
feat: resolved errors for self hosted license v2 #7062

Merged
akhilmhdh merged 1 commit into main from feat/license-v2-fix on Jun 29, 2026

Conversation

@akhilmhdh

Member

Context

  • Recognize new infisical_lk_ license keys (legacy QVHK-HIGYH keys still work) and run the instance in a new EnterpriseOnPremV2 mode.
  • Resolve features/usage from License Server v2, authenticating with the license key as a bearer token (single-tenant, no org id).
  • Sync entitlements + subscription on boot and via background refresh; report usage via snapshots (recorded, not charged).
  • Only read/refresh/usage endpoints are wired for self-hosted; Stripe billing (checkout/portal/subscription changes) is rejected.
  • Billing page shows a read-only "managed by your license" view (plan, products, shared members + machine-identity usage; payment/invoices/checkout hidden).
  • Tested that old license keys still work


@akhilmhdh akhilmhdh requested a review from PrestigePvP June 28, 2026 19:10

@greptile-apps

greptile-apps Bot commented Jun 28, 2026

Contributor

Greptile Summary

This PR adds first-class support for self-hosted License Server v2 instances: new infisical_lk_ key prefix is detected and routes initialization to the new EnterpriseOnPremV2 path, which fetches entitlements and subscription data directly from License Server v2 using the license key as a bearer token rather than the cloud's RS256 service JWT.

  • Adds licenseServerSelfHostedBackend — a single-tenant HTTP client that authenticates with the raw license key; Stripe billing operations are explicitly rejected with informative errors, and redirect: "manual" prevents credential forwarding on redirects.
  • syncSelfHostedV2Features projects v2 entitlements into the v1 feature shape on boot and via a 10-minute cron, mirroring the existing on-prem sync loop.
  • Billing UI now detects mode === "managed" to display a read-only description for self-hosted license holders.

Confidence Score: 4/5

Safe to merge with the HTTP-allowance in the license client reviewed or accepted as intentional for local/dev setups.

The new self-hosted backend correctly isolates Stripe operations, uses redirect: "manual" on every outbound fetch, and the v2 entitlement sync mirrors the well-tested v1 on-prem path. The one real concern is that buildBackend accepts plain http: while the usage reporter in the same PR enforces HTTPS — an operator pointing LICENSE_SERVER_V2_URL at an HTTP endpoint would transmit the license key in cleartext. Everything else — type additions, cron scheduling, billing UI — is straightforward and low-risk.

backend/src/services/license-client/license-client.ts — the URL protocol check allows plain HTTP for the bearer credential.

Security Review

  • Plaintext credential exposure (license-client.ts line 56): buildBackend accepts http: protocol for LICENSE_SERVER_V2_URL, so if an operator points the license client at a non-TLS endpoint the raw infisical_lk_… bearer token is transmitted unencrypted. usage-reporter.ts in this same PR already enforces HTTPS for the identical bearer — the inconsistency leaves the main entitlement and refresh client without the same protection. No user-controlled data drives the destination URL, so this is an operator misconfiguration risk rather than an external SSRF vector.

Important Files Changed

  • backend/src/services/license-client/license-client.ts: Routes self-hosted v2 keys to the new backend. The URL validation accepts plain http:, which can expose the license key bearer token in plaintext — usage-reporter.ts in the same PR rejects non-HTTPS.
  • backend/src/services/license-client/license-client-backends.ts: Adds licenseServerSelfHostedBackend — single-tenant HTTP client using the raw license key as bearer. All sensitive ops use redirect: "manual". Stubs out unsupported Stripe ops with explicit rejections.
  • backend/src/services/license-client/usage/usage-reporter.ts: Extends bearer selection to prefer the self-hosted license key when detected. Correctly enforces HTTPS before forwarding the credential. Minor: duplicates the prefix constant.
  • backend/src/ee/services/license/license-service.ts: Adds EnterpriseOnPremV2 init path, background cron sync, syncSelfHostedV2Features, and refreshEntitlements on manual refresh. Guards on LICENSE_SERVER_KEY for cloud-only seat ops look intentional for the migration.
  • backend/src/ee/services/license/license-fns.ts: Exports isV2SelfHostedLicenseKey helper and SELF_HOSTED_V2_LICENSE_KEY_PREFIX; routes infisical_lk_ keys to LicenseType.OnlineV2. Logic is clean.
  • backend/src/ee/services/license/license-types.ts: Adds EnterpriseOnPremV2 to InstanceType and OnlineV2 to LicenseType. Clean enum extension.
  • backend/src/ee/services/license-v2/license-v2-service.ts: Self-hosted billing overview now reads seat caps from entitlements instead of cloud plan, skips Stripe billing profile, and sets isCloud: false / mode: "managed". Logic is clear and correctly branched.
  • backend/src/services/license-client/license-client-types.ts: Adds refreshEntitlements to TLicenseClientBackend. Interface update is consistent with both implementations.
  • frontend/src/pages/organization/BillingV2Page/BillingV2Page.tsx: Detects mode === "managed" to swap the billing page description text for self-hosted license holders. Simple, safe change.

Comments Outside Diff (1)

  1. backend/src/services/license-client/license-client.ts, lines 56-59

    P1 (security): Bearer credential sent over plain HTTP

    buildBackend explicitly allows http: in the URL check, so if an operator configures LICENSE_SERVER_V2_URL with an http:// address the raw license key (infisical_lk_…) is transmitted in plaintext. usage-reporter.ts in this same PR already enforces HTTPS for the same bearer — the inconsistency means the main entitlement/refresh client has weaker protection than the usage reporter.

Reviews (1): Last reviewed commit: "feat: resolved errorsf for self hosted l..."
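The review above turns on two points: the license-server URL check admitting http: for a bearer credential, and redirect: "manual" keeping that credential from being re-sent to a redirect target. The following is an added example, not Infisical's code, of what a hardened client-side check looks like; the function names, the loopback opt-in flag and the /api/v1/entitlements path are assumptions.

```typescript
// Added example (not the project's own code): validate LICENSE_SERVER_V2_URL
// before the infisical_lk_ key is ever sent as a bearer token, and build the
// request so a redirect cannot carry the credential elsewhere.
// Function names, the loopback opt-in and the entitlements path are assumed.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

/**
 * Accept https: only. Plain http: is allowed solely for loopback hosts and
 * only when the operator opts in, so a misconfigured http://license.example.com
 * fails at boot instead of leaking the key on the wire.
 */
export function validateLicenseServerUrl(raw: string, allowInsecureLoopback = false): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("LICENSE_SERVER_V2_URL is not a valid URL");
  }
  if (url.protocol === "https:") return url;
  if (url.protocol === "http:" && allowInsecureLoopback && LOOPBACK_HOSTS.has(url.hostname)) {
    return url;
  }
  throw new Error(`LICENSE_SERVER_V2_URL must use https:, got ${url.protocol}//${url.host}`);
}

/** Entitlement request: bearer is the raw license key, redirects are not followed. */
export function buildLicenseRequest(baseUrl: URL, licenseKey: string) {
  return {
    url: new URL("/api/v1/entitlements", baseUrl).toString(), // path is assumed
    init: {
      headers: { Authorization: `Bearer ${licenseKey}` },
      // "manual" hands any 3xx back to the caller instead of re-sending the
      // Authorization header to whatever host the Location header names.
      redirect: "manual" as const,
    },
  };
}

/** With redirect: "manual", a 3xx means "refuse to forward the key", not "retry". */
export function checkLicenseResponseStatus(status: number): void {
  if (status >= 300 && status < 400) {
    throw new Error(`license server redirected (${status}); not forwarding license key`);
  }
  if (status !== 200) throw new Error(`license server returned ${status}`);
}
```

Pass `init` straight to fetch; the status check runs on the response before its body is trusted.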


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f03e991ba8


@akhilmhdh akhilmhdh merged commit 15a0476 into main Jun 29, 2026
16 checks passed