Add tests for required exp field validation

AbanoubGhadban · AbanoubGhadban · commit d7fc4f0f0691 · 2025-10-12T13:54:04.000+03:00
diff --git a/react_on_rails_pro/lib/react_on_rails_pro/license_validator.rb b/react_on_rails_pro/lib/react_on_rails_pro/license_validator.rb
@@ -34,7 +34,8 @@ def validate_license
 
         begin
           license = load_and_decode_license
-          return false unless license
+          # If no license found, load_license_string already handled the error
+          return development_mode unless license
 
           # Check that exp field exists
           unless license["exp"]
@@ -51,6 +52,9 @@ def validate_license
           end
 
           true
+        rescue ReactOnRailsPro::Error
+          # Re-raise errors from handle_invalid_license in production mode
+          raise
         rescue JWT::DecodeError => e
           @validation_error = "Invalid license signature: #{e.message}"
           handle_invalid_license(development_mode, @validation_error)
@@ -73,7 +77,9 @@ def load_and_decode_license
           # NOTE: Never remove the 'algorithm' parameter from JWT.decode to prevent algorithm bypassing vulnerabilities.
           # Ensure to hardcode the expected algorithm.
           # See: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
-          algorithm: "RS256"
+          algorithm: "RS256",
+          # Disable automatic expiration verification so we can handle it manually with custom logic
+          verify_expiration: false
         ).first
       end
 
diff --git a/react_on_rails_pro/packages/node-renderer/tests/licenseValidator.test.ts b/react_on_rails_pro/packages/node-renderer/tests/licenseValidator.test.ts
@@ -112,6 +112,49 @@ describe('LicenseValidator', () => {
       consoleSpy.mockRestore();
     });
 
+    it('returns false for license missing exp field in production', () => {
+      const payloadWithoutExp = {
+        sub: 'test@example.com',
+        iat: Math.floor(Date.now() / 1000)
+        // exp field is missing
+      };
+
+      const tokenWithoutExp = jwt.sign(payloadWithoutExp, testPrivateKey, { algorithm: 'RS256' });
+      process.env.REACT_ON_RAILS_PRO_LICENSE = tokenWithoutExp;
+      process.env.NODE_ENV = 'production';
+
+      const module = require('../src/shared/licenseValidator');
+      const consoleSpy = jest.spyOn(console, 'error').mockImplementation();
+
+      expect(module.isLicenseValid()).toBe(false);
+      expect(consoleSpy).toHaveBeenCalledWith(expect.stringContaining('License is missing required expiration field'));
+
+      consoleSpy.mockRestore();
+    });
+
+    it('returns true for license missing exp field in development with warning', () => {
+      const payloadWithoutExp = {
+        sub: 'test@example.com',
+        iat: Math.floor(Date.now() / 1000)
+        // exp field is missing
+      };
+
+      const tokenWithoutExp = jwt.sign(payloadWithoutExp, testPrivateKey, { algorithm: 'RS256' });
+      process.env.REACT_ON_RAILS_PRO_LICENSE = tokenWithoutExp;
+      process.env.NODE_ENV = 'development';
+
+      const module = require('../src/shared/licenseValidator');
+      const consoleSpy = jest.spyOn(console, 'warn').mockImplementation();
+
+      expect(module.isLicenseValid()).toBe(true);
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.any(String),
+        expect.stringContaining('License is missing required expiration field')
+      );
+
+      consoleSpy.mockRestore();
+    });
+
     it('returns false for invalid signature', () => {
       // Generate a different key pair for invalid signature
       const { privateKey: wrongKey } = crypto.generateKeyPairSync('rsa', {
diff --git a/react_on_rails_pro/spec/react_on_rails_pro/license_validator_spec.rb b/react_on_rails_pro/spec/react_on_rails_pro/license_validator_spec.rb
@@ -30,8 +30,8 @@
 
   before do
     described_class.reset!
-    # Stub the public key to use our test key
-    allow(ReactOnRailsPro::LicensePublicKey).to receive(:KEY).and_return(test_public_key)
+    # Stub the public key constant to use our test key
+    stub_const("ReactOnRailsPro::LicensePublicKey::KEY", test_public_key)
     # Clear ENV variable
     ENV.delete("REACT_ON_RAILS_PRO_LICENSE")
   end
@@ -65,10 +65,10 @@
         ENV["REACT_ON_RAILS_PRO_LICENSE"] = expired_token
       end
 
-      it "returns false in production" do
+      it "raises error in production" do
         allow(Rails.env).to receive(:development?).and_return(false)
         allow(Rails.env).to receive(:test?).and_return(false)
-        expect(described_class.valid?).to be false
+        expect { described_class.valid? }.to raise_error(ReactOnRailsPro::Error, /License has expired/)
       end
 
       it "returns true in development with warning" do
@@ -78,17 +78,51 @@
       end
     end
 
+    context "with license missing exp field" do
+      let(:payload_without_exp) do
+        {
+          sub: "test@example.com",
+          iat: Time.now.to_i
+          # exp field is missing
+        }
+      end
+
+      before do
+        token_without_exp = JWT.encode(payload_without_exp, test_private_key, "RS256")
+        ENV["REACT_ON_RAILS_PRO_LICENSE"] = token_without_exp
+      end
+
+      it "raises error in production" do
+        allow(Rails.env).to receive(:development?).and_return(false)
+        allow(Rails.env).to receive(:test?).and_return(false)
+        expect { described_class.valid? }.to raise_error(ReactOnRailsPro::Error, /License is missing required expiration field/)
+      end
+
+      it "returns true in development with warning" do
+        allow(Rails.env).to receive(:development?).and_return(true)
+        expect(Rails.logger).to receive(:warn).with(/License is missing required expiration field/)
+        expect(described_class.valid?).to be true
+      end
+
+      it "sets appropriate validation error in development" do
+        allow(Rails.env).to receive(:development?).and_return(true)
+        allow(Rails.logger).to receive(:warn)
+        described_class.valid?
+        expect(described_class.validation_error).to eq("License is missing required expiration field")
+      end
+    end
+
     context "with invalid signature" do
       before do
         wrong_key = OpenSSL::PKey::RSA.new(2048)
         invalid_token = JWT.encode(valid_payload, wrong_key, "RS256")
         ENV["REACT_ON_RAILS_PRO_LICENSE"] = invalid_token
       end
 
-      it "returns false in production" do
+      it "raises error in production" do
         allow(Rails.env).to receive(:development?).and_return(false)
         allow(Rails.env).to receive(:test?).and_return(false)
-        expect(described_class.valid?).to be false
+        expect { described_class.valid? }.to raise_error(ReactOnRailsPro::Error, /Invalid license signature/)
       end
 
       it "returns true in development with warning" do
@@ -99,9 +133,11 @@
     end
 
     context "with missing license" do
+      let(:config_path) { double("Pathname", exist?: false) }
+
       before do
         ENV.delete("REACT_ON_RAILS_PRO_LICENSE")
-        allow(File).to receive(:read).and_raise(Errno::ENOENT)
+        allow(Rails.root).to receive(:join).with("config", "react_on_rails_pro_license.key").and_return(config_path)
       end
 
       it "returns false in production with error" do
@@ -152,8 +188,8 @@
       before do
         expired_token = JWT.encode(expired_payload, test_private_key, "RS256")
         ENV["REACT_ON_RAILS_PRO_LICENSE"] = expired_token
-        allow(Rails.env).to receive(:development?).and_return(false)
-        allow(Rails.env).to receive(:test?).and_return(false)
+        allow(Rails.env).to receive(:development?).and_return(true)
+        allow(Rails.logger).to receive(:warn)
       end
 
       it "returns the error message" do
