Message:

Subscribe rss
Blog categories
All | Backendless features
Building Simple License Manager API Services
February 22, 2019 by Vladimir Upirov

One of the most powerful features that Backendless 5 has available is the capability for you to implement your own License Manager for creating and checking licenses for your product/customers. In this article, we will touch on some Backendless services such as data management and Business Logic and we will use one of the Backendless Client SDKs.API Service Simple Licenses Manager

Setup Backendless

Make sure you have a Backendless developer account. If you do not have one, you can register for free at develop.backendless.com.

Register For Backendless Account

Create a new Backendless application, or in case if you already have one, you can use your pre-existing app. My application for this article will be called LicenseManager .

Database Schema

First, we should create a new Table in DataService . Let’s call it Licenses . Specify some columns as described on the following image:

Simple Licenses Manager Database Schema

As you can see, there are only two additional columns:

  • token  {String}: a random string, and going forward, this is not actually the license token that we send to the client
  • expired  {Date}: the date when the license becomes invalid

And we also should setup Roles Permissions for the table to prevent any manipulation with the table records except ServerCode ; see the next screenshot:

Simple Licenses Manager Data Management Permissions

You can check this out through the REST Console; just go there and try to execute CRUD methods. From the GET method, you will get an empty array of licenses even if there are a few records and for others, you will get exceptions.

Simple Licenses Manager REST Console

Simple Licenses Manager REST Console 2

License API Service

Our License Manager will work through an API Service. It gives us some security and the ability to write our custom logic as well. I’m going to create that service using JavaScript, which will be running in a NodeJS environment, and we will use some NodeJS modules for implementing our needs.

So let’s create a new API Service and call it LicenseManager . For that, you will go to BusinessLogic -> Coding and create a new JS file with the following content:

Click the Save & Deploy button to deploy the service onto the server.

Simple Licenses Manager Server Code

Once it is deployed, you can go to the API Service section and in the left sidebar, you will see the service.

Simple Licenses Manager API Services

As you can see, now all of the methods have no logic. We will walk through each method of the service in more detail.

Create a new License

As I mentioned before, we will not give the generated license token to the client; we will generate a new, long license token string and the long token will be sent to the client. In the database, we will keep only the encrypted version of the token. NodeJS has its own “crypto” module. It will help us generate the long token and then encrypt the token. So let’s add a few functions for that to the top of our service.

The SECRET  variable contains a secret passphrase. A little bit later we will move the value to ServiceConfiguration .

And as you recall, we are going to keep our licenses in the Licenses table. Specify a dataStore  for the table somewhere before the LicensesManager  service class.

It looks like we have everything that we need to generate a new license; let’s add some logic to the create  method.

As you can see, the method logic is pretty simple and doesn’t require any additional explanation, except for the ONE_DAY  variable. In most cases, licenses generate for a long period of months or days, so the create  method expects only one argument: expiredIn  (days). For example, if we want to generate a new license for a month we just pass 30, for a week just pass 7, and so on.

Just specify the constant at the top of the service’s file.

Let’s see how our service looks now:

Let’s check what we have. Just invoke the method from the console and take a look at the returned result:

Simple Licenses Manager API Services

And also take a look at the Licenses Table:

Simple Licenses Manager Licenses Table

You probably noticed that the tokens are different. The service returns a longer result than it saved in the table. That’s because the service returns a long license token and then, before we save it in the table, we encrypt it.

Verify License

In the previous section, we completed a license generation, but we also need to have logic that will check the license. Replace the verify  method with the following code:

As it was before, the method looks quite simple as well. Here’s what it’s doing: The method is expecting two arguments, id  and token . Then, we try to find a license object with the query objectId = '${id}' AND token = '${encryptToken(token)}' . As you can see, before building the query, we transform the token with the encryptToken  function as we did in the create  method before saving the new license.

Then if the license doesn’t exist, we just throw an exception. Otherwise, we check if the license isn’t expired yet. In the case where everything is OK, just return true .

Let’s check how it works. I’m going to use the licenseId  and licenseToken  that I got from the previous section:

If you didn’t save that value, don’t worry, just create a new license and use the result for verification.

Simple Licenses Manager License Check Test

It works, now let’s change the id  or token  value and see what result will be returned.

Simple Licenses Manager License Check Fail

Ok, that works as expected as well, but what about license expiration? Let’s simulate a case where the license is already expired. For that, go to your Data Browser and change the expired  value for the license:

Simple Licenses Manager Expiration Date Test

Now let’s go back to the API Service and try to verify the license:

Simple Licenses Manager Verify License

Remove License

In some cases, you may want to remove a license by licenseId . Of course, you can always do that via the Data Browser, but let’s add a simple method for that.

Service Configuration

As you recall, I promised you that we’d move the SECRET  variable into the service configuration. It’s one the most important features in our API Service. Through that, you can create reusable services or change your configuration without changing code.

Just replace the last line where you register the LicenseManager  service with the following:

Remove the SECRET  variable and replace where it’s used in the create  and verify  methods with the value from config 'this.config.secretKey'  and deploy it.

Simple Licenses Manager Secret Key

Now you can change the secret key value really easily: open service configuration, change the value and click the “Save” button. But be aware, when you change the secret key, all the existing licenses will be invalid.

Simple Licenses Manager Secret Key Configuration

Service Security

This is the most important step because we must deny creating new licenses from outside, otherwise anyone would able to create a new license and the service becomes useless. A new license must be created based on some action such as when we receive payment from a customer. Let’s create another service. It will be a billing service, but since this article is about licenses, it will simply be a dummy service that we will call FooBar  service. Inside the service method, we will call our LicenseManager  service:

Simple Licenses Manager Billing Service

Ok, check this out: go to API Services and invoke the service.

Simple Licenses Manager Billing Service Test

It works! But one important thing remains: the  LicensesManager.create  method is still insecure because we can invoke it directly. Let’s fix that. We will deny access to the create  method for everyone except ServerCode .

Simple Licenses Manager Access Limitation

Simple Licenses Manager Limit Access with Permissions

As you can see, now it’s impossible to invoke the service method directly, but it works from the FooBar  service.

Simple Licenses Manager Access Denied

Remove Expired Licenses by Timer

When a license becomes expired, we don’t need to keep that license in the Licenses table, so let’s create a new timer for removing expired licenses each hour.

Simple Licenses Manager Create Timer

Replace the execute  function with the following code:

Now deploy the changes:

Simple Licenses Manager Deploy Timer

That’s all, every expired license will be removed automatically.   

How to Check the License from the Client

Most likely, you will want to check if the current license is still valid. This is not hard to implement; we need just to call the verify  method of our LicensesManager  service. As you recall, we only deny invocation from the outside for the create  method for security reasons, but the verify  method is still available for invoking from outside. Backendless has the ability to generate code for services by doing what’s described in the next screenshot:

Simple Licenses Manager Client-Side Verification

It will generate a JS project with the code of the API Service. Open the html file in your browser and you will see something like this:

Simple Licenses Manager Verify License App

In the browser’s console, you can play with all the methods of the service. Let’s generate a new license, remember licenseId  and licenseToken , and check the license from the client.

As expected, it works.

Simple Licenses Manager Client Test Success

Conclusion

Today we have done a simple API service for managing licenses. It isn’t too difficult to implement and can be quite helpful in many cases. We also touched on Permissions, learned how to create Timers, and showed what Service Configurations are.

Thanks for reading, I hope you’ve enjoyed it and see you soon.

Share this post
Tweet about this on TwitterShare on FacebookGoogle+