handle license validation for all paths

Author: brendan-kellam

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - Redesigned the app layout with a new collapsible sidebar navigation, replacing the previous top navigation bar. [#1097](https://github.com/sourcebot-dev/sourcebot/pull/1097)
+- Expired offline license keys no longer crash the process. An expired key now degrades to the unlicensed state. [#1109](https://github.com/sourcebot-dev/sourcebot/pull/1109)
 
 ## [4.16.9] - 2026-04-15
 

packages/backend/src/entitlements.ts

@@ -1,7 +1,7 @@
 import {
     Entitlement,
-    hasEntitlement as _hasEntitlement,
-    getEntitlements as _getEntitlements,
+    _hasEntitlement,
+    _getEntitlements,
 } from "@sourcebot/shared";
 import { prisma } from "./prisma.js";
 import { SINGLE_TENANT_ORG_ID } from "./constants.js";

packages/shared/src/entitlements.test.ts

@@ -0,0 +1,187 @@
+import { describe, test, expect, vi, beforeEach } from 'vitest';
+import type { License } from '@sourcebot/db';
+
+const mocks = vi.hoisted(() => ({
+    env: {
+        SOURCEBOT_PUBLIC_KEY_PATH: '/tmp/test-key',
+        SOURCEBOT_EE_LICENSE_KEY: undefined as string | undefined,
+    } as Record<string, string | undefined>,
+    verifySignature: vi.fn(() => true),
+}));
+
+vi.mock('./env.server.js', () => ({
+    env: mocks.env,
+}));
+
+vi.mock('./crypto.js', () => ({
+    verifySignature: mocks.verifySignature,
+}));
+
+vi.mock('./logger.js', () => ({
+    createLogger: () => ({
+        error: vi.fn(),
+        info: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+    }),
+}));
+
+import {
+    isAnonymousAccessAvailable,
+    getEntitlements,
+    hasEntitlement,
+} from './entitlements.js';
+
+const encodeOfflineKey = (payload: object): string => {
+    const encoded = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    return `sourcebot_ee_${encoded}`;
+};
+
+const futureDate = new Date(Date.now() + 1000 * 60 * 60 * 24 * 365).toISOString();
+const pastDate = new Date(Date.now() - 1000 * 60 * 60 * 24).toISOString();
+
+const validOfflineKey = (overrides: { seats?: number; expiryDate?: string } = {}) =>
+    encodeOfflineKey({
+        id: 'test-customer',
+        expiryDate: overrides.expiryDate ?? futureDate,
+        ...(overrides.seats !== undefined ? { seats: overrides.seats } : {}),
+        sig: 'fake-sig',
+    });
+
+const makeLicense = (overrides: Partial<License> = {}): License => ({
+    id: 'lic_1',
+    orgId: 1,
+    activationCode: 'code',
+    entitlements: [],
+    seats: null,
+    status: null,
+    lastSyncAt: null,
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    ...overrides,
+});
+
+beforeEach(() => {
+    mocks.env.SOURCEBOT_EE_LICENSE_KEY = undefined;
+    mocks.verifySignature.mockReturnValue(true);
+});
+
+describe('isAnonymousAccessAvailable', () => {
+    describe('without any license', () => {
+        test('returns true when license is null', () => {
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+
+        test('returns true when license has no status', () => {
+            expect(isAnonymousAccessAvailable(makeLicense())).toBe(true);
+        });
+
+        test('returns true when license status is canceled', () => {
+            expect(isAnonymousAccessAvailable(makeLicense({ status: 'canceled' }))).toBe(true);
+        });
+    });
+
+    describe('with an active online license', () => {
+        test.each(['active', 'trialing', 'past_due'] as const)(
+            'returns false when status is %s',
+            (status) => {
+                expect(isAnonymousAccessAvailable(makeLicense({ status }))).toBe(false);
+            }
+        );
+    });
+
+    describe('with an offline license key', () => {
+        test('returns false when offline key has a seat count', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100 });
+            expect(isAnonymousAccessAvailable(null)).toBe(false);
+        });
+
+        test('returns true when offline key has no seat count (unlimited)', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey();
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+
+        test('unlimited offline key beats an active online license', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey();
+            expect(isAnonymousAccessAvailable(makeLicense({ status: 'active' }))).toBe(true);
+        });
+
+        test('falls through to online license check when offline key is expired', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100, expiryDate: pastDate });
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+            expect(isAnonymousAccessAvailable(makeLicense({ status: 'active' }))).toBe(false);
+        });
+
+        test('falls through when offline key is malformed', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = 'sourcebot_ee_not-valid-base64-or-json';
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+
+        test('falls through when offline key has wrong prefix', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = 'bogus_prefix_xyz';
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+
+        test('falls through when offline key signature is invalid', () => {
+            mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 100 });
+            mocks.verifySignature.mockReturnValue(false);
+            expect(isAnonymousAccessAvailable(null)).toBe(true);
+        });
+    });
+});
+
+describe('getEntitlements', () => {
+    test('returns empty array when no license and no offline key', () => {
+        expect(getEntitlements(null)).toEqual([]);
+    });
+
+    test('returns license.entitlements when license is active', () => {
+        const license = makeLicense({ status: 'active', entitlements: ['sso', 'audit'] });
+        expect(getEntitlements(license)).toEqual(['sso', 'audit']);
+    });
+
+    test('returns empty when license has no status', () => {
+        expect(getEntitlements(makeLicense({ entitlements: ['sso'] }))).toEqual([]);
+    });
+
+    test('returns all entitlements when offline key is valid', () => {
+        mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 50 });
+        const result = getEntitlements(null);
+        expect(result).toContain('sso');
+        expect(result).toContain('audit');
+        expect(result).toContain('search-contexts');
+    });
+
+    test('falls through when offline key is expired', () => {
+        mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 50, expiryDate: pastDate });
+        expect(getEntitlements(null)).toEqual([]);
+        expect(
+            getEntitlements(makeLicense({ status: 'active', entitlements: ['sso'] }))
+        ).toEqual(['sso']);
+    });
+
+    test('falls through when offline key is malformed', () => {
+        mocks.env.SOURCEBOT_EE_LICENSE_KEY = 'sourcebot_ee_not-a-valid-payload';
+        expect(getEntitlements(null)).toEqual([]);
+    });
+});
+
+describe('hasEntitlement', () => {
+    test('returns true when entitlement is present in license', () => {
+        expect(
+            hasEntitlement('sso', makeLicense({ status: 'active', entitlements: ['sso'] }))
+        ).toBe(true);
+    });
+
+    test('returns false when entitlement is absent from license', () => {
+        expect(
+            hasEntitlement('audit', makeLicense({ status: 'active', entitlements: ['sso'] }))
+        ).toBe(false);
+    });
+
+    test('returns true for any entitlement when offline key is valid', () => {
+        mocks.env.SOURCEBOT_EE_LICENSE_KEY = validOfflineKey({ seats: 50 });
+        expect(hasEntitlement('sso', null)).toBe(true);
+        expect(hasEntitlement('audit', null)).toBe(true);
+    });
+});

packages/shared/src/entitlements.ts

@@ -2,23 +2,23 @@ import { base64Decode } from "./utils.js";
 import { z } from "zod";
 import { createLogger } from "./logger.js";
 import { env } from "./env.server.js";
-import { SOURCEBOT_SUPPORT_EMAIL } from "./constants.js";
 import { verifySignature } from "./crypto.js";
 import { License } from "@sourcebot/db";
 
 const logger = createLogger('entitlements');
 
-const eeLicenseKeyPrefix = "sourcebot_ee_";
-
-const eeLicenseKeyPayloadSchema = z.object({
+const offlineLicensePrefix = "sourcebot_ee_";
+const offlineLicensePayloadSchema = z.object({
     id: z.string(),
     seats: z.number().optional(),
     // ISO 8601 date string
     expiryDate: z.string().datetime(),
     sig: z.string(),
 });
 
-type LicenseKeyPayload = z.infer<typeof eeLicenseKeyPayloadSchema>;
+type getValidOfflineLicense = z.infer<typeof offlineLicensePayloadSchema>;
+
+const ACTIVE_ONLINE_LICENSE_STATUSES = ['active', 'trialing', 'past_due'] as const;
 
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 const ALL_ENTITLEMENTS = [
@@ -35,20 +35,11 @@ const ALL_ENTITLEMENTS = [
 ] as const;
 export type Entitlement = (typeof ALL_ENTITLEMENTS)[number];
 
-const ACTIVE_LICENSE_STATUSES = ['active', 'trialing', 'past_due'] as const;
-
-const isLicenseActive = (license: License): boolean => {
-    if (!license.status) {
-        return false;
-    }
-    return ACTIVE_LICENSE_STATUSES.includes(license.status as typeof ACTIVE_LICENSE_STATUSES[number]);
-}
-
-const decodeLicenseKeyPayload = (payload: string): LicenseKeyPayload => {
+const decodeOfflineLicenseKeyPayload = (payload: string): getValidOfflineLicense | null => {
     try {
         const decodedPayload = base64Decode(payload);
         const payloadJson = JSON.parse(decodedPayload);
-        const licenseData = eeLicenseKeyPayloadSchema.parse(payloadJson);
+        const licenseData = offlineLicensePayloadSchema.parse(payloadJson);
 
         const dataToVerify = JSON.stringify({
             expiryDate: licenseData.expiryDate,
@@ -59,57 +50,85 @@ const decodeLicenseKeyPayload = (payload: string): LicenseKeyPayload => {
         const isSignatureValid = verifySignature(dataToVerify, licenseData.sig, env.SOURCEBOT_PUBLIC_KEY_PATH);
         if (!isSignatureValid) {
             logger.error('License key signature verification failed');
-            process.exit(1);
+            return null;
         }
 
         return licenseData;
     } catch (error) {
         logger.error(`Failed to decode license key payload: ${error}`);
-        process.exit(1);
+        return null;
     }
 }
 
-export const getOfflineLicenseKey = (): LicenseKeyPayload | null => {
+const getValidOfflineLicense = (): getValidOfflineLicense | null => {
     const licenseKey = env.SOURCEBOT_EE_LICENSE_KEY;
-    if (licenseKey && licenseKey.startsWith(eeLicenseKeyPrefix)) {
-        const payload = licenseKey.substring(eeLicenseKeyPrefix.length);
-        return decodeLicenseKeyPayload(payload);
+    if (!licenseKey || !licenseKey.startsWith(offlineLicensePrefix)) {
+        return null;
     }
-    return null;
+
+    const payload = decodeOfflineLicenseKeyPayload(licenseKey.substring(offlineLicensePrefix.length));
+    if (!payload) {
+        return null;
+    }
+
+    const expiryDate = new Date(payload.expiryDate);
+    if (expiryDate.getTime() < new Date().getTime()) {
+        return null;
+    }
+
+    return payload;
 }
 
-export const hasEntitlement = (entitlement: Entitlement, license: License | null) => {
-    const entitlements = getEntitlements(license);
-    return entitlements.includes(entitlement);
+const getValidOnlineLicense = (_license: License | null): License | null => {
+    if (
+        _license &&
+        _license.status &&
+        ACTIVE_ONLINE_LICENSE_STATUSES.includes(_license.status as typeof ACTIVE_ONLINE_LICENSE_STATUSES[number])
+    ) {
+        return _license;
+    }
+
+    return null;
 }
 
-export const isAnonymousAccessAvailable = (license: License | null): boolean => {
-    const offlineKey = getOfflineLicenseKey();
+export const isAnonymousAccessAvailable = (_license: License | null): boolean => {
+    const offlineKey = getValidOfflineLicense();
     if (offlineKey) {
         return offlineKey.seats === undefined;
     }
 
-    if (license && isLicenseActive(license)) {
+    const onlineLicense = getValidOnlineLicense(_license);
+    if (onlineLicense) {
         return false;
     }
     return true;
 }
 
-export const getEntitlements = (license: License | null): Entitlement[] => {
-    const licenseKey = getOfflineLicenseKey();
-    if (licenseKey) {
-        const expiryDate = new Date(licenseKey.expiryDate);
-        if (expiryDate.getTime() < new Date().getTime()) {
-            logger.error(`The provided license key has expired (${expiryDate.toLocaleString()}). Please contact ${SOURCEBOT_SUPPORT_EMAIL} for support.`);
-            process.exit(1);
-        }
-
+export const getEntitlements = (_license: License | null): Entitlement[] => {
+    const offlineLicense = getValidOfflineLicense();
+    if (offlineLicense) {
         return ALL_ENTITLEMENTS as unknown as Entitlement[];
     }
-    else if (license && isLicenseActive(license)) {
-        return license.entitlements as unknown as Entitlement[];
+
+    const onlineLicense = getValidOnlineLicense(_license);
+    if (onlineLicense) {
+        return onlineLicense.entitlements as unknown as Entitlement[];
     }
     else {
         return [];
     }
 }
+
+export const hasEntitlement = (entitlement: Entitlement, _license: License | null) => {
+    const entitlements = getEntitlements(_license);
+    return entitlements.includes(entitlement);
+}
+
+export const getSeatCap = (): number | undefined => {
+    const offlineLicense = getValidOfflineLicense();
+    if (offlineLicense?.seats && offlineLicense.seats > 0) {
+        return offlineLicense.seats;
+    }
+
+    return undefined;
+}

packages/shared/src/index.server.ts

@@ -1,8 +1,11 @@
+// types prefixed with _ are intended to be wrapped
+// by the consumer. See web/entitlements.ts and
+// backend/entitlements.ts
 export {
-    hasEntitlement,
-    getOfflineLicenseKey,
-    getEntitlements,
-    isAnonymousAccessAvailable as isAnonymousAccessEnabled,
+    hasEntitlement as _hasEntitlement,
+    getEntitlements as _getEntitlements,
+    isAnonymousAccessAvailable as _isAnonymousAccessAvailable,
+    getSeatCap,
 } from "./entitlements.js";
 export type {
     Entitlement,