surveyjs / survey-library

Free JavaScript form builder library with integration for React, Angular, Vue, jQuery, and Knockout.
https://surveyjs.io/form-library
MIT License

setLicenseKey will leak the license key? #7646

Closed JosephBrooksbank closed 8 months ago

JosephBrooksbank commented 8 months ago

Are you requesting a feature, reporting a bug or asking a question?

Reporting a security concern?

What is the current behavior?

We are in the process of updating our libraries, and see this:

As of v1.9.101, the haveCommercialLicense property is not supported. To activate your license, use the setLicenseKey(key) method as shown on the following page: https://surveyjs.io/remove-alert-banner

To me, this implies that you would have us call setLicenseKey() with our actual license key in places where we show the SurveyJS player. This is unacceptable. This code runs on client machines, which means any user could grab our license key at will.

I assume I must be misunderstanding the process. Please let me know if this is true.

andrewtelnov commented 8 months ago

@JosephBrooksbank We are in the client JavaScript world. The alternative is to set up a license server and require everybody to get the result from it. I myself would not use a JavaScript library that requires a trip to a third-party server every time my page is requested. That is why it is not an option for us.

You will be able to add domain(s) to the license key soon. It means that the license key will work on the domains you set at license key generation. We are working on this functionality right now. It will be optional.

PS: We are talking about SurveyJS Creator, Pdf Export and Dashboard. SurveyJS Library (this repo) is under MIT license and it doesn't require any key.

Thank you, Andrew

JosephBrooksbank commented 8 months ago

Personally, I would rather have a system where, once a day, our backend called a license server and got a token, which we then used for the day. I understand the concern there, though.

I'll have to speak to my team and see if this is fine. I suppose at the end of the day, it is not really that great of a concern to our application, as long as you are aware of the potential concerns. Locking the key to our domain(s) will probably make folks in our business department a little less worried about it.

My mistake on the SurveyJS Library vs SurveyJS Creator licensing.

Thanks for the quick response, Joseph

andrewtelnov commented 8 months ago

@JosephBrooksbank It would be ideal to make a check on the server. The problem is that we don't have the server part at all. Anyway, I hope that we will implement the domain support soon and the problem will be solved somehow.

Thank you for using our libraries!

Thank you, Andrew

andrewtelnov commented 8 months ago

@JosephBrooksbank We have added this functionality into our web app. You can go to https://surveyjs.io/remove-alert-banner and add domains. Example: surveyjs.io,google.com

Thank you, Andrew
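The thread ends with domain binding as the mitigation for a key that necessarily ships to the browser. The following is an added illustration of that idea, not SurveyJS code and not its real key format: it assumes a hypothetical key that carries a comma-separated domain list in the form shown above (`surveyjs.io,google.com`) and shows how a client would decide whether the key applies to the current host, including the subdomain and look-alike-suffix cases.

```javascript
// Added example (hypothetical key format, not SurveyJS's own): a license key
// that carries an allowed-domain list. A key copied out of page source is then
// only honored on the hosts its owner registered.

// Parse the comma-separated list as entered on the license page,
// e.g. "surveyjs.io,google.com" -> ["surveyjs.io", "google.com"].
// Whitespace and case are normalized; empty entries are dropped.
function parseDomainList(list) {
  return list
    .split(",")
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0);
}

// A host matches an allowed domain when it is that domain or a subdomain of it.
// A plain suffix test would be wrong: "surveyjs.io.evil.example" ends with
// "surveyjs.io" textually, so the comparison is done on whole labels.
function hostMatchesDomain(hostname, domain) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return h === domain || h.endsWith("." + domain);
}

// Decide whether a key whose allowed-domain list is `domainList` is usable on
// `hostname`. An empty list means the key is not domain-restricted, matching
// the thread's statement that domain binding is optional.
function licenseAllowsHost(domainList, hostname) {
  const domains = parseDomainList(domainList);
  if (domains.length === 0) return true;
  return domains.some((d) => hostMatchesDomain(hostname, d));
}

// Constructed scenario: the same key observed on the legitimate site and
// pasted into a page served from an unrelated host.
const KEY_DOMAINS = "surveyjs.io,google.com"; // constructed sample list
function demo() {
  return {
    ownSubdomain: licenseAllowsHost(KEY_DOMAINS, "app.surveyjs.io"),
    lookAlike: licenseAllowsHost(KEY_DOMAINS, "surveyjs.io.evil.example"),
    copiedElsewhere: licenseAllowsHost(KEY_DOMAINS, "forms.other.example"),
  };
}
```

Because this check runs in the browser, it limits where a leaked key is honored by the library rather than protecting the key as a secret; the server-side token exchange Joseph describes is the only design in the thread where the key never reaches the client.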