Refresh Hub license token via API with captcha #143
Conversation
Instead of using the store's token directly, the billing page now refreshes the license token through the /licenses/hub/refresh API endpoint with captcha verification. On normal visits the token is displayed inline; on checkout/modification flows the user is redirected back to Hub. Also extracts captcha widget into a reusable partial and fixes Paddle passthrough JSON serialization.
Show a Retry button when the license token refresh fails, allowing the user to re-trigger the captcha and refresh flow. Switch the captcha container from x-show to x-if so the ALTCHA widget is fully destroyed and recreated on retry, guaranteeing a fresh challenge.
WalkthroughAdds a license token refresh workflow: new REFRESH_LICENSE_URL constant and HubSubscription.refreshToken() POST flow that handles captcha-verified token refresh, errors, and conditional post-refresh transfer. Replaces direct token usage with verificationToken across load/post/put flows and adds subscription flags needsTokenRefresh and shouldTransferToHub to control refresh and transfer behavior. Updates UI templates to surface captcha-driven refresh states and replaces inline captcha widgets with a reusable captcha partial that supports onVerified callbacks. Adds i18n keys for a retry action. Minor changes to generate-pay-link payload formatting. Estimated code review effort🎯 3 (Moderate) | ⏱️ ~23 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
No actionable comments were generated in the recent review. 🎉 Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@layouts/hub-billing/single.html`:
- Around line 179-194: The "Retry" button is shown even when the captcha is
auto-started because x-show only checks subscriptionData.token; update the Retry
button's visibility to also require that the captcha is not active (e.g. change
its x-show to !subscriptionData.token && !subscriptionData.needsTokenRefresh) so
it is hidden while subscriptionData.needsTokenRefresh is true, or alternatively
keep it visible but change its label logic to a generic action when
subscriptionData.needsTokenRefresh is true; adjust the button that currently
references subscriptionData.token and subscriptionData.needsTokenRefresh
accordingly (the button with `@click.prevent` setting
subscriptionData.errorMessage = ''; subscriptionData.needsTokenRefresh = true).
| hidefooter | ||
| floating="auto" | ||
| @statechange="{{ .captchaState }} = $event.detail.state; if ($event.detail.state === 'verified') { {{ .captchaPayload }} = $event.detail.payload }" | ||
| {{ with .auto }}auto="{{ . }}"{{ else }}floating="auto"{{ end }} |
There was a problem hiding this comment.
What is floating="auto"? I am pretty sure this is not to be confused with auto=...
There was a problem hiding this comment.
floating="auto" displays the widget as a popup near the submit button and internally sets auto="onsubmit" (see Floating UI docs). This is the default behavior we've used for all captchas until now.
With the new hub-register and hub-billing flows, we need auto="onload" instead so the captcha starts solving immediately. In that case we shouldn't also set floating="auto" since it would override auto back to onsubmit. That's why they're mutually exclusive in the template.
Does that make sense?
2 participants
The billing page now refreshes the Hub license token through the
/licenses/hub/refreshAPI endpoint instead of exposing it directly from the store response. A captcha challenge is required before the token is issued, and on checkout/modification flows the user is redirected back to Hub automatically. If the refresh fails, a Retry button lets the user re-trigger the captcha and try again (usingx-ifto fully recreate the widget). Also extracts the captcha widget into the reusablecaptcha.htmlpartial and fixes Paddle passthrough JSON serialization.