Refactor license claims in JWT to use standard 'iss' identifier and update related tests for improved clarity and consistency

Author: AbanoubGhadban

react_on_rails_pro/LICENSE_SETUP.md

@@ -191,7 +191,7 @@ The license is a JWT (JSON Web Token) signed with RSA-256, containing:
   "exp": 1234567890,                 // Expiration timestamp (REQUIRED)
   "plan": "free",                    // License plan: "free" or "paid" (Optional)
   "organization": "Your Company",    // Organization name (Optional)
-  "issued_by": "api"                 // License issuer identifier (Optional)
+  "iss": "api"                       // Issuer identifier (Optional, standard JWT claim)
 }
 ```
 

react_on_rails_pro/lib/react_on_rails_pro/license_validator.rb

@@ -68,8 +68,12 @@ def load_and_decode_license
         license_string = load_license_string
 
         JWT.decode(
+          # The JWT token containing the license data
           license_string,
+          # RSA public key used to verify the JWT signature
           public_key,
+          # verify_signature: NEVER set to false! When false, signature verification is skipped,
+          # allowing anyone to forge licenses. Must always be true for security.
           true,
           # NOTE: Never remove the 'algorithm' parameter from JWT.decode to prevent algorithm bypassing vulnerabilities.
           # Ensure to hardcode the expected algorithm.
@@ -91,7 +95,7 @@ def load_license_string
         return File.read(config_path).strip if config_path.exist?
 
         @validation_error = "No license found. Please set REACT_ON_RAILS_PRO_LICENSE environment variable " \
-                            "or create config/react_on_rails_pro_license.key file. " \
+                            "or create #{config_path} file. " \
                             "Get a FREE evaluation license at https://shakacode.com/react-on-rails-pro"
         handle_invalid_license(@validation_error)
       end
@@ -108,10 +112,10 @@ def handle_invalid_license(message)
 
       def log_license_info(license)
         plan = license["plan"]
-        issued_by = license["issued_by"]
+        iss = license["iss"]
 
         Rails.logger.info("[React on Rails Pro] License plan: #{plan}") if plan
-        Rails.logger.info("[React on Rails Pro] Issued by: #{issued_by}") if issued_by
+        Rails.logger.info("[React on Rails Pro] Issued by: #{iss}") if iss
       end
     end
   end

react_on_rails_pro/packages/node-renderer/src/shared/licenseValidator.ts

@@ -4,11 +4,16 @@ import * as path from 'path';
 import { PUBLIC_KEY } from './licensePublicKey';
 
 interface LicenseData {
-  sub?: string; // Subject (email for whom the license is issued)
-  iat?: number; // Issued at timestamp
-  exp: number; // Required: expiration timestamp
-  plan?: string; // Optional: license plan (e.g., "free", "paid")
-  issued_by?: string; // Optional: who issued the license
+  // Subject (email for whom the license is issued)
+  sub?: string;
+  // Issued at timestamp
+  iat?: number;
+  // Required: expiration timestamp
+  exp: number;
+  // Optional: license plan (e.g., "free", "paid")
+  plan?: string;
+  // Issuer (who issued the license)
+  iss?: string;
   // Allow additional fields
   [key: string]: unknown;
 }
@@ -34,13 +39,13 @@ function handleInvalidLicense(message: string): never {
  * @private
  */
 function logLicenseInfo(license: LicenseData): void {
-  const { plan, issued_by: issuedBy } = license;
+  const { plan, iss } = license;
 
   if (plan) {
     console.log(`[React on Rails Pro] License plan: ${plan}`);
   }
-  if (issuedBy) {
-    console.log(`[React on Rails Pro] Issued by: ${issuedBy}`);
+  if (iss) {
+    console.log(`[React on Rails Pro] Issued by: ${iss}`);
   }
 }
 
@@ -57,18 +62,19 @@ function loadLicenseString(): string | never {
   }
 
   // Then try config file (relative to project root)
+  let configPath;
   try {
-    const configPath = path.join(process.cwd(), 'config', 'react_on_rails_pro_license.key');
+    configPath = path.join(process.cwd(), 'config', 'react_on_rails_pro_license.key');
     if (fs.existsSync(configPath)) {
       return fs.readFileSync(configPath, 'utf8').trim();
     }
-  } catch {
-    // File doesn't exist or can't be read
+  } catch (error) {
+    console.error(`[React on Rails Pro] Error reading license file: ${(error as Error).message}`);
   }
 
   cachedValidationError =
     'No license found. Please set REACT_ON_RAILS_PRO_LICENSE environment variable ' +
-    'or create config/react_on_rails_pro_license.key file. ' +
+    `or create ${configPath ?? 'config/react_on_rails_pro_license.key'} file. ` +
     'Get a FREE evaluation license at https://shakacode.com/react-on-rails-pro';
 
   handleInvalidLicense(cachedValidationError);
@@ -114,6 +120,7 @@ function performValidation(): boolean | never {
     }
 
     // Check expiry
+    // Date.now() returns milliseconds, but JWT exp is in Unix seconds, so divide by 1000
     if (Date.now() / 1000 > license.exp) {
       cachedValidationError =
         'License has expired. ' +

react_on_rails_pro/packages/node-renderer/tests/licenseValidator.test.ts

@@ -20,8 +20,12 @@ describe('LicenseValidator', () => {
   let testPublicKey: string;
   let mockProcessExit: jest.SpyInstance;
   let mockConsoleError: jest.SpyInstance;
+  let originalEnv: NodeJS.ProcessEnv;
 
   beforeEach(() => {
+    // Store original environment
+    originalEnv = { ...process.env };
+
     // Clear the module cache to get a fresh instance
     jest.resetModules();
 
@@ -69,10 +73,22 @@ describe('LicenseValidator', () => {
   });
 
   afterEach(() => {
-    delete process.env.REACT_ON_RAILS_PRO_LICENSE;
+    // Restore original environment
+    process.env = originalEnv;
     jest.restoreAllMocks();
   });
 
+  /**
+   * Helper function to mock the REACT_ON_RAILS_PRO_LICENSE environment variable
+   */
+  const mockLicenseEnv = (token: string | undefined) => {
+    if (token === undefined) {
+      delete process.env.REACT_ON_RAILS_PRO_LICENSE;
+    } else {
+      process.env.REACT_ON_RAILS_PRO_LICENSE = token;
+    }
+  };
+
   describe('validateLicense', () => {
     it('validates successfully for valid license in ENV', () => {
       const validPayload = {
@@ -82,7 +98,7 @@ describe('LicenseValidator', () => {
       };
 
       const validToken = jwt.sign(validPayload, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = validToken;
+      mockLicenseEnv(validToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
       expect(module.validateLicense()).toBe(true);
@@ -96,7 +112,7 @@ describe('LicenseValidator', () => {
       };
 
       const expiredToken = jwt.sign(expiredPayload, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = expiredToken;
+      mockLicenseEnv(expiredToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
 
@@ -117,7 +133,7 @@ describe('LicenseValidator', () => {
       };
 
       const tokenWithoutExp = jwt.sign(payloadWithoutExp, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = tokenWithoutExp;
+      mockLicenseEnv(tokenWithoutExp);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
 
@@ -152,7 +168,7 @@ describe('LicenseValidator', () => {
       };
 
       const invalidToken = jwt.sign(validPayload, wrongKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = invalidToken;
+      mockLicenseEnv(invalidToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
 
@@ -164,7 +180,7 @@ describe('LicenseValidator', () => {
     });
 
     it('calls process.exit for missing license', () => {
-      delete process.env.REACT_ON_RAILS_PRO_LICENSE;
+      mockLicenseEnv(undefined);
 
       // Mock fs.existsSync to return false (no config file)
       jest.mocked(fs.existsSync).mockReturnValue(false);
@@ -178,7 +194,7 @@ describe('LicenseValidator', () => {
       expect(mockConsoleError).toHaveBeenCalledWith(expect.stringContaining('FREE evaluation license'));
     });
 
-    it('loads license from config file when ENV not set', () => {
+    it('validates license from ENV variable after reset', () => {
       const validPayload = {
         sub: '[email protected]',
         iat: Math.floor(Date.now() / 1000),
@@ -189,7 +205,7 @@ describe('LicenseValidator', () => {
 
       // Set the license in ENV variable instead of file
       // (file-based testing is complex due to module caching)
-      process.env.REACT_ON_RAILS_PRO_LICENSE = validToken;
+      mockLicenseEnv(validToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
 
@@ -208,15 +224,15 @@ describe('LicenseValidator', () => {
       };
 
       const validToken = jwt.sign(validPayload, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = validToken;
+      mockLicenseEnv(validToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
 
       // First call
       expect(module.validateLicense()).toBe(true);
 
       // Change ENV (shouldn't affect cached result)
-      delete process.env.REACT_ON_RAILS_PRO_LICENSE;
+      mockLicenseEnv(undefined);
 
       // Second call should use cache
       expect(module.validateLicense()).toBe(true);
@@ -233,7 +249,7 @@ describe('LicenseValidator', () => {
       };
 
       const validToken = jwt.sign(payload, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = validToken;
+      mockLicenseEnv(validToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');
       const data = module.getLicenseData();
@@ -253,7 +269,7 @@ describe('LicenseValidator', () => {
       };
 
       const expiredToken = jwt.sign(expiredPayload, testPrivateKey, { algorithm: 'RS256' });
-      process.env.REACT_ON_RAILS_PRO_LICENSE = expiredToken;
+      mockLicenseEnv(expiredToken);
 
       const module = jest.requireActual<LicenseValidatorModule>('../src/shared/licenseValidator');