Security improvements and server implementation alignment. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
71 lines
2.3 KiB
Markdown
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.2.0] - 2026-01-26

### Added

- SSRF protection with URL validation and private IP range blocking
- `allowInsecureHttp` constructor parameter for development environments
- Input validation in all DTO `fromArray()` methods
- DateTime exception handling in DTOs
- Recursive key sorting in `ResponseSignature` for nested objects

### Changed

- Key derivation now uses RFC 5869 compliant `hash_hkdf()` instead of custom HMAC
- Exception messages sanitized to prevent information disclosure
- Header normalization treats empty values as null

### Fixed

- JSON encoding error handling in `ResponseSignature::buildSignaturePayload()`
- Header normalization null risk in `SecureLicenseClient`

### Security

- Comprehensive security audit performed
- SSRF vulnerability mitigated
- Information disclosure in error messages fixed
- Improved cryptographic key derivation

## [0.1.0] - 2026-01-22

### Added

- Object-oriented client library (`LicenseClient`, `LicenseClientInterface`)
- DTO classes for API responses (`LicenseInfo`, `LicenseStatus`, `ActivationResult`)
- `LicenseState` enum for license status values
- Comprehensive exception hierarchy for error handling
- PSR-3 logging support (optional)
- PSR-6 caching support (optional)
- PSR dependencies (`psr/log`, `psr/cache`, `psr/http-client`)
- PHPUnit test suite with 32 tests covering DTOs, exceptions, and client
- `SecureLicenseClient` with response signature verification (HMAC-SHA256)
- `ResponseSignature` class for signing and verifying API responses
- `StringEncoder` for basic string obfuscation in source code
- `IntegrityChecker` for verifying source file integrity
- `SignatureException` and `IntegrityException` for security errors
- Server implementation documentation (`docs/server-implementation.md`)
- Security test suite (34 additional tests)

### Changed

- Updated README with usage examples

## [0.0.1] - 2026-01-22

### Added

- Initial composer project setup
- Package configuration with PSR-4 autoloading
- Symfony HttpClient dependency (^7.0)
- Project documentation (README.md, CHANGELOG.md)
- OpenAPI specification reference in tmp/openapi.json