@moontra/moonui-pro 2.37.5 → 2.37.7

package/templates/validate-pro-route.ts

@@ -1,475 +0,0 @@
-/**
- * MoonUI Pro - Server-side License Validation Route with Enhanced Security
- *
- * This route handles license validation on the server to prevent browser API calls.
- * Copy this file to: app/api/moonui/validate-pro/route.ts (App Router)
- * Or: pages/api/moonui/validate-pro.ts (Pages Router)
- *
- * Required environment variables:
- * - MOONUI_LICENSE_KEY: Your MoonUI Pro license key
- * - MOONUI_ENCRYPTION_KEY (optional): Custom encryption key for cookies
- * - MOONUI_SECURITY_HASH (auto-generated): Security checksum for validation
- *
- * SECURITY WARNING: Do not modify the validation logic.
- * Any tampering will be detected and reported.
- */
-
-import { NextRequest, NextResponse } from 'next/server';
-import { cookies, headers } from 'next/headers';
-import crypto from 'crypto';
-import os from 'os';
-import { execSync } from 'child_process';
-
-// Security checksum - DO NOT MODIFY
-const SECURITY_CHECKSUM = process.env.MOONUI_SECURITY_HASH ||
-  crypto.createHash('sha256')
-    .update(`moonui-pro-${process.env.MOONUI_LICENSE_KEY || 'default'}-validation`)
-    .digest('hex');
-
-// Cache configuration
-const CACHE_DURATION = process.env.NODE_ENV === 'production'
-  ? 24 * 60 * 60 * 1000  // 24 hours in production
-  : 60 * 60 * 1000;      // 1 hour in development
-
-// Rate limiting
-const rateLimitCache = new Map<string, { count: number; resetAt: number }>();
-
-// In-memory validation cache
-const validationCache = new Map<string, {
-  valid: boolean;
-  hasProAccess: boolean;
-  timestamp: number;
-  expiresAt: number;
-}>();
-
-/**
- * Get MAC address for hardware fingerprinting
- */
-function getMacAddress(): string {
-  try {
-    const platform = os.platform();
-    let command: string;
-
-    switch (platform) {
-      case 'darwin':
-        command = "ifconfig | grep ether | head -1 | awk '{print $2}'";
-        break;
-      case 'linux':
-        command = "ip link show | grep ether | head -1 | awk '{print $2}'";
-        break;
-      case 'win32':
-        command = 'getmac /NH /FO csv | findstr /r "^"';
-        break;
-      default:
-        return 'unknown-mac';
-    }
-
-    const result = execSync(command, { encoding: 'utf8' }).trim();
-    const match = result.match(/([a-f0-9:]+)/i);
-
-    if (match && match[1]) {
-      return match[1].replace(/[:-]/g, '').toLowerCase();
-    }
-
-    // Fallback to network interfaces
-    const interfaces = os.networkInterfaces();
-    for (const name in interfaces) {
-      const iface = interfaces[name];
-      if (iface) {
-        for (const entry of iface) {
-          if (entry.mac && entry.mac !== '00:00:00:00:00:00') {
-            return entry.mac.replace(/[:-]/g, '').toLowerCase();
-          }
-        }
-      }
-    }
-    return 'fallback-mac';
-  } catch (error) {
-    console.error('[Hardware] Error getting MAC:', error);
-    return 'error-mac';
-  }
-}
-
-/**
- * Generate hardware-based device fingerprint
- * Format: hw-{platform}-{macHash}-{cpuHash}
- */
-function generateHardwareFingerprint(): string {
-  const platform = os.platform();
-  const macAddress = getMacAddress();
-  const cpuCount = os.cpus().length;
-  const totalMem = Math.round(os.totalmem() / (1024 * 1024 * 1024)); // GB
-  const hostname = os.hostname();
-
-  // Create hashes
-  const macHash = crypto.createHash('sha256')
-    .update(macAddress)
-    .digest('hex')
-    .substring(0, 8);
-
-  const systemHash = crypto.createHash('sha256')
-    .update(`${cpuCount}:${totalMem}:${hostname}`)
-    .digest('hex')
-    .substring(0, 6);
-
-  return `hw-${platform}-${macHash}-${systemHash}`;
-}
-
-/**
- * Generate a device fingerprint from request headers
- * Combines hardware fingerprint with browser characteristics
- */
-async function getDeviceFingerprint(request: NextRequest): Promise<string> {
-  // In development with CLI auth, generate hardware-based fingerprint
-  if (process.env.NODE_ENV === 'development') {
-    // Use hardware fingerprint for maximum security
-    const hardwareId = generateHardwareFingerprint();
-
-    // If CLI device ID is set, validate it matches hardware
-    if (process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID) {
-      const cliDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
-
-      // For backward compatibility, accept both old and new format
-      if (cliDeviceId.startsWith('hw-')) {
-        return cliDeviceId; // New hardware-based format
-      } else {
-        console.log('[MoonUI] Migrating to hardware-based device ID');
-        return hardwareId; // Use new hardware ID
-      }
-    }
-
-    return hardwareId;
-  }
-
-  // In production, use hardware fingerprint
-  return generateHardwareFingerprint();
-}
-
-/**
- * Check rate limiting
- */
-function checkRateLimit(identifier: string): boolean {
-  const now = Date.now();
-  const limit = rateLimitCache.get(identifier);
-
-  if (!limit || limit.resetAt < now) {
-    rateLimitCache.set(identifier, {
-      count: 1,
-      resetAt: now + 60 * 1000, // Reset after 1 minute
-    });
-    return true;
-  }
-
-  if (limit.count >= 10) { // Max 10 requests per minute
-    return false;
-  }
-
-  limit.count++;
-  return true;
-}
-
-/**
- * Validate license with MoonUI server (server-to-server)
- */
-async function validateWithMoonUIServer(
-  token: string,
-  deviceId: string
-): Promise<{ valid: boolean; hasProAccess: boolean; plan?: string }> {
-  // Development mode with CLI authentication
-  if (process.env.NODE_ENV === 'development') {
-    // Check for CLI dev tokens
-    const devToken = process.env.NEXT_PUBLIC_MOONUI_DEV_TOKEN;
-    const devDeviceId = process.env.NEXT_PUBLIC_MOONUI_DEVICE_ID;
-
-    console.log('[MoonUI Dev Auth] Checking CLI authentication:');
-    console.log('[MoonUI Dev Auth] Device IDs match:', devDeviceId === deviceId);
-
-    // STRICT DEVICE ID VALIDATION - Prevent token sharing
-    if (devToken && devDeviceId && devDeviceId === deviceId) {
-      try {
-        // Decode the dev token
-        const decoded = JSON.parse(Buffer.from(devToken, 'base64').toString());
-
-        // Verify token structure and session
-        if (!decoded.deviceId || !decoded.session || !decoded.security) {
-          console.error('[MoonUI Security] Invalid token structure');
-          return { valid: false, hasProAccess: false };
-        }
-
-        // Verify device ID in token matches
-        if (decoded.deviceId !== devDeviceId) {
-          console.error('[MoonUI Security] Token device ID mismatch');
-          return { valid: false, hasProAccess: false };
-        }
-
-        // Verify session hasn't expired
-        if (decoded.session?.expiresAt && decoded.session.expiresAt < Date.now()) {
-          console.error('[MoonUI Security] Token session expired');
-          return { valid: false, hasProAccess: false };
-        }
-
-        console.log('[MoonUI Dev Auth] Token validated successfully');
-        console.log('[MoonUI Dev Auth] User plan:', decoded.user?.plan);
-
-        if (decoded.user?.plan === 'pro_lifetime' || decoded.user?.hasProAccess) {
-          console.log('[MoonUI Dev Auth] Pro access granted via CLI token');
-          return {
-            valid: true,
-            hasProAccess: true,
-            plan: decoded.user?.plan || 'lifetime'
-          };
-        }
-      } catch (e) {
-        console.error('[MoonUI Security] Error parsing dev token:', e);
-        return { valid: false, hasProAccess: false };
-      }
-    } else if (devToken && !devDeviceId) {
-      console.warn('[MoonUI Security] Token found but no device ID - possible token sharing attempt');
-      return { valid: false, hasProAccess: false };
-    } else if (devDeviceId !== deviceId) {
-      console.warn('[MoonUI Security] Device ID mismatch - token not valid for this device');
-      console.warn('[MoonUI Security] This token is locked to device:', devDeviceId);
-      console.warn('[MoonUI Security] Current device:', deviceId);
-      return { valid: false, hasProAccess: false };
-    }
-  }
-
-  // Production validation with license key
-  const licenseKey = process.env.MOONUI_LICENSE_KEY;
-
-  if (!licenseKey) {
-    console.error('[MoonUI] No license key configured');
-    return { valid: false, hasProAccess: false };
-  }
-
-  try {
-    const response = await fetch('https://api.moonui.dev/v1/license/validate', {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${licenseKey}`,
-        'X-Device-ID': deviceId,
-      },
-      body: JSON.stringify({
-        token: licenseKey,
-        deviceId,
-        domain: process.env.NEXT_PUBLIC_DOMAIN || 'localhost',
-        timestamp: Date.now(),
-      }),
-      signal: AbortSignal.timeout(10000), // 10 second timeout
-    });
-
-    if (!response.ok) {
-      console.error('[MoonUI] License validation failed:', response.status);
-      return { valid: false, hasProAccess: false };
-    }
-
-    const data = await response.json();
-
-    return {
-      valid: data.valid,
-      hasProAccess: data.valid && (
-        data.user?.hasLifetimeAccess ||
-        data.user?.features?.includes('pro_components') ||
-        data.plan === 'pro_lifetime' ||
-        false
-      ),
-      plan: data.user?.plan || data.plan,
-    };
-
-  } catch (error) {
-    console.error('[MoonUI] Error validating license:', error);
-    return { valid: false, hasProAccess: false };
-  }
-}
-
-/**
- * Verify request integrity
- */
-function verifyRequestIntegrity(request: NextRequest): boolean {
-  // Check for suspicious patterns
-  const url = new URL(request.url);
-
-  // Reject if trying to bypass with query params
-  if (url.searchParams.has('bypass') ||
-      url.searchParams.has('force') ||
-      url.searchParams.has('admin')) {
-    console.warn('[MoonUI Security] Suspicious query params detected');
-    return false;
-  }
-
-  // Check request headers for tampering
-  const suspiciousHeaders = [
-    'x-moonui-bypass',
-    'x-force-pro',
-    'x-admin-override',
-    'x-moonui-device-override',
-    'x-moonui-token-override'
-  ];
-
-  for (const header of suspiciousHeaders) {
-    if (request.headers.has(header)) {
-      console.warn(`[MoonUI Security] Suspicious header detected: ${header}`);
-      return false;
-    }
-  }
-
-  // Check for proxy/VPN indicators
-  const proxyHeaders = [
-    'x-proxy-connection',
-    'x-forwarded-server',
-    'x-originating-ip',
-    'x-remote-ip'
-  ];
-
-  const hasProxy = proxyHeaders.some(header => request.headers.has(header));
-  if (hasProxy) {
-    console.warn('[MoonUI Security] Proxy/VPN detected - additional validation required');
-  }
-
-  return true;
-}
-
-/**
- * Generate validation signature for response
- */
-function generateValidationSignature(data: any): string {
-  const payload = JSON.stringify({
-    ...data,
-    timestamp: Date.now(),
-    checksum: SECURITY_CHECKSUM,
-  });
-
-  return crypto
-    .createHash('sha256')
-    .update(payload)
-    .digest('hex')
-    .substring(0, 16);
-}
-
-/**
- * Main API route handler with enhanced security
- */
-export async function GET(request: NextRequest) {
-  try {
-    // Security check
-    if (!verifyRequestIntegrity(request)) {
-      return NextResponse.json(
-        {
-          error: 'Invalid request',
-          valid: false,
-          hasProAccess: false
-        },
-        { status: 403 }
-      );
-    }
-
-    // Generate device fingerprint
-    const deviceId = await getDeviceFingerprint(request);
-
-    // Check rate limiting
-    if (!checkRateLimit(deviceId)) {
-      return NextResponse.json(
-        { error: 'Rate limit exceeded', valid: false },
-        { status: 429 }
-      );
-    }
-
-    // Check in-memory cache first
-    const cacheKey = `validation:${deviceId}`;
-    const cached = validationCache.get(cacheKey);
-
-    if (cached && cached.expiresAt > Date.now()) {
-      console.log('[MoonUI] Using cached validation result');
-
-      return NextResponse.json({
-        valid: cached.valid,
-        hasProAccess: cached.hasProAccess,
-        cached: true,
-      });
-    }
-
-    // Get license token
-    const licenseToken = process.env.MOONUI_LICENSE_KEY ||
-                        process.env.NEXT_PUBLIC_MOONUI_DEV_TOKEN ||
-                        '';
-
-    // Validate with MoonUI server
-    const validation = await validateWithMoonUIServer(licenseToken, deviceId);
-
-    // Cache the result
-    const expiresAt = Date.now() + CACHE_DURATION;
-    validationCache.set(cacheKey, {
-      ...validation,
-      timestamp: Date.now(),
-      expiresAt,
-    });
-
-    // Set status cookie for client (readable)
-    const cookieStore = await cookies();
-    cookieStore.set('moonui_pro_status', JSON.stringify({
-      valid: validation.valid,
-      hasProAccess: validation.hasProAccess,
-      timestamp: Date.now(),
-    }), {
-      httpOnly: false, // Client needs to read this
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'lax',
-      maxAge: CACHE_DURATION / 1000, // Convert to seconds
-    });
-
-    // Prepare response data
-    const responseData = {
-      valid: validation.valid,
-      hasProAccess: validation.hasProAccess,
-      isAuthenticated: validation.valid,
-      subscriptionPlan: validation.hasProAccess ? 'lifetime' : 'free',
-      subscription: {
-        status: validation.hasProAccess ? 'active' : 'inactive',
-        plan: validation.hasProAccess ? 'lifetime' : 'free',
-      },
-      _signature: generateValidationSignature({
-        valid: validation.valid,
-        hasProAccess: validation.hasProAccess,
-        deviceId: deviceId,
-      }),
-    };
-
-    // Log security events
-    if (validation.hasProAccess) {
-      console.log(`[MoonUI Security] Pro access granted for device: ${deviceId.substring(0, 8)}...`);
-    }
-
-    return NextResponse.json(responseData);
-
-  } catch (error) {
-    console.error('[MoonUI] Validation error:', error);
-
-    return NextResponse.json(
-      {
-        error: 'Internal server error',
-        valid: false,
-        hasProAccess: false,
-      },
-      { status: 500 }
-    );
-  }
-}
-
-// Support for Pages Router
-export async function handler(req: any, res: any) {
-  if (req.method !== 'GET') {
-    return res.status(405).json({ error: 'Method not allowed' });
-  }
-
-  // Convert to NextRequest for consistent handling
-  const url = new URL(req.url!, `http://${req.headers.host}`);
-  const request = new NextRequest(url, {
-    headers: req.headers,
-  });
-
-  const response = await GET(request);
-  const data = await response.json();
-
-  return res.status(response.status).json(data);
-}