diff --git a/src/SecureLicenseClient.php b/src/SecureLicenseClient.php
index 12e2353..5f44bab 100644
--- a/src/SecureLicenseClient.php
+++ b/src/SecureLicenseClient.php
@@ -17,7 +17,6 @@ use Psr\Cache\CacheItemPoolInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
-use Symfony\Contracts\HttpClient\ResponseInterface;
 
 /**
  * Secure license client with response signature verification.
diff --git a/src/Security/IntegrityChecker.php b/src/Security/IntegrityChecker.php
index a99db65..554b370 100644
--- a/src/Security/IntegrityChecker.php
+++ b/src/Security/IntegrityChecker.php
@@ -4,8 +4,6 @@ declare(strict_types=1);
 
 namespace Magdev\WcLicensedProductClient\Security;
 
-use Magdev\WcLicensedProductClient\Exception\LicenseException;
-
 /**
  * Verifies the integrity of critical source files.
  *
diff --git a/tmp/openapi.json b/tmp/openapi.json
index 6e98b39..09dd4a6 100644
--- a/tmp/openapi.json
+++ b/tmp/openapi.json
@@ -2,8 +2,8 @@
  "openapi": "3.1.0",
  "info": {
  "title": "WooCommerce Licensed Product API",
- "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.",
- "version": "0.0.7",
+ "description": "REST API for validating and managing software licenses bound to domains. This API allows external applications to validate license keys, check license status, and activate licenses on specific domains.\n\n## Response Signing (Optional)\n\nWhen the server is configured with `WC_LICENSE_SERVER_SECRET`, all API responses include cryptographic signatures for tamper protection:\n\n- `X-License-Signature`: HMAC-SHA256 signature of the response\n- `X-License-Timestamp`: Unix timestamp when the response was generated\n\nSignature verification prevents man-in-the-middle attacks and ensures response integrity. Use the `magdev/wc-licensed-product-client` library's `SecureLicenseClient` class to automatically verify signatures.",
+ "version": "0.3.2",
  "contact": {
  "name": "Marco Graetsch",
  "url": "https://src.bundespruefstelle.ch/magdev",
@@ -55,6 +55,14 @@
  "responses": {
  "200": {
  "description": "License is valid for the specified domain",
+ "headers": {
+ "X-License-Signature": {
+ "$ref": "#/components/headers/X-License-Signature"
+ },
+ "X-License-Timestamp": {
+ "$ref": "#/components/headers/X-License-Timestamp"
+ }
+ },
  "content": {
  "application/json": {
  "schema": {
@@ -156,6 +164,14 @@
  "responses": {
  "200": {
  "description": "License status retrieved successfully",
+ "headers": {
+ "X-License-Signature": {
+ "$ref": "#/components/headers/X-License-Signature"
+ },
+ "X-License-Timestamp": {
+ "$ref": "#/components/headers/X-License-Timestamp"
+ }
+ },
  "content": {
  "application/json": {
  "schema": {
@@ -221,6 +237,14 @@
  "responses": {
  "200": {
  "description": "License activated successfully or already activated",
+ "headers": {
+ "X-License-Signature": {
+ "$ref": "#/components/headers/X-License-Signature"
+ },
+ "X-License-Timestamp": {
+ "$ref": "#/components/headers/X-License-Timestamp"
+ }
+ },
  "content": {
  "application/json": {
  "schema": {
@@ -519,6 +543,26 @@
  }
  }
  }
+ },
+ "headers": {
+ "X-License-Signature": {
+ "description": "HMAC-SHA256 signature of the response body for tamper protection. Only present when server is configured with WC_LICENSE_SERVER_SECRET. Signature format: hex-encoded HMAC-SHA256 of (timestamp + ':' + canonical_json_body) using a per-license derived key.",
+ "schema": {
+ "type": "string",
+ "pattern": "^[a-f0-9]{64}$",
+ "example": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
+ },
+ "required": false
+ },
+ "X-License-Timestamp": {
+ "description": "Unix timestamp when the response was generated. Used together with X-License-Signature to prevent replay attacks. Only present when server is configured with WC_LICENSE_SERVER_SECRET.",
+ "schema": {
+ "type": "string",
+ "pattern": "^[0-9]+$",
+ "example": "1737550000"
+ },
+ "required": false
+ }
  }
  },
  "tags": [
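Review bot: The components.headers description for X-License-Signature leaves verification underspecified: it says the MAC covers `timestamp + ':' + canonical_json_body` with a "per-license derived key" but names neither the canonicalization (key ordering, whitespace, escaping) nor the key derivation, so a client other than SecureLicenseClient cannot implement verification from this spec, and the X-License-Timestamp entry claims replay protection without stating an acceptance window. Both headers are `required: false` and documented as present only when WC_LICENSE_SERVER_SECRET is set, so a client that verifies only when the header happens to be present can be downgraded by an intermediary that strips it; the description should state that a client expecting a signing-enabled server must treat a missing header as a verification failure. Separately, the info.description in the -2,8 hunk says "all API responses include" signatures, while the -55, -164 and -237 hunks attach the headers to the 200 responses only, so one of the two statements should be corrected. Suggested addition to the timestamp description: `Clients should reject responses whose timestamp lies outside an agreed clock-skew window (e.g. a few minutes, chosen by the client) and treat a missing header as a failure when signing is expected.`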