letsbe-hub/app/routes/activation.py

"""Instance activation endpoint.

This is the PUBLIC endpoint that client instances call to validate their license
and activate with the Hub.
"""

import hashlib
import secrets

from fastapi import APIRouter, HTTPException, status
from sqlalchemy import select

from app.db import AsyncSessionDep
from app.models.base import utc_now
from app.models.instance import Instance
from app.schemas.instance import ActivationRequest, ActivationResponse

router = APIRouter(prefix="/api/v1/instances", tags=["Activation"])


@router.post("/activate", response_model=ActivationResponse)
async def activate_instance(
    request: ActivationRequest,
    db: AsyncSessionDep,
) -> ActivationResponse:
    """
    Activate an instance with its license key.

    Called by local_bootstrap.sh before running migrations.

    Returns:
    - 200 + ActivationResponse on success
    - 400 with error details on failure

    Privacy guarantee:
    - Only receives license_key and instance_id
    - Never receives sensitive client data
    """
    # Find instance by instance_id
    result = await db.execute(
        select(Instance).where(Instance.instance_id == request.instance_id)
    )
    instance = result.scalar_one_or_none()

    if instance is None:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail={"error": "Instance not found", "code": "instance_not_found"},
        )

    # Validate license key using constant-time comparison
    provided_hash = hashlib.sha256(request.license_key.encode()).hexdigest()
    if not secrets.compare_digest(provided_hash, instance.license_key_hash):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail={"error": "Invalid license key", "code": "invalid_license"},
        )

    # Check license status
    if instance.license_status == "suspended":
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail={"error": "License suspended", "code": "suspended"},
        )

    if instance.license_status == "revoked":
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail={"error": "License revoked", "code": "revoked"},
        )

    # Check expiry
    now = utc_now()
    if instance.license_expires_at and instance.license_expires_at < now:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail={"error": "License expired", "code": "expired"},
        )

    # Update activation state
    if instance.activated_at is None:
        instance.activated_at = now
    instance.last_activation_at = now
    instance.activation_count += 1
    instance.status = "active"

    # Generate hub_api_key if not already set
    hub_api_key: str
    if instance.hub_api_key_hash:
        # Key was pre-generated, client should use existing key
        hub_api_key = "USE_EXISTING"
    else:
        # Generate new hub_api_key
        hub_api_key = f"hk_{secrets.token_hex(24)}"
        instance.hub_api_key_hash = hashlib.sha256(hub_api_key.encode()).hexdigest()

    await db.commit()

    return ActivationResponse(
        status="ok",
        instance_id=instance.instance_id,
        hub_api_key=hub_api_key,
        config={
            "telemetry_enabled": True,
            "telemetry_interval_seconds": 60,
        },
    )
feat: Initial Hub implementation Complete LetsBe Hub service for license management and telemetry: - Client and Instance CRUD APIs - License key generation and validation (lb_inst_ format) - Hub API key generation (hk_ format) for telemetry auth - Instance activation endpoint - Telemetry collection with privacy-first redactor - Key rotation and suspend/reactivate functionality - Alembic migrations for PostgreSQL - Docker Compose deployment ready - Comprehensive test suite 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2025-12-22 14:09:32 +01:00			`"""Instance activation endpoint.`

			`This is the PUBLIC endpoint that client instances call to validate their license`
			`and activate with the Hub.`
			`"""`

			`import hashlib`
			`import secrets`

			`from fastapi import APIRouter, HTTPException, status`
			`from sqlalchemy import select`

			`from app.db import AsyncSessionDep`
			`from app.models.base import utc_now`
			`from app.models.instance import Instance`
			`from app.schemas.instance import ActivationRequest, ActivationResponse`

			`router = APIRouter(prefix="/api/v1/instances", tags=["Activation"])`


			`@router.post("/activate", response_model=ActivationResponse)`
			`async def activate_instance(`
			`request: ActivationRequest,`
			`db: AsyncSessionDep,`
			`) -> ActivationResponse:`
			`"""`
			`Activate an instance with its license key.`

			`Called by local_bootstrap.sh before running migrations.`

			`Returns:`
			`- 200 + ActivationResponse on success`
			`- 400 with error details on failure`

			`Privacy guarantee:`
			`- Only receives license_key and instance_id`
			`- Never receives sensitive client data`
			`"""`
			`# Find instance by instance_id`
			`result = await db.execute(`
			`select(Instance).where(Instance.instance_id == request.instance_id)`
			`)`
			`instance = result.scalar_one_or_none()`

			`if instance is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail={"error": "Instance not found", "code": "instance_not_found"},`
			`)`

			`# Validate license key using constant-time comparison`
			`provided_hash = hashlib.sha256(request.license_key.encode()).hexdigest()`
			`if not secrets.compare_digest(provided_hash, instance.license_key_hash):`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail={"error": "Invalid license key", "code": "invalid_license"},`
			`)`

			`# Check license status`
			`if instance.license_status == "suspended":`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail={"error": "License suspended", "code": "suspended"},`
			`)`

			`if instance.license_status == "revoked":`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail={"error": "License revoked", "code": "revoked"},`
			`)`

			`# Check expiry`
			`now = utc_now()`
			`if instance.license_expires_at and instance.license_expires_at < now:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail={"error": "License expired", "code": "expired"},`
			`)`

			`# Update activation state`
			`if instance.activated_at is None:`
			`instance.activated_at = now`
			`instance.last_activation_at = now`
			`instance.activation_count += 1`
			`instance.status = "active"`

			`# Generate hub_api_key if not already set`
			`hub_api_key: str`
			`if instance.hub_api_key_hash:`
			`# Key was pre-generated, client should use existing key`
			`hub_api_key = "USE_EXISTING"`
			`else:`
			`# Generate new hub_api_key`
			`hub_api_key = f"hk_{secrets.token_hex(24)}"`
			`instance.hub_api_key_hash = hashlib.sha256(hub_api_key.encode()).hexdigest()`

			`await db.commit()`

			`return ActivationResponse(`
			`status="ok",`
			`instance_id=instance.instance_id,`
			`hub_api_key=hub_api_key,`
			`config={`
			`"telemetry_enabled": True,`
			`"telemetry_interval_seconds": 60,`
			`},`
			`)`