From e0001c3f4eb48be2a68fb434ed25b10d305b465e Mon Sep 17 00:00:00 2001
From: magdev <magdev3.0@gmail.com>
Date: Sun, 1 Feb 2026 13:52:57 +0100
Subject: [PATCH] Fix API Verification Secret not visible in Docker
 environments

- Add ResponseSigner::getServerSecret() to check multiple sources
- Check constant, getenv(), $_ENV, and $_SERVER for server secret
- Update Plugin.php to use ResponseSigner::isSigningEnabled()
- Maintains backward compatibility with standard WordPress setups

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 src/Api/ResponseSigner.php | 42 +++++++++++++++++++++++++++++++++-----
 src/Plugin.php             |  2 +-
 2 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/src/Api/ResponseSigner.php b/src/Api/ResponseSigner.php
index 5efeca0..fa5680d 100644
--- a/src/Api/ResponseSigner.php
+++ b/src/Api/ResponseSigner.php
@@ -26,9 +26,7 @@ final class ResponseSigner
 
     public function __construct()
     {
-        $this->serverSecret = defined('WC_LICENSE_SERVER_SECRET')
-            ? WC_LICENSE_SERVER_SECRET
-            : '';
+        $this->serverSecret = self::getServerSecret();
     }
 
     /**
@@ -185,7 +183,7 @@ final class ResponseSigner
      */
     public static function getCustomerSecretForLicense(string $licenseKey): ?string
     {
-        $serverSecret = defined('WC_LICENSE_SERVER_SECRET') ? WC_LICENSE_SERVER_SECRET : '';
+        $serverSecret = self::getServerSecret();
 
         if (empty($serverSecret)) {
             return null;
@@ -201,6 +199,40 @@ final class ResponseSigner
      */
     public static function isSigningEnabled(): bool
     {
-        return defined('WC_LICENSE_SERVER_SECRET') && !empty(WC_LICENSE_SERVER_SECRET);
+        return !empty(self::getServerSecret());
+    }
+
+    /**
+     * Get the server secret from constant or environment variable
+     *
+     * Checks in order:
+     * 1. WC_LICENSE_SERVER_SECRET constant (preferred)
+     * 2. WC_LICENSE_SERVER_SECRET environment variable (Docker fallback)
+     *
+     * @return string The server secret, or empty string if not configured
+     */
+    public static function getServerSecret(): string
+    {
+        // First check the constant (standard WordPress configuration)
+        if (defined('WC_LICENSE_SERVER_SECRET') && !empty(WC_LICENSE_SERVER_SECRET)) {
+            return WC_LICENSE_SERVER_SECRET;
+        }
+
+        // Fallback to environment variable (Docker environments)
+        $envSecret = getenv('WC_LICENSE_SERVER_SECRET');
+        if ($envSecret !== false && !empty($envSecret)) {
+            return $envSecret;
+        }
+
+        // Also check $_ENV and $_SERVER (some PHP configurations)
+        if (!empty($_ENV['WC_LICENSE_SERVER_SECRET'])) {
+            return $_ENV['WC_LICENSE_SERVER_SECRET'];
+        }
+
+        if (!empty($_SERVER['WC_LICENSE_SERVER_SECRET'])) {
+            return $_SERVER['WC_LICENSE_SERVER_SECRET'];
+        }
+
+        return '';
     }
 }
diff --git a/src/Plugin.php b/src/Plugin.php
index 5e53515..f26105c 100644
--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -147,7 +147,7 @@ final class Plugin
         new LicenseEmailController($this->licenseManager);
 
         // Initialize response signing if server secret is configured
-        if (defined('WC_LICENSE_SERVER_SECRET') && WC_LICENSE_SERVER_SECRET !== '') {
+        if (ResponseSigner::isSigningEnabled()) {
             (new ResponseSigner())->register();
         }