From a9686bcc2c00db5078e5f84a145eacbbfa969262 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Fri, 6 Feb 2026 07:59:36 +0100
Subject: [PATCH 1/3] refresh hub license token via API with ALTCHA captcha
 verification

Instead of using the store's token directly, the billing page now
refreshes the license token through the /licenses/hub/refresh API
endpoint with captcha verification. On normal visits the token is
displayed inline; on checkout/modification flows the user is
redirected back to Hub. Also extracts captcha widget into a reusable
partial and fixes Paddle passthrough JSON serialization.
---
 assets/js/hubsubscription.js     | 40 +++++++++++++++++++++++++++-----
 layouts/hub-billing/single.html  | 10 +++++++-
 layouts/hub-register/single.html | 18 ++------------
 layouts/partials/captcha.html    |  4 ++--
 4 files changed, 47 insertions(+), 25 deletions(-)

diff --git a/assets/js/hubsubscription.js b/assets/js/hubsubscription.js
index db82044b0..727dfb790 100644
--- a/assets/js/hubsubscription.js
+++ b/assets/js/hubsubscription.js
@@ -5,6 +5,7 @@ const CUSTOM_BILLING_URL = LEGACY_STORE_URL + '/hub/custom-billing';
 const GENERATE_PAY_LINK_URL = LEGACY_STORE_URL + '/hub/generate-pay-link';
 const MANAGE_SUBSCRIPTION_URL = LEGACY_STORE_URL + '/hub/manage-subscription';
 const UPDATE_PAYMENT_METHOD_URL = LEGACY_STORE_URL + '/hub/update-payment-method';
+const REFRESH_LICENSE_URL = API_BASE_URL + '/licenses/hub/refresh';
 
 class HubSubscription {
 
@@ -56,7 +57,7 @@ class HubSubscription {
   }
 
   onLoadSubscriptionSucceeded(data) {
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     if (data.subscription.quantity) {
       this._subscriptionData.quantity = data.subscription.quantity;
@@ -64,6 +65,7 @@ class HubSubscription {
     this._subscriptionData.state = 'EXISTING_CUSTOMER';
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
+    this._subscriptionData.needsTokenRefresh = true;
   }
 
   onLoadSubscriptionFailed(status, error) {
@@ -271,7 +273,7 @@ class HubSubscription {
         override: payLink,
         email: this._subscriptionData.email,
         locale: locale,
-        passthrough: '{"hub_id": ' + this._subscriptionData.hubId + '}',
+        passthrough: JSON.stringify({ hub_id: this._subscriptionData.hubId }),
         successCallback: data => this.getPaddleOrderDetails(data.checkout.id),
         closeCallback: () => {
           this._subscriptionData.inProgress = false;
@@ -311,7 +313,7 @@ class HubSubscription {
 
   onPostSucceeded(data) {
     this._subscriptionData.state = 'EXISTING_CUSTOMER';
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     this._subscriptionData.session = data.session;
     var searchParams = new URLSearchParams(window.location.search)
@@ -320,7 +322,8 @@ class HubSubscription {
     history.pushState(null, '', newRelativePathQuery);
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
-    this.transferTokenToHub();
+    this._subscriptionData.shouldTransferToHub = true;
+    this._subscriptionData.needsTokenRefresh = true;
   }
 
   onPostFailed(error) {
@@ -477,12 +480,13 @@ class HubSubscription {
   }
 
   onPutSucceeded(data, shouldOpenReturnUrl) {
-    this._subscriptionData.token = data.token;
+    this._subscriptionData.verificationToken = data.token;
     this._subscriptionData.details = data.subscription;
     this._subscriptionData.errorMessage = '';
     this._subscriptionData.inProgress = false;
     if (shouldOpenReturnUrl) {
-      this.transferTokenToHub();
+      this._subscriptionData.shouldTransferToHub = true;
+      this._subscriptionData.needsTokenRefresh = true;
     }
   }
 
@@ -494,6 +498,30 @@ class HubSubscription {
     this._subscriptionData.inProgress = false;
   }
 
+  refreshToken() {
+    this._subscriptionData.inProgress = true;
+    this._subscriptionData.errorMessage = '';
+    $.ajax({
+      url: REFRESH_LICENSE_URL,
+      type: 'POST',
+      data: {
+        token: this._subscriptionData.verificationToken,
+        captcha: this._subscriptionData.captcha
+      }
+    }).done(token => {
+      this._subscriptionData.token = token;
+      this._subscriptionData.needsTokenRefresh = false;
+      this._subscriptionData.errorMessage = '';
+      this._subscriptionData.inProgress = false;
+      if (this._subscriptionData.shouldTransferToHub) {
+        this.transferTokenToHub();
+      }
+    }).fail(xhr => {
+      this._subscriptionData.errorMessage = xhr.responseJSON?.message || 'Refreshing license failed.';
+      this._subscriptionData.inProgress = false;
+    });
+  }
+
   transferTokenToHub() {
     window.open(this._subscriptionData.returnUrl + '?token=' + this._subscriptionData.token, '_self');
   }
diff --git a/layouts/hub-billing/single.html b/layouts/hub-billing/single.html
index f7ee27147..65c895959 100644
--- a/layouts/hub-billing/single.html
+++ b/layouts/hub-billing/single.html
@@ -3,7 +3,7 @@
 {{ end }}
 {{ define "main" }}
   <div class="container pt-12 pb-24">
-    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, session: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: ''}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
+    <form x-data="{subscriptionData: {state: 'MISSING_PARAMS', captcha: null, hubId: null, returnUrl: null, session: null, customBilling: null, billingInterval: 'yearly', savingsPercent: null, errorMessage: '', inProgress: false, restartModal: {open: false, nextPayment: null}, changeSeatsModal: {open: false, confirmation: false, immediatePayment: null}, token: null, details: null, quantity: 5, email: '', needsTokenRefresh: false, shouldTransferToHub: false}, acceptTerms: false, hubSubscription: null, captchaState: null}" x-init="hubSubscription = new HubSubscription($refs.form, subscriptionData, new URLSearchParams(location.search))" x-ref="form" @submit.prevent="hubSubscription.createSession(); $refs.captcha.reset()">
       <template x-if="subscriptionData.state == 'MISSING_PARAMS'">
         <div class="text-center max-w-xl mx-auto">
           <h3 class="font-headline text-xl md:text-2xl leading-relaxed mb-4">
@@ -179,6 +179,14 @@ <h2 class="font-h2 mb-4 mt-12">
           <button :disabled="subscriptionData.inProgress || !subscriptionData.token" class="btn btn-primary text-center w-full md:w-64 mt-4" @click.prevent="hubSubscription.transferTokenToHub()">
             {{ i18n "hub_billing_manage_license_key_transfer_action" . }}
           </button>
+          <div x-show="subscriptionData.needsTokenRefresh && !subscriptionData.inProgress" class="mt-4">
+            {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
+            {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "subscriptionData.captcha" "captchaState" "captchaState" "ref" "refreshCaptcha" "auto" "onload" "onVerified" "hubSubscription.refreshToken()") }}
+          </div>
+          <p x-show="subscriptionData.needsTokenRefresh && subscriptionData.inProgress" class="text-sm text-gray-600 mt-4">
+            <i class="fa-solid fa-spinner fa-spin"></i>
+            {{ i18n "hub_billing_loading_description" . }}
+          </p>
 
           <div x-show="subscriptionData.restartModal.open" class="relative z-10" aria-labelledby="restart-modal-title" role="dialog" aria-modal="true">
             <div class="fixed inset-0 bg-gray-500/75"></div>
diff --git a/layouts/hub-register/single.html b/layouts/hub-register/single.html
index 1b4eb40d6..b6b7ec40d 100644
--- a/layouts/hub-register/single.html
+++ b/layouts/hub-register/single.html
@@ -171,22 +171,8 @@ <h2 class="font-h2 mb-6">
 
               <!-- Captcha (auto-starts on load, hidden when done) -->
               <div x-show="!feedbackData.licenseText" class="mb-4">
-                <altcha-widget
-                  challengeurl="{{ .Site.Params.apiBaseUrl }}/licenses/hub/challenge"
-                  hidelogo
-                  hidefooter
-                  auto="onload"
-                  @statechange="captchaState = $event.detail.state; if ($event.detail.state === 'verified') { submitData.captcha = $event.detail.payload; hubCE.getHubLicense() }"
-                  :strings="JSON.stringify({
-                    label: '{{ i18n "altcha_label" }}',
-                    error: '{{ i18n "altcha_error" }}',
-                    expired: '{{ i18n "altcha_expired" }}',
-                    verified: '{{ i18n "altcha_verified" }}',
-                    verifying: '{{ i18n "altcha_verifying" }}',
-                    waitAlert: '{{ i18n "altcha_waitAlert" }}'
-                  })"
-                  x-ref="licenseCaptcha"
-                ></altcha-widget>
+                {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
+                {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "submitData.captcha" "captchaState" "captchaState" "ref" "licenseCaptcha" "auto" "onload" "onVerified" "hubCE.getHubLicense()") }}
               </div>
 
               <!-- Loading state -->
diff --git a/layouts/partials/captcha.html b/layouts/partials/captcha.html
index 0b50ae0b0..12ce1fe66 100644
--- a/layouts/partials/captcha.html
+++ b/layouts/partials/captcha.html
@@ -2,8 +2,8 @@
   challengeurl="{{ .challengeUrl }}"
   hidelogo
   hidefooter
-  floating="auto"
-  @statechange="{{ .captchaState }} = $event.detail.state; if ($event.detail.state === 'verified') { {{ .captchaPayload }} = $event.detail.payload }"
+  {{ with .auto }}auto="{{ . }}"{{ else }}floating="auto"{{ end }}
+  @statechange="{{ .captchaState }} = $event.detail.state; if ($event.detail.state === 'verified') { {{ .captchaPayload }} = $event.detail.payload{{ with .onVerified }}; {{ . }}{{ end }} }"
   :strings="JSON.stringify({
     label: '{{ i18n "altcha_label" }}',
     error: '{{ i18n "altcha_error" }}',

From 5be4c9bef794be8ddeab27a28ef255b978f8e561 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Fri, 6 Feb 2026 09:34:18 +0100
Subject: [PATCH 2/3] add retry button for failed token refresh and use x-if
 for captcha

Show a Retry button when the license token refresh fails, allowing
the user to re-trigger the captcha and refresh flow. Switch the
captcha container from x-show to x-if so the ALTCHA widget is fully
destroyed and recreated on retry, guaranteeing a fresh challenge.
---
 assets/js/hubsubscription.js    |  1 +
 i18n/de.yaml                    |  2 ++
 i18n/en.yaml                    |  2 ++
 layouts/hub-billing/single.html | 15 ++++++++++-----
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/assets/js/hubsubscription.js b/assets/js/hubsubscription.js
index 727dfb790..319835a5d 100644
--- a/assets/js/hubsubscription.js
+++ b/assets/js/hubsubscription.js
@@ -518,6 +518,7 @@ class HubSubscription {
       }
     }).fail(xhr => {
       this._subscriptionData.errorMessage = xhr.responseJSON?.message || 'Refreshing license failed.';
+      this._subscriptionData.needsTokenRefresh = false;
       this._subscriptionData.inProgress = false;
     });
   }
diff --git a/i18n/de.yaml b/i18n/de.yaml
index 819eba3fe..11388e0fe 100644
--- a/i18n/de.yaml
+++ b/i18n/de.yaml
@@ -546,6 +546,8 @@
   translation: "Dies ist dein Lizenzschlüssel, der an deine Hub-ID gebunden ist. Drück auf den Button unten, um ihn automatisch auf deine Hub-Instanz zu übertragen."
 - id: hub_billing_manage_license_key_transfer_action
   translation: "Zum Hub übertragen"
+- id: hub_billing_manage_license_key_retry_action
+  translation: "Erneut versuchen"
 
 - id: hub_billing_manage_modal_charge_amount_description
   translation: "Rechnungsbetrag"
diff --git a/i18n/en.yaml b/i18n/en.yaml
index b5046e9c6..4f471a594 100644
--- a/i18n/en.yaml
+++ b/i18n/en.yaml
@@ -546,6 +546,8 @@
   translation: "This is your license key that is bound to your Hub ID. Press the button below to transfer it to your Hub instance automatically."
 - id: hub_billing_manage_license_key_transfer_action
   translation: "Transfer to Hub"
+- id: hub_billing_manage_license_key_retry_action
+  translation: "Retry"
 
 - id: hub_billing_manage_modal_charge_amount_description
   translation: "Charge Amount"
diff --git a/layouts/hub-billing/single.html b/layouts/hub-billing/single.html
index 65c895959..664aa5216 100644
--- a/layouts/hub-billing/single.html
+++ b/layouts/hub-billing/single.html
@@ -176,13 +176,18 @@ <h2 class="font-h2 mb-4 mt-12">
             {{ i18n "hub_billing_manage_license_key_instruction" . }}
           </p>
           <textarea x-model="subscriptionData.token" class="input-box w-full text-sm md:text-base leading-relaxed break-all" rows="6" readonly></textarea>
-          <button :disabled="subscriptionData.inProgress || !subscriptionData.token" class="btn btn-primary text-center w-full md:w-64 mt-4" @click.prevent="hubSubscription.transferTokenToHub()">
+          <button x-show="!subscriptionData.token" :disabled="subscriptionData.inProgress" @click.prevent="subscriptionData.errorMessage = ''; subscriptionData.needsTokenRefresh = true" class="btn btn-primary text-center w-full md:w-64 mt-4">
+            {{ i18n "hub_billing_manage_license_key_retry_action" . }}
+          </button>
+          <button x-show="subscriptionData.token" :disabled="subscriptionData.inProgress" class="btn btn-primary text-center w-full md:w-64 mt-4" @click.prevent="hubSubscription.transferTokenToHub()">
             {{ i18n "hub_billing_manage_license_key_transfer_action" . }}
           </button>
-          <div x-show="subscriptionData.needsTokenRefresh && !subscriptionData.inProgress" class="mt-4">
-            {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
-            {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "subscriptionData.captcha" "captchaState" "captchaState" "ref" "refreshCaptcha" "auto" "onload" "onVerified" "hubSubscription.refreshToken()") }}
-          </div>
+          <template x-if="subscriptionData.needsTokenRefresh && !subscriptionData.inProgress">
+            <div class="mt-4">
+              {{ $challengeUrl := printf "%s/licenses/hub/challenge" .Site.Params.apiBaseUrl }}
+              {{ partial "captcha.html" (dict "challengeUrl" $challengeUrl "captchaPayload" "subscriptionData.captcha" "captchaState" "captchaState" "ref" "refreshCaptcha" "auto" "onload" "onVerified" "hubSubscription.refreshToken()") }}
+            </div>
+          </template>
           <p x-show="subscriptionData.needsTokenRefresh && subscriptionData.inProgress" class="text-sm text-gray-600 mt-4">
             <i class="fa-solid fa-spinner fa-spin"></i>
             {{ i18n "hub_billing_loading_description" . }}

From 366e96a782e31cd0a15bd5b089689fa968fe329d Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Sat, 7 Feb 2026 19:23:50 +0100
Subject: [PATCH 3/3] hide retry button while captcha is active

---
 layouts/hub-billing/single.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/layouts/hub-billing/single.html b/layouts/hub-billing/single.html
index 664aa5216..4266a7dd7 100644
--- a/layouts/hub-billing/single.html
+++ b/layouts/hub-billing/single.html
@@ -176,7 +176,7 @@ <h2 class="font-h2 mb-4 mt-12">
             {{ i18n "hub_billing_manage_license_key_instruction" . }}
           </p>
           <textarea x-model="subscriptionData.token" class="input-box w-full text-sm md:text-base leading-relaxed break-all" rows="6" readonly></textarea>
-          <button x-show="!subscriptionData.token" :disabled="subscriptionData.inProgress" @click.prevent="subscriptionData.errorMessage = ''; subscriptionData.needsTokenRefresh = true" class="btn btn-primary text-center w-full md:w-64 mt-4">
+          <button x-show="!subscriptionData.token && !subscriptionData.needsTokenRefresh" :disabled="subscriptionData.inProgress" @click.prevent="subscriptionData.errorMessage = ''; subscriptionData.needsTokenRefresh = true" class="btn btn-primary text-center w-full md:w-64 mt-4">
             {{ i18n "hub_billing_manage_license_key_retry_action" . }}
           </button>
           <button x-show="subscriptionData.token" :disabled="subscriptionData.inProgress" class="btn btn-primary text-center w-full md:w-64 mt-4" @click.prevent="hubSubscription.transferTokenToHub()">