feat: verify_license_assertion_jwt + verify_with_details (PyJWT)

Author: VoxHash

licensechain/__init__.py

@@ -11,6 +11,7 @@
     SerializationError, DeserializationError, ConfigurationError, UnknownError
 )
 from .webhook_handler import WebhookHandler, WebhookEvents
+from .license_assertion import LICENSE_TOKEN_USE_CLAIM, verify_license_assertion_jwt
 from .utils import (
     validate_email, validate_license_key, validate_uuid, validate_amount,
     validate_currency, validate_status, sanitize_input, sanitize_metadata,
@@ -28,6 +29,8 @@
 __email__ = 'support@licensechain.app'
 
 __all__ = [
+    'LICENSE_TOKEN_USE_CLAIM',
+    'verify_license_assertion_jwt',
     'Client',
     'WebhookHandler',
     'WebhookEvents',

licensechain/license_assertion.py

@@ -0,0 +1,38 @@
+"""Verify LicenseChain license_token (RS256) via JWKS."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Optional
+
+LICENSE_TOKEN_USE_CLAIM = "licensechain_license_v1"
+
+
+def verify_license_assertion_jwt(
+    token: str,
+    jwks_url: str,
+    *,
+    expected_app_id: Optional[str] = None,
+    issuer: Optional[str] = None,
+) -> Dict[str, Any]:
+    """
+    Verify license_token from POST /v1/licenses/verify using license_jwks_uri or GET /v1/licenses/jwks.
+
+    Requires: PyJWT and cryptography (see requirements.txt).
+    """
+    import jwt
+    from jwt import PyJWKClient
+
+    jwks_client = PyJWKClient(jwks_url)
+    signing_key = jwks_client.get_signing_key_from_jwt(token)
+    decode_kw: Dict[str, Any] = {
+        "algorithms": ["RS256"],
+        "options": {"verify_aud": False},
+    }
+    if issuer:
+        decode_kw["issuer"] = issuer
+    payload = jwt.decode(token, signing_key.key, **decode_kw)
+    if payload.get("token_use") != LICENSE_TOKEN_USE_CLAIM:
+        raise ValueError(f'Invalid license token: expected token_use "{LICENSE_TOKEN_USE_CLAIM}"')
+    if expected_app_id is not None and expected_app_id != "" and payload.get("aud") != expected_app_id:
+        raise ValueError("Invalid license token: aud does not match expected app id")
+    return payload

licensechain/services/license_service.py

@@ -64,6 +64,17 @@ def validate(self, license_key: str, hwuid: Optional[str] = None) -> bool:
             payload['hwuid'] = hashlib.sha256(raw.encode("utf-8")).hexdigest()
         response = self.api_client.post('/licenses/verify', payload)
         return response.get('valid', False)
+
+    def verify_with_details(self, license_key: str, hwuid: Optional[str] = None) -> Dict[str, Any]:
+        """Full POST /licenses/verify response (optional license_token, license_jwks_uri)."""
+        validate_not_empty(license_key, 'license_key')
+        payload: Dict[str, Any] = {'key': license_key}
+        if hwuid and hwuid.strip():
+            payload['hwuid'] = hwuid.strip()
+        else:
+            raw = f"licensechain|python|{socket.gethostname()}|{platform.system()}|{platform.machine()}"
+            payload['hwuid'] = hashlib.sha256(raw.encode("utf-8")).hexdigest()
+        return self.api_client.post('/licenses/verify', payload)
 
     def list_user_licenses(self, user_id: str, page: Optional[int] = None, limit: Optional[int] = None) -> Dict[str, Any]:
         """List licenses for a user."""

requirements.txt

@@ -7,3 +7,4 @@ typing-extensions>=4.5.0
 # Optional dependencies for enhanced functionality
 cryptography>=41.0.0
 python-dateutil>=2.8.0
+PyJWT>=2.8.0