@moontra/moonui-pro 2.37.1 → 2.37.2

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@moontra/moonui-pro",
-    "version": "2.37.1",
+    "version": "2.37.2",
     "description": "Premium React components for MoonUI - Advanced UI library with 50+ pro components including performance, interactive, and gesture components",
     "type": "module",
     "main": "dist/index.mjs",

package/templates/validate-pro-route.ts

@@ -17,6 +17,8 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { cookies, headers } from 'next/headers';
 import crypto from 'crypto';
+import os from 'os';
+import { execSync } from 'child_process';
 
 // Security checksum - DO NOT MODIFY
 const SECURITY_CHECKSUM = process.env.MOONUI_SECURITY_HASH ||
@@ -40,21 +42,107 @@ const validationCache = new Map<string, {
   expiresAt: number;
 }>();
 
+/**
+ * Get MAC address for hardware fingerprinting
+ */
+function getMacAddress(): string {
+  try {
+    const platform = os.platform();
+    let command: string;
+
+    switch (platform) {
+      case 'darwin':
+        command = "ifconfig | grep ether | head -1 | awk '{print $2}'";
+        break;
+      case 'linux':
+        command = "ip link show | grep ether | head -1 | awk '{print $2}'";
+        break;
+      case 'win32':
+        command = 'getmac /NH /FO csv | findstr /r "^"';
+        break;
+      default:
+        return 'unknown-mac';
+    }
+
+    const result = execSync(command, { encoding: 'utf8' }).trim();
+    const match = result.match(/([a-f0-9:]+)/i);
+
+    if (match && match[1]) {
+      return match[1].replace(/[:-]/g, '').toLowerCase();
+    }
+
+    // Fallback to network interfaces
+    const interfaces = os.networkInterfaces();
+    for (const name in interfaces) {
+      const iface = interfaces[name];
+      if (iface) {
+        for (const entry of iface) {
+          if (entry.mac && entry.mac !== '00:00:00:00:00:00') {
+            return entry.mac.replace(/[:-]/g, '').toLowerCase();
+          }
+        }
+      }
+    }
+    return 'fallback-mac';
+  } catch (error) {
+    console.error('[Hardware] Error getting MAC:', error);
+    return 'error-mac';
+  }
+}
+
+/**
+ * Generate hardware-based device fingerprint
+ * Format: hw-{platform}-{macHash}-{cpuHash}
+ */
+function generateHardwareFingerprint(): string {
+  const platform = os.platform();
+  const macAddress = getMacAddress();
+  const cpuCount = os.cpus().length;
+  const totalMem = Math.round(os.totalmem() / (1024 * 1024 * 1024)); // GB
+  const hostname = os.hostname();
+
+  // Create hashes
+  const macHash = crypto.createHash('sha256')
+    .update(macAddress)
+    .digest('hex')
+    .substring(0, 8);
+
+  const systemHash = crypto.createHash('sha256')
+    .update(`${cpuCount}:${totalMem}:${hostname}`)
+    .digest('hex')
+    .substring(0, 6);
+
+  return `hw-${platform}-${macHash}-${systemHash}`;
+}
+
 /**
  * Generate a device fingerprint from request headers
+ * Combines hardware fingerprint with browser characteristics
  */
 async function getDeviceFingerprint(request: NextRequest): Promise<string> {
-  const headersList = await headers();
-  const ua = headersList.get('user-agent') || 'unknown';
-  const lang = headersList.get('accept-language') || 'unknown';
-  const ip = headersList.get('x-forwarded-for') ||
-              headersList.get('x-real-ip') ||
-              'unknown';
+  // In development with CLI auth, generate hardware-based fingerprint
+  if (process.env.NODE_ENV === 'development') {
+    // Use hardware fingerprint for maximum security
+    const hardwareId = generateHardwareFingerprint();
+
+    // If CLI device ID is set, validate it matches hardware
+    if (process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID) {
+      const cliDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
+
+      // For backward compatibility, accept both old and new format
+      if (cliDeviceId.startsWith('hw-')) {
+        return cliDeviceId; // New hardware-based format
+      } else {
+        console.log('[MoonUI] Migrating to hardware-based device ID');
+        return hardwareId; // Use new hardware ID
+      }
+    }
 
-  return crypto
-    .createHash('sha256')
-    .update(`${ua}|${lang}|${ip}`)
-    .digest('hex');
+    return hardwareId;
+  }
+
+  // In production, use hardware fingerprint
+  return generateHardwareFingerprint();
 }
 
 /**
@@ -93,20 +181,56 @@ async function validateWithMoonUIServer(
     const devToken = process.env.NEXT_PUBLIC_MOONUI_DEV_TOKEN;
     const devDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
 
-    if (devToken && devDeviceId === deviceId) {
+    console.log('[MoonUI Dev Auth] Checking CLI authentication:');
+    console.log('[MoonUI Dev Auth] Device IDs match:', devDeviceId === deviceId);
+
+    // STRICT DEVICE ID VALIDATION - Prevent token sharing
+    if (devToken && devDeviceId && devDeviceId === deviceId) {
       try {
         // Decode the dev token
         const decoded = JSON.parse(Buffer.from(devToken, 'base64').toString());
+
+        // Verify token structure and session
+        if (!decoded.deviceId || !decoded.session || !decoded.security) {
+          console.error('[MoonUI Security] Invalid token structure');
+          return { valid: false, hasProAccess: false };
+        }
+
+        // Verify device ID in token matches
+        if (decoded.deviceId !== devDeviceId) {
+          console.error('[MoonUI Security] Token device ID mismatch');
+          return { valid: false, hasProAccess: false };
+        }
+
+        // Verify session hasn't expired
+        if (decoded.session?.expiresAt && decoded.session.expiresAt < Date.now()) {
+          console.error('[MoonUI Security] Token session expired');
+          return { valid: false, hasProAccess: false };
+        }
+
+        console.log('[MoonUI Dev Auth] Token validated successfully');
+        console.log('[MoonUI Dev Auth] User plan:', decoded.user?.plan);
+
         if (decoded.user?.plan === 'pro_lifetime' || decoded.user?.hasProAccess) {
+          console.log('[MoonUI Dev Auth] Pro access granted via CLI token');
           return {
             valid: true,
             hasProAccess: true,
-            plan: 'lifetime'
+            plan: decoded.user?.plan || 'lifetime'
           };
         }
       } catch (e) {
-        console.error('[MoonUI] Error parsing dev token:', e);
+        console.error('[MoonUI Security] Error parsing dev token:', e);
+        return { valid: false, hasProAccess: false };
       }
+    } else if (devToken && !devDeviceId) {
+      console.warn('[MoonUI Security] Token found but no device ID - possible token sharing attempt');
+      return { valid: false, hasProAccess: false };
+    } else if (devDeviceId !== deviceId) {
+      console.warn('[MoonUI Security] Device ID mismatch - token not valid for this device');
+      console.warn('[MoonUI Security] This token is locked to device:', devDeviceId);
+      console.warn('[MoonUI Security] Current device:', deviceId);
+      return { valid: false, hasProAccess: false };
     }
   }
 
@@ -178,7 +302,9 @@ function verifyRequestIntegrity(request: NextRequest): boolean {
   const suspiciousHeaders = [
     'x-moonui-bypass',
     'x-force-pro',
-    'x-admin-override'
+    'x-admin-override',
+    'x-moonui-device-override',
+    'x-moonui-token-override'
   ];
 
   for (const header of suspiciousHeaders) {
@@ -188,6 +314,19 @@ function verifyRequestIntegrity(request: NextRequest): boolean {
     }
   }
 
+  // Check for proxy/VPN indicators
+  const proxyHeaders = [
+    'x-proxy-connection',
+    'x-forwarded-server',
+    'x-originating-ip',
+    'x-remote-ip'
+  ];
+
+  const hasProxy = proxyHeaders.some(header => request.headers.has(header));
+  if (hasProxy) {
+    console.warn('[MoonUI Security] Proxy/VPN detected - additional validation required');
+  }
+
   return true;
 }