Add security layer with response signature verification

Security classes: - ResponseSignature: HMAC-SHA256 signing and verification - StringEncoder: XOR-based string obfuscation for source code - IntegrityChecker: Source file hash verification - SignatureException, IntegrityException for error handling SecureLicenseClient: - Verifies server response signatures - Prevents response tampering and replay attacks - Per-license derived signing keys - Optional code integrity checking Documentation: - docs/server-implementation.md with complete WordPress/WooCommerce integration guide for signing responses Tests: - 34 new security tests (66 total, all passing) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 16:16:59 +01:00
parent af735df260
commit e87a60926b
12 changed files with 1717 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ composer require magdev/wc-licensed-product-client
 ## Features

 - Object-oriented client library
+- **Secure client with response signature verification (HMAC-SHA256)**
 - PSR-3 logging support
 - PSR-6 caching support
 - PSR-18 HTTP client compatible
@@ -23,6 +24,7 @@ composer require magdev/wc-licensed-product-client
 - License activation on domains
 - License status checking
 - Comprehensive exception handling
+- Code integrity verification
 - Built on Symfony HttpClient

 ## Usage
@@ -105,6 +107,37 @@ try {
 }
 ```

+## Secure Client
+
+For enhanced security, use `SecureLicenseClient` which verifies response signatures:
+
+```php
+use Magdev\WcLicensedProductClient\SecureLicenseClient;
+use Magdev\WcLicensedProductClient\Security\SignatureException;
+use Symfony\Component\HttpClient\HttpClient;
+
+$client = new SecureLicenseClient(
+    httpClient: HttpClient::create(),
+    baseUrl: 'https://your-wordpress-site.com',
+    serverSecret: 'shared-secret-with-server', // Must match server configuration
+);
+
+try {
+    $licenseInfo = $client->validate('ABCD-1234-EFGH-5678', 'example.com');
+} catch (SignatureException $e) {
+    // Response signature invalid - possible tampering!
+}
+```
+
+**Important:** The secure client requires the server to sign responses. See [docs/server-implementation.md](docs/server-implementation.md) for server setup instructions.
+
+### Security Features
+
+- **Response Signatures**: HMAC-SHA256 verification prevents response tampering
+- **Timestamp Validation**: Prevents replay attacks (5-minute tolerance)
+- **Per-License Keys**: Each license has a unique verification key
+- **Code Integrity**: Optional verification of source file integrity
+
 ## Testing

 Run the test suite with PHPUnit: