store activation code at rest

Author: brendan-kellam

packages/shared/src/crypto.ts

@@ -27,6 +27,21 @@ export function encrypt(text: string): { iv: string; encryptedData: string } {
     return { iv: iv.toString('hex'), encryptedData: encrypted };
 }
 
+export function decrypt(iv: string, encryptedText: string): string {
+    const encryptionKey = Buffer.from(env.SOURCEBOT_ENCRYPTION_KEY, 'ascii');
+
+    const ivBuffer = Buffer.from(iv, 'hex');
+    const encryptedBuffer = Buffer.from(encryptedText, 'hex');
+
+    const decipher = crypto.createDecipheriv(algorithm, encryptionKey, ivBuffer);
+
+    let decrypted = decipher.update(encryptedBuffer, undefined, 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+}
+
+
 export function hashSecret(text: string): string {
     return crypto.createHmac('sha256', env.SOURCEBOT_ENCRYPTION_KEY).update(text).digest('hex');
 }
@@ -61,20 +76,6 @@ export function generateOAuthRefreshToken(): { token: string; hash: string } {
     };
 }
 
-export function decrypt(iv: string, encryptedText: string): string {
-    const encryptionKey = Buffer.from(env.SOURCEBOT_ENCRYPTION_KEY, 'ascii');
-
-    const ivBuffer = Buffer.from(iv, 'hex');
-    const encryptedBuffer = Buffer.from(encryptedText, 'hex');
-
-    const decipher = crypto.createDecipheriv(algorithm, encryptionKey, ivBuffer);
-
-    let decrypted = decipher.update(encryptedBuffer, undefined, 'utf8');
-    decrypted += decipher.final('utf8');
-
-    return decrypted;
-}
-
 export function verifySignature(data: string, signature: string, publicKeyPath: string): boolean {
     try {
         let publicKey = publicKeyCache.get(publicKeyPath);
@@ -226,3 +227,13 @@ export function decryptOAuthToken(encryptedText: string | null | undefined): str
         return encryptedText;
     }
 }
+
+export function encryptActivationCode(code: string): string {
+    const { iv, encryptedData } = encrypt(code);
+    return Buffer.from(JSON.stringify({ iv, encryptedData })).toString('base64');
+}
+
+export function decryptActivationCode(encrypted: string): string {
+    const { iv, encryptedData } = JSON.parse(Buffer.from(encrypted, 'base64').toString('utf8'));
+    return decrypt(iv, encryptedData);
+}

packages/shared/src/index.server.ts

@@ -49,6 +49,8 @@ export {
     verifySignature,
     encryptOAuthToken,
     decryptOAuthToken,
+    encryptActivationCode,
+    decryptActivationCode,
 } from "./crypto.js";
 export {
     getDBConnectionString,

packages/web/src/app/(app)/settings/license/purchaseButton.tsx

@@ -5,10 +5,12 @@ import { LoadingButton } from "@/components/ui/loading-button";
 import { createCheckoutSession } from "@/ee/features/lighthouse/actions";
 import { isServiceError } from "@/lib/utils";
 import { useToast } from "@/components/hooks/use-toast";
+import { useRouter } from "next/navigation";
 
 export function PurchaseButton() {
     const [isLoading, setIsLoading] = useState(false);
     const { toast } = useToast();
+    const router = useRouter();
 
     const handleClick = useCallback(() => {
         setIsLoading(true);
@@ -23,14 +25,12 @@ export function PurchaseButton() {
                         description: `Failed to start checkout: ${response.message}`,
                         variant: "destructive",
                     });
+                    setIsLoading(false);
                 } else {
-                    window.location.href = response.url;
+                    router.push(response.url);
                 }
             })
-            .finally(() => {
-                setIsLoading(false);
-            });
-    }, [toast]);
+    }, [router, toast]);
 
     return (
         <LoadingButton

packages/web/src/ee/features/lighthouse/actions.ts

@@ -7,7 +7,7 @@ import { OrgRole } from "@sourcebot/db";
 import { ServiceError } from "@/lib/serviceError";
 import { StatusCodes } from "http-status-codes";
 import { ErrorCode } from "@/lib/errorCodes";
-import { env } from "@sourcebot/shared";
+import { env, encryptActivationCode } from "@sourcebot/shared";
 import { sendServicePing } from "@/ee/features/lighthouse/servicePing";
 import { fetchWithRetry } from "@/lib/utils";
 import { checkoutResponseSchema } from "./types";
@@ -28,11 +28,10 @@ export const activateLicense = async (activationCode: string): Promise<{ success
                 } satisfies ServiceError;
             }
 
-            // Create the license record
             await prisma.license.create({
                 data: {
                     orgId: org.id,
-                    activationCode,
+                    activationCode: encryptActivationCode(activationCode),
                 },
             });
 

packages/web/src/ee/features/lighthouse/servicePing.ts

@@ -1,6 +1,6 @@
 import { fetchWithRetry } from "@/lib/utils";
 import { __unsafePrisma } from "@/prisma";
-import { createLogger, env, SOURCEBOT_VERSION } from "@sourcebot/shared";
+import { createLogger, env, SOURCEBOT_VERSION, decryptActivationCode } from "@sourcebot/shared";
 import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
 import { lighthouseResponseSchema } from "./types";
 
@@ -14,10 +14,14 @@ export const sendServicePing = async () => {
         where: { orgId: SINGLE_TENANT_ORG_ID },
     });
 
+    const activationCode = license?.activationCode
+        ? decryptActivationCode(license.activationCode)
+        : undefined;
+
     const payload = {
         installId: env.SOURCEBOT_INSTALL_ID,
         version: SOURCEBOT_VERSION,
-        ...(license?.activationCode && { activationCode: license.activationCode }),
+        ...(activationCode && { activationCode }),
     };
 
     try {