Initial commit: DashCaddy v1.0

Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills.
2026-03-05 02:26:12 -08:00
commit f61e85d9a7
337 changed files with 75282 additions and 0 deletions
--- a/dashcaddy-api/license-keygen.js
+++ b/dashcaddy-api/license-keygen.js
@@ -0,0 +1,313 @@
+#!/usr/bin/env node
+/**
+ * DashCaddy License Code Generator
+ *
+ * Admin-only CLI tool for generating license codes.
+ * NOT shipped with the product — runs only on the developer's machine.
+ *
+ * Usage:
+ *   node license-keygen.js --duration 365 --count 10
+ *   node license-keygen.js --duration 30 --count 1 --output codes.txt
+ *   node license-keygen.js --verify DC-XXXXX-XXXXX-XXXXX-XXXXX
+ *   node license-keygen.js --init-secret
+ */
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+// Master secret file — lives only on admin machine, NEVER shipped
+const SECRET_FILE = path.join(__dirname, '.license-secret');
+
+// License code format: DC-AAAAA-BBBBB-CCCCC-DDDDD
+// Encodes: version(4bit) + duration_days(12bit) + code_id(32bit) + created_ts(32bit) + hmac(48bit)
+// Total: 128 bits = 16 bytes, base32-encoded into 4 groups of 5 chars
+
+const VALID_DURATIONS = [30, 90, 180, 365];
+const LIFETIME_DURATION = 0; // Admin-only, not publicly available
+const VERSION = 1;
+
+// Base32 alphabet (Crockford variant — no I/L/O/U to avoid confusion)
+const BASE32 = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';
+
+function base32Encode(buffer) {
+  let bits = '';
+  for (const byte of buffer) {
+    bits += byte.toString(2).padStart(8, '0');
+  }
+  // Pad to multiple of 5
+  while (bits.length % 5 !== 0) bits += '0';
+  let result = '';
+  for (let i = 0; i < bits.length; i += 5) {
+    const index = parseInt(bits.substring(i, i + 5), 2);
+    result += BASE32[index];
+  }
+  return result;
+}
+
+function base32Decode(str) {
+  let bits = '';
+  for (const char of str.toUpperCase()) {
+    const index = BASE32.indexOf(char);
+    if (index === -1) throw new Error(`Invalid base32 character: ${char}`);
+    bits += index.toString(2).padStart(5, '0');
+  }
+  const bytes = [];
+  for (let i = 0; i + 8 <= bits.length; i += 8) {
+    bytes.push(parseInt(bits.substring(i, i + 8), 2));
+  }
+  return Buffer.from(bytes);
+}
+
+function getSecret() {
+  if (!fs.existsSync(SECRET_FILE)) {
+    console.error('No master secret found. Run with --init-secret first.');
+    process.exit(1);
+  }
+  return fs.readFileSync(SECRET_FILE, 'utf8').trim();
+}
+
+function initSecret() {
+  if (fs.existsSync(SECRET_FILE)) {
+    console.error('Master secret already exists at', SECRET_FILE);
+    console.error('Delete it first if you want to regenerate (WARNING: invalidates all existing codes).');
+    process.exit(1);
+  }
+  const secret = crypto.randomBytes(32).toString('hex');
+  fs.writeFileSync(SECRET_FILE, secret, { mode: 0o600 });
+  console.log('Master secret generated and saved to', SECRET_FILE);
+  console.log('KEEP THIS FILE SAFE. It is needed to generate and validate all license codes.');
+  console.log('DO NOT ship this file with the product.');
+}
+
+function generateCode(secret, durationDays, codeId) {
+  // Pack payload: version(4b) + duration_days(12b) + code_id(32b) + created_ts(32b) = 80 bits = 10 bytes
+  const payload = Buffer.alloc(10);
+
+  // Byte 0-1: version (4 bits) + duration (12 bits) = 16 bits
+  const versionAndDuration = ((VERSION & 0x0F) << 12) | (durationDays & 0x0FFF);
+  payload.writeUInt16BE(versionAndDuration, 0);
+
+  // Byte 2-5: code_id (32 bits)
+  payload.writeUInt32BE(codeId, 2);
+
+  // Byte 6-9: created timestamp (32 bits, seconds since epoch)
+  const createdTs = Math.floor(Date.now() / 1000);
+  payload.writeUInt32BE(createdTs, 6);
+
+  // HMAC the payload to get signature
+  const hmac = crypto.createHmac('sha256', secret).update(payload).digest();
+  // Take first 5 bytes of HMAC (40 bits) — fits exactly in 25 base32 chars with 10-byte payload
+  const signature = hmac.subarray(0, 5);
+
+  // Combine: payload (10 bytes) + signature (5 bytes) = 15 bytes = 120 bits
+  // 25 base32 chars = 125 bits, comfortably fits 120 bits
+  const combined = Buffer.concat([payload, signature]);
+
+  let encoded = base32Encode(combined);
+  while (encoded.length < 25) encoded += '0';
+  encoded = encoded.substring(0, 25);
+  const groups = [];
+  for (let i = 0; i < 25; i += 5) {
+    groups.push(encoded.substring(i, i + 5));
+  }
+
+  return `DC-${groups.join('-')}`;
+}
+
+function parseCode(code) {
+  // Strip prefix and dashes
+  const cleaned = code.replace(/^DC-/, '').replace(/-/g, '');
+  if (cleaned.length !== 25) {
+    throw new Error(`Invalid code length: expected 25 base32 chars, got ${cleaned.length}`);
+  }
+
+  // Decode base32 — 25 chars = 125 bits = 15 full bytes
+  const decoded = base32Decode(cleaned);
+  if (decoded.length < 15) {
+    const padded = Buffer.alloc(15);
+    decoded.copy(padded);
+    return parsePayload(padded);
+  }
+  return parsePayload(decoded.subarray(0, 15));
+}
+
+function parsePayload(buffer) {
+  const payload = buffer.subarray(0, 10);
+  const signature = buffer.subarray(10, 15);
+
+  const versionAndDuration = payload.readUInt16BE(0);
+  const version = (versionAndDuration >> 12) & 0x0F;
+  const durationDays = versionAndDuration & 0x0FFF;
+  const codeId = payload.readUInt32BE(2);
+  const createdTs = payload.readUInt32BE(6);
+
+  return { version, durationDays, codeId, createdTs, payload, signature };
+}
+
+function verifyCode(secret, code) {
+  try {
+    const { version, durationDays, codeId, createdTs, payload, signature } = parseCode(code);
+
+    // Verify HMAC (5-byte signature)
+    const expectedHmac = crypto.createHmac('sha256', secret).update(payload).digest();
+    const expectedSig = expectedHmac.subarray(0, 5);
+
+    if (!crypto.timingSafeEqual(signature, expectedSig)) {
+      return { valid: false, reason: 'Invalid signature — code is forged or corrupted' };
+    }
+
+    if (version !== VERSION) {
+      return { valid: false, reason: `Unsupported version: ${version}` };
+    }
+
+    // Accept lifetime (0) and standard durations
+    if (durationDays !== LIFETIME_DURATION && !VALID_DURATIONS.includes(durationDays)) {
+      return { valid: false, reason: `Invalid duration: ${durationDays} days` };
+    }
+
+    const createdDate = new Date(createdTs * 1000);
+    const isLifetime = durationDays === LIFETIME_DURATION;
+    const expiresDate = isLifetime ? null : new Date(createdTs * 1000 + durationDays * 86400000);
+
+    return {
+      valid: true,
+      version,
+      durationDays,
+      codeId,
+      createdAt: createdDate.toISOString(),
+      expiresAt: isLifetime ? null : expiresDate.toISOString(),
+      expired: isLifetime ? false : Date.now() > expiresDate.getTime()
+    };
+  } catch (error) {
+    return { valid: false, reason: error.message };
+  }
+}
+
+// CLI
+function main() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.length === 0) {
+    console.log(`
+DashCaddy License Code Generator
+
+Usage:
+  node license-keygen.js --init-secret              Initialize master secret (first time only)
+  node license-keygen.js --duration <days> [options] Generate license codes
+  node license-keygen.js --verify <code>             Verify a license code
+  node license-keygen.js --decode <code>             Decode and display code details
+
+Options:
+  --duration <days>    Code validity: 30, 90, 180, or 365 days (required for generation)
+  --count <n>          Number of codes to generate (default: 1)
+  --start-id <n>       Starting code ID (default: auto from counter file)
+  --output <file>      Write codes to file instead of stdout
+  --json               Output as JSON
+
+Valid durations: ${VALID_DURATIONS.join(', ')} days
+    `);
+    process.exit(0);
+  }
+
+  if (args.includes('--init-secret')) {
+    initSecret();
+    return;
+  }
+
+  if (args.includes('--verify') || args.includes('--decode')) {
+    const codeIndex = args.indexOf('--verify') !== -1 ? args.indexOf('--verify') : args.indexOf('--decode');
+    const code = args[codeIndex + 1];
+    if (!code) {
+      console.error('Please provide a code to verify.');
+      process.exit(1);
+    }
+    const secret = getSecret();
+    const result = verifyCode(secret, code);
+    if (args.includes('--json')) {
+      console.log(JSON.stringify(result, null, 2));
+    } else if (result.valid) {
+      const isLifetime = result.durationDays === 0;
+      console.log('Code is VALID');
+      console.log(`  Version:    ${result.version}`);
+      console.log(`  Duration:   ${isLifetime ? 'LIFETIME' : result.durationDays + ' days'}`);
+      console.log(`  Code ID:    ${result.codeId}`);
+      console.log(`  Created:    ${result.createdAt}`);
+      console.log(`  Expires:    ${isLifetime ? 'NEVER' : result.expiresAt}`);
+      console.log(`  Status:     ${isLifetime ? 'LIFETIME' : (result.expired ? 'EXPIRED' : 'ACTIVE')}`);
+    } else {
+      console.log('Code is INVALID');
+      console.log(`  Reason: ${result.reason}`);
+    }
+    return;
+  }
+
+  // Generate codes
+  const isLifetime = args.includes('--lifetime');
+  const durationIndex = args.indexOf('--duration');
+  if (!isLifetime && durationIndex === -1) {
+    console.error('--duration is required. Use --help for usage.');
+    process.exit(1);
+  }
+  const duration = isLifetime ? LIFETIME_DURATION : parseInt(args[durationIndex + 1]);
+  if (!isLifetime && !VALID_DURATIONS.includes(duration)) {
+    console.error(`Invalid duration: ${duration}. Valid: ${VALID_DURATIONS.join(', ')}`);
+    process.exit(1);
+  }
+
+  const countIndex = args.indexOf('--count');
+  const count = countIndex !== -1 ? parseInt(args[countIndex + 1]) : 1;
+
+  // Load or create counter file for auto-incrementing code IDs
+  const counterFile = path.join(__dirname, '.license-counter');
+  let startId;
+  const startIdIndex = args.indexOf('--start-id');
+  if (startIdIndex !== -1) {
+    startId = parseInt(args[startIdIndex + 1]);
+  } else if (fs.existsSync(counterFile)) {
+    startId = parseInt(fs.readFileSync(counterFile, 'utf8').trim()) + 1;
+  } else {
+    startId = 1;
+  }
+
+  const secret = getSecret();
+  const codes = [];
+
+  for (let i = 0; i < count; i++) {
+    const codeId = startId + i;
+    const code = generateCode(secret, duration, codeId);
+    codes.push({ code, codeId, durationDays: duration });
+  }
+
+  // Save counter
+  fs.writeFileSync(counterFile, String(startId + count - 1));
+
+  // Output
+  const outputIndex = args.indexOf('--output');
+  if (args.includes('--json')) {
+    const output = JSON.stringify(codes, null, 2);
+    if (outputIndex !== -1) {
+      fs.writeFileSync(args[outputIndex + 1], output);
+      console.log(`${count} code(s) written to ${args[outputIndex + 1]}`);
+    } else {
+      console.log(output);
+    }
+  } else {
+    const lines = codes.map(c => `${c.code}  (${c.durationDays === 0 ? 'LIFETIME' : c.durationDays + ' days'}, ID: ${c.codeId})`);
+    if (outputIndex !== -1) {
+      fs.writeFileSync(args[outputIndex + 1], codes.map(c => c.code).join('\n') + '\n');
+      console.log(`${count} code(s) written to ${args[outputIndex + 1]}`);
+    } else {
+      lines.forEach(l => console.log(l));
+    }
+  }
+
+  console.log(`\nGenerated ${count} code(s) for ${duration === 0 ? 'LIFETIME' : duration + ' days'}. Next ID: ${startId + count}`);
+}
+
+// Also export for use by license-manager.js
+module.exports = { verifyCode, parseCode, VALID_DURATIONS, VERSION };
+
+if (require.main === module) {
+  main();
+}