Add security layer with response signature verification

Security classes:
- ResponseSignature: HMAC-SHA256 signing and verification
- StringEncoder: XOR-based string obfuscation for source code
- IntegrityChecker: Source file hash verification
- SignatureException, IntegrityException for error handling

SecureLicenseClient:
- Verifies server response signatures
- Prevents response tampering and replay attacks
- Per-license derived signing keys
- Optional code integrity checking

Documentation:
- docs/server-implementation.md with complete WordPress/WooCommerce
  integration guide for signing responses

Tests:
- 34 new security tests (66 total, all passing)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 16:16:59 +01:00
parent af735df260
commit e87a60926b
12 changed files with 1717 additions and 0 deletions

@@ -19,6 +19,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- PSR-6 caching support (optional)
- PSR dependencies (`psr/log`, `psr/cache`, `psr/http-client`)
- PHPUnit test suite with 32 tests covering DTOs, exceptions, and client
- `SecureLicenseClient` with response signature verification (HMAC-SHA256)
- `ResponseSignature` class for signing and verifying API responses
- `StringEncoder` for basic string obfuscation in source code
- `IntegrityChecker` for verifying source file integrity
- `SignatureException` and `IntegrityException` for security errors
- Server implementation documentation (`docs/server-implementation.md`)
- Security test suite (34 additional tests)
### Changed
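Review bot: the `StringEncoder` entry calls it "basic string obfuscation" but lists it alongside the HMAC-SHA256 verification classes, so a reader could take it for a protection mechanism. The commit message says it is XOR-based, which gives no confidentiality against anyone who can read the source, and the entry should say so, for example "XOR obfuscation, not encryption; not suitable for secrets". The `SecureLicenseClient` entry also records only signature verification, while the commit message lists replay prevention and per-license derived signing keys; adding those here would tell integrators that signed responses involve more than a single shared HMAC key, and point them to `docs/server-implementation.md` for the details.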