Adds support for encrypted license keys #335


Merged 5 commits, Jun 6, 2025

Conversation

@msukkari (Contributor) commented Jun 6, 2025

Summary by CodeRabbit

  • New Features

    • Added cryptographic signature verification for license keys to enhance security.
    • Introduced support for specifying a public key path via environment variables.
  • Improvements

    • License expiry date now displays both date and time, including time zone information, for clearer license status visibility.
  • Chores

    • Updated environment and build configurations to support new public key requirements.
    • Added documentation for the new public key environment variable.

@msukkari msukkari requested a review from brendan-kellam June 6, 2025 03:05
coderabbitai bot commented Jun 6, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

The changes introduce cryptographic signature verification for license key payloads. A new verifySignature function is added, environment variables for the public key path are set up in development, Docker, and runtime environments, and the license decoding logic now requires and validates a signature using the specified public key. License expiry date formatting is also updated for improved display.

Changes

| File(s) | Change Summary |
|---|---|
| .env.development, Dockerfile, packages/web/src/env.mjs | Add SOURCEBOT_PUBLIC_KEY_PATH environment variable for public key usage in dev, Docker, and runtime. |
| packages/crypto/src/index.ts | Add and export verifySignature function for cryptographic signature verification. |
| packages/web/src/features/entitlements/server.ts | Require and verify license signature using the new function and public key environment variable. |
| packages/web/src/app/[domain]/settings/license/page.tsx | Update license expiry date formatting to include time and timezone. |
| docs/docs/configuration/environment-variables.mdx | Document new SOURCEBOT_PUBLIC_KEY_PATH environment variable with default and description. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant WebApp
    participant Crypto
    participant FileSystem

    User->>WebApp: Submit license key
    WebApp->>WebApp: Decode and parse payload (includes signature)
    WebApp->>FileSystem: Read public key from path (env variable)
    WebApp->>Crypto: Call verifySignature(data, signature, publicKeyPath)
    Crypto->>FileSystem: Check and read public key file
    Crypto-->>WebApp: Return verification result
    alt Signature valid
        WebApp-->>User: Accept license and display info
    else Signature invalid or missing
        WebApp-->>User: Reject license and log error
    end

Poem

In the warren, secrets kept,
Now with keys and signatures swept.
A public path for every hare,
Ensures our licenses are fair.
With crypto checks and dates anew,
We hop ahead—secure and true!
🐇🔑


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 808f32d and 83cfcd5.

📒 Files selected for processing (3)
  • CHANGELOG.md (1 hunks)
  • packages/crypto/src/index.ts (2 hunks)
  • packages/web/src/env.mjs (1 hunks)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff23066 and 2048083.

⛔ Files ignored due to path filters (1)
  • public.pem is excluded by !**/*.pem
📒 Files selected for processing (6)
  • .env.development (1 hunks)
  • Dockerfile (1 hunks)
  • packages/crypto/src/index.ts (2 hunks)
  • packages/web/src/app/[domain]/settings/license/page.tsx (1 hunks)
  • packages/web/src/env.mjs (1 hunks)
  • packages/web/src/features/entitlements/server.ts (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build
  • GitHub Check: build
  • GitHub Check: build
🔇 Additional comments (8)
packages/crypto/src/index.ts (1)

2-2: LGTM: Import added for file system operations.

The fs import is necessary for reading the public key file in the new verifySignature function.

packages/web/src/env.mjs (1)

58-58: LGTM: Environment variable properly added to schema.

The addition of SOURCEBOT_PUBLIC_KEY_PATH as an optional string in the server schema is correctly implemented and appropriately placed.

Dockerfile (2)

177-177: LGTM: Environment variable correctly configured for container.

The SOURCEBOT_PUBLIC_KEY_PATH environment variable is properly set to match the file location in the container.


185-185:

✅ Verification successful

Verify public key file availability during Docker build.

The public.pem file is correctly added to the COPY command. Ensure that this file exists in the build context when building the Docker image.

Check if the public key file exists in the project root for Docker builds:


🏁 Script executed:

#!/bin/bash
# Description: Verify that public.pem exists for Docker builds
# Expected: File should exist in build context or build will fail

if [ -f "public.pem" ]; then
    echo "✅ public.pem found in build context"
    ls -la public.pem
else
    echo "❌ public.pem not found in build context - Docker build will fail"
    echo "Files in root directory:"
    ls -la | head -10
fi

# Also check if there are any .pem files that might be the intended file
echo "Other .pem files in directory:"
find . -maxdepth 2 -name "*.pem" 2>/dev/null || echo "No .pem files found"

Length of output: 302


public.pem found in build context – no further action required

The verification confirms that public.pem exists at the project root and will be successfully included by the COPY instruction in the Dockerfile. No additional changes needed.

packages/web/src/app/[domain]/settings/license/page.tsx (1)

112-119: LGTM! Enhanced timestamp display improves user experience.

The change from toLocaleDateString to toLocaleString with timezone information provides users with more precise license expiry details, which is beneficial for license management.

packages/web/src/features/entitlements/server.ts (3)

7-7: LGTM! Proper import of cryptographic verification function.

The import of verifySignature from the crypto package aligns with the PR objective of adding encrypted license key support.


19-19: LGTM! Schema properly extended for signature verification.

Adding the required sig field to the schema ensures that license keys must include a signature for validation.


31-35: ⚠️ Potential issue

Critical: JSON.stringify property order is not guaranteed.

The signature verification creates a JSON string for verification, but JSON.stringify doesn't guarantee property order across different JavaScript engines or versions. This could cause valid signatures to fail verification.

Use a deterministic serialization approach:

-        const dataToVerify = JSON.stringify({
-            expiryDate: licenseData.expiryDate,
-            id: licenseData.id,
-            seats: licenseData.seats
-        });
+        // Ensure deterministic serialization by manually constructing the string
+        const dataToVerify = `{"expiryDate":"${licenseData.expiryDate}","id":"${licenseData.id}","seats":${licenseData.seats}}`;
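Review bot: The premise of this suggestion is mistaken, and the `+` line is less safe than the `JSON.stringify` call it replaces. For an object literal whose keys are all non-integer strings (expiryDate, id, seats), ECMAScript from ES2015 onward specifies own-property enumeration order as insertion order, so JSON.stringify over this literal produces the same text on every conforming engine. The template-literal string, by contrast, performs no escaping: an id or expiryDate containing a quote or backslash yields text that is neither valid JSON nor what the issuer signed, and a seats value that arrives as a string rather than a number serialises differently from the original. What actually has to hold is that issuer and verifier sign and verify byte-identical input; keep the `JSON.stringify` form and have the issuer use the same serialisation, or adopt a canonical JSON library as the sentence after the hunk suggests, rather than hand-building the string.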

Or consider using a deterministic JSON serialization library like canonical-json or fast-json-stable-stringify.

Likely an incorrect or invalid review comment.

@brendan-kellam (Contributor)

Could you add a changelog entry?

brendan-kellam previously approved these changes Jun 6, 2025
@msukkari msukkari merged commit 397262e into main Jun 6, 2025
5 of 6 checks passed

2 participants