8062e1be77
Align client and server signature implementation
- Update server docs to use RFC 5869 hash_hkdf() for key derivation
- Add recursive key sorting to client ResponseSignature
- Ensures client and server produce matching signatures for nested objects
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 16:33:44 +01:00
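The first commit above aligns client and server signing by combining three things the log names: RFC 5869 key derivation via `hash_hkdf()`, recursive key sorting so nested objects serialize identically on both sides, and HMAC-SHA256 over the result. The following PHP is an added example written for this page, not the project's own `ResponseSignature` or server code; the function names, the master-secret/license-key inputs, the HKDF `info`/`salt` labels and the timestamp-prefix framing are assumptions chosen to illustrate the technique.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Shows why recursive key sorting is
// needed before HMAC: PHP on the server and a client decoding JSON may hold the
// same data with different key order, and HMAC is computed over bytes.

/** Recursively sort associative arrays by key; lists keep their order. */
function canonicalize(mixed $value): mixed
{
    if (!is_array($value)) {
        return $value;
    }
    if (array_is_list($value)) {               // PHP 8.1+
        return array_map('canonicalize', $value);
    }
    ksort($value, SORT_STRING);
    foreach ($value as $k => $v) {
        $value[$k] = canonicalize($v);
    }
    return $value;
}

/** Derive a per-license signing key with RFC 5869 HKDF (hash_hkdf, PHP 7.1.2+). */
function deriveSigningKey(string $masterSecret, string $licenseKey): string
{
    // info binds the derived key to one license; the salt is a fixed public label.
    // Both label strings are assumptions for this example.
    return hash_hkdf('sha256', $masterSecret, 32, 'license-response:' . $licenseKey, 'example-salt');
}

/** Sign timestamp + canonical JSON. JSON_THROW_ON_ERROR avoids signing "false" on encode failure. */
function signResponse(array $body, string $timestamp, string $key): string
{
    $canonical = json_encode(canonicalize($body), JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    return hash_hmac('sha256', $timestamp . "\n" . $canonical, $key);
}

/** Client side: reject stale timestamps (replay window is an assumed 300 s), then compare in constant time. */
function verifyResponse(array $body, string $timestamp, string $signature, string $key, int $maxSkew = 300): bool
{
    if (!ctype_digit($timestamp) || abs(time() - (int) $timestamp) > $maxSkew) {
        return false;
    }
    return hash_equals(signResponse($body, $timestamp, $key), $signature);
}

// Constructed demo data: same content, different key order at each nesting level.
$key        = deriveSigningKey('server-master-secret-example', 'LIC-0000-EXAMPLE');
$serverBody = ['status' => 'active', 'meta' => ['plan' => 'pro', 'seats' => 5], 'expires' => '2027-01-01'];
$clientBody = ['expires' => '2027-01-01', 'meta' => ['seats' => 5, 'plan' => 'pro'], 'status' => 'active'];
$ts         = (string) time();

$sig = signResponse($serverBody, $ts, $key);
var_dump(verifyResponse($clientBody, $ts, $sig, $key));            // bool(true): canonical form matches

// Without canonicalization the two encodings differ, so the HMACs differ:
$naiveServer = hash_hmac('sha256', json_encode($serverBody), $key);
$naiveClient = hash_hmac('sha256', json_encode($clientBody), $key);
var_dump(hash_equals($naiveServer, $naiveClient));                 // bool(false)
```

The timestamp is covered by the signature and checked against a window on the client, which is what turns a bare integrity check into replay resistance; `hash_equals()` rather than `===` keeps the comparison constant-time.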
fa748d61d3
Fix security vulnerabilities identified in audit
- Add JSON encoding error handling in ResponseSignature to prevent silent failures
- Sanitize exception messages to prevent information disclosure
- Fix header normalization to treat empty values as null
- Add SSRF protection with URL validation and private IP blocking
- Replace custom key derivation with RFC 5869 compliant hash_hkdf()
- Add input validation in DTO fromArray() methods
- Add DateTime exception handling in DTOs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 14:31:13 +01:00
da84bbad43
Update OpenAPI spec and clean up security classes
- Update OpenAPI spec to v0.3.2 with signature header documentation
- Add X-License-Signature and X-License-Timestamp header definitions
- Clean up unused imports in security classes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 21:04:53 +01:00
e87a60926b
Add security layer with response signature verification
Security classes:
- ResponseSignature: HMAC-SHA256 signing and verification
- StringEncoder: XOR-based string obfuscation for source code
- IntegrityChecker: Source file hash verification
- SignatureException, IntegrityException for error handling
SecureLicenseClient:
- Verifies server response signatures
- Prevents response tampering and replay attacks
- Per-license derived signing keys
- Optional code integrity checking
Documentation:
- docs/server-implementation.md with complete WordPress/WooCommerce integration guide for signing responses
Tests:
- 34 new security tests (66 total, all passing)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 16:16:59 +01:00
9e0cf0825f
Add object-oriented license client library (v0.0.2)
- Add LicenseClient with PSR-3 logging and PSR-6 caching support
- Add DTO classes: LicenseInfo, LicenseStatus, ActivationResult
- Add LicenseState enum for license status values
- Add comprehensive exception hierarchy for error handling
- Add PSR dependencies (psr/log, psr/cache, psr/http-client)
- Update README with usage examples
- Update CHANGELOG for v0.0.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 15:51:05 +01:00