Go to file

magdev da84bbad43 Update OpenAPI spec and clean up security classes

- Update OpenAPI spec to v0.3.2 with signature header documentation
- Add X-License-Signature and X-License-Timestamp header definitions
- Clean up unused imports in security classes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-22 21:04:53 +01:00

docs

Fix markdown table formatting in server documentation

2026-01-22 16:19:20 +01:00

src

Update OpenAPI spec and clean up security classes

2026-01-22 21:04:53 +01:00

tests

Add security layer with response signature verification

2026-01-22 16:16:59 +01:00

tmp

Update OpenAPI spec and clean up security classes

2026-01-22 21:04:53 +01:00

.editorconfig

Initialize composer project for WooCommerce Licensed Product Client

2026-01-22 15:37:20 +01:00

.gitignore

Add PHPUnit test suite

2026-01-22 16:05:28 +01:00

CHANGELOG.md

Release version 0.1.0

2026-01-22 16:24:57 +01:00

CLAUDE.md

Release version 0.1.0

2026-01-22 16:24:57 +01:00

composer.json

Add PHPUnit test suite

2026-01-22 16:05:28 +01:00

composer.lock

Add PHPUnit test suite

2026-01-22 16:05:28 +01:00

phpunit.xml

Add PHPUnit test suite

2026-01-22 16:05:28 +01:00

README.md

Add security layer with response signature verification

2026-01-22 16:16:59 +01:00

README.md

WooCommerce Licensed Product Client

A PHP client library for the WooCommerce Licensed Product Plugin REST API. Activate, validate, and check the status of software licenses.

Requirements

PHP 8.3 or higher
Composer

Installation

composer require magdev/wc-licensed-product-client

Features

Object-oriented client library
Secure client with response signature verification (HMAC-SHA256)
PSR-3 logging support
PSR-6 caching support
PSR-18 HTTP client compatible
License validation against domains
License activation on domains
License status checking
Comprehensive exception handling
Code integrity verification
Built on Symfony HttpClient

Usage

Basic Usage

use Magdev\WcLicensedProductClient\LicenseClient;
use Symfony\Component\HttpClient\HttpClient;

$httpClient = HttpClient::create();
$client = new LicenseClient(
    httpClient: $httpClient,
    baseUrl: 'https://your-wordpress-site.com',
);

// Validate a license
$licenseInfo = $client->validate('ABCD-1234-EFGH-5678', 'example.com');
echo "Product ID: " . $licenseInfo->productId;

// Check license status
$status = $client->status('ABCD-1234-EFGH-5678');
echo "Status: " . $status->status->value;

// Activate a license
$result = $client->activate('ABCD-1234-EFGH-5678', 'example.com');
echo "Activated: " . ($result->success ? 'Yes' : 'No');

With Logging

use Magdev\WcLicensedProductClient\LicenseClient;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpClient\HttpClient;

$client = new LicenseClient(
    httpClient: HttpClient::create(),
    baseUrl: 'https://your-wordpress-site.com',
    logger: $yourPsrLogger, // Any PSR-3 compatible logger
);

With Caching

use Magdev\WcLicensedProductClient\LicenseClient;
use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\HttpClient\HttpClient;

$client = new LicenseClient(
    httpClient: HttpClient::create(),
    baseUrl: 'https://your-wordpress-site.com',
    cache: $yourPsrCache, // Any PSR-6 compatible cache
    cacheTtl: 600, // Cache TTL in seconds (default: 300)
);

Exception Handling

use Magdev\WcLicensedProductClient\Exception\LicenseNotFoundException;
use Magdev\WcLicensedProductClient\Exception\LicenseExpiredException;
use Magdev\WcLicensedProductClient\Exception\DomainMismatchException;
use Magdev\WcLicensedProductClient\Exception\RateLimitExceededException;
use Magdev\WcLicensedProductClient\Exception\LicenseException;

try {
    $licenseInfo = $client->validate($licenseKey, $domain);
} catch (LicenseNotFoundException $e) {
    // License key does not exist
} catch (LicenseExpiredException $e) {
    // License has expired
} catch (DomainMismatchException $e) {
    // License is not valid for this domain
} catch (RateLimitExceededException $e) {
    // Too many requests, retry after $e->retryAfter seconds
} catch (LicenseException $e) {
    // Other license-related errors
}

Secure Client

For enhanced security, use SecureLicenseClient which verifies response signatures:

use Magdev\WcLicensedProductClient\SecureLicenseClient;
use Magdev\WcLicensedProductClient\Security\SignatureException;
use Symfony\Component\HttpClient\HttpClient;

$client = new SecureLicenseClient(
    httpClient: HttpClient::create(),
    baseUrl: 'https://your-wordpress-site.com',
    serverSecret: 'shared-secret-with-server', // Must match server configuration
);

try {
    $licenseInfo = $client->validate('ABCD-1234-EFGH-5678', 'example.com');
} catch (SignatureException $e) {
    // Response signature invalid - possible tampering!
}

Important: The secure client requires the server to sign responses. See docs/server-implementation.md for server setup instructions.

Security Features

Response Signatures: HMAC-SHA256 verification prevents response tampering
Timestamp Validation: Prevents replay attacks (5-minute tolerance)
Per-License Keys: Each license has a unique verification key
Code Integrity: Optional verification of source file integrity

Testing

Run the test suite with PHPUnit:

./vendor/bin/phpunit

API Endpoints

This client interacts with the following WooCommerce Licensed Product API endpoints:

POST /validate - Validate a license key for a specific domain
POST /status - Get detailed license status information
POST /activate - Activate a license on a domain

License

GPL-2.0-or-later

Author

Marco Graetsch

Website: https://src.bundespruefstelle.ch/magdev
Email: magdev3.0@gmail.com

Contributing

Issues and pull requests are welcome at https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client/issues