wc-licensed-product-client/CHANGELOG.md
magdev 7fc838ada7 Release version 0.2.0
Security improvements and server implementation alignment.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 16:36:29 +01:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.2.0] - 2026-01-26

Added

  • SSRF protection with URL validation and private IP range blocking
  • allowInsecureHttp constructor parameter for development environments
  • Input validation in all DTO fromArray() methods
  • DateTime exception handling in DTOs
  • Recursive key sorting in ResponseSignature for nested objects

Changed

  • Key derivation now uses RFC 5869 compliant hash_hkdf() instead of custom HMAC
  • Exception messages sanitized to prevent information disclosure
  • Header normalization treats empty values as null

Fixed

  • JSON encoding error handling in ResponseSignature::buildSignaturePayload()
  • Header normalization null risk in SecureLicenseClient

Security

  • Comprehensive security audit performed
  • SSRF vulnerability mitigated
  • Information disclosure in error messages fixed
  • Improved cryptographic key derivation

[0.1.0] - 2026-01-22

Added

  • Object-oriented client library (LicenseClient, LicenseClientInterface)
  • DTO classes for API responses (LicenseInfo, LicenseStatus, ActivationResult)
  • LicenseState enum for license status values
  • Comprehensive exception hierarchy for error handling
  • PSR-3 logging support (optional)
  • PSR-6 caching support (optional)
  • PSR dependencies (psr/log, psr/cache, psr/http-client)
  • PHPUnit test suite with 32 tests covering DTOs, exceptions, and client
  • SecureLicenseClient with response signature verification (HMAC-SHA256)
  • ResponseSignature class for signing and verifying API responses
  • StringEncoder for basic string obfuscation in source code
  • IntegrityChecker for verifying source file integrity
  • SignatureException and IntegrityException for security errors
  • Server implementation documentation (docs/server-implementation.md)
  • Security test suite (34 additional tests)

Changed

  • Updated README with usage examples

[0.0.1] - 2026-01-22

Added

  • Initial composer project setup
  • Package configuration with PSR-4 autoloading
  • Symfony HttpClient dependency (^7.0)
  • Project documentation (README.md, CHANGELOG.md)
  • OpenAPI specification reference in tmp/openapi.json