@dghila/walther

v0.4.1

Published

Lightweight server-side license verification library for Node.js and Next.js applications.

Downloads

1,906

Readme

walther

walther is a lightweight, strictly server-side licensing library designed to be embedded directly into host applications (such as Next.js backends). It serves as the local enforcer of the licensing system: securely identifying the host machine, activating licenses against double-o, and validating license chains offline.


🔒 Security & Validation Model

walther operates on a Zero Trust model regarding license payloads. It executes a two-phase cryptographic validation sequence completely offline:

  1. Infrastructure Validation (X.509):

    • Cryptographically validates the Intermediate Certificate against a hardcoded Public Root CA Certificate.
    • Assures the Intermediate Certificate is within its validity dates (NotBefore/NotAfter).
    • Checks the Intermediate Certificate against the local Certificate Revocation List (CRL) cache.
  2. Application Validation (JWT):

    • Extracts the public key from the validated Intermediate Certificate.
    • Validates the license JWT signature using the extracted key.
    • Validates expiration (exp) and active entitlements.
    • Computes the local hardware fingerprint and checks that it strictly matches the machine_id bound to the JWT.

🛠️ Technology Stack

  • Language: TypeScript
  • Runtime: Node.js (specifically targeting server-side environments like Next.js Server Components / API Routes). It cannot run in the browser due to hardware access requirements.
  • Cryptography: Node.js native crypto module and jose for secure JWT parsing and signature verification.
  • Storage: Local file system cache (.walther_cache/) for CRLs, Intermediate Certificates, and JWT payloads.

📁 Fingerprinting Engine

walther generates a stable, reproducible machine_id without requiring internet access.

  • Identifiers used: Motherboard UUID, primary MAC address, and OS installation ID.
  • Privacy: Data is combined and hashed using SHA-256 to generate an opaque machine_id, preserving privacy while enforcing strict node-locking.
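
An added example (not walther's own code) of the Application Validation steps and the fingerprint comparison described above, written against node:crypto rather than jose. Assumptions: EdDSA as the pinned algorithm, the length-prefixed fingerprint encoding, and the hypothetical names machineId, mintLicense and verifyLicense. A generated key pair stands in for the key extracted from the validated Intermediate Certificate, and entitlement checks are left out because the page does not show their shape.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Verdict = { ok: true; exp: number } | { ok: false; reason: string };
const fail = (reason: string): Verdict => ({ ok: false, reason });
const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
const dec = (seg: string): any => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Assumed derivation: the page names the three inputs and SHA-256, not the encoding.
// Each value is normalised and length-prefixed so ("ab","c") and ("a","bc") hash differently.
function machineId(boardUuid: string, mac: string, osId: string): string {
  const h = createHash("sha256");
  for (const v of [boardUuid, mac.replace(/[:-]/g, ""), osId]) {
    const n = v.trim().toLowerCase();
    h.update(`${n.length}:${n}`);
  }
  return h.digest("hex");
}

// Constructed issuer side so the example runs offline: mints a compact JWS.
function mintLicense(claims: object, key: KeyObject, alg = "EdDSA"): string {
  const input = `${enc({ alg, typ: "JWT" })}.${enc(claims)}`;
  return `${input}.${sign(null, Buffer.from(input), key).toString("base64url")}`;
}

// issuerKey stands in for the public key taken from the already validated
// Intermediate Certificate (the X.509 phase is outside this example).
function verifyLicense(token: string, issuerKey: KeyObject, localId: string, nowSec: number): Verdict {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) return fail("malformed");
  let header: any, claims: any;
  try { header = dec(h); claims = dec(p); } catch { return fail("malformed"); }
  // Pin the algorithm; the token's own header must not choose how it is verified.
  if (header?.alg !== "EdDSA") return fail("alg");
  const sigOk = verify(null, Buffer.from(`${h}.${p}`), issuerKey, Buffer.from(s, "base64url"));
  if (!sigOk) return fail("signature");
  // Claims are trusted only from this point on.
  const exp: unknown = claims?.exp;
  if (typeof exp !== "number" || exp <= nowSec) return fail("expired");
  if (claims.machine_id !== localId) return fail("machine_id");
  return { ok: true, exp };
}
```

The order of checks matters: the payload is parsed early only to detect malformed input, and no claim influences the verdict until the signature has verified under the pinned algorithm.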

🚀 Public API

import { Walther } from '@dghila/walther';

// Initialize the library (e.g. for Double-O provider with background scheduling)
Walther.init({
  provider: "double-o",
  config: {
    rootCertificate: "-----BEGIN CERTIFICATE-----\n...",
    backendUrl: "https://licensing.double-o.com",
    cacheDir: "./.walther_cache",
    licenseKey: "XXXX-XXXX-XXXX-XXXX", // Optional, enables background JWT auto-renewal
    checkIntervalMs: 3600000,           // Check every hour (unreferenced timer)
    refreshThresholdMs: 86400000,       // Preemptively refresh if expiring in < 24 hours
  }
});

// Perform initial online activation (binds machine and downloads JWT/certs)
const activated = await Walther.activate("XXXX-XXXX-XXXX-XXXX");

// Verify license status locally & synchronously
if (Walther.isValid()) {
  // Retrieve cryptographically validated entitlements
  const entitlements = Walther.getEntitlements();
  console.log("Active Tier:", entitlements?.tier);
  console.log("Expires At:", entitlements?.expiresAt);
}

// Clean up background timers on application teardown
Walther.stopScheduler();

🔄 License Check & Refresh Scheduler

walther supports automated background checking and proactive license renewal. This prevents application downtime by renewing the license before it actually expires.

Configuration Properties

Specify these options in the configuration object under the config field when calling Walther.init():

  • checkIntervalMs (number): Frequency (in milliseconds) at which a background job is run to check license expiration. If specified, walther will run a timer using Node.js setInterval(). The timer is unreferenced (.unref()), meaning it will not prevent the Node.js process from exiting when the main application shuts down.
  • refreshThresholdMs (number): Duration before expiration (in milliseconds) under which the license will attempt a refresh. E.g., setting it to 86400000 (24 hours) will trigger a refresh attempt if the license is expiring in less than 24 hours.

Operational Modes

  1. Active Background Scheduling (Timer-based):
    • Triggered when checkIntervalMs is set to a positive number.
    • Runs periodically in the background.
    • For tests or hot-reloading environments, call Walther.stopScheduler() to clear active background timers.
  2. Passive/Lazy Background Trigger:
    • Triggered when refreshThresholdMs is set but checkIntervalMs is not.
    • Every time Walther.isValid() is called, it checks the license expiration time. If the remaining time is below the threshold, it triggers the check-refresh process asynchronously in the background as a floating promise (without blocking the calling code).
    • Utilizes a concurrency lock to ensure only one refresh runs at a time.
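
An added example, not walther's implementation, of the passive mode described above: a synchronous isValid() that starts at most one background refresh and decides from cached state only. createLazyLicense, its options and the refresh callback are hypothetical names; the callback stands in for the provider-specific refresh action and resolves to the new expiry in milliseconds.

```typescript
// Hypothetical names throughout; walther's internals are not shown on the page.
interface LazyOpts {
  expiresAtMs: number;
  refreshThresholdMs: number;
  refresh: () => Promise<number>; // stand-in for the provider refresh action
  now?: () => number;             // injectable clock, used by tests
}

function createLazyLicense(opts: LazyOpts) {
  const now = opts.now ?? Date.now;
  let expiresAtMs = opts.expiresAtMs;
  let inFlight: Promise<void> | null = null; // the concurrency lock
  let refreshStarts = 0;

  function isValid(): boolean {
    const remaining = expiresAtMs - now();
    if (remaining < opts.refreshThresholdMs && inFlight === null) {
      refreshStarts++;
      // Floating promise: no caller awaits it, so it has to absorb its own
      // failure. Without the catch, an offline licensing server would surface
      // as an unhandled rejection in the host application.
      inFlight = Promise.resolve()
        .then(() => opts.refresh()) // also traps a synchronous throw
        .then((newExpiry) => { if (newExpiry > expiresAtMs) expiresAtMs = newExpiry; })
        .catch(() => { /* keep the cached expiry; a later isValid() retries */ })
        .finally(() => { inFlight = null; });
    }
    // Fail closed: the verdict comes from the cached expiry alone, so a failed
    // or slow refresh never makes an expired license look valid.
    return remaining > 0;
  }

  return {
    isValid,
    idle: (): Promise<void> => inFlight ?? Promise.resolve(),
    refreshStarts: (): number => refreshStarts,
    expiresAt: (): number => expiresAtMs,
  };
}
```

A real refresh would pass the newly fetched token through the full offline validation before its expiry replaces the cached one.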

Provider-Specific Refresh Actions

  • m-license: Calls /licenses/:key/token to fetch and cache a newly-extended JWT token.
  • double-o:
    • If licenseKey is provided in DoubleOProviderConfig, it executes a re-activation step (activate(licenseKey)) to fetch and cache a new JWT.
    • If licenseKey is absent, it only runs a refresh of the infrastructure (refreshOnline()) to update the Intermediate Certificate and CRL.
  • local (offline): Executes a forced validation reload from the local disk cache (validateOffline(true, true)). This allows walther to seamlessly detect new license files written to disk by an external process or sidecar container.

🧪 Development & Testing

Installation

npm install

Run Tests

npm test

Linting & Formatting

npm run lint
npm run format

🗺️ Roadmap (Tamper Resistance)

To counter active code tampering (e.g., modifying JS files to bypass isValid()), the core cryptographic and fingerprinting components of walther will be migrated to Rust via napi-rs post-MVP. This will compile into a native .node binary, providing:

  • Memory safety and high performance.
  • Direct hardware access without shell child-processes.
  • Strong binary obfuscation while maintaining the identical TypeScript API interface.