Add self-licensing prevention to PluginLicenseChecker

- Add isSelfLicensing() method to detect when license server URL points to same installation - Bypass license validation when self-licensing detected (prevents circular dependency) - Add normalizeDomain() helper for domain comparison - Update translations Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 16:41:56 +01:00
parent a4561057fa
commit 4817175f99
5 changed files with 1866 additions and 1788 deletions
--- a/src/License/PluginLicenseChecker.php
+++ b/src/License/PluginLicenseChecker.php
@@ -52,6 +52,11 @@ final class PluginLicenseChecker
     */
    private ?bool $isLocalhostCached = null;

+    /**
+     * Cached self-licensing check result
+     */
+    private ?bool $isSelfLicensingCached = null;
+
    /**
     * Get singleton instance
     */
@@ -84,6 +89,11 @@ final class PluginLicenseChecker
            return true;
        }

+        // Always valid when self-licensing (server URL points to this installation)
+        if ($this->isSelfLicensing()) {
+            return true;
+        }
+
        // Check cache first
        $cached = get_transient(self::CACHE_KEY);
        if ($cached !== false) {
@@ -107,6 +117,11 @@ final class PluginLicenseChecker
            return true;
        }

+        // Always valid when self-licensing (server URL points to this installation)
+        if ($this->isSelfLicensing()) {
+            return true;
+        }
+
        // Check settings are configured
        $serverUrl = $this->getLicenseServerUrl();
        $licenseKey = $this->getLicenseKey();
@@ -176,6 +191,7 @@ final class PluginLicenseChecker
        delete_transient(self::CACHE_KEY);
        delete_transient(self::ERROR_CACHE_KEY);
        $this->isLocalhostCached = null;
+        $this->isSelfLicensingCached = null;
    }

    /**
@@ -215,6 +231,60 @@ final class PluginLicenseChecker
        return false;
    }

+    /**
+     * Check if self-licensing (license server URL points to this installation)
+     *
+     * Prevents circular dependency where plugin tries to validate against itself.
+     * Plugins can only be validated against the original store from which they were obtained.
+     */
+    public function isSelfLicensing(): bool
+    {
+        if ($this->isSelfLicensingCached !== null) {
+            return $this->isSelfLicensingCached;
+        }
+
+        $serverUrl = $this->getLicenseServerUrl();
+
+        // No server URL configured - not self-licensing
+        if (empty($serverUrl)) {
+            $this->isSelfLicensingCached = false;
+            return false;
+        }
+
+        // Parse both URLs to compare domains
+        $serverParsed = parse_url($serverUrl);
+        $siteUrl = get_site_url();
+        $siteParsed = parse_url($siteUrl);
+
+        // Get normalized domains (lowercase, no www prefix)
+        $serverDomain = $this->normalizeDomain($serverParsed['host'] ?? '');
+        $siteDomain = $this->normalizeDomain($siteParsed['host'] ?? '');
+
+        // If domains match, this is self-licensing
+        if ($serverDomain === $siteDomain) {
+            $this->isSelfLicensingCached = true;
+            return true;
+        }
+
+        $this->isSelfLicensingCached = false;
+        return false;
+    }
+
+    /**
+     * Normalize a domain for comparison (lowercase, strip www)
+     */
+    private function normalizeDomain(string $domain): string
+    {
+        $domain = strtolower(trim($domain));
+
+        // Strip www. prefix
+        if (str_starts_with($domain, 'www.')) {
+            $domain = substr($domain, 4);
+        }
+
+        return $domain;
+    }
+
    /**
     * Get the current domain from the site URL
     */