Add offline JWT-based license validation system for React on Rails Pro (#1857)

* Add offline JWT-based license validation system for React on Rails Pro

Implements a pure offline license validation system using JWT tokens signed
with RSA-256. No internet connectivity required for validation.

Key features:
- JWT-based licenses verified with embedded public key (RSA-256)
- Offline validation in Ruby gem and Node renderer
- Environment variable or config file support
- Development-friendly (warnings) vs production (errors)
- Zero impact on browser bundle size
- Comprehensive test coverage

Changes:
- Add JWT dependencies (Ruby jwt gem, Node jsonwebtoken)
- Create license validation modules for Ruby and Node
- Integrate validation into Rails context (rorPro field)
- Add license check on Node renderer startup
- Update .gitignore for license file
- Add comprehensive tests for both Ruby and Node
- Create LICENSE_SETUP.md documentation

The system validates licenses at:
1. Ruby gem initialization (Rails startup)
2. Node renderer startup
3. Browser relies on server validation (railsContext.rorPro)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Add React on Rails Pro license file to .gitignore in multiple locations

* add needed licence rake tasks

* Require exp field in license validation

* Add tests for required exp field validation

* Require valid license in all environments (dev, test, prod)

Breaking Change: All environments now require valid licenses

* Add license validation on startup for both Rails and Node renderer

* Change license field from 'license_type' to 'plan' and add 'issued_by' support

* Remove obsolete license key file from the dummy config

* Add React on Rails Pro license file to .gitignore and Gemfile.lock

* Fix require statement in license validator spec to use spec_helper

* update yarn.lock

* Fix license validator spec by stubbing Rails.logger and Rails.root

* Fix Node.js license validator tests and disable auto-expiration check

- Add ignoreExpiration: true to jwt.verify() to match Ruby behavior
- Mock process.exit globally in tests to prevent actual exit
- Mock console.error and console.log to suppress test output
- Update all invalid license tests to check process.exit was called
- Simplify file-based license test to use ENV variable
- All 9 Node.js tests now passing

Changes align Node.js validator with Ruby validator:
- Both manually check expiration after disabling auto-check
- Both call exit/raise on invalid licenses
- Both provide consistent error messages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Remove react_on_rails_pro_licence_valid? and consolidate to react_on_rails_pro?

* Make react_on_rails_pro? actively validate license and remove backward compatibility

* Remove redundant 'before: :load_config_initializers' hook from license validation

* Rename validation methods to use ! convention for exception-throwing

* Update license public key documentation and source URL

* Refactor license validation to remove unnecessary conditional logging

* Refactor LicensePublicKey module documentation for clarity and consistency

* Refactor LicenseValidator to simplify validation logic and remove unnecessary checks

* Refactor Node.js license validator from singleton class to functional pattern

* Enhance license data structure and improve security in license validation

* Refactor validateLicense to void function for clearer API semantics

* Enhance public key update task with local URL handling and add usage instructions

* Enhance ReactOnRailsHelper spec by mocking additional utility methods for improved test coverage

* Enhance pro features context by allowing multiple message stubs for improved test flexibility

* Enhance pro features context by adding support for RSC in immediate hydration

* fix TS problems

* Enhance license validation test by generating a separate key pair for invalid signature scenario

* Refactor license claims in JWT to use standard 'iss' identifier and update related tests for improved clarity and consistency

* Implement license expiration handling with a 1-month grace period for production environments and update related tests for clarity and coverage

* Add license attribution comment and refactor license validation methods for clarity

* Refactor license validation methods to use 'validated_license_data!' for improved clarity and consistency

* Add tests for react_on_rails_attribution_comment to verify Pro and open source license comments

* Add tests for Pro and open source attribution comments in rendered output

* Add tests for single attribution comment inclusion in React on Rails Pro and non-Pro scenarios

* Refactor license evaluation logic and improve error handling for missing license

* Remove unnecessary setup in pro_attribution_comment tests for cleaner context

* Stub ReactOnRailsPro::Utils.pro_attribution_comment for consistent test behavior across all contexts

* Update tests to expect HTML comments instead of script tags for React components

* Stub ReactOnRailsPro::Utils.pro_attribution_comment for consistent test behavior

* Update documentation to clarify license usage and add HTML comment attribution for React on Rails

* Refactor license validation logic to use getValidatedLicenseData and update tests for consistency

* Update grace period message format to use "day(s)" for consistency in attribution comments

---------

Co-authored-by: Claude <[email protected]>

Author: AbanoubGhadban

CHANGELOG.md

@@ -23,6 +23,10 @@ After a release, please make sure to run `bundle exec rake update_changelog`. Th
 
 Changes since the last non-beta release.
 
+#### Added
+
+- **Attribution Comment**: Added HTML comment attribution to Rails views containing React on Rails functionality. The comment automatically displays which version is in use (open source React on Rails or React on Rails Pro) and, for Pro users, shows the license status. This helps identify React on Rails usage across your application. [PR #1857](https://github.com/shakacode/react_on_rails/pull/1857) by [AbanoubGhadban](https://github.com/AbanoubGhadban).
+
 #### Breaking Changes
 
 - **React on Rails Core Package**: Several Pro-only methods have been removed from the core package and are now exclusively available in the `react-on-rails-pro` package. If you're using any of the following methods, you'll need to migrate to React on Rails Pro:
@@ -65,7 +69,7 @@ To migrate to React on Rails Pro:
    import ReactOnRails from 'react-on-rails-pro';
    ```
 
-4. If you're using a free license for personal (non-production) use, you can obtain one at [React on Rails Pro License](https://www.shakacode.com/react-on-rails-pro). The Pro package is free for personal, educational, and non-production usage.
+4. If you're using a free license, you can obtain one at [React on Rails Pro License](https://www.shakacode.com/react-on-rails-pro). **Important: The free 3-month evaluation license is intended for personal, educational, and evaluation purposes only. It should NOT be used for production deployments.** Production use requires a paid license.
 
 **Note:** If you're not using any of the Pro-only methods listed above, no changes are required.
 

lib/react_on_rails/helper.rb

@@ -620,10 +620,23 @@ def rails_context_if_not_already_rendered
 
       @rendered_rails_context = true
 
-      content_tag(:script,
-                  json_safe_and_pretty(data).html_safe,
-                  type: "application/json",
-                  id: "js-react-on-rails-context")
+      attribution_comment = react_on_rails_attribution_comment
+      script_tag = content_tag(:script,
+                               json_safe_and_pretty(data).html_safe,
+                               type: "application/json",
+                               id: "js-react-on-rails-context")
+
+      "#{attribution_comment}\n#{script_tag}".html_safe
+    end
+
+    # Generates the HTML attribution comment
+    # Pro version calls ReactOnRailsPro::Utils for license-specific details
+    def react_on_rails_attribution_comment
+      if ReactOnRails::Utils.react_on_rails_pro?
+        ReactOnRailsPro::Utils.pro_attribution_comment
+      else
+        "<!-- Powered by React on Rails (c) ShakaCode | Open Source -->"
+      end
     end
 
     # prepend the rails_context if not yet applied

lib/react_on_rails/pro_utils.rb

@@ -5,9 +5,9 @@ module ProUtils
     PRO_ONLY_OPTIONS = %i[immediate_hydration].freeze
 
     # Checks if React on Rails Pro features are available
-    # @return [Boolean] true if Pro license is valid, false otherwise
+    # @return [Boolean] true if Pro is installed and licensed, false otherwise
     def self.support_pro_features?
-      ReactOnRails::Utils.react_on_rails_pro_licence_valid?
+      ReactOnRails::Utils.react_on_rails_pro?
     end
 
     def self.disable_pro_render_options_if_not_licensed(raw_options)

lib/react_on_rails/utils.rb

@@ -228,11 +228,19 @@ def self.gem_available?(name)
       end
     end
 
-    # Todo -- remove this for v13, as we don't need both boolean and number
+    # Checks if React on Rails Pro is installed and licensed.
+    # This method validates the license and will raise an exception if invalid.
+    #
+    # @return [Boolean] true if Pro is available with valid license
+    # @raise [ReactOnRailsPro::Error] if license is invalid
     def self.react_on_rails_pro?
       return @react_on_rails_pro if defined?(@react_on_rails_pro)
 
-      @react_on_rails_pro = gem_available?("react_on_rails_pro")
+      @react_on_rails_pro = begin
+        return false unless gem_available?("react_on_rails_pro")
+
+        ReactOnRailsPro::Utils.validated_license_data!.present?
+      end
     end
 
     # Return an empty string if React on Rails Pro is not installed
@@ -246,21 +254,6 @@ def self.react_on_rails_pro_version
                                     end
     end
 
-    def self.react_on_rails_pro_licence_valid?
-      return @react_on_rails_pro_licence_valid if defined?(@react_on_rails_pro_licence_valid)
-
-      @react_on_rails_pro_licence_valid = begin
-        return false unless react_on_rails_pro?
-
-        # Maintain compatibility with legacy versions of React on Rails Pro:
-        # Earlier releases did not require license validation, as they were distributed as private gems.
-        # This check ensures that the method works correctly regardless of the installed version.
-        return true unless ReactOnRailsPro::Utils.respond_to?(:licence_valid?)
-
-        ReactOnRailsPro::Utils.licence_valid?
-      end
-    end
-
     def self.rsc_support_enabled?
       return false unless react_on_rails_pro?
 

react_on_rails_pro/.gitignore

@@ -72,3 +72,6 @@ yalc.lock
 
 # File Generated by ROR FS-based Registry
 **/generated
+
+# React on Rails Pro License Key
+config/react_on_rails_pro_license.key

react_on_rails_pro/CHANGELOG.md

@@ -18,6 +18,7 @@ You can find the **package** version numbers from this repo's tags and below in
 
 ### Added
 - Added `cached_stream_react_component` helper method, similar to `cached_react_component` but for streamed components.
+- **License Validation System**: Implemented comprehensive JWT-based license validation with offline verification using RSA-256 signatures. License validation occurs at startup in both Ruby and Node.js environments. Supports required fields (`sub`, `iat`, `exp`) and optional fields (`plan`, `organization`, `iss`). FREE evaluation licenses are available for 3 months at [shakacode.com/react-on-rails-pro](https://shakacode.com/react-on-rails-pro). [PR #1857](https://github.com/shakacode/react_on_rails/pull/1857) by [AbanoubGhadban](https://github.com/AbanoubGhadban).
 
 ### Changed (Breaking)
 - `config.prerender_caching`, which controls caching for non-streaming components, now also controls caching for streamed components. To disable caching for an individual render, pass `internal_option(:skip_prerender_cache)`.