
/ee/license endpoint returns "OK" when required licenseKey field is missing / misspelled #1152


Open
danielshawellis opened this issue May 16, 2025 · 0 comments


Environment

  • SuperTokens Core: latest Docker image (registry.supertokens.io/supertokens/supertokens-postgresql)
  • Self-hosted, Postgres backend

Steps to reproduce

# 1. Core starts with a fresh DB (no licence key saved)

# 2. Call the endpoint with a malformed body
PUT /ee/license
Headers:
  Content-Type: application/json
  api-key: CORE_API_KEY
Body:
{
  "licenceKey": "ABC..."   // <-- British spelling, or even {}
}

# 3. Response
HTTP 200
{ "status": "OK" }

# 4. Check feature flags
GET /ee/featureflag
→ { "features": [] }

Expected behaviour

The endpoint should reject the request (4xx or a JSON error such as FIELD_MISSING / INVALID_INPUT) when the required licenseKey property is absent or mis-spelled.

Actual behaviour

The handler ignores unknown / missing properties, falls back to the (empty) stored key, and returns "OK", causing silent misconfiguration.

Impact

Startup scripts think the licence has been activated, but Enterprise features actually stay disabled until someone manually calls the endpoint with the correct payload.
Please tighten validation so the call fails explicitly whenever licenseKey is missing or mis-spelled.
Thanks!
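To make the reported gap concrete, here is an added illustration (not SuperTokens' code; the handler names, error strings and the stored-key fallback are assumptions for the demonstration): a lenient handler that behaves as described in the report beside a strict one that rejects unknown or missing fields explicitly.

```python
# Added example, not part of the issue or of the SuperTokens code base.
# Handler names, error strings and the stored-key fallback are assumed
# purely to illustrate the difference between silent and explicit failure.
import json
from typing import Optional

REQUIRED = "licenseKey"
ALLOWED_FIELDS = {REQUIRED}


def lenient_handle(body: str, stored_key: Optional[str]) -> dict:
    """Mimics the reported behaviour: unknown or missing fields are ignored
    and the handler falls back to whatever key is already stored (maybe none).
    The caller always sees "OK", even when no key was activated at all."""
    data = json.loads(body)
    key = data.get(REQUIRED, stored_key)
    return {"status": "OK", "activated_key": key}


def strict_handle(body: str, stored_key: Optional[str]) -> dict:
    """Fails explicitly instead of silently reusing the stored key."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "INVALID_INPUT", "message": "body is not valid JSON"}
    if not isinstance(data, dict):
        return {"status": "INVALID_INPUT", "message": "body must be a JSON object"}
    # Reject typos such as "licenceKey" rather than treating them as absent.
    unknown = sorted(set(data) - ALLOWED_FIELDS)
    if unknown:
        return {"status": "INVALID_INPUT",
                "message": "unknown field(s): " + ", ".join(unknown)}
    key = data.get(REQUIRED)
    if not isinstance(key, str) or not key.strip():
        return {"status": "FIELD_MISSING", "message": f"'{REQUIRED}' is required"}
    return {"status": "OK", "activated_key": key}


if __name__ == "__main__":
    # Constructed request body using the British spelling from the report.
    bad = '{"licenceKey": "ABC..."}'
    print(lenient_handle(bad, None))  # {'status': 'OK', 'activated_key': None}
    print(strict_handle(bad, None))   # status INVALID_INPUT (unknown field)
    print(strict_handle("{}", None))  # status FIELD_MISSING
```

A startup script can apply the same idea from the outside: after the PUT, query the feature-flag endpoint and treat an empty features list as a failed activation rather than trusting "OK".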
