magdev/wc-licensed-product
1
Fork 0
Code Issues Pull Requests Actions Releases 4 Activity
Files
b50969f7014d95f6b566c9fcb6503d891edb34df
wc-licensed-product/src/Frontend/DownloadController.php

266 lines
8.1 KiB
PHP
Raw Normal View History

Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
<?php
/**
* Download Controller
*
* @package Jeremias\WcLicensedProduct\Frontend
*/
declare(strict_types=1);
namespace Jeremias\WcLicensedProduct\Frontend;
Release v0.7.0 - Security Hardening Security Fixes: - Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods) - Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait) - Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait) - Added file size limit (2MB), row limit (1000), and rate limiting to CSV import - Added JSON decode error handling in StoreApiExtension - Added license ID validation in frontend.js to prevent selector injection New Files: - src/Api/IpDetectionTrait.php - Shared IP detection with proxy support - src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations Breaking Changes: - None Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 11:27:08 +01:00
use Jeremias\WcLicensedProduct\Common\RateLimitTrait;
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
use Jeremias\WcLicensedProduct\License\LicenseManager;
use Jeremias\WcLicensedProduct\Product\VersionManager;
/**
* Handles secure file downloads for licensed customers
*/
final class DownloadController
{
Release v0.7.0 - Security Hardening Security Fixes: - Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods) - Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait) - Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait) - Added file size limit (2MB), row limit (1000), and rate limiting to CSV import - Added JSON decode error handling in StoreApiExtension - Added license ID validation in frontend.js to prevent selector injection New Files: - src/Api/IpDetectionTrait.php - Shared IP detection with proxy support - src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations Breaking Changes: - None Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 11:27:08 +01:00
use RateLimitTrait;
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
private LicenseManager $licenseManager;
private VersionManager $versionManager;
public function __construct(LicenseManager $licenseManager, VersionManager $versionManager)
{
$this->licenseManager = $licenseManager;
$this->versionManager = $versionManager;
$this->registerHooks();
}
/**
* Register WordPress hooks
*/
private function registerHooks(): void
{
// Add download endpoint
add_action('init', [$this, 'addDownloadEndpoint']);
Dashboard widget improvements and download counter feature (v0.3.7) - Fixed: Dashboard widget "View All Licenses" link used wrong page slug - Fixed: Download links in customer account resulted in 404 errors - Removed: Redundant "Status Breakdown" section from dashboard widget - Changed: License Types section now uses card style layout - Added: Download counter for licensed product versions - Added: Download Statistics admin dashboard widget - Updated translations (356 strings) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 10:17:46 +01:00
// Register query var for the endpoint
add_filter('query_vars', [$this, 'addDownloadQueryVar']);
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
// Handle download requests
add_action('template_redirect', [$this, 'handleDownloadRequest']);
}
/**
* Add download endpoint
*/
public function addDownloadEndpoint(): void
{
add_rewrite_endpoint('license-download', EP_ROOT | EP_PAGES);
}
Dashboard widget improvements and download counter feature (v0.3.7) - Fixed: Dashboard widget "View All Licenses" link used wrong page slug - Fixed: Download links in customer account resulted in 404 errors - Removed: Redundant "Status Breakdown" section from dashboard widget - Changed: License Types section now uses card style layout - Added: Download counter for licensed product versions - Added: Download Statistics admin dashboard widget - Updated translations (356 strings) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 10:17:46 +01:00
/**
* Register the download query var
*/
public function addDownloadQueryVar(array $vars): array
{
$vars[] = 'license-download';
return $vars;
}
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
/**
* Handle download request
*/
public function handleDownloadRequest(): void
{
global $wp_query;
if (!isset($wp_query->query_vars['license-download'])) {
return;
}
$downloadKey = sanitize_text_field($wp_query->query_vars['license-download']);
if (empty($downloadKey)) {
wp_die(
__('Invalid download link.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Parse download key: format is "license_id-version_id-hash"
$parts = explode('-', $downloadKey);
if (count($parts) < 3) {
wp_die(
__('Invalid download link format.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
$licenseId = absint($parts[0]);
$versionId = absint($parts[1]);
$hash = $parts[2];
// Verify hash
$expectedHash = $this->generateDownloadHash($licenseId, $versionId);
if (!hash_equals($expectedHash, $hash)) {
wp_die(
__('Invalid download link.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Check user authentication
if (!is_user_logged_in()) {
wp_redirect(wp_login_url(home_url('license-download/' . $downloadKey)));
exit;
}
Release v0.7.0 - Security Hardening Security Fixes: - Fixed XSS vulnerability in checkout blocks DOM injection (replaced innerHTML with safe DOM methods) - Unified IP detection for rate limiting across all API endpoints (new IpDetectionTrait) - Added rate limiting to license transfers (5/hour) and downloads (30/hour) (new RateLimitTrait) - Added file size limit (2MB), row limit (1000), and rate limiting to CSV import - Added JSON decode error handling in StoreApiExtension - Added license ID validation in frontend.js to prevent selector injection New Files: - src/Api/IpDetectionTrait.php - Shared IP detection with proxy support - src/Common/RateLimitTrait.php - Reusable rate limiting for frontend operations Breaking Changes: - None Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 11:27:08 +01:00
// Rate limit: 30 downloads per hour per user
if (!$this->checkUserRateLimit('download', 30, 3600)) {
wp_die(
__('Too many download attempts. Please try again later.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 429]
);
}
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
// Get license
$license = $this->licenseManager->getLicenseById($licenseId);
if (!$license) {
wp_die(
__('License not found.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 404]
);
}
// Verify user owns the license
$currentUserId = get_current_user_id();
if ($license->getCustomerId() !== $currentUserId) {
wp_die(
__('You do not have permission to download this file.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Check license status
if ($license->getStatus() !== 'active') {
wp_die(
__('Your license is not active. Please contact support.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Get version
$version = $this->versionManager->getVersionById($versionId);
if (!$version) {
wp_die(
__('Version not found.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 404]
);
}
// Verify version belongs to licensed product
if ($version->getProductId() !== $license->getProductId()) {
wp_die(
__('Version does not match your licensed product.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Check if version is active
if (!$version->isActive()) {
wp_die(
__('This version is no longer available for download.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 403]
);
}
// Get download file
$attachmentId = $version->getAttachmentId();
$downloadUrl = $version->getDownloadUrl();
if ($attachmentId) {
Dashboard widget improvements and download counter feature (v0.3.7) - Fixed: Dashboard widget "View All Licenses" link used wrong page slug - Fixed: Download links in customer account resulted in 404 errors - Removed: Redundant "Status Breakdown" section from dashboard widget - Changed: License Types section now uses card style layout - Added: Download counter for licensed product versions - Added: Download Statistics admin dashboard widget - Updated translations (356 strings) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 10:17:46 +01:00
// Increment download count before serving
$this->versionManager->incrementDownloadCount($versionId);
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
$this->serveAttachment($attachmentId, $version->getVersion());
} elseif ($downloadUrl) {
Dashboard widget improvements and download counter feature (v0.3.7) - Fixed: Dashboard widget "View All Licenses" link used wrong page slug - Fixed: Download links in customer account resulted in 404 errors - Removed: Redundant "Status Breakdown" section from dashboard widget - Changed: License Types section now uses card style layout - Added: Download counter for licensed product versions - Added: Download Statistics admin dashboard widget - Updated translations (356 strings) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 10:17:46 +01:00
// Increment download count before redirect
$this->versionManager->incrementDownloadCount($versionId);
Implement version 0.0.3 features - Add file attachment support for product versions (Media Library) - Add version auto-detection from uploaded filenames - Implement secure customer downloads with hash verification - Add license key copy-to-clipboard functionality - Redesign customer licenses page with card-based UI - Fix product versions meta box visibility for non-licensed types - Add DownloadController for secure file delivery - Update CLAUDE.md roadmap and session history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 19:46:50 +01:00
// Redirect to external URL
wp_redirect($downloadUrl);
exit;
} else {
wp_die(
__('No download file available for this version.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 404]
);
}
}
/**
* Serve attachment file for download
*/
private function serveAttachment(int $attachmentId, string $version): void
{
$filePath = get_attached_file($attachmentId);
if (!$filePath || !file_exists($filePath)) {
wp_die(
__('Download file not found.', 'wc-licensed-product'),
__('Download Error', 'wc-licensed-product'),
['response' => 404]
);
}
$filename = wp_basename($filePath);
$mimeType = mime_content_type($filePath) ?: 'application/octet-stream';
$fileSize = filesize($filePath);
// Prevent caching
nocache_headers();
// Set headers for download
header('Content-Type: ' . $mimeType);
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Length: ' . $fileSize);
header('Content-Transfer-Encoding: binary');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Expires: 0');
header('Pragma: public');
// Clear output buffer
if (ob_get_level()) {
ob_end_clean();
}
// Read file and output
readfile($filePath);
exit;
}
/**
* Generate download hash for security
*/
public function generateDownloadHash(int $licenseId, int $versionId): string
{
$data = $licenseId . '-' . $versionId . '-' . wp_salt('auth');
return substr(hash('sha256', $data), 0, 16);
}
/**
* Generate download URL for a license and version
*/
public function generateDownloadUrl(int $licenseId, int $versionId): string
{
$hash = $this->generateDownloadHash($licenseId, $versionId);
$downloadKey = $licenseId . '-' . $versionId . '-' . $hash;
return home_url('license-download/' . $downloadKey);
}
}
Reference in New Issue Copy Permalink