New Validation System Explained
On version 23.0.0, we introduced a registration validation system to improve the already existing registration system. Until version 24.0.0 is released, it will run in the background of EmEditor as a test of the system. On version 24.0.0, the validation system may output notifications when invalid registrations are detected.
This blog serves to be transparent about our motivations and to document how the validation system works. If we update the validation system in the future, we will also update this page.
Motivation
Currently, there is no way for us to detect a user who is sharing their license with ten other people, or those who are using their license on more devices than allowed by the EULA (end-user license agreement). We would like customers to purchase enough licenses to follow the terms of the license. This would ensure fairness among customers who have purchased multiple licenses.
Requirements
This section lists the requirements we had for the validation system.
Functional
- The validation system should loosely enforce the device limit clause of the license. It should not sacrifice customer satisfaction, so we should not make this limit a surprise.
- EmEditor can be used offline. Validation will not fail if your device is offline.
- Privacy rights of users should be maintained. The collection of personal information will be opt-in.
- It should fit into the existing registration system and not make it a new way to register. Current users should be able to register without having to learn new steps.
- Uninstalling the app should unregister the device.
- Users will not need to manually register again when updating to version 24.
- Users can log in to the Emurasoft Customer Center to view devices so that devices can be unregistered outside of the app.
- Customers who have purchased from non-2Checkout resellers will have to register the product and create a customer center account. This is because there will be no way for them to see their devices online without an account.
- The system should be tested in the background in version 23. It should be fully in effect from version 24.
Technical
- The system should be simple so that it is easier to maintain.
- A machine can be identified with a machine ID.
- We determined that the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
is a suitable ID. - EmEditor Portable can be installed on a USB, with its settings stored in the USB. The USB can be used on many machines, and the validation system would detect different machine IDs. Therefore if the app detects that it is a portable version running on a USB, registration does not occur.
- We determined that the registry value
- EmEditor can be installed per-user on a multi-user machine. We must combine all EmEditor installations on the same machine as one unit to the device count.
- There should be a way to override the limit for a given registration key, just in case.
- A signed token containing the device info should be stored on the user’s device. This associates the current device with the device record stored in the database.
- The system should be able to integrate a floating license system if we decide to in the future.
Output
- You can view a list of all devices in the Registered Devices page of customer center.
- If the device limit is reached, a notification will appear. The user can still use the app even if the device limit is exceeded.
- If the user bought the app from a non-2Checkout reseller and has not registered the product, a notification will ask the user to register the product.
Device table
The device table is stored in our database and records all devices that were registered. Note that a History
record is associated with a purchase and it is where a registration key is stored. A Device
record is defined in Go as follows.
type Device struct { DeviceID uuid.UUID UserID int HistoryID int MachineID uuid.UUID RegistrationDate time.Time ValidationDate time.Time InstallationType InstallationType Label string Unregistered bool }
The fields are explained in the documentation for Registered Devices.
Privacy measures for label
The Label
field may contain personal information. The Label device field in the Register Product dialog box defaults to {computer name} {user name}
. The personal information inside the label field is not necessary for the basic functionality of the app. Therefore, we made the label field opt-in to stick to our policy of privacy by default.
Local Device token
A LocalDevice
token is stored locally on the user’s device in the form of a JWT (JSON Web Token). It associates the current device with the database Device
record. It also allows EmEditor to do some validation even if it is offline. The token payload is defined as follows.
type LocalDevice struct { DeviceID uuid.UUID MachineID uuid.UUID }
Device count
This section describes how we determine how many devices you can register. This is subject to change if we change the terms of the EULA.
To calculate the number of units towards the device limit for a specific registration key, we use the following MySQL query.
SELECT count(DISTINCT MachineID) as deviceCount FROM devices WHERE HistoryID=? AND Unregistered=FALSE
For a given history ID, we first get all devices that are still registered. Then we count the number of unique machines. If there are multiple devices with the same MachineID
, they are likely multiple per-user installations on the same machine.
The EULA allows the licensee to install EmEditor to up to two devices per license. If EmEditor is for personal use and not installed on corporate computers, the licensee can install EmEditor to five devices per license.
Registration process
There are three scenarios where registration may happen, but the first is the most likely case.
- Most users will register through the Register Product dialog box.
- If you updated from version 22 to 23 and above, then EmEditor would have stored your registration key but a device record would not exist. In this case, EmEditor will automatically create the device record corresponding to the registration key without any input from the user.
- If you unregistered a device, then opened EmEditor on that device, the device will be registered automatically.
Below is a summary of what happens after the user clicks OK in the Register Product dialog box. “Client” refers to the local EmEditor app. “Server” is our backend server and database.
- If the app is a portable version and is running on a removable drive, registration is skipped.
- If a device token already exists, the client sends an unregister request to the server.
- The client sends a registration request to the server, which includes the registration key, machine ID, label, and installation type.
- The server queries
deviceCount
(defined in previous section) to determine if the registration key can be used to register the device. On success, aDevice
record is created. - The client receives the device ID. Using the device ID, the client requests a local device token and writes it to local storage.
Validation process
Validation occurs in registration and every time the app is opened.
- If the app is a portable version and is running on a removable drive, validation is skipped.
- If the local device token does not exist, the registration process occurs first.
- The token integrity is checked. The actual machine ID is compared with the stored machine ID. The result is ignored if the app is running on a removable drive.
- A random number generator determines if the process should stop here. This is to reduce the load of requests to our server.
- The validation function sleeps the thread for a certain duration. This is again to reduce the request load, as we assume that macros and other automated use cases that rapidly start and close the app would only run it for a short duration.
- The client requests the
Device
data for the stored device ID. - If
Device.Unregistered == true
, the client attempts to register the device.
Devices will be unregistered when version 24 is released
On the day that version 24 is released, all devices will be unregistered. In version 23, uninstallation did not unregister devices, so there are many devices that should be unregistered. After we unregister all devices, the devices that are in use will automatically register again.
Support
If you have any questions or feedback about the validation system, feel free to send us a message.