Update OpenAPI spec and clean up security classes

- Update OpenAPI spec to v0.3.2 with signature header documentation - Add X-License-Signature and X-License-Timestamp header definitions - Clean up unused imports in security classes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 21:04:53 +01:00
parent 83037ea0c2
commit da84bbad43
3 changed files with 46 additions and 5 deletions
--- a/src/SecureLicenseClient.php
+++ b/src/SecureLicenseClient.php
@@ -17,7 +17,6 @@ use Psr\Cache\CacheItemPoolInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
-use Symfony\Contracts\HttpClient\ResponseInterface;

 /**
 * Secure license client with response signature verification.
--- a/src/Security/IntegrityChecker.php
+++ b/src/Security/IntegrityChecker.php
@@ -4,8 +4,6 @@ declare(strict_types=1);

 namespace Magdev\WcLicensedProductClient\Security;

-use Magdev\WcLicensedProductClient\Exception\LicenseException;
-
 /**
 * Verifies the integrity of critical source files.
 *
--- a/tmp/openapi.json
+++ b/tmp/openapi.json
@@ -2,8 +2,8 @@
  "openapi": "3.1.0",
  "info": {
    "title": "WooCommerce Licensed Product API",
-    "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.",
-    "version": "0.0.7",
+    "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.\n\n## Response Signing (Optional)\n\nWhen the server is configured with `WC_LICENSE_SERVER_SECRET`, all API responses include cryptographic signatures for tamper protection:\n\n- `X-License-Signature`: HMAC-SHA256 signature of the response\n- `X-License-Timestamp`: Unix timestamp when the response was generated\n\nSignature verification prevents man-in-the-middle attacks and ensures response integrity. Use the `magdev/wc-licensed-product-client` library's `SecureLicenseClient` class to automatically verify signatures.",
+    "version": "0.3.2",
    "contact": {
      "name": "Marco Graetsch",
      "url": "https://src.bundespruefstelle.ch/magdev",
@@ -55,6 +55,14 @@
        "responses": {
          "200": {
            "description": "License is valid for the specified domain",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
            "content": {
              "application/json": {
                "schema": {
@@ -156,6 +164,14 @@
        "responses": {
          "200": {
            "description": "License status retrieved successfully",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
            "content": {
              "application/json": {
                "schema": {
@@ -221,6 +237,14 @@
        "responses": {
          "200": {
            "description": "License activated successfully or already activated",
+            "headers": {
+              "X-License-Signature": {
+                "$ref": "#/components/headers/X-License-Signature"
+              },
+              "X-License-Timestamp": {
+                "$ref": "#/components/headers/X-License-Timestamp"
+              }
+            },
            "content": {
              "application/json": {
                "schema": {
@@ -519,6 +543,26 @@
          }
        }
      }
+    },
+    "headers": {
+      "X-License-Signature": {
+        "description": "HMAC-SHA256 signature of the response body for tamper protection. Only present when server is configured with WC_LICENSE_SERVER_SECRET. Signature format: hex-encoded HMAC-SHA256 of (timestamp + ':' + canonical_json_body) using a per-license derived key.",
+        "schema": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "example": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
+        },
+        "required": false
+      },
+      "X-License-Timestamp": {
+        "description": "Unix timestamp when the response was generated. Used together with X-License-Signature to prevent replay attacks. Only present when server is configured with WC_LICENSE_SERVER_SECRET.",
+        "schema": {
+          "type": "string",
+          "pattern": "^[0-9]+$",
+          "example": "1737550000"
+        },
+        "required": false
+      }
    }
  },
  "tags": [