implement encrypted key logic

msukkari · msukkari · commit 2048083b3ba0 · 2025-06-05T20:04:28.000-07:00
diff --git a/.env.development b/.env.development
@@ -24,6 +24,7 @@ AUTH_URL="http://localhost:3000"
 # AUTH_EE_GOOGLE_CLIENT_SECRET=""
 
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
+SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem
 # CONFIG_PATH=${PWD}/config.json # Path to the sourcebot config file (if one exists)
 
 # Email
diff --git a/Dockerfile b/Dockerfile
@@ -174,14 +174,15 @@ ENV REDIS_DATA_DIR=$DATA_CACHE_DIR/redis
 ENV DATABASE_URL="postgresql://postgres@localhost:5432/sourcebot"
 ENV REDIS_URL="redis://localhost:6379"
 ENV SRC_TENANT_ENFORCEMENT_MODE=strict
+ENV SOURCEBOT_PUBLIC_KEY_PATH=/app/public.pem
 
 # Valid values are: debug, info, warn, error
 ENV SOURCEBOT_LOG_LEVEL=info
 
 # Sourcebot collects anonymous usage data using [PostHog](https://posthog.com/). Uncomment this line to disable.
 # ENV SOURCEBOT_TELEMETRY_DISABLED=1
 
-COPY package.json yarn.lock* .yarnrc.yml ./
+COPY package.json yarn.lock* .yarnrc.yml public.pem ./
 COPY .yarn ./.yarn
 
 # Configure zoekt
diff --git a/packages/crypto/src/index.ts b/packages/crypto/src/index.ts
@@ -1,4 +1,5 @@
 import crypto from 'crypto';
+import fs from 'fs';
 import { SOURCEBOT_ENCRYPTION_KEY } from './environment';
 
 const algorithm = 'aes-256-cbc';
@@ -63,3 +64,22 @@ export function decrypt(iv: string, encryptedText: string): string {
 
     return decrypted;
 }
+
+export function verifySignature(data: string, signature: string, publicKeyPath: string): boolean {
+    try {
+        if (!fs.existsSync(publicKeyPath)) {
+            throw new Error(`Public key file not found at: ${publicKeyPath}`);
+        }
+
+        const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
+
+        const base64Signature = signature.replace(/-/g, '+').replace(/_/g, '/');
+        const paddedSignature = base64Signature + '='.repeat((4 - base64Signature.length % 4) % 4);
+        const signatureBuffer = Buffer.from(paddedSignature, 'base64');
+        
+        return crypto.verify(null, Buffer.from(data, 'utf8'), publicKey, signatureBuffer);
+    } catch (error) {
+        console.error('Error verifying signature:', error);
+        return false;
+    }
+}
diff --git a/packages/web/src/app/[domain]/settings/license/page.tsx b/packages/web/src/app/[domain]/settings/license/page.tsx
@@ -109,12 +109,13 @@ export default async function LicensePage({ params: { domain } }: LicensePagePro
                         <div className="grid grid-cols-2 gap-4">
                             <div className="text-sm text-muted-foreground">Expiry Date</div>
                             <div className={`text-sm font-mono ${isExpired ? 'text-destructive' : ''}`}>
-                                {expiryDate.toLocaleDateString("en-US", {
+                                {expiryDate.toLocaleString("en-US", {
                                     hour: "2-digit",
                                     minute: "2-digit",
                                     month: "long",
                                     day: "numeric",
-                                    year: "numeric"
+                                    year: "numeric",
+                                    timeZoneName: "short"
                                 })} {isExpired && '(Expired)'}
                             </div>
                         </div>
diff --git a/packages/web/src/env.mjs b/packages/web/src/env.mjs
@@ -55,6 +55,8 @@ export const env = createEnv({
 
         DATA_CACHE_DIR: z.string(),
 
+        SOURCEBOT_PUBLIC_KEY_PATH: z.string().optional(),
+
         // Email
         SMTP_CONNECTION_URL: z.string().url().optional(),
         EMAIL_FROM_ADDRESS: z.string().email().optional(),
diff --git a/packages/web/src/features/entitlements/server.ts b/packages/web/src/features/entitlements/server.ts
@@ -4,6 +4,7 @@ import { base64Decode } from "@/lib/utils";
 import { z } from "zod";
 import { SOURCEBOT_SUPPORT_EMAIL } from "@/lib/constants";
 import { createLogger } from "@sourcebot/logger";
+import { verifySignature } from "@sourcebot/crypto";
 
 const logger = createLogger('entitlements');
 
@@ -15,6 +16,7 @@ const eeLicenseKeyPayloadSchema = z.object({
     seats: z.number(),
     // ISO 8601 date string
     expiryDate: z.string().datetime(),
+    sig: z.string(),
 });
 
 type LicenseKeyPayload = z.infer<typeof eeLicenseKeyPayloadSchema>;
@@ -23,7 +25,26 @@ const decodeLicenseKeyPayload = (payload: string): LicenseKeyPayload => {
     try {
         const decodedPayload = base64Decode(payload);
         const payloadJson = JSON.parse(decodedPayload);
-        return eeLicenseKeyPayloadSchema.parse(payloadJson);
+        const licenseData = eeLicenseKeyPayloadSchema.parse(payloadJson);
+        
+        if (env.SOURCEBOT_PUBLIC_KEY_PATH) {
+            const dataToVerify = JSON.stringify({
+                expiryDate: licenseData.expiryDate,
+                id: licenseData.id,
+                seats: licenseData.seats
+            });
+            
+            const isSignatureValid = verifySignature(dataToVerify, licenseData.sig, env.SOURCEBOT_PUBLIC_KEY_PATH);
+            if (!isSignatureValid) {
+                logger.error('License key signature verification failed');
+                process.exit(1);
+            }
+        } else {
+            logger.error('No public key path provided, unable to verify license key signature');
+            process.exit(1);
+        }
+        
+        return licenseData;
     } catch (error) {
         logger.error(`Failed to decode license key payload: ${error}`);
         process.exit(1);
diff --git a/public.pem b/public.pem
@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAJ8fwB3wMcuNPput/El4bK2F8vt/algcGxC6MiJqrT+c=
+-----END PUBLIC KEY-----

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-----BEGIN PUBLIC KEY-----`
	`2`	`+MCowBQYDK2VwAyEAJ8fwB3wMcuNPput/El4bK2F8vt/algcGxC6MiJqrT+c=`
	`3`	`+-----END PUBLIC KEY-----`