Require exp field in license validation

AbanoubGhadban · AbanoubGhadban · commit 97ece1e31f50 · 2025-10-12T13:43:11.000+03:00
diff --git a/react_on_rails_pro/lib/react_on_rails_pro/license_validator.rb b/react_on_rails_pro/lib/react_on_rails_pro/license_validator.rb
@@ -36,8 +36,15 @@ def validate_license
           license = load_and_decode_license
           return false unless license
 
-          # Check expiry if present
-          if license["exp"] && Time.now.to_i > license["exp"]
+          # Check that exp field exists
+          unless license["exp"]
+            @validation_error = "License is missing required expiration field"
+            handle_invalid_license(development_mode, @validation_error)
+            return development_mode
+          end
+
+          # Check expiry
+          if Time.now.to_i > license["exp"]
             @validation_error = "License has expired"
             handle_invalid_license(development_mode, @validation_error)
             return development_mode
@@ -63,6 +70,9 @@ def load_and_decode_license
           license_string,
           public_key,
           true,
+          # NOTE: Never remove the 'algorithm' parameter from JWT.decode to prevent algorithm bypassing vulnerabilities.
+          # Ensure to hardcode the expected algorithm.
+          # See: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
           algorithm: "RS256"
         ).first
       end
diff --git a/react_on_rails_pro/packages/node-renderer/src/shared/licenseValidator.ts b/react_on_rails_pro/packages/node-renderer/src/shared/licenseValidator.ts
@@ -6,7 +6,7 @@ import { PUBLIC_KEY } from './licensePublicKey';
 interface LicenseData {
   sub?: string;
   iat?: number;
-  exp?: number;
+  exp: number; // Required: expiration timestamp
   [key: string]: any;
 }
 
@@ -60,8 +60,15 @@ class LicenseValidator {
         return false;
       }
 
-      // Check expiry if present
-      if (license.exp && Date.now() / 1000 > license.exp) {
+      // Check that exp field exists
+      if (!license.exp) {
+        this.validationError = 'License is missing required expiration field';
+        this.handleInvalidLicense(isDevelopment, this.validationError);
+        return isDevelopment;
+      }
+
+      // Check expiry
+      if (Date.now() / 1000 > license.exp) {
         this.validationError = 'License has expired';
         this.handleInvalidLicense(isDevelopment, this.validationError);
         return isDevelopment;
