refresh hub license token via API with ALTCHA captcha verification

tobihagemann · tobihagemann · commit a9686bcc2c00 · 2026-02-06T07:59:36.000+01:00
Instead of using the store's token directly, the billing page now
refreshes the license token through the /licenses/hub/refresh API
endpoint with captcha verification. On normal visits the token is
displayed inline; on checkout/modification flows the user is
redirected back to Hub. Also extracts captcha widget into a reusable
partial and fixes Paddle passthrough JSON serialization.
diff --git a/assets/js/hubsubscription.js b/assets/js/hubsubscription.js
@@ -5,6 +5,7 @@ const CUSTOM_BILLING_URL = LEGACY_STORE_URL + '/hub/custom-billing';
 const GENERATE_PAY_LINK_URL = LEGACY_STORE_URL + '/hub/generate-pay-link';
 const MANAGE_SUBSCRIPTION_URL = LEGACY_STORE_URL + '/hub/manage-subscription';
 const UPDATE_PAYMENT_METHOD_URL = LEGACY_STORE_URL + '/hub/update-payment-method';
+const REFRESH_LICENSE_URL = API_BASE_URL + '/licenses/hub/refresh';
 
 class HubSubscription {
 
@@ -56,14 +57,15 @@ class HubSubscription {
   }
 
   onLoadSubscriptionSucceeded(data) {
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     if (data.subscription.quantity) {
       this._subscriptionData.quantity = data.subscription.quantity;
     }
     this._subscriptionData.state = 'EXISTING_CUSTOMER';
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
+    this._subscriptionData.needsTokenRefresh = true;
   }
 
   onLoadSubscriptionFailed(status, error) {
@@ -271,7 +273,7 @@ class HubSubscription {
         override: payLink,
         email: this._subscriptionData.email,
         locale: locale,
-        passthrough: '{"hub_id": ' + this._subscriptionData.hubId + '}',
+        passthrough: JSON.stringify({ hub_id: this._subscriptionData.hubId }),
         successCallback: data => this.getPaddleOrderDetails(data.checkout.id),
         closeCallback: () => {
           this._subscriptionData.inProgress = false;
@@ -311,7 +313,7 @@ class HubSubscription {
 
   onPostSucceeded(data) {
     this._subscriptionData.state = 'EXISTING_CUSTOMER';
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     this._subscriptionData.session = data.session;
     var searchParams = new URLSearchParams(window.location.search)
@@ -320,7 +322,8 @@ class HubSubscription {
     history.pushState(null, '', newRelativePathQuery);
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
-    this.transferTokenToHub();
+    this._subscriptionData.shouldTransferToHub = true;
+    this._subscriptionData.needsTokenRefresh = true;
   }
 
   onPostFailed(error) {
@@ -477,12 +480,13 @@ class HubSubscription {
   }
 
   onPutSucceeded(data, shouldOpenReturnUrl) {
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
     if (shouldOpenReturnUrl) {
-      this.transferTokenToHub();
+      this._subscriptionData.shouldTransferToHub = true;
+      this._subscriptionData.needsTokenRefresh = true;
     }
   }
 
@@ -494,6 +498,30 @@ class HubSubscription {
     this._subscriptionData.inProgress = false;
   }
 
+  refreshToken() {
+    this._subscriptionData.inProgress = true;
+    this._subscriptionData.errorMessage = '';
+    $.ajax({
+      url: REFRESH_LICENSE_URL,
+      type: 'POST',
+      data: {
+        token: this._subscriptionData.verificationToken,
+        captcha: this._subscriptionData.captcha
+      }
+    }).done(token => {
+      this._subscriptionData.token = token;
+      this._subscriptionData.needsTokenRefresh = false;
+      this._subscriptionData.errorMessage = '';
+      this._subscriptionData.inProgress = false;
+      if (this._subscriptionData.shouldTransferToHub) {
+        this.transferTokenToHub();
+      }
+    }).fail(xhr => {
+      this._subscriptionData.errorMessage = xhr.responseJSON?.message || 'Refreshing license failed.';
+      this._subscriptionData.inProgress = false;
+    });
+  }
+
   transferTokenToHub() {
     window.open(this._subscriptionData.returnUrl + '?token=' + this._subscriptionData.token, '_self');
   }
diff --git a/layouts/hub-billing/single.html b/layouts/hub-billing/single.html
@@ -3,7 +3,7 @@
 {{ end }}
 {{ define "main" }}
   <div class="container pt-12 pb-24">
-    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, session: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: ''}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
+    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, session: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: '', needsTokenRefresh: false, shouldTransferToHub: false}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
       <template x-if="subscriptionData.state == 'MISSING_PARAMS'">
         <div class="text-center max-w-xl mx-auto">
           <h3 class="font-headline text-xl md:text-2xl leading-relaxed mb-4">
@@ -179,6 +179,14 @@ <h2 class="font-h2 mb-4 mt-12">
           <button :disabled="subscriptionData.inProgress || !subscriptionData.token" class="btn btn-primary text-center w-full md:w-64 mt-4" @click.prevent="hubSubscription.transferTokenToHub()">
             {{ i18n "hub_billing_manage_license_key_transfer_action" . }}
           </button>
+          <div x-show="subscriptionData.needsTokenRefresh && !subscriptionData.inProgress" class="mt-4">
+            {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
+            {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "subscriptionData.captcha" "captchaState" "captchaState" "ref" "refreshCaptcha" "auto" "onload" "onVerified" "hubSubscription.refreshToken()") }}
+          </div>
+          <p x-show="subscriptionData.needsTokenRefresh && subscriptionData.inProgress" class="text-sm text-gray-600 mt-4">
+            <i class="fa-solid fa-spinner fa-spin"></i>
+            {{ i18n "hub_billing_loading_description" . }}
+          </p>
 
           <div x-show="subscriptionData.restartModal.open" class="relative z-10" aria-labelledby="restart-modal-title" role="dialog" aria-modal="true">
             <div class="fixed inset-0 bg-gray-500/75"></div>
diff --git a/layouts/hub-register/single.html b/layouts/hub-register/single.html
@@ -171,22 +171,8 @@ <h2 class="font-h2 mb-6">
 
               <!-- Captcha (auto-starts on load, hidden when done) -->
               <div x-show="!feedbackData.licenseText" class="mb-4">
-                <altcha-widget
-                  challengeurl="{{ .Site.Params.apiBaseUrl }}/licenses/hub/challenge"
-                  hidelogo
-                  hidefooter
-                  auto="onload"
-                  @statechange="captchaState = $event.detail.state; if ($event.detail.state === 'verified') { submitData.captcha = $event.detail.payload; hubCE.getHubLicense() }"
-                  :strings="JSON.stringify({
-                    label: '{{ i18n "altcha_label" }}',
-                    error: '{{ i18n "altcha_error" }}',
-                    expired: '{{ i18n "altcha_expired" }}',
-                    verified: '{{ i18n "altcha_verified" }}',
-                    verifying: '{{ i18n "altcha_verifying" }}',
-                    waitAlert: '{{ i18n "altcha_waitAlert" }}'
-                  })"
-                  x-ref="licenseCaptcha"
-                ></altcha-widget>
+                {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
+                {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "submitData.captcha" "captchaState" "captchaState" "ref" "licenseCaptcha" "auto" "onload" "onVerified" "hubCE.getHubLicense()") }}
               </div>
 
               <!-- Loading state -->
diff --git a/layouts/partials/captcha.html b/layouts/partials/captcha.html
@@ -2,8 +2,8 @@
   challengeurl="{{ .challengeUrl }}"
   hidelogo
   hidefooter
-  floating="auto"
-  @statechange="{{ .captchaState }} = $event.detail.state; if ($event.detail.state === 'verified') { {{ .captchaPayload }} = $event.detail.payload }"
+  {{ with .auto }}auto="{{ . }}"{{ else }}floating="auto"{{ end }}
+  @statechange="{{ .captchaState }} = $event.detail.state; if ($event.detail.state === 'verified') { {{ .captchaPayload }} = $event.detail.payload{{ with .onVerified }}; {{ . }}{{ end }} }"
   :strings="JSON.stringify({
     label: '{{ i18n "altcha_label" }}',
     error: '{{ i18n "altcha_error" }}',
