Release v0.2.0 - Security and integrity features

- Add REST API response signing using HMAC-SHA256 - Add SHA256 hash validation for version file uploads - Add ResponseSigner class for automatic API response signing - Add file_hash column to database schema - Remove external URL support from version uploads - Update translations with all fuzzy strings resolved Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 16:57:54 +01:00
parent 8420734f37
commit 23bbc24c5f
14 changed files with 789 additions and 75 deletions
--- a/src/Admin/VersionAdminController.php
+++ b/src/Admin/VersionAdminController.php
@@ -98,11 +98,11 @@ final class VersionAdminController
                            <p class="description"><?php esc_html_e('Upload or select a file from the media library. Version will be auto-detected from filename (e.g., plugin-v1.2.3.zip).', 'wc-licensed-product'); ?></p>
                        </td>
                    </tr>
-                    <tr>
-                        <th><label for="new_download_url"><?php esc_html_e('Or External URL', 'wc-licensed-product'); ?></label></th>
+                    <tr id="sha256-hash-row" style="display: none;">
+                        <th><label for="new_file_hash"><?php esc_html_e('SHA256 Hash', 'wc-licensed-product'); ?></label></th>
                        <td>
-                            <input type="url" id="new_download_url" name="new_download_url" class="large-text" placeholder="https://" />
-                            <p class="description"><?php esc_html_e('Alternative: Enter an external download URL instead of uploading a file.', 'wc-licensed-product'); ?></p>
+                            <input type="text" id="new_file_hash" name="new_file_hash" class="large-text" placeholder="<?php esc_attr_e('Enter SHA256 checksum...', 'wc-licensed-product'); ?>" pattern="[a-fA-F0-9]{64}" />
+                            <p class="description"><?php esc_html_e('SHA256 checksum of the uploaded file (optional but recommended for integrity verification).', 'wc-licensed-product'); ?></p>
                        </td>
                    </tr>
                    <tr>
@@ -242,9 +242,9 @@ final class VersionAdminController

        $productId = absint($_POST['product_id'] ?? 0);
        $version = sanitize_text_field($_POST['version'] ?? '');
-        $downloadUrl = esc_url_raw($_POST['download_url'] ?? '');
        $releaseNotes = sanitize_textarea_field($_POST['release_notes'] ?? '');
        $attachmentId = absint($_POST['attachment_id'] ?? 0);
+        $fileHash = sanitize_text_field($_POST['file_hash'] ?? '');

        if (!$productId || !$version) {
            wp_send_json_error(['message' => __('Product ID and version are required.', 'wc-licensed-product')]);
@@ -270,13 +270,17 @@ final class VersionAdminController
            wp_send_json_error(['message' => __('This product is not a licensed product.', 'wc-licensed-product')]);
        }

-        $newVersion = $this->versionManager->createVersion(
-            $productId,
-            $version,
-            $releaseNotes ?: null,
-            $downloadUrl ?: null,
-            $attachmentId ?: null
-        );
+        try {
+            $newVersion = $this->versionManager->createVersion(
+                $productId,
+                $version,
+                $releaseNotes ?: null,
+                $attachmentId ?: null,
+                $fileHash ?: null
+            );
+        } catch (\InvalidArgumentException $e) {
+            wp_send_json_error(['message' => $e->getMessage()]);
+        }

        if (!$newVersion) {
            global $wpdb;