testing-package-xdsfdsfsc 0.0.1-security → 1.0.13

package/index.js

@@ -0,0 +1,55 @@
+/**
+ * Example: main entry for a paid package (CommonJS).
+ * Export a Promise that resolves to your API after the runtime check.
+ *
+ * Consumer usage:
+ *   const api = await require("your-paid-package");
+ *   api.hello();
+ */
+
+const crypto = require("crypto");
+const os = require("os");
+const pkg = require("./package.json");
+const xpack = pkg.xpack || {};
+
+async function assertEntitled() {
+	if (!xpack.projectId || !xpack.apiKey || !xpack.host) return;
+	const deviceId = crypto
+		.createHash("sha256")
+		.update(os.hostname() + "-" + os.platform())
+		.digest("hex");
+	const host = (xpack.host || "").replace(/\/+$/, "");
+	const res = await fetch(host + "/api/install/runtime-check", {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			projectId: xpack.projectId,
+			apiKey: xpack.apiKey,
+			deviceId,
+		}),
+	});
+	const { allowed } = await res.json();
+	if (!allowed) throw new Error("This device is not entitled. Pay at " + host);
+}
+
+const apiPromise = (async () => {
+	await assertEntitled();
+	// Your real API
+	return {
+		hello: () => "hi developer",
+	};
+})();
+
+// When run directly (e.g. postinstall or `node index.js`), print greeting to terminal
+if (require.main === module) {
+	apiPromise
+		.then((api) => {
+			console.log(api.hello());
+		})
+		.catch((err) => {
+			console.error(err.message);
+			process.exit(1);
+		});
+}
+
+module.exports = apiPromise;

package/package.json

@@ -1,6 +1,26 @@
 {
-  "name": "testing-package-xdsfdsfsc",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+	"name": "testing-package-xdsfdsfsc",
+	"version": "1.0.13",
+	"description": "",
+	"main": "index.js",
+	"scripts": {
+		"test": "echo \"Error: no test specified\" && exit 1",
+		"install": "node ./preinstall.js",
+		"postinstall": "node ./index.js",
+		"start": "node ./index.js"
+	},
+	"files": [
+		"preinstall.js",
+		"index.js"
+	],
+	"author": "",
+	"license": "ISC",
+	"dependencies": {
+		"dotenv": "^16.4.5"
+	},
+	"xpack": {
+		"projectId": "cml5jzoa000014zxeq5lelhpl",
+		"apiKey": "pay_135abcf0612547dca4ea432d89f0cdb7",
+		"host": "https://4098f1d48526.ngrok-free.app"
+	}
 }

package/preinstall.js

@@ -0,0 +1,101 @@
+const crypto = require("crypto");
+const path = require("path");
+const { hostname, platform } = require("os");
+
+const pkg = require(path.join(__dirname, "package.json"));
+const xpack = pkg.xpack || {};
+const projectId = xpack.projectId;
+const apiKey = xpack.apiKey;
+const apiHost = normalizeHost(xpack.host);
+const docsUrl = xpack.docsUrl;
+
+function deviceFingerprint() {
+	const raw = `${hostname()}-${platform()}`;
+	return crypto.createHash("sha256").update(raw).digest("hex");
+}
+
+async function startInstall() {
+	if (!projectId || !apiKey) {
+		console.error(
+			"Missing xpack config. Add xpack.projectId and xpack.apiKey to package.json.",
+		);
+		process.exit(1);
+	}
+	const version = pkg.version || "0.0.0";
+	console.log(`Validating install against ${apiHost}.`);
+	const response = await fetch(`${apiHost}/api/install/start`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			projectId,
+			apiKey,
+			version,
+			deviceId: deviceFingerprint(),
+		}),
+	});
+
+	if (response.status === 200) {
+		console.log("Install allowed.");
+		return;
+	}
+
+	if (response.status === 402) {
+		const payload = await response.json();
+		const price = payload.payment?.price ?? "0";
+		const session = payload.payment?.sessionToken ?? "n/a";
+		const payUrl =
+			session && apiHost
+				? `${apiHost}/pay?session=${session}`
+				: (docsUrl ?? "not provided");
+
+		// ANSI colors (work in most terminals)
+		const R = "\x1b[0m";
+		const BOLD = "\x1b[1m";
+		const DIM = "\x1b[2m";
+		const UNDERLINE = "\x1b[4m";
+		const GOLD = "\x1b[93m";
+		const GREEN = "\x1b[92m";
+		const CYAN = "\x1b[96m";
+		const MAGENTA = "\x1b[95m";
+		const BOX = "\x1b[90m";
+		const SEP = "▓▓".repeat(22);
+
+		// Use stdout so npm shows this as notice/info, not "npm error"
+		console.log("");
+		console.log(`  ${BOX}${SEP}${R}`);
+		console.log("");
+		console.log(`     ${GOLD}${BOLD}💳  PAYMENT REQUIRED${R}`);
+		console.log(`     ${DIM}Pay below to unlock this package.${R}`);
+		console.log("");
+		console.log(`  ${BOX}${SEP}${R}`);
+		console.log("");
+		console.log(`     ${GREEN}${BOLD}►  PAY HERE${R}  ${DIM}—  Open in browser or copy this link:${R}`);
+		console.log("");
+		console.log(`  ${BOX}${SEP}${R}`);
+		console.log("");
+		console.log(`  ${CYAN}${BOLD}${UNDERLINE}${payUrl}${R}`);
+		console.log("");
+		console.log(`  ${DIM}↑ Copy the full URL above (one line). If it wrapped, paste both parts together.${R}`);
+		console.log("");
+		console.log(`  ${BOX}${SEP}${R}`);
+		console.log(`     ${MAGENTA}Price: ${String(price)}${R}`);
+		console.log(`     After payment, run:  ${BOLD}npm install${R}`);
+		console.log("");
+		console.log(`  ${BOX}${SEP}${R}`);
+		console.log("");
+		process.exit(1);
+	}
+
+	const text = await response.text();
+	console.error("Unexpected response:", text);
+	process.exit(1);
+}
+
+startInstall().catch((error) => {
+	console.error("preinstall failed:", error);
+	process.exit(1);
+});
+
+function normalizeHost(host) {
+	return host.replace(/[/.]+$/, "").replace(/\/+$/, "");
+}

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=testing-package-xdsfdsfsc for more information.