feat: license JWT/JWKS and verify parity updates

Author: VoxHash

lib/licensechain/license_assertion.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json'
+require 'uri'
+require 'net/http'
+
+module LicenseChain
+  # RS256 license_token verification via JWKS (parity with Node verifyLicenseAssertionJwt).
+  module LicenseAssertion
+    LICENSE_TOKEN_USE_CLAIM = 'licensechain_license_v1'
+
+    module_function
+
+    # @param expected_app_id [String, nil]
+    # @param issuer [String, nil]
+    # @return [Hash] decoded JWT payload
+    def verify_license_assertion_jwt(token, jwks_url, expected_app_id: nil, issuer: nil)
+      token = token.to_s.strip
+      raise ArgumentError, 'empty token' if token.empty?
+
+      jwks_url = jwks_url.to_s.strip
+      raise ArgumentError, 'empty jwks_url' if jwks_url.empty?
+
+      jwks = fetch_jwks(jwks_url)
+      decode_opts = {
+        algorithms: ['RS256'],
+        jwks: jwks,
+        verify_aud: false
+      }
+      if issuer && !issuer.to_s.strip.empty?
+        decode_opts[:verify_iss] = true
+        decode_opts[:iss] = issuer.to_s.strip
+      end
+
+      payload, = JWT.decode(token, nil, true, decode_opts)
+
+      tu = payload['token_use']
+      if tu != LICENSE_TOKEN_USE_CLAIM
+        raise JWT::DecodeError, %(Invalid license token: expected token_use "#{LICENSE_TOKEN_USE_CLAIM}")
+      end
+
+      if expected_app_id && !expected_app_id.to_s.strip.empty?
+        want = expected_app_id.to_s.strip
+        aud = payload['aud']
+        ok = aud == want || (aud.is_a?(Array) && aud.include?(want))
+        raise JWT::DecodeError, 'Invalid license token: aud does not match expected app id' unless ok
+      end
+
+      payload
+    end
+
+    def fetch_jwks(jwks_url)
+      uri = URI.parse(jwks_url)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == 'https'
+      http.open_timeout = 20
+      http.read_timeout = 20
+      req = Net::HTTP::Get.new(uri.request_uri)
+      res = http.request(req)
+      raise JWT::DecodeError, "JWKS HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
+
+      JSON.parse(res.body)
+    end
+    private_class_method :fetch_jwks
+  end
+end

lib/licensechain/services/license_service.rb

@@ -1,100 +1,108 @@
-module LicenseChain
-  module Services
-    class LicenseService
-      def initialize(client)
-        @client = client
-      end
-
-      def create(app_id, user_email, metadata = {})
-        Utils.validate_not_empty(app_id, 'app_id')
-        Utils.validate_not_empty(user_email, 'user_email')
-        
-        data = {
-          appId: app_id,
-          plan: 'FREE',
-          issuedEmail: user_email,
-          metadata: Utils.sanitize_metadata(metadata)
-        }
-
-        response = @client.post("/apps/#{app_id}/licenses", data)
-        License.new(normalize_license_payload(response[:data] || response))
-      end
-
-      def get(license_id)
-        Utils.validate_not_empty(license_id, 'license_id')
-        
-        response = @client.get("/licenses/#{license_id}")
-        License.new(normalize_license_payload(response[:data] || response))
-      end
-
-      def update(license_id, updates = {})
-        Utils.validate_not_empty(license_id, 'license_id')
-        
-        response = @client.patch("/licenses/#{license_id}", Utils.sanitize_metadata(updates))
-        License.new(normalize_license_payload(response[:data] || response))
-      end
-
-      def revoke(license_id)
-        Utils.validate_not_empty(license_id, 'license_id')
-        
-        @client.delete("/licenses/#{license_id}")
-        true
-      end
-
-      def validate(license_key, hwuid = nil)
-        Utils.validate_not_empty(license_key, 'license_key')
-        body = { key: license_key }
-        body[:hwuid] = hwuid.to_s.strip != '' ? hwuid.to_s.strip : Utils.default_hwuid
-        response = @client.post('/licenses/verify', body)
-        response[:valid]
-      end
-
-      def list_user_licenses(user_id, page = 1, limit = 10)
-        Utils.validate_not_empty(user_id, 'user_id')
-        page, limit = Utils.validate_pagination(page, limit)
-        
-        response = @client.get('/licenses', { page: page, limit: limit })
-        items = response[:data] || response[:licenses] || []
-        filtered = items.select do |license|
-          license[:issuedEmail] == user_id || license[:email] == user_id || license[:user_id] == user_id
-        end
-        {
-          data: filtered.map { |license| License.new(normalize_license_payload(license)) },
-          total: filtered.length,
-          page: page,
-          limit: limit
-        }
-      end
-
-      def stats
-        response = @client.get('/licenses/stats')
-        LicenseStats.new(response[:data] || response)
-      end
-
-      private
-
-      def validate_uuid(id, field_name)
-        Utils.validate_not_empty(id, field_name)
-        raise ValidationError, "Invalid #{field_name} format" unless Utils.validate_uuid(id)
-      end
-
-      def normalize_license_payload(payload)
-        {
-          id: payload[:id],
-          key: payload[:key] || payload[:licenseKey],
-          app_id: payload[:app_id] || payload[:appId] || '',
-          user_id: payload[:user_id],
-          user_email: payload[:user_email] || payload[:issuedEmail] || payload[:email] || '',
-          user_name: payload[:user_name] || payload[:issuedTo],
-          status: (payload[:status] || 'active').to_s.downcase,
-          expires_at: payload[:expires_at] || payload[:expiresAt],
-          created_at: payload[:created_at] || payload[:createdAt],
-          updated_at: payload[:updated_at] || payload[:updatedAt],
-          metadata: payload[:metadata] || {},
-          features: payload[:features] || [],
-          usage_count: payload[:usage_count] || 0
-        }
-      end
-    end
-  end
-end
+module LicenseChain
+  module Services
+    class LicenseService
+      def initialize(client)
+        @client = client
+      end
+
+      def create(app_id, user_email, metadata = {})
+        Utils.validate_not_empty(app_id, 'app_id')
+        Utils.validate_not_empty(user_email, 'user_email')
+        
+        data = {
+          appId: app_id,
+          plan: 'FREE',
+          issuedEmail: user_email,
+          metadata: Utils.sanitize_metadata(metadata)
+        }
+
+        response = @client.post("/apps/#{app_id}/licenses", data)
+        License.new(normalize_license_payload(response[:data] || response))
+      end
+
+      def get(license_id)
+        Utils.validate_not_empty(license_id, 'license_id')
+        
+        response = @client.get("/licenses/#{license_id}")
+        License.new(normalize_license_payload(response[:data] || response))
+      end
+
+      def update(license_id, updates = {})
+        Utils.validate_not_empty(license_id, 'license_id')
+        
+        response = @client.patch("/licenses/#{license_id}", Utils.sanitize_metadata(updates))
+        License.new(normalize_license_payload(response[:data] || response))
+      end
+
+      def revoke(license_id)
+        Utils.validate_not_empty(license_id, 'license_id')
+        
+        @client.delete("/licenses/#{license_id}")
+        true
+      end
+
+      def validate(license_key, hwuid = nil)
+        Utils.validate_not_empty(license_key, 'license_key')
+        body = { key: license_key }
+        body[:hwuid] = hwuid.to_s.strip != '' ? hwuid.to_s.strip : Utils.default_hwuid
+        response = @client.post('/licenses/verify', body)
+        response[:valid]
+      end
+
+      # Full POST /licenses/verify body (valid, optional license_token, license_jwks_uri, etc.).
+      def verify_with_details(license_key, hwuid = nil)
+        Utils.validate_not_empty(license_key, 'license_key')
+        body = { key: license_key }
+        body[:hwuid] = hwuid.to_s.strip != '' ? hwuid.to_s.strip : Utils.default_hwuid
+        @client.post('/licenses/verify', body)
+      end
+
+      def list_user_licenses(user_id, page = 1, limit = 10)
+        Utils.validate_not_empty(user_id, 'user_id')
+        page, limit = Utils.validate_pagination(page, limit)
+        
+        response = @client.get('/licenses', { page: page, limit: limit })
+        items = response[:data] || response[:licenses] || []
+        filtered = items.select do |license|
+          license[:issuedEmail] == user_id || license[:email] == user_id || license[:user_id] == user_id
+        end
+        {
+          data: filtered.map { |license| License.new(normalize_license_payload(license)) },
+          total: filtered.length,
+          page: page,
+          limit: limit
+        }
+      end
+
+      def stats
+        response = @client.get('/licenses/stats')
+        LicenseStats.new(response[:data] || response)
+      end
+
+      private
+
+      def validate_uuid(id, field_name)
+        Utils.validate_not_empty(id, field_name)
+        raise ValidationError, "Invalid #{field_name} format" unless Utils.validate_uuid(id)
+      end
+
+      def normalize_license_payload(payload)
+        {
+          id: payload[:id],
+          key: payload[:key] || payload[:licenseKey],
+          app_id: payload[:app_id] || payload[:appId] || '',
+          user_id: payload[:user_id],
+          user_email: payload[:user_email] || payload[:issuedEmail] || payload[:email] || '',
+          user_name: payload[:user_name] || payload[:issuedTo],
+          status: (payload[:status] || 'active').to_s.downcase,
+          expires_at: payload[:expires_at] || payload[:expiresAt],
+          created_at: payload[:created_at] || payload[:createdAt],
+          updated_at: payload[:updated_at] || payload[:updatedAt],
+          metadata: payload[:metadata] || {},
+          features: payload[:features] || [],
+          usage_count: payload[:usage_count] || 0
+        }
+      end
+    end
+  end
+end

lib/licensechain_ruby_sdk.rb

@@ -1,35 +1,36 @@
-require 'logger'
-require 'securerandom'
-require 'time'
-require 'json'
-require 'net/http'
-require 'uri'
-
-require_relative 'licensechain_ruby_sdk/version'
-require_relative 'licensechain/configuration'
-require_relative 'licensechain/errors'
-require_relative 'licensechain/utils'
-require_relative 'licensechain/models'
-require_relative 'licensechain/api_client'
-require_relative 'licensechain/client'
-require_relative 'licensechain/webhook_handler'
-require_relative 'licensechain/services/license_service'
-require_relative 'licensechain/services/user_service'
-require_relative 'licensechain/services/product_service'
-require_relative 'licensechain/services/webhook_service'
-
-module LicenseChainRubySdk
-  class Error < StandardError; end
-
-  def self.configure
-    yield(LicenseChain.configuration)
-  end
-
-  def self.configuration
-    LicenseChain.configuration
-  end
-
-  def self.client(config = nil)
-    LicenseChain::Client.new(config)
-  end
+require 'logger'
+require 'securerandom'
+require 'time'
+require 'json'
+require 'net/http'
+require 'uri'
+
+require_relative 'licensechain_ruby_sdk/version'
+require_relative 'licensechain/configuration'
+require_relative 'licensechain/errors'
+require_relative 'licensechain/utils'
+require_relative 'licensechain/license_assertion'
+require_relative 'licensechain/models'
+require_relative 'licensechain/api_client'
+require_relative 'licensechain/client'
+require_relative 'licensechain/webhook_handler'
+require_relative 'licensechain/services/license_service'
+require_relative 'licensechain/services/user_service'
+require_relative 'licensechain/services/product_service'
+require_relative 'licensechain/services/webhook_service'
+
+module LicenseChainRubySdk
+  class Error < StandardError; end
+
+  def self.configure
+    yield(LicenseChain.configuration)
+  end
+
+  def self.configuration
+    LicenseChain.configuration
+  end
+
+  def self.client(config = nil)
+    LicenseChain::Client.new(config)
+  end
 end