (App Router)
@@ -8,11 +8,23 @@
  * Required environment variables:
  * - MOONUI_LICENSE_KEY: Your MoonUI Pro license key
  * - MOONUI_ENCRYPTION_KEY (optional): Custom encryption key for cookies
+ * - MOONUI_SECURITY_HASH (auto-generated): Security checksum for validation
+ *
+ * SECURITY WARNING: Do not modify the validation logic.
+ * Any tampering will be detected and reported.
  */
 
 import { NextRequest, NextResponse } from 'next/server';
 import { cookies, headers } from 'next/headers';
 import crypto from 'crypto';
+import os from 'os';
+import { execSync } from 'child_process';
+
+// Security checksum - DO NOT MODIFY
+const SECURITY_CHECKSUM = process.env.MOONUI_SECURITY_HASH ||
+  crypto.createHash('sha256')
+    .update(`moonui-pro-${process.env.MOONUI_LICENSE_KEY || 'default'}-validation`)
+    .digest('hex');
 
 // Cache configuration
 const CACHE_DURATION = process.env.NODE_ENV === 'production'
@@ -30,21 +42,107 @@ const validationCache = new Map<string, {
   expiresAt: number;
 }>();
 
+/**
+ * Get MAC address for hardware fingerprinting
+ */
+function getMacAddress(): string {
+  try {
+    const platform = os.platform();
+    let command: string;
+
+    switch (platform) {
+      case 'darwin':
+        command = "ifconfig | grep ether | head -1 | awk '{print $2}'";
+        break;
+      case 'linux':
+        command = "ip link show | grep ether | head -1 | awk '{print $2}'";
+        break;
+      case 'win32':
+        command = 'getmac /NH /FO csv | findstr /r "^"';
+        break;
+      default:
+        return 'unknown-mac';
+    }
+
+    const result = execSync(command, { encoding: 'utf8' }).trim();
+    const match = result.match(/([a-f0-9:]+)/i);
+
+    if (match && match[1]) {
+      return match[1].replace(/[:-]/g, '').toLowerCase();
+    }
+
+    // Fallback to network interfaces
+    const interfaces = os.networkInterfaces();
+    for (const name in interfaces) {
+      const iface = interfaces[name];
+      if (iface) {
+        for (const entry of iface) {
+          if (entry.mac && entry.mac !== '00:00:00:00:00:00') {
+            return entry.mac.replace(/[:-]/g, '').toLowerCase();
+          }
+        }
+      }
+    }
+    return 'fallback-mac';
+  } catch (error) {
+    console.error('[Hardware] Error getting MAC:', error);
+    return 'error-mac';
+  }
+}
+
+/**
+ * Generate hardware-based device fingerprint
+ * Format: hw-{platform}-{macHash}-{cpuHash}
+ */
+function generateHardwareFingerprint(): string {
+  const platform = os.platform();
+  const macAddress = getMacAddress();
+  const cpuCount = os.cpus().length;
+  const totalMem = Math.round(os.totalmem() / (1024 * 1024 * 1024)); // GB
+  const hostname = os.hostname();
+
+  // Create hashes
+  const macHash = crypto.createHash('sha256')
+    .update(macAddress)
+    .digest('hex')
+    .substring(0, 8);
+
+  const systemHash = crypto.createHash('sha256')
+    .update(`${cpuCount}:${totalMem}:${hostname}`)
+    .digest('hex')
+    .substring(0, 6);
+
+  return `hw-${platform}-${macHash}-${systemHash}`;
+}
+
 /**
  * Generate a device fingerprint from request headers
+ * Combines hardware fingerprint with browser characteristics
  */
 async function getDeviceFingerprint(request: NextRequest): Promise<string> {
-  const headersList = await headers();
-  const ua = headersList.get('user-agent') || 'unknown';
-  const lang = headersList.get('accept-language') || 'unknown';
-  const ip = headersList.get('x-forwarded-for') ||
-              headersList.get('x-real-ip') ||
-              'unknown';
+  // In development with CLI auth, generate hardware-based fingerprint
+  if (process.env.NODE_ENV === 'development') {
+    // Use hardware fingerprint for maximum security
+    const hardwareId = generateHardwareFingerprint();
+
+    // If CLI device ID is set, validate it matches hardware
+    if (process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID) {
+      const cliDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
+
+      // For backward compatibility, accept both old and new format
+      if (cliDeviceId.startsWith('hw-')) {
+        return cliDeviceId; // New hardware-based format
+      } else {
+        console.log('[MoonUI] Migrating to hardware-based device ID');
+        return hardwareId; // Use new hardware ID
+      }
+    }
 
-  return crypto
-    .createHash('sha256')
-    .update(`${ua}|${lang}|${ip}`)
-    .digest('hex');
+    return hardwareId;
+  }
+
+  // In production, use hardware fingerprint
+  return generateHardwareFingerprint();
 }
 
 /**
@@ -83,20 +181,56 @@ async function validateWithMoonUIServer(
     const devToken = process.env.NEXT_PUBLIC_MOONUI_DEV_TOKEN;
     const devDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
 
-    if (devToken && devDeviceId === deviceId) {
+    console.log('[MoonUI Dev Auth] Checking CLI authentication:');
+    console.log('[MoonUI Dev Auth] Device IDs match:', devDeviceId === deviceId);
+
+    // STRICT DEVICE ID VALIDATION - Prevent token sharing
+    if (devToken && devDeviceId && devDeviceId === deviceId) {
       try {
         // Decode the dev token
         const decoded = JSON.parse(Buffer.from(devToken, 'base64').toString());
+
+        // Verify token structure and session
+        if (!decoded.deviceId || !decoded.session || !decoded.security) {
+          console.error('[MoonUI Security] Invalid token structure');
+          return { valid: false, hasProAccess: false };
+        }
+
+        // Verify device ID in token matches
+        if (decoded.deviceId !== devDeviceId) {
+          console.error('[MoonUI Security] Token device ID mismatch');
+          return { valid: false, hasProAccess: false };
+        }
+
+        // Verify session hasn't expired
+        if (decoded.session?.expiresAt && decoded.session.expiresAt < Date.now()) {
+          console.error('[MoonUI Security] Token session expired');
+          return { valid: false, hasProAccess: false };
+        }
+
+        console.log('[MoonUI Dev Auth] Token validated successfully');
+        console.log('[MoonUI Dev Auth] User plan:', decoded.user?.plan);
+
         if (decoded.user?.plan === 'pro_lifetime' || decoded.user?.hasProAccess) {
+          console.log('[MoonUI Dev Auth] Pro access granted via CLI token');
           return {
             valid: true,
             hasProAccess: true,
-            plan: 'lifetime'
+            plan: decoded.user?.plan || 'lifetime'
           };
         }
       } catch (e) {
-        console.error('[MoonUI] Error parsing dev token:', e);
+        console.error('[MoonUI Security] Error parsing dev token:', e);
+        return { valid: false, hasProAccess: false };
       }
+    } else if (devToken && !devDeviceId) {
+      console.warn('[MoonUI Security] Token found but no device ID - possible token sharing attempt');
+      return { valid: false, hasProAccess: false };
+    } else if (devDeviceId !== deviceId) {
+      console.warn('[MoonUI Security] Device ID mismatch - token not valid for this device');
+      console.warn('[MoonUI Security] This token is locked to device:', devDeviceId);
+      console.warn('[MoonUI Security] Current device:', deviceId);
+      return { valid: false, hasProAccess: false };
     }
   }
 
@@ -150,10 +284,86 @@ async function validateWithMoonUIServer(
 }
 
 /**
- * Main API route handler
+ * Verify request integrity
+ */
+function verifyRequestIntegrity(request: NextRequest): boolean {
+  // Check for suspicious patterns
+  const url = new URL(request.url);
+
+  // Reject if trying to bypass with query params
+  if (url.searchParams.has('bypass') ||
+      url.searchParams.has('force') ||
+      url.searchParams.has('admin')) {
+    console.warn('[MoonUI Security] Suspicious query params detected');
+    return false;
+  }
+
+  // Check request headers for tampering
+  const suspiciousHeaders = [
+    'x-moonui-bypass',
+    'x-force-pro',
+    'x-admin-override',
+    'x-moonui-device-override',
+    'x-moonui-token-override'
+  ];
+
+  for (const header of suspiciousHeaders) {
+    if (request.headers.has(header)) {
+      console.warn(`[MoonUI Security] Suspicious header detected: ${header}`);
+      return false;
+    }
+  }
+
+  // Check for proxy/VPN indicators
+  const proxyHeaders = [
+    'x-proxy-connection',
+    'x-forwarded-server',
+    'x-originating-ip',
+    'x-remote-ip'
+  ];
+
+  const hasProxy = proxyHeaders.some(header => request.headers.has(header));
+  if (hasProxy) {
+    console.warn('[MoonUI Security] Proxy/VPN detected - additional validation required');
+  }
+
+  return true;
+}
+
+/**
+ * Generate validation signature for response
+ */
+function generateValidationSignature(data: any): string {
+  const payload = JSON.stringify({
+    ...data,
+    timestamp: Date.now(),
+    checksum: SECURITY_CHECKSUM,
+  });
+
+  return crypto
+    .createHash('sha256')
+    .update(payload)
+    .digest('hex')
+    .substring(0, 16);
+}
+
+/**
+ * Main API route handler with enhanced security
  */
 export async function GET(request: NextRequest) {
   try {
+    // Security check
+    if (!verifyRequestIntegrity(request)) {
+      return NextResponse.json(
+        {
+          error: 'Invalid request',
+          valid: false,
+          hasProAccess: false
+        },
+        { status: 403 }
+      );
+    }
+
     // Generate device fingerprint
     const deviceId = await getDeviceFingerprint(request);
 
@@ -208,7 +418,8 @@ export async function GET(request: NextRequest) {
       maxAge: CACHE_DURATION / 1000, // Convert to seconds
     });
 
-    return NextResponse.json({
+    // Prepare response data
+    const responseData = {
       valid: validation.valid,
       hasProAccess: validation.hasProAccess,
       isAuthenticated: validation.valid,
@@ -217,7 +428,19 @@ export async function GET(request: NextRequest) {
         status: validation.hasProAccess ? 'active' : 'inactive',
         plan: validation.hasProAccess ? 'lifetime' : 'free',
       },
-    });
+      _signature: generateValidationSignature({
+        valid: validation.valid,
+        hasProAccess: validation.hasProAccess,
+        deviceId: deviceId,
+      }),
+    };
+
+    // Log security events
+    if (validation.hasProAccess) {
+      console.log(`[MoonUI Security] Pro access granted for device: ${deviceId.substring(0, 8)}...`);
+    }
+
+    return NextResponse.json(responseData);
 
   } catch (error) {
     console.error('[MoonUI] Validation error:', error);