diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2aa417..e0d8403 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,49 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [0.2.0] - 2026-01-22
+
+### Added
+
+- Response signing for REST API using HMAC-SHA256
+- SHA256 hash field for product version uploads with checksum validation
+- File integrity verification before storing uploaded version files
+- New `ResponseSigner` class for automatic API response signing
+- Database column `file_hash` in versions table for storing checksums
+
+### Changed
+
+- Version uploads now require file attachments (external URL option removed)
+- API responses now include `X-License-Signature` and `X-License-Timestamp` headers when `WC_LICENSE_SERVER_SECRET` is configured
+
+### Removed
+
+- External download URL field from product version form
+- Direct URL support in version uploads (use Media Library uploads only)
+
+### Security
+
+- API response signing prevents tampering and replay attacks
+- Per-license key derivation using HKDF-like approach
+- SHA256 checksum validation ensures file integrity
+
+### Technical Details
+
+- New class: `ResponseSigner` for HMAC-SHA256 response signing
+- VersionManager extended with `$fileHash` parameter and validation
+- ProductVersion model extended with `fileHash` property
+- Signature algorithm: `HMAC-SHA256(derived_key, timestamp + ':' + canonical_json)`
+- Key derivation: `HMAC-SHA256(HMAC-SHA256(license_key, server_secret) + "\x01", server_secret)`
+- Compatible with `magdev/wc-licensed-product-client` SecureLicenseClient
+
+### Configuration
+
+To enable response signing, add to `wp-config.php`:
+
+```php
+define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars');
+```
+
## [0.1.0] - 2026-01-22
### Added
@@ -297,7 +340,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- WordPress REST API integration
- Custom WooCommerce product type extending WC_Product
-[Unreleased]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.1.0...HEAD
+[Unreleased]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.2.0...HEAD
+[0.2.0]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.1.0...v0.2.0
[0.1.0]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.0.11...v0.1.0
[0.0.11]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.0.10...v0.0.11
[0.0.10]: https://src.bundespruefstelle.ch/magdev/wc-licensed-product/compare/v0.0.9...v0.0.10
diff --git a/CLAUDE.md b/CLAUDE.md
index 9278d2d..8d98ed6 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -36,12 +36,7 @@ This project is proudly **"vibe-coded"** using Claude.AI - the entire codebase w
No known bugs at the moment
-### Release 0.1.0
-
-- Check the code for wordpress best practices, WooCommerce best practices and common security pitfalls. Refactor if needed.
-- Update the README.md according to the current featureset
-- Update all translations
-- Create a release package 0.1.0
+No planned features at this time. See Session History for completed work.
## Technical Stack
@@ -624,3 +619,101 @@ Full API documentation available in `openapi.json` (OpenAPI 3.1 specification).
- Created release package: `releases/wc-licensed-product-0.0.11.zip` (473 KB)
- SHA256: `c3f66c4ac54741053f87ce1a63b4ddb49ad9707d5c194a271311bb95518ab13c`
- Tagged as `v0.0.11` and pushed to `main` branch
+
+### 2026-01-22 - Version 0.1.0 - First Stable Minor Release
+
+**Overview:**
+
+First stable minor release after comprehensive code review for WordPress/WooCommerce best practices and security.
+
+**Code Review Findings:**
+
+Security practices verified:
+
+- Input sanitization with `sanitize_text_field()`, `absint()`, `esc_attr()`, `esc_html()`, `esc_url()`
+- Nonce verification on all forms and AJAX handlers
+- Capability checks with `current_user_can('manage_woocommerce')`
+- SQL injection prevention using `$wpdb->prepare()` throughout
+- Secure download URLs with hash verification using `hash_equals()`
+- Rate limiting on REST API (30 requests/minute)
+- Cryptographically secure license key generation with `random_int()`
+
+**Bug Fixes:**
+
+- Fixed `VersionManager::updateVersion()` null format handling for attachment ID updates
+- Improved input sanitization in `AdminController::enqueueAdminAssets()` for page context checks
+
+**Documentation Updates:**
+
+- Updated README.md with complete feature documentation
+- Added new features: Live Search, Inline Editing, Order Integration, WooCommerce HPOS compatibility, Checkout Blocks support
+- Removed outdated "Current Version" field from usage instructions
+
+**Translation Updates:**
+
+- Regenerated .pot template with all current strings
+- Updated German (de_CH) translation with new strings
+- Compiled .mo file for production use
+
+**Modified files:**
+
+- `src/Product/VersionManager.php` - Fixed null format handling in attachment update
+- `src/Admin/AdminController.php` - Improved $_GET sanitization for page context
+- `README.md` - Updated feature documentation
+- `CHANGELOG.md` - Added 0.1.0 release notes
+- `wc-licensed-product.php` - Version bump to 0.1.0
+- `languages/*` - Updated all translation files
+
+**Release v0.1.0:**
+
+- Created release package: `releases/wc-licensed-product-0.1.0.zip` (478 KB)
+- SHA256: `62638e240315107098be4cb40faff8395e9e1b719d79b73d80e69d680b305e87`
+- Tagged as `v0.1.0` and pushed to `main` branch
+
+### 2026-01-22 - Version 0.2.0 - Security & Integrity Features
+
+**Overview:**
+
+Added response signing for REST API security and SHA256 checksum validation for uploaded version files.
+
+**Implemented:**
+
+- REST API response signing using HMAC-SHA256 for tamper-proof responses
+- SHA256 hash field for product version uploads with server-side validation
+- Per-license key derivation using HKDF-like approach
+- Automatic signature headers on license API endpoints
+
+**Removed:**
+
+- External download URL field from product version form
+- Direct URL support in version uploads (Media Library only now)
+
+**New files:**
+
+- `src/Api/ResponseSigner.php` - HMAC-SHA256 response signing class
+
+**Modified files:**
+
+- `src/Installer.php` - Added `file_hash` column to versions table schema
+- `src/Product/ProductVersion.php` - Added `fileHash` property and getter
+- `src/Product/VersionManager.php` - Removed `$downloadUrl` parameter, added `$fileHash` with validation
+- `src/Admin/VersionAdminController.php` - Removed URL field, added SHA256 hash field
+- `assets/js/versions.js` - Updated form handling for hash field
+- `src/Plugin.php` - Initialize ResponseSigner when server secret is configured
+
+**Technical notes:**
+
+- Response signing only activates when `WC_LICENSE_SERVER_SECRET` constant is defined
+- Signature algorithm: `HMAC-SHA256(derived_key, timestamp + ':' + canonical_json)`
+- Key derivation: `HMAC-SHA256(HMAC-SHA256(license_key, server_secret) + "\x01", server_secret)`
+- Hash validation throws `InvalidArgumentException` on mismatch
+- Compatible with `magdev/wc-licensed-product-client` SecureLicenseClient
+- Database migration handled by WordPress `dbDelta()` function
+
+**Configuration:**
+
+To enable response signing, add to `wp-config.php`:
+
+```php
+define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars');
+```
diff --git a/assets/js/versions.js b/assets/js/versions.js
index 9500747..92205d6 100644
--- a/assets/js/versions.js
+++ b/assets/js/versions.js
@@ -78,14 +78,14 @@
$('#selected_file_name').text(attachment.filename);
$('#remove-version-file-btn').show();
+ // Show SHA256 hash field
+ $('#sha256-hash-row').show();
+
// Try to extract version from filename
var extractedVersion = self.extractVersionFromFilename(attachment.filename);
if (extractedVersion && !$('#new_version').val().trim()) {
$('#new_version').val(extractedVersion);
}
-
- // Clear external URL when file is selected
- $('#new_download_url').val('');
});
this.mediaFrame.open();
@@ -100,6 +100,10 @@
$('#new_attachment_id').val('');
$('#selected_file_name').text('');
$('#remove-version-file-btn').hide();
+
+ // Hide and clear SHA256 hash field
+ $('#sha256-hash-row').hide();
+ $('#new_file_hash').val('');
},
/**
@@ -134,9 +138,9 @@
var $spinner = $btn.siblings('.spinner');
var productId = $btn.data('product-id');
var version = $('#new_version').val().trim();
- var downloadUrl = $('#new_download_url').val().trim();
var releaseNotes = $('#new_release_notes').val().trim();
var attachmentId = $('#new_attachment_id').val();
+ var fileHash = $('#new_file_hash').val().trim();
// Validate version
if (!version) {
@@ -160,9 +164,9 @@
nonce: wcLicensedProductVersions.nonce,
product_id: productId,
version: version,
- download_url: downloadUrl,
release_notes: releaseNotes,
- attachment_id: attachmentId
+ attachment_id: attachmentId,
+ file_hash: fileHash
},
success: function(response) {
if (response.success) {
@@ -174,11 +178,12 @@
// Clear form
$('#new_version').val('');
- $('#new_download_url').val('');
$('#new_release_notes').val('');
$('#new_attachment_id').val('');
$('#selected_file_name').text('');
$('#remove-version-file-btn').hide();
+ $('#sha256-hash-row').hide();
+ $('#new_file_hash').val('');
} else {
alert(response.data.message || wcLicensedProductVersions.strings.error);
}
diff --git a/docs/server-implementation.md b/docs/server-implementation.md
new file mode 100644
index 0000000..f7fde97
--- /dev/null
+++ b/docs/server-implementation.md
@@ -0,0 +1,393 @@
+# Server-Side Response Signing Implementation
+
+This document describes how to implement response signing on the server side (e.g., in the WooCommerce Licensed Product plugin) to work with the `SecureLicenseClient`.
+
+## Overview
+
+The security model works as follows:
+
+1. Server generates a unique signature for each response using HMAC-SHA256
+2. Signature includes a timestamp to prevent replay attacks
+3. Client verifies the signature using a shared secret
+4. Invalid signatures cause the client to reject the response
+
+This prevents attackers from:
+
+- Faking valid license responses
+- Replaying old responses
+- Tampering with response data
+
+## Requirements
+
+- PHP 7.4+ (8.0+ recommended)
+- A server secret stored securely (not in version control)
+
+## Server Configuration
+
+### 1. Store the Server Secret
+
+Add a secret key to your WordPress configuration:
+
+```php
+// wp-config.php or secure configuration file
+define('WC_LICENSE_SERVER_SECRET', 'your-secure-random-string-min-32-chars');
+```
+
+Generate a secure secret:
+
+```bash
+# Using OpenSSL
+openssl rand -hex 32
+
+# Or using PHP
+php -r "echo bin2hex(random_bytes(32));"
+```
+
+**IMPORTANT:** Never commit this secret to version control!
+
+## Implementation
+
+### Key Derivation
+
+Each license key gets a unique signing key derived from the server secret:
+
+```php
+/**
+ * Derive a unique signing key for a license.
+ *
+ * @param string $licenseKey The license key
+ * @param string $serverSecret The server's master secret
+ * @return string The derived key (hex encoded)
+ */
+function derive_signing_key(string $licenseKey, string $serverSecret): string
+{
+ // HKDF-like key derivation
+ $prk = hash_hmac('sha256', $licenseKey, $serverSecret, true);
+
+ return hash_hmac('sha256', $prk . "\x01", $serverSecret);
+}
+```
+
+### Response Signing
+
+Sign every API response before sending:
+
+```php
+/**
+ * Sign an API response.
+ *
+ * @param array $responseData The response body (before JSON encoding)
+ * @param string $licenseKey The license key from the request
+ * @param string $serverSecret The server's master secret
+ * @return array Headers to add to the response
+ */
+function sign_response(array $responseData, string $licenseKey, string $serverSecret): array
+{
+ $timestamp = time();
+ $signingKey = derive_signing_key($licenseKey, $serverSecret);
+
+ // Sort keys for consistent ordering
+ ksort($responseData);
+
+ // Build signature payload
+ $jsonBody = json_encode($responseData, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+ $payload = $timestamp . ':' . $jsonBody;
+
+ // Generate HMAC signature
+ $signature = hash_hmac('sha256', $payload, $signingKey);
+
+ return [
+ 'X-License-Signature' => $signature,
+ 'X-License-Timestamp' => (string) $timestamp,
+ ];
+}
+```
+
+### WordPress REST API Integration
+
+Example integration with WooCommerce REST API:
+
+```php
+/**
+ * Add signature headers to license API responses.
+ */
+add_filter('rest_post_dispatch', function($response, $server, $request) {
+ // Only sign license API responses
+ if (!str_starts_with($request->get_route(), '/wc-licensed-product/v1/')) {
+ return $response;
+ }
+
+ // Get the response data
+ $data = $response->get_data();
+
+ // Get the license key from the request
+ $licenseKey = $request->get_param('license_key');
+
+ if (empty($licenseKey) || !is_array($data)) {
+ return $response;
+ }
+
+ // Sign the response
+ $serverSecret = defined('WC_LICENSE_SERVER_SECRET')
+ ? WC_LICENSE_SERVER_SECRET
+ : '';
+
+ if (empty($serverSecret)) {
+ // Log warning: server secret not configured
+ return $response;
+ }
+
+ $signatureHeaders = sign_response($data, $licenseKey, $serverSecret);
+
+ // Add headers to response
+ foreach ($signatureHeaders as $name => $value) {
+ $response->header($name, $value);
+ }
+
+ return $response;
+}, 10, 3);
+```
+
+### Complete WordPress Plugin Example
+
+```php
+serverSecret = defined('WC_LICENSE_SERVER_SECRET')
+ ? WC_LICENSE_SERVER_SECRET
+ : '';
+ }
+
+ public function register(): void
+ {
+ add_filter('rest_post_dispatch', [$this, 'signResponse'], 10, 3);
+ }
+
+ public function signResponse($response, $server, $request)
+ {
+ if (!$this->shouldSign($request)) {
+ return $response;
+ }
+
+ $data = $response->get_data();
+ $licenseKey = $request->get_param('license_key');
+
+ if (empty($licenseKey) || !is_array($data) || empty($this->serverSecret)) {
+ return $response;
+ }
+
+ $headers = $this->createSignatureHeaders($data, $licenseKey);
+
+ foreach ($headers as $name => $value) {
+ $response->header($name, $value);
+ }
+
+ return $response;
+ }
+
+ private function shouldSign($request): bool
+ {
+ $route = $request->get_route();
+
+ return str_starts_with($route, '/wc-licensed-product/v1/validate')
+ || str_starts_with($route, '/wc-licensed-product/v1/status')
+ || str_starts_with($route, '/wc-licensed-product/v1/activate');
+ }
+
+ private function createSignatureHeaders(array $data, string $licenseKey): array
+ {
+ $timestamp = time();
+ $signingKey = $this->deriveKey($licenseKey);
+
+ ksort($data);
+ $payload = $timestamp . ':' . json_encode(
+ $data,
+ JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
+ );
+
+ return [
+ 'X-License-Signature' => hash_hmac('sha256', $payload, $signingKey),
+ 'X-License-Timestamp' => (string) $timestamp,
+ ];
+ }
+
+ private function deriveKey(string $licenseKey): string
+ {
+ $prk = hash_hmac('sha256', $licenseKey, $this->serverSecret, true);
+
+ return hash_hmac('sha256', $prk . "\x01", $this->serverSecret);
+ }
+}
+
+// Initialize
+add_action('init', function() {
+ (new ResponseSigner())->register();
+});
+```
+
+## Response Format
+
+### Headers
+
+Every signed response includes:
+
+| Header | Description | Example |
+| -------- | ------------- | --------- |
+| `X-License-Signature` | HMAC-SHA256 signature (hex) | `a1b2c3d4...` (64 chars) |
+| `X-License-Timestamp` | Unix timestamp when signed | `1706000000` |
+
+### Signature Algorithm
+
+```text
+signature = HMAC-SHA256(
+ key = derive_signing_key(license_key, server_secret),
+ message = timestamp + ":" + canonical_json(response_body)
+)
+```
+
+Where:
+
+- `derive_signing_key` uses HKDF-like derivation (see above)
+- `canonical_json` sorts keys alphabetically, no escaping of slashes/unicode
+- Result is hex-encoded (64 characters)
+
+## Testing
+
+### Verify Signing Works
+
+```php
+// Test script
+$serverSecret = 'test-secret-key-for-development-only';
+$licenseKey = 'ABCD-1234-EFGH-5678';
+$responseData = [
+ 'valid' => true,
+ 'license' => [
+ 'product_id' => 123,
+ 'expires_at' => '2027-01-21',
+ 'version_id' => null,
+ ],
+];
+
+$headers = sign_response($responseData, $licenseKey, $serverSecret);
+
+echo "X-License-Signature: " . $headers['X-License-Signature'] . "\n";
+echo "X-License-Timestamp: " . $headers['X-License-Timestamp'] . "\n";
+```
+
+### Test with Client
+
+```php
+use Magdev\WcLicensedProductClient\SecureLicenseClient;
+use Symfony\Component\HttpClient\HttpClient;
+
+$client = new SecureLicenseClient(
+ httpClient: HttpClient::create(),
+ baseUrl: 'https://your-site.com',
+ serverSecret: 'same-secret-as-server',
+);
+
+try {
+ $info = $client->validate('ABCD-1234-EFGH-5678', 'example.com');
+ echo "License valid! Product ID: " . $info->productId;
+} catch (SignatureException $e) {
+ echo "Signature verification failed - possible tampering!";
+}
+```
+
+## Security Considerations
+
+### Timestamp Tolerance
+
+The client allows a 5-minute window for timestamp verification. This:
+
+- Prevents replay attacks (old responses rejected)
+- Allows for reasonable clock skew between server and client
+
+Adjust if needed:
+
+```php
+// Client-side: custom tolerance
+$signature = new ResponseSignature($key, timestampTolerance: 600); // 10 minutes
+```
+
+### Secret Key Rotation
+
+To rotate the server secret:
+
+1. Deploy new secret to server
+2. Update client configurations
+3. Old signatures become invalid immediately
+
+For zero-downtime rotation, implement versioned secrets:
+
+```php
+// Server supports both old and new secrets during transition
+$secrets = [
+ 'v2' => 'new-secret',
+ 'v1' => 'old-secret',
+];
+
+// Add version to signature header
+$response->header('X-License-Signature-Version', 'v2');
+```
+
+### Error Responses
+
+Sign error responses too! Otherwise attackers could craft fake error messages:
+
+```php
+// Sign both success and error responses
+$errorData = [
+ 'valid' => false,
+ 'error' => 'license_expired',
+ 'message' => 'This license has expired.',
+];
+
+$headers = sign_response($errorData, $licenseKey, $serverSecret);
+```
+
+## Troubleshooting
+
+### "Response is not signed by the server"
+
+- Server not configured with `WC_LICENSE_SERVER_SECRET`
+- Filter not registered (check plugin activation)
+- Route mismatch (check `shouldSign()` paths)
+
+### "Response signature verification failed"
+
+- Different secrets on server/client
+- Clock skew > 5 minutes
+- Response body modified after signing (e.g., by caching plugin)
+- JSON encoding differences (check `ksort` and flags)
+
+### Debugging
+
+Enable detailed logging:
+
+```php
+// Server-side
+error_log('Signing response for: ' . $licenseKey);
+error_log('Timestamp: ' . $timestamp);
+error_log('Payload: ' . $payload);
+error_log('Signature: ' . $signature);
+
+// Client-side: use a PSR-3 logger
+$client = new SecureLicenseClient(
+ // ...
+ logger: new YourDebugLogger(),
+);
+```
diff --git a/languages/wc-licensed-product-de_CH.mo b/languages/wc-licensed-product-de_CH.mo
index 44faa48..cb9618d 100644
Binary files a/languages/wc-licensed-product-de_CH.mo and b/languages/wc-licensed-product-de_CH.mo differ
diff --git a/languages/wc-licensed-product-de_CH.po b/languages/wc-licensed-product-de_CH.po
index efd2903..2d4d852 100644
--- a/languages/wc-licensed-product-de_CH.po
+++ b/languages/wc-licensed-product-de_CH.po
@@ -3,7 +3,7 @@
# This file is distributed under the GPL-2.0-or-later.
msgid ""
msgstr ""
-"Project-Id-Version: WC Licensed Product 0.1.0\n"
+"Project-Id-Version: WC Licensed Product 0.2.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2026-01-22 11:52+0100\n"
"PO-Revision-Date: 2026-01-21T00:00:00+00:00\n"
@@ -44,18 +44,16 @@ msgid "Overview"
msgstr "Übersicht"
#: src/Admin/AdminController.php:138
-#, fuzzy
msgid "No licenses found"
-msgstr "Keine Lizenzen gefunden."
+msgstr "Keine Lizenzen gefunden"
#: src/Admin/AdminController.php:139
msgid "Searching..."
msgstr "Suche..."
#: src/Admin/AdminController.php:140
-#, fuzzy
msgid "Search failed"
-msgstr "Speichern fehlgeschlagen"
+msgstr "Suche fehlgeschlagen"
#: src/Admin/AdminController.php:141 src/Admin/OrderLicenseController.php:285
msgid "Saving..."
@@ -249,11 +247,11 @@ msgid "Attention:"
msgstr "Achtung:"
#: src/Admin/AdminController.php:910
-#, fuzzy, php-format
+#, php-format
msgid "%d license is expiring within the next 30 days."
msgid_plural "%d licenses are expiring within the next 30 days."
-msgstr[0] "läuft innerhalb der nächsten 30 Tage ab."
-msgstr[1] "läuft innerhalb der nächsten 30 Tage ab."
+msgstr[0] "%d Lizenz läuft innerhalb der nächsten 30 Tage ab."
+msgstr[1] "%d Lizenzen laufen innerhalb der nächsten 30 Tage ab."
#: src/Admin/AdminController.php:918
msgid "View Licenses"
@@ -657,25 +655,21 @@ msgid "No domain specified"
msgstr "Keine Domain angegeben"
#: src/Admin/OrderLicenseController.php:56
-#, fuzzy
msgid "Product Licenses"
-msgstr "Top-Produkte nach Lizenzen"
+msgstr "Produktlizenzen"
#: src/Admin/OrderLicenseController.php:77
#: src/Admin/OrderLicenseController.php:313
-#, fuzzy
msgid "Order not found."
-msgstr "Version nicht gefunden."
+msgstr "Bestellung nicht gefunden."
#: src/Admin/OrderLicenseController.php:92
-#, fuzzy
msgid "This order does not contain licensed products."
-msgstr "Version stimmt nicht mit Ihrem lizensierten Produkt überein."
+msgstr "Diese Bestellung enthält keine lizensierten Produkte."
#: src/Admin/OrderLicenseController.php:106
-#, fuzzy
msgid "Order Domain"
-msgstr "Neue Domain"
+msgstr "Bestellungs-Domain"
#: src/Admin/OrderLicenseController.php:108
msgid ""
@@ -706,22 +700,25 @@ msgstr ""
#: src/Admin/OrderLicenseController.php:137
msgid "Licenses will be generated when the order is marked as paid/completed."
-msgstr "Lizenzen werden generiert, sobald die Bestellung als bezahlt/abgeschlossen markiert wird."
+msgstr ""
+"Lizenzen werden generiert, sobald die Bestellung als bezahlt/abgeschlossen "
+"markiert wird."
#: src/Admin/OrderLicenseController.php:178
msgid "Edit domain"
msgstr "Domain bearbeiten"
#: src/Admin/OrderLicenseController.php:208
-#, fuzzy
msgid "View in Licenses"
-msgstr "Lizenzen anzeigen"
+msgstr "In Lizenzen anzeigen"
#. translators: %s: Link to licenses page
#: src/Admin/OrderLicenseController.php:221
#, php-format
msgid "For more actions (revoke, extend, delete), go to the %s page."
-msgstr "Für weitere Aktionen (widerrufen, verlängern, löschen), gehen Sie zur Seite %s."
+msgstr ""
+"Für weitere Aktionen (widerrufen, verlängern, löschen), gehen Sie zur Seite "
+"%s."
#: src/Admin/OrderLicenseController.php:286
msgid "Saved!"
@@ -738,20 +735,17 @@ msgid "Please enter a valid domain."
msgstr "Bitte geben Sie eine gültige Domain ein."
#: src/Admin/OrderLicenseController.php:308
-#, fuzzy
msgid "Invalid order ID."
-msgstr "Ungültige Lizenz-ID."
+msgstr "Ungültige Bestellungs-ID."
#: src/Admin/OrderLicenseController.php:319
#: src/Admin/OrderLicenseController.php:357
-#, fuzzy
msgid "Invalid domain format."
-msgstr "Ungültiges Datumsformat."
+msgstr "Ungültiges Domain-Format."
#: src/Admin/OrderLicenseController.php:327
-#, fuzzy
msgid "Order domain updated."
-msgstr "%d aktualisiert."
+msgstr "Bestellungs-Domain aktualisiert."
#: src/Admin/OrderLicenseController.php:363
#: src/Frontend/AccountController.php:351
@@ -760,9 +754,8 @@ msgid "License not found."
msgstr "Lizenz nicht gefunden."
#: src/Admin/OrderLicenseController.php:371
-#, fuzzy
msgid "License domain updated."
-msgstr "Lizenz-Domain"
+msgstr "Lizenz-Domain aktualisiert."
#: src/Admin/OrderLicenseController.php:375
msgid "Failed to update license domain."
@@ -973,14 +966,12 @@ msgid "This version already exists."
msgstr "Diese Version existiert bereits."
#: src/Admin/VersionAdminController.php:266
-#, fuzzy
msgid "Product not found."
-msgstr "Version nicht gefunden."
+msgstr "Produkt nicht gefunden."
#: src/Admin/VersionAdminController.php:270
-#, fuzzy
msgid "This product is not a licensed product."
-msgstr "Version stimmt nicht mit Ihrem lizensierten Produkt überein."
+msgstr "Dieses Produkt ist kein lizensiertes Produkt."
#: src/Admin/VersionAdminController.php:283
msgid "Failed to create version."
@@ -1077,12 +1068,10 @@ msgid "License Domain:"
msgstr "Lizenz-Domain:"
#: src/Checkout/CheckoutBlocksIntegration.php:105
-#, fuzzy
msgid "Please enter a valid domain for your license activation."
-msgstr "Bitte geben Sie eine Domain für Ihre Lizenz-Aktivierung ein."
+msgstr "Bitte geben Sie eine gültige Domain für Ihre Lizenz-Aktivierung ein."
#: src/Checkout/StoreApiExtension.php:85
-#, fuzzy
msgid "Domain for license activation"
msgstr "Domain für Lizenz-Aktivierung"
@@ -1332,9 +1321,8 @@ msgid "The new domain is the same as the current domain."
msgstr "Die neue Domain ist dieselbe wie die aktuelle Domain."
#: src/Frontend/AccountController.php:381
-#, fuzzy
msgid "Failed to transfer license. Please try again."
-msgstr "Übertragung fehlgeschlagen. Bitte versuchen Sie es erneut."
+msgstr "Lizenzübertragung fehlgeschlagen. Bitte versuchen Sie es erneut."
#: src/Frontend/DownloadController.php:65
#: src/Frontend/DownloadController.php:89
@@ -1468,6 +1456,32 @@ msgstr "Ja"
msgid "No"
msgstr "Nein"
+#: src/Admin/VersionAdminController.php:101
+msgid "SHA256 Hash"
+msgstr "SHA256 Prüfsumme"
+
+#: src/Admin/VersionAdminController.php:103
+msgid "Enter SHA256 checksum..."
+msgstr "SHA256 Prüfsumme eingeben..."
+
+#: src/Admin/VersionAdminController.php:104
+msgid ""
+"SHA256 checksum of the uploaded file (optional but recommended for integrity "
+"verification)."
+msgstr ""
+"SHA256 Prüfsumme der hochgeladenen Datei (optional, aber empfohlen zur "
+"Integritätsprüfung)."
+
+#: src/Product/VersionManager.php:67
+msgid "Attachment file not found."
+msgstr "Anhangs-Datei nicht gefunden."
+
+#. translators: 1: provided hash, 2: calculated hash
+#: src/Product/VersionManager.php:73
+#, php-format
+msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
+msgstr "Datei-Prüfsumme stimmt nicht überein. Erwartet: %1$s, Erhalten: %2$s"
+
#~ msgid "Maximum number of domain activations per license. Default: 1"
#~ msgstr "Maximale Anzahl der Domain-Aktivierungen pro Lizenz. Standard: 1"
diff --git a/languages/wc-licensed-product.pot b/languages/wc-licensed-product.pot
index 307ecbb..d82df74 100644
--- a/languages/wc-licensed-product.pot
+++ b/languages/wc-licensed-product.pot
@@ -6,7 +6,7 @@
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: WooCommerce Licensed Product 0.1.0\n"
+"Project-Id-Version: WooCommerce Licensed Product 0.2.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2026-01-22 11:52+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
@@ -1408,3 +1408,25 @@ msgstr ""
#: src/Product/LicensedProductType.php:162
msgid "No"
msgstr ""
+
+#: src/Admin/VersionAdminController.php:101
+msgid "SHA256 Hash"
+msgstr ""
+
+#: src/Admin/VersionAdminController.php:103
+msgid "Enter SHA256 checksum..."
+msgstr ""
+
+#: src/Admin/VersionAdminController.php:104
+msgid "SHA256 checksum of the uploaded file (optional but recommended for integrity verification)."
+msgstr ""
+
+#: src/Product/VersionManager.php:67
+msgid "Attachment file not found."
+msgstr ""
+
+#. translators: 1: provided hash, 2: calculated hash
+#: src/Product/VersionManager.php:73
+#, php-format
+msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
+msgstr ""
diff --git a/src/Admin/VersionAdminController.php b/src/Admin/VersionAdminController.php
index 7fa7881..c65b659 100644
--- a/src/Admin/VersionAdminController.php
+++ b/src/Admin/VersionAdminController.php
@@ -98,11 +98,11 @@ final class VersionAdminController
-
- |
+
+ |
-
-
+
+
|
@@ -242,9 +242,9 @@ final class VersionAdminController
$productId = absint($_POST['product_id'] ?? 0);
$version = sanitize_text_field($_POST['version'] ?? '');
- $downloadUrl = esc_url_raw($_POST['download_url'] ?? '');
$releaseNotes = sanitize_textarea_field($_POST['release_notes'] ?? '');
$attachmentId = absint($_POST['attachment_id'] ?? 0);
+ $fileHash = sanitize_text_field($_POST['file_hash'] ?? '');
if (!$productId || !$version) {
wp_send_json_error(['message' => __('Product ID and version are required.', 'wc-licensed-product')]);
@@ -270,13 +270,17 @@ final class VersionAdminController
wp_send_json_error(['message' => __('This product is not a licensed product.', 'wc-licensed-product')]);
}
- $newVersion = $this->versionManager->createVersion(
- $productId,
- $version,
- $releaseNotes ?: null,
- $downloadUrl ?: null,
- $attachmentId ?: null
- );
+ try {
+ $newVersion = $this->versionManager->createVersion(
+ $productId,
+ $version,
+ $releaseNotes ?: null,
+ $attachmentId ?: null,
+ $fileHash ?: null
+ );
+ } catch (\InvalidArgumentException $e) {
+ wp_send_json_error(['message' => $e->getMessage()]);
+ }
if (!$newVersion) {
global $wpdb;
diff --git a/src/Api/ResponseSigner.php b/src/Api/ResponseSigner.php
new file mode 100644
index 0000000..d1e085e
--- /dev/null
+++ b/src/Api/ResponseSigner.php
@@ -0,0 +1,128 @@
+serverSecret = defined('WC_LICENSE_SERVER_SECRET')
+ ? WC_LICENSE_SERVER_SECRET
+ : '';
+ }
+
+ /**
+ * Register WordPress hooks
+ */
+ public function register(): void
+ {
+ add_filter('rest_post_dispatch', [$this, 'signResponse'], 10, 3);
+ }
+
+ /**
+ * Sign REST API response
+ *
+ * @param \WP_REST_Response $response The response object
+ * @param \WP_REST_Server $server The REST server
+ * @param \WP_REST_Request $request The request object
+ * @return \WP_REST_Response
+ */
+ public function signResponse($response, $server, $request)
+ {
+ // Only sign license API responses
+ if (!$this->shouldSign($request)) {
+ return $response;
+ }
+
+ $data = $response->get_data();
+ $licenseKey = $request->get_param('license_key');
+
+ if (empty($licenseKey) || !is_array($data) || empty($this->serverSecret)) {
+ return $response;
+ }
+
+ $headers = $this->createSignatureHeaders($data, $licenseKey);
+
+ foreach ($headers as $name => $value) {
+ $response->header($name, $value);
+ }
+
+ return $response;
+ }
+
+ /**
+ * Check if request should be signed
+ */
+ private function shouldSign(\WP_REST_Request $request): bool
+ {
+ $route = $request->get_route();
+
+ return str_starts_with($route, '/wc-licensed-product/v1/validate')
+ || str_starts_with($route, '/wc-licensed-product/v1/status')
+ || str_starts_with($route, '/wc-licensed-product/v1/activate');
+ }
+
+ /**
+ * Create signature headers for response
+ *
+ * @param array $data The response data
+ * @param string $licenseKey The license key from the request
+ * @return array Associative array of headers
+ */
+ private function createSignatureHeaders(array $data, string $licenseKey): array
+ {
+ $timestamp = time();
+ $signingKey = $this->deriveKey($licenseKey);
+
+ // Sort keys for consistent ordering
+ ksort($data);
+
+ // Build signature payload
+ $payload = $timestamp . ':' . json_encode(
+ $data,
+ JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
+ );
+
+ return [
+ 'X-License-Signature' => hash_hmac('sha256', $payload, $signingKey),
+ 'X-License-Timestamp' => (string) $timestamp,
+ ];
+ }
+
+ /**
+ * Derive a unique signing key for a license
+ *
+ * Uses HKDF-like key derivation to create a unique signing key
+ * for each license key, preventing cross-license signature attacks.
+ *
+ * @param string $licenseKey The license key
+ * @return string The derived signing key (hex encoded)
+ */
+ private function deriveKey(string $licenseKey): string
+ {
+ // HKDF-like key derivation
+ $prk = hash_hmac('sha256', $licenseKey, $this->serverSecret, true);
+
+ return hash_hmac('sha256', $prk . "\x01", $this->serverSecret);
+ }
+}
diff --git a/src/Installer.php b/src/Installer.php
index ee7ff80..57824b4 100644
--- a/src/Installer.php
+++ b/src/Installer.php
@@ -102,6 +102,7 @@ final class Installer
release_notes TEXT DEFAULT NULL,
download_url VARCHAR(512) DEFAULT NULL,
attachment_id BIGINT UNSIGNED DEFAULT NULL,
+ file_hash VARCHAR(64) DEFAULT NULL,
is_active TINYINT(1) NOT NULL DEFAULT 1,
released_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
diff --git a/src/Plugin.php b/src/Plugin.php
index 6a6d4ce..d429b8c 100644
--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -13,6 +13,7 @@ use Jeremias\WcLicensedProduct\Admin\AdminController;
use Jeremias\WcLicensedProduct\Admin\OrderLicenseController;
use Jeremias\WcLicensedProduct\Admin\SettingsController;
use Jeremias\WcLicensedProduct\Admin\VersionAdminController;
+use Jeremias\WcLicensedProduct\Api\ResponseSigner;
use Jeremias\WcLicensedProduct\Api\RestApiController;
use Jeremias\WcLicensedProduct\Checkout\CheckoutBlocksIntegration;
use Jeremias\WcLicensedProduct\Checkout\CheckoutController;
@@ -128,6 +129,11 @@ final class Plugin
new RestApiController($this->licenseManager);
new LicenseEmailController($this->licenseManager);
+ // Initialize response signing if server secret is configured
+ if (defined('WC_LICENSE_SERVER_SECRET') && WC_LICENSE_SERVER_SECRET !== '') {
+ (new ResponseSigner())->register();
+ }
+
if (is_admin()) {
new AdminController($this->twig, $this->licenseManager);
new VersionAdminController($this->versionManager);
diff --git a/src/Product/ProductVersion.php b/src/Product/ProductVersion.php
index 52dadc5..0fda75c 100644
--- a/src/Product/ProductVersion.php
+++ b/src/Product/ProductVersion.php
@@ -23,6 +23,7 @@ class ProductVersion
private ?string $releaseNotes;
private ?string $downloadUrl;
private ?int $attachmentId;
+ private ?string $fileHash;
private bool $isActive;
private \DateTimeInterface $releasedAt;
private \DateTimeInterface $createdAt;
@@ -42,6 +43,7 @@ class ProductVersion
$version->releaseNotes = $data['release_notes'] ?: null;
$version->downloadUrl = $data['download_url'] ?: null;
$version->attachmentId = !empty($data['attachment_id']) ? (int) $data['attachment_id'] : null;
+ $version->fileHash = $data['file_hash'] ?? null;
$version->isActive = (bool) $data['is_active'];
$version->releasedAt = new \DateTimeImmutable($data['released_at']);
$version->createdAt = new \DateTimeImmutable($data['created_at']);
@@ -137,15 +139,20 @@ class ProductVersion
return $this->attachmentId;
}
+ public function getFileHash(): ?string
+ {
+ return $this->fileHash;
+ }
+
/**
- * Get the effective download URL (from attachment or direct URL)
+ * Get the download URL from attachment
*/
public function getEffectiveDownloadUrl(): ?string
{
if ($this->attachmentId) {
return wp_get_attachment_url($this->attachmentId) ?: null;
}
- return $this->downloadUrl;
+ return null;
}
/**
@@ -156,9 +163,6 @@ class ProductVersion
if ($this->attachmentId) {
return wp_basename(get_attached_file($this->attachmentId) ?: '');
}
- if ($this->downloadUrl) {
- return wp_basename($this->downloadUrl);
- }
return null;
}
@@ -192,6 +196,7 @@ class ProductVersion
'release_notes' => $this->releaseNotes,
'download_url' => $this->downloadUrl,
'attachment_id' => $this->attachmentId,
+ 'file_hash' => $this->fileHash,
'is_active' => $this->isActive,
'released_at' => $this->releasedAt->format('Y-m-d H:i:s'),
'created_at' => $this->createdAt->format('Y-m-d H:i:s'),
diff --git a/src/Product/VersionManager.php b/src/Product/VersionManager.php
index cb851b4..065dbf6 100644
--- a/src/Product/VersionManager.php
+++ b/src/Product/VersionManager.php
@@ -92,16 +92,27 @@ class VersionManager
/**
* Create a new version
+ *
+ * @throws \InvalidArgumentException If file hash validation fails
*/
public function createVersion(
int $productId,
string $version,
?string $releaseNotes = null,
- ?string $downloadUrl = null,
- ?int $attachmentId = null
+ ?int $attachmentId = null,
+ ?string $fileHash = null
): ?ProductVersion {
global $wpdb;
+ // Validate file hash if both attachment and hash are provided
+ if ($attachmentId !== null && $attachmentId > 0 && $fileHash !== null && $fileHash !== '') {
+ $validatedHash = $this->validateFileHash($attachmentId, $fileHash);
+ if ($validatedHash === false) {
+ return null;
+ }
+ $fileHash = $validatedHash;
+ }
+
$parsed = ProductVersion::parseVersion($version);
$tableName = Installer::getVersionsTable();
@@ -114,10 +125,9 @@ class VersionManager
'minor_version' => $parsed['minor'],
'patch_version' => $parsed['patch'],
'release_notes' => $releaseNotes,
- 'download_url' => $downloadUrl,
'is_active' => 1,
];
- $formats = ['%d', '%s', '%d', '%d', '%d', '%s', '%s', '%d'];
+ $formats = ['%d', '%s', '%d', '%d', '%d', '%s', '%d'];
// Only include attachment_id if it's set
if ($attachmentId !== null && $attachmentId > 0) {
@@ -125,6 +135,12 @@ class VersionManager
$formats[] = '%d';
}
+ // Only include file_hash if it's set
+ if ($fileHash !== null && $fileHash !== '') {
+ $data['file_hash'] = $fileHash;
+ $formats[] = '%s';
+ }
+
$result = $wpdb->insert($tableName, $data, $formats);
if ($result === false) {
@@ -136,13 +152,44 @@ class VersionManager
return $this->getVersionById((int) $wpdb->insert_id);
}
+ /**
+ * Validate file hash against attachment
+ *
+ * @return string|false The validated hash (lowercase) or false on mismatch
+ * @throws \InvalidArgumentException If hash doesn't match
+ */
+ private function validateFileHash(int $attachmentId, string $providedHash): string|false
+ {
+ $filePath = get_attached_file($attachmentId);
+ if (!$filePath || !file_exists($filePath)) {
+ throw new \InvalidArgumentException(
+ __('Attachment file not found.', 'wc-licensed-product')
+ );
+ }
+
+ $calculatedHash = hash_file('sha256', $filePath);
+ $providedHash = strtolower(trim($providedHash));
+
+ if (!hash_equals($calculatedHash, $providedHash)) {
+ throw new \InvalidArgumentException(
+ sprintf(
+ /* translators: 1: provided hash, 2: calculated hash */
+ __('File checksum does not match. Expected: %1$s, Got: %2$s', 'wc-licensed-product'),
+ $providedHash,
+ $calculatedHash
+ )
+ );
+ }
+
+ return $calculatedHash;
+ }
+
/**
* Update a version
*/
public function updateVersion(
int $versionId,
?string $releaseNotes = null,
- ?string $downloadUrl = null,
?bool $isActive = null,
?int $attachmentId = null
): bool {
@@ -156,11 +203,6 @@ class VersionManager
$formats[] = '%s';
}
- if ($downloadUrl !== null) {
- $data['download_url'] = $downloadUrl;
- $formats[] = '%s';
- }
-
if ($isActive !== null) {
$data['is_active'] = $isActive ? 1 : 0;
$formats[] = '%d';
diff --git a/wc-licensed-product.php b/wc-licensed-product.php
index 9bdb942..99db79b 100644
--- a/wc-licensed-product.php
+++ b/wc-licensed-product.php
@@ -3,7 +3,7 @@
* Plugin Name: WooCommerce Licensed Product
* Plugin URI: https://src.bundespruefstelle.ch/magdev/wc-licensed-product
* Description: WooCommerce plugin to sell software products using license keys with domain-based validation.
- * Version: 0.1.0
+ * Version: 0.2.0
* Author: Marco Graetsch
* Author URI: https://src.bundespruefstelle.ch/magdev
* License: GPL-2.0-or-later
@@ -28,7 +28,7 @@ if (!defined('ABSPATH')) {
}
// Plugin constants
-define('WC_LICENSED_PRODUCT_VERSION', '0.1.0');
+define('WC_LICENSED_PRODUCT_VERSION', '0.2.0');
define('WC_LICENSED_PRODUCT_PLUGIN_FILE', __FILE__);
define('WC_LICENSED_PRODUCT_PLUGIN_DIR', plugin_dir_path(__FILE__));
define('WC_LICENSED_PRODUCT_PLUGIN_URL', plugin_dir_url(__FILE__));