Update translations for v0.5.6

- Regenerated .pot template
- Updated German (de_CH) translations (391 strings)
- Fixed duplicate translation entries
- Compiled .mo file

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,58 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.6] - 2026-01-27
+
+### Fixed
+
+- License Settings tab now only shows for Licensed Product and Licensed Variable Product types
+- Previously the tab was visible on all product types due to CSS `!important` override
+
+### Changed
+
+- Improved JavaScript for License Settings tab visibility handling on product type change
+- Updated README.md with complete feature documentation for v0.5.x features:
+  - Variable Licensed Products
+  - Multi-Domain Licensing
+  - Per-License Customer Secrets
+  - Download Statistics
+  - Configurable Rate Limiting
+
+## [0.5.5] - 2026-01-26
+
+### Fixed
+
+- **CRITICAL:** Response signing key derivation now uses native `hash_hkdf()` for RFC 5869 compliance
+- Key derivation now matches client library (`SecureLicenseClient`) exactly
+- Added missing domain validation to `/activate` endpoint (1-255 characters)
+
+### Changed
+
+- `ResponseSigner::deriveCustomerSecret()` now uses `hash_hkdf('sha256', $serverSecret, 32, $licenseKey)`
+- Previous custom HKDF-like implementation was incompatible with client library
+
+### Security
+
+- Signatures generated by server now verify correctly with `magdev/wc-licensed-product-client`
+- All three API endpoints now have consistent parameter validation
+
+## [0.5.4] - 2026-01-26
+
+### Fixed
+
+- REST API `/validate` endpoint now returns HTTP 404 for `license_not_found` error (was 403)
+- License key validation now enforces minimum 8 characters per API documentation
+
+### Added
+
+- Configurable rate limiting via `WC_LICENSE_RATE_LIMIT` and `WC_LICENSE_RATE_WINDOW` constants
+- Rate limit now defaults to 30 requests per 60 second window (configurable)
+
+### Changed
+
+- Improved HTTP status code mapping: 404 for not found, 500 for server errors, 403 for all other errors
+- Rate limiting implementation now uses configurable constants instead of hardcoded values
+
 ## [0.5.3] - 2026-01-26
 
 ### Added

CLAUDE.md

@@ -1378,3 +1378,62 @@ Major feature release adding support for WooCommerce variable products. Customer
 - Order meta `_licensed_product_domains` now includes optional `variation_id` field
 - License generation uses variation settings when `variation_id` is present in order item
 - Backward compatible: existing simple licensed products continue to work unchanged
+
+### 2026-01-26 - Version 0.5.4 - API Compliance
+
+**Overview:**
+
+Bug fix release aligning server implementation with client documentation at `magdev/wc-licensed-product-client`.
+
+**Fixed:**
+
+- `/validate` endpoint now returns HTTP 404 for `license_not_found` error (was returning 403)
+- License key validation now enforces minimum 8 characters across all API endpoints
+
+**Implemented:**
+
+- Configurable rate limiting via `WC_LICENSE_RATE_LIMIT` constant (default: 30 requests)
+- Configurable rate window via `WC_LICENSE_RATE_WINDOW` constant (default: 60 seconds)
+- HTTP status code mapping: 404 for not found, 500 for server errors, 403 for all other errors
+
+**Modified files:**
+
+- `src/Api/RestApiController.php` - Added configurable rate limiting, fixed HTTP status codes, added license_key validation
+
+**Technical notes:**
+
+- Rate limiting now uses `getRateLimit()` and `getRateWindow()` methods instead of constants
+- New `getStatusCodeForResult()` method maps error codes to HTTP status codes
+- License key validation callback added to all three endpoints (validate, status, activate)
+- Uses PHP 8 match expression for status code mapping
+
+### 2026-01-26 - Version 0.5.5 - Critical Signature Fix
+
+**Overview:**
+
+Critical bug fix for response signing. The key derivation algorithm was incompatible with the client library, causing signature verification failures.
+
+**Critical Fix:**
+
+- Key derivation now uses PHP's native `hash_hkdf()` function per RFC 5869
+- Previous custom implementation produced different keys than the client library
+- Signatures now verify correctly with `magdev/wc-licensed-product-client`
+
+**Additional Fix:**
+
+- Added missing domain validation to `/activate` endpoint (1-255 characters)
+
+**Modified files:**
+
+- `src/Api/ResponseSigner.php` - Fixed key derivation to use `hash_hkdf()`
+- `src/Api/RestApiController.php` - Added domain validation to `/activate` endpoint
+
+**Technical notes:**
+
+- Old implementation: `hash_hmac('sha256', $prk . "\x01", $serverSecret)` - custom HKDF-like
+- New implementation: `bin2hex(hash_hkdf('sha256', $serverSecret, 32, $licenseKey))` - RFC 5869
+- Parameters match client's `ResponseSignature::deriveKey()` exactly:
+  - IKM (input keying material): server_secret
+  - Length: 32 bytes (256 bits)
+  - Info: license_key (context-specific info)
+- **Breaking change for existing signatures** - customer secrets will change after upgrade

README.md

@@ -11,29 +11,34 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 ### Core Features
 
 - **Licensed Product Type**: New WooCommerce product type for software sales
+- **Variable Licensed Products**: Create product variations with different license durations (monthly, yearly, lifetime)
 - **Automatic License Generation**: License keys generated on order completion (format: XXXX-XXXX-XXXX-XXXX)
 - **Domain Binding**: Licenses are bound to customer-specified domains
+- **Multi-Domain Licensing**: Customers can purchase multiple licenses for different domains in a single order
 - **REST API**: Public endpoints for license validation and management
 - **Response Signing**: Optional HMAC-SHA256 cryptographic signatures for API responses
+- **Per-License Secrets**: Each customer receives a unique verification secret for their license
 - **Version Binding**: Optional binding to major software versions
 - **Expiration Support**: Set license validity periods or lifetime licenses
-- **Rate Limiting**: API endpoints protected with rate limiting (30 requests/minute)
+- **Rate Limiting**: API endpoints protected with configurable rate limiting (default: 30 requests/minute)
 - **Trusted Proxy Support**: Configurable trusted proxies for accurate rate limiting behind CDNs
 - **Checkout Blocks**: Full support for WooCommerce Checkout Blocks (default since WC 8.3+)
 - **Self-Licensing**: The plugin can validate its own license (for commercial distribution)
 
 ### Customer Features
 
-- **My Account Licenses**: Customers can view their licenses in My Account
+- **My Account Licenses**: Customers can view their licenses in My Account (grouped by product)
 - **License Transfers**: Customers can transfer licenses to new domains
 - **Secure Downloads**: Download purchased software versions with license verification
+- **Version History**: Access to older versions with collapsible download section
 - **Copy to Clipboard**: Easy license key copying
+- **API Verification Secret**: Per-license secret displayed for secure API integration
 
 ### Admin Features
 
 - **License Management**: Full CRUD interface for license management
 - **License Dashboard**: Statistics and analytics (WooCommerce > Reports > Licenses)
-- **Dashboard Widget**: License statistics on WordPress admin dashboard
+- **Dashboard Widgets**: License statistics and download statistics on WordPress admin dashboard
 - **Search & Filtering**: Search by license key, domain, status, or product
 - **Live Search**: AJAX-powered instant search results
 - **Inline Editing**: Edit license status, expiry, and domain directly in the list
@@ -41,10 +46,12 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 - **License Transfer**: Transfer licenses to new domains
 - **CSV Export/Import**: Export and import licenses via CSV
 - **Order Integration**: View and manage licenses directly from order pages
+- **Generate Licenses**: Manually generate licenses for admin-created orders
 - **Expiration Warnings**: Automatic email notifications before license expiration
 - **Auto-Expire**: Daily cron job automatically expires licenses past their expiration date
 - **License Testing**: Test licenses against the API directly from admin interface
 - **Version Management**: Manage multiple versions per product with file attachments
+- **Download Tracking**: Track download counts per version with statistics widget
 - **SHA256 Checksums**: File integrity verification with SHA256 hash display
 - **Global Settings**: Default license settings via WooCommerce settings tab
 - **WooCommerce HPOS**: Compatible with High-Performance Order Storage
@@ -66,13 +73,27 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 ### Creating a Licensed Product
 
 1. Go to Products > Add New
-2. Select "Licensed Product" from the product type dropdown
+2. Select "Licensed Product" from the product type dropdown (or "Licensed Variable Product" for different license durations)
 3. Configure the product price in the General tab
 4. Set license options in the "License Settings" tab:
    - **Max Activations**: Number of domains allowed per license
    - **License Validity**: Days until expiration (empty = lifetime)
    - **Bind to Major Version**: Lock license to current major version
 
+### Creating Variable Licensed Products
+
+For selling licenses with different durations (monthly, yearly, lifetime):
+
+1. Go to Products > Add New
+2. Select "Licensed Variable Product" from the product type dropdown
+3. Create variations as you would for any variable product (e.g., by "License Duration")
+4. For each variation, set:
+   - **Variation Price**: Different prices for different durations
+   - **License Duration (Days)**: Days until expiration (0 = lifetime)
+   - **Max Activations**: Override parent product setting if needed
+
+Duration labels (Monthly, Yearly, Lifetime) are automatically displayed at checkout.
+
 ### Managing Product Versions
 
 1. Edit a Licensed Product
@@ -84,7 +105,8 @@ WC Licensed Product adds a new product type "Licensed Product" to WooCommerce, e
 
 1. Go to WooCommerce > Settings > Licensed Products
 2. Set default values for Max Activations, License Validity, and Version Binding
-3. Per-product settings override these defaults
+3. Enable Multi-Domain Licensing to allow multiple licenses per cart item
+4. Per-product settings override these defaults
 
 ### Customer Checkout
 
@@ -144,6 +166,18 @@ define('WC_LICENSE_TRUSTED_PROXIES', 'CLOUDFLARE,10.0.0.1');
 
 **Note**: Only configure trusted proxies if you actually use them. Without this configuration, rate limiting is more secure against IP spoofing attacks.
 
+### Configurable Rate Limiting
+
+The default rate limit is 30 requests per 60 seconds. You can customize this:
+
+```php
+// Requests allowed per window (default: 30)
+define('WC_LICENSE_RATE_LIMIT', 60);
+
+// Window duration in seconds (default: 60)
+define('WC_LICENSE_RATE_WINDOW', 120);
+```
+
 ## REST API
 
 Full API documentation available in `openapi.json` (OpenAPI 3.1 specification).
@@ -173,6 +207,8 @@ openssl rand -hex 32
 
 The signature prevents man-in-the-middle attacks and ensures response integrity. Use the `magdev/wc-licensed-product-client` Composer package with the `SecureLicenseClient` class to automatically verify signatures.
 
+**Per-License Customer Secrets**: Each customer receives a unique verification secret derived from their license key. This secret is displayed in their account page under "API Verification Secret" and can be used with the client library instead of sharing the master server secret.
+
 ### Client Libraries & Examples
 
 **PHP (Recommended):** Install the official client library via Composer:

assets/css/admin.css

@@ -50,9 +50,10 @@ code.file-hash {
     color: #666;
 }
 
-/* License Product Tab */
+/* License Product Tab - Hidden by default, shown via JS based on product type */
-#woocommerce-product-data .show_if_licensed {
+#woocommerce-product-data .show_if_licensed,
-    display: block !important;
+#woocommerce-product-data .show_if_licensed-variable {
+    display: none;
 }
 
 #woocommerce-product-data .hide_if_licensed {

composer.lock

@@ -12,7 +12,7 @@
             "source": {
                 "type": "git",
                 "url": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client.git",
-                "reference": "64d215cb265a64ff318cfbb954dd128b0076dc1d"
+                "reference": "5e4b5a970f75d0163c5496581d963a24ade4f276"
             },
             "require": {
                 "php": "^8.3",
@@ -52,7 +52,7 @@
                 "issues": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client/issues",
                 "source": "https://src.bundespruefstelle.ch/magdev/wc-licensed-product-client"
             },
-            "time": "2026-01-24T13:32:11+00:00"
+            "time": "2026-01-26T15:54:37+00:00"
         },
         {
             "name": "psr/cache",

languages/wc-licensed-product-de_CH.po

@@ -4,8 +4,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: WC Licensed Product 0.5.0\n"
-"Report-Msgid-Bugs-To: magdev3.0@gmail.com\n"
+"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-26 16:08+0100\n"
+"POT-Creation-Date: 2026-01-27 11:29+0100\n"
 "PO-Revision-Date: 2026-01-25T18:30:00+00:00\n"
 "Last-Translator: Marco Graetsch <magdev3.0@gmail.com>\n"
 "Language-Team: German (Switzerland) <de_CH@li.org>\n"
@@ -312,7 +312,7 @@ msgstr "Speichern"
 #: src/Admin/OrderLicenseController.php:260
 #: src/Admin/SettingsController.php:192 src/Product/LicensedProductType.php:136
 #: src/Product/LicensedProductType.php:184
-#: src/Product/LicensedProductType.php:379
+#: src/Product/LicensedProductType.php:385
 #: src/Product/LicensedProductVariation.php:139
 #: src/Frontend/AccountController.php:286
 msgid "Lifetime"
@@ -1282,32 +1282,32 @@ msgstr "Lizenz erfolgreich überprüft!"
 msgid "License validation failed."
 msgstr "Lizenzvalidierung fehlgeschlagen."
 
-#: src/Api/RestApiController.php:84
+#: src/Api/RestApiController.php:106
 msgid "Too many requests. Please try again later."
 msgstr "Zu viele Anfragen. Bitte versuchen Sie es später erneut."
 
-#: src/Api/RestApiController.php:345 src/Api/RestApiController.php:378
+#: src/Api/RestApiController.php:400 src/Api/RestApiController.php:433
 #: src/License/LicenseManager.php:475
 msgid "License key not found."
 msgstr "Lizenzschlüssel nicht gefunden."
 
-#: src/Api/RestApiController.php:386
+#: src/Api/RestApiController.php:441
 msgid "This license is not valid."
 msgstr "Diese Lizenz ist ungültig."
 
-#: src/Api/RestApiController.php:396
+#: src/Api/RestApiController.php:451
 msgid "License is already activated for this domain."
 msgstr "Die Lizenz ist bereits für diese Domain aktiviert."
 
-#: src/Api/RestApiController.php:405
+#: src/Api/RestApiController.php:460
 msgid "Maximum number of activations reached."
 msgstr "Maximale Anzahl der Aktivierungen erreicht."
 
-#: src/Api/RestApiController.php:416
+#: src/Api/RestApiController.php:471
 msgid "Failed to activate license."
 msgstr "Lizenz konnte nicht aktiviert werden."
 
-#: src/Api/RestApiController.php:422
+#: src/Api/RestApiController.php:477
 msgid "License activated successfully."
 msgstr "Lizenz erfolgreich aktiviert."
 
@@ -1432,6 +1432,15 @@ msgstr "Diese Lizenz ist inaktiv."
 msgid "This license is not valid for this domain."
 msgstr "Diese Lizenz ist für diese Domain nicht gültig."
 
+#: src/Product/VersionManager.php:166
+msgid "Attachment file not found."
+msgstr "Anhangs-Datei nicht gefunden."
+
+#: src/Product/VersionManager.php:177
+#, php-format
+msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
+msgstr "Datei-Prüfsumme stimmt nicht überein. Erwartet: %1$s, Erhalten: %2$s"
+
 #: src/Product/LicensedProductType.php:72
 msgid "Licensed Product"
 msgstr "Lizensiertes Produkt"
@@ -1445,7 +1454,7 @@ msgid "License Settings"
 msgstr "Lizenz-Einstellungen"
 
 #: src/Product/LicensedProductType.php:135
-#: src/Product/LicensedProductType.php:378
+#: src/Product/LicensedProductType.php:384
 #, php-format
 msgid "%d days"
 msgstr "%d Tage"
@@ -1460,7 +1469,7 @@ msgid "WooCommerce > Settings > Licensed Products"
 msgstr "WooCommerce > Einstellungen > Lizensierte Produkte"
 
 #: src/Product/LicensedProductType.php:154
-#: src/Product/LicensedProductType.php:396
+#: src/Product/LicensedProductType.php:402
 msgid "Max Activations"
 msgstr "Max. Aktivierungen"
 
@@ -1499,39 +1508,30 @@ msgstr "Ja"
 msgid "No"
 msgstr "Nein"
 
-#: src/Product/LicensedProductType.php:321
+#: src/Product/LicensedProductType.php:327
 msgid "Version:"
 msgstr "Version:"
 
-#: src/Product/LicensedProductType.php:349
+#: src/Product/LicensedProductType.php:355
 msgid "Licensed products are always virtual"
 msgstr "Lizenzierte Produkte sind immer virtuell"
 
-#: src/Product/LicensedProductType.php:351
+#: src/Product/LicensedProductType.php:357
 msgid "Virtual"
 msgstr "Virtuell"
 
-#: src/Product/LicensedProductType.php:384
+#: src/Product/LicensedProductType.php:390
 msgid "License Duration (Days)"
 msgstr "Lizenz-Gültigkeit (Tage)"
 
-#: src/Product/LicensedProductType.php:393
+#: src/Product/LicensedProductType.php:399
 msgid "Leave empty for parent default. 0 = Lifetime."
 msgstr "Leer lassen für übergeordneten Standard. 0 = Lebenslang."
 
-#: src/Product/LicensedProductType.php:405
+#: src/Product/LicensedProductType.php:411
 msgid "Leave empty for parent default."
 msgstr "Leer lassen für übergeordneten Standard."
 
-#: src/Product/VersionManager.php:166
-msgid "Attachment file not found."
-msgstr "Anhangs-Datei nicht gefunden."
-
-#: src/Product/VersionManager.php:177
-#, php-format
-msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
-msgstr "Datei-Prüfsumme stimmt nicht überein. Erwartet: %1$s, Erhalten: %2$s"
-
 #: src/Product/LicensedProductVariation.php:143
 msgid "Monthly"
 msgstr "Monatlich"

languages/wc-licensed-product.pot

@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: WC Licensed Product 0.5.3\n"
+"Project-Id-Version: WC Licensed Product 0.5.6\n"
-"Report-Msgid-Bugs-To: magdev3.0@gmail.com\n"
+"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-26 16:08+0100\n"
+"POT-Creation-Date: 2026-01-27 11:29+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -305,7 +305,7 @@ msgstr ""
 #: src/Admin/OrderLicenseController.php:260
 #: src/Admin/SettingsController.php:192 src/Product/LicensedProductType.php:136
 #: src/Product/LicensedProductType.php:184
-#: src/Product/LicensedProductType.php:379
+#: src/Product/LicensedProductType.php:385
 #: src/Product/LicensedProductVariation.php:139
 #: src/Frontend/AccountController.php:286
 msgid "Lifetime"
@@ -1238,32 +1238,32 @@ msgstr ""
 msgid "License validation failed."
 msgstr ""
 
-#: src/Api/RestApiController.php:84
+#: src/Api/RestApiController.php:106
 msgid "Too many requests. Please try again later."
 msgstr ""
 
-#: src/Api/RestApiController.php:345 src/Api/RestApiController.php:378
+#: src/Api/RestApiController.php:400 src/Api/RestApiController.php:433
 #: src/License/LicenseManager.php:475
 msgid "License key not found."
 msgstr ""
 
-#: src/Api/RestApiController.php:386
+#: src/Api/RestApiController.php:441
 msgid "This license is not valid."
 msgstr ""
 
-#: src/Api/RestApiController.php:396
+#: src/Api/RestApiController.php:451
 msgid "License is already activated for this domain."
 msgstr ""
 
-#: src/Api/RestApiController.php:405
+#: src/Api/RestApiController.php:460
 msgid "Maximum number of activations reached."
 msgstr ""
 
-#: src/Api/RestApiController.php:416
+#: src/Api/RestApiController.php:471
 msgid "Failed to activate license."
 msgstr ""
 
-#: src/Api/RestApiController.php:422
+#: src/Api/RestApiController.php:477
 msgid "License activated successfully."
 msgstr ""
 
@@ -1383,6 +1383,15 @@ msgstr ""
 msgid "This license is not valid for this domain."
 msgstr ""
 
+#: src/Product/VersionManager.php:166
+msgid "Attachment file not found."
+msgstr ""
+
+#: src/Product/VersionManager.php:177
+#, php-format
+msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
+msgstr ""
+
 #: src/Product/LicensedProductType.php:72
 msgid "Licensed Product"
 msgstr ""
@@ -1396,7 +1405,7 @@ msgid "License Settings"
 msgstr ""
 
 #: src/Product/LicensedProductType.php:135
-#: src/Product/LicensedProductType.php:378
+#: src/Product/LicensedProductType.php:384
 #, php-format
 msgid "%d days"
 msgstr ""
@@ -1411,7 +1420,7 @@ msgid "WooCommerce > Settings > Licensed Products"
 msgstr ""
 
 #: src/Product/LicensedProductType.php:154
-#: src/Product/LicensedProductType.php:396
+#: src/Product/LicensedProductType.php:402
 msgid "Max Activations"
 msgstr ""
 
@@ -1448,39 +1457,30 @@ msgstr ""
 msgid "No"
 msgstr ""
 
-#: src/Product/LicensedProductType.php:321
+#: src/Product/LicensedProductType.php:327
 msgid "Version:"
 msgstr ""
 
-#: src/Product/LicensedProductType.php:349
+#: src/Product/LicensedProductType.php:355
 msgid "Licensed products are always virtual"
 msgstr ""
 
-#: src/Product/LicensedProductType.php:351
+#: src/Product/LicensedProductType.php:357
 msgid "Virtual"
 msgstr ""
 
-#: src/Product/LicensedProductType.php:384
+#: src/Product/LicensedProductType.php:390
 msgid "License Duration (Days)"
 msgstr ""
 
-#: src/Product/LicensedProductType.php:393
+#: src/Product/LicensedProductType.php:399
 msgid "Leave empty for parent default. 0 = Lifetime."
 msgstr ""
 
-#: src/Product/LicensedProductType.php:405
+#: src/Product/LicensedProductType.php:411
 msgid "Leave empty for parent default."
 msgstr ""
 
-#: src/Product/VersionManager.php:166
-msgid "Attachment file not found."
-msgstr ""
-
-#: src/Product/VersionManager.php:177
-#, php-format
-msgid "File checksum does not match. Expected: %1$s, Got: %2$s"
-msgstr ""
-
 #: src/Product/LicensedProductVariation.php:143
 msgid "Monthly"
 msgstr ""

releases/wc-licensed-product-0.5.3.zip.sha256

@@ -0,0 +1 @@
+bbd0fa8888c6990a4ba00ccfb8b2189ee6ac529a34cc11a5d8d8d28518b1f6dd  wc-licensed-product-0.5.3.zip

releases/wc-licensed-product-0.5.5.zip.sha256

@@ -0,0 +1 @@
+8c37e1c68eb6031c37d35adc516a492abdbea8498bdc3e3fc7d93eda380a4fe0  wc-licensed-product-0.5.5.zip

src/Api/ResponseSigner.php

@@ -157,16 +157,23 @@ final class ResponseSigner
      * to verify signed API responses. Each customer gets their own secret
      * derived from their license key.
      *
+     * Uses RFC 5869 HKDF via PHP's native hash_hkdf() function.
+     * Parameters match the client library (SecureLicenseClient):
+     * - IKM (input keying material): server_secret
+     * - Length: 32 bytes (256 bits for SHA-256)
+     * - Info: license_key (context-specific info)
+     *
      * @param string $licenseKey   The customer's license key
      * @param string $serverSecret The server's master secret
      * @return string The derived secret (64 hex characters)
      */
     public static function deriveCustomerSecret(string $licenseKey, string $serverSecret): string
     {
-        // HKDF-like key derivation
+        // RFC 5869 HKDF using PHP's native implementation
-        $prk = hash_hmac('sha256', $licenseKey, $serverSecret, true);
+        // Must match client's ResponseSignature::deriveKey() exactly
+        $binaryKey = hash_hkdf('sha256', $serverSecret, 32, $licenseKey);
 
-        return hash_hmac('sha256', $prk . "\x01", $serverSecret);
+        return bin2hex($binaryKey);
     }
 
     /**

src/Api/RestApiController.php

@@ -22,14 +22,34 @@ final class RestApiController
     private const NAMESPACE = 'wc-licensed-product/v1';
 
     /**
-     * Rate limit: requests per minute per IP
+     * Default rate limit: requests per window per IP
      */
-    private const RATE_LIMIT_REQUESTS = 30;
+    private const DEFAULT_RATE_LIMIT = 30;
 
     /**
-     * Rate limit window in seconds
+     * Default rate limit window in seconds
      */
-    private const RATE_LIMIT_WINDOW = 60;
+    private const DEFAULT_RATE_WINDOW = 60;
+
+    /**
+     * Get the configured rate limit (requests per window)
+     */
+    private function getRateLimit(): int
+    {
+        return defined('WC_LICENSE_RATE_LIMIT')
+            ? (int) WC_LICENSE_RATE_LIMIT
+            : self::DEFAULT_RATE_LIMIT;
+    }
+
+    /**
+     * Get the configured rate limit window in seconds
+     */
+    private function getRateWindow(): int
+    {
+        return defined('WC_LICENSE_RATE_WINDOW')
+            ? (int) WC_LICENSE_RATE_WINDOW
+            : self::DEFAULT_RATE_WINDOW;
+    }
 
     private LicenseManager $licenseManager;
 
@@ -56,12 +76,14 @@ final class RestApiController
     {
         $ip = $this->getClientIp();
         $transientKey = 'wclp_rate_' . md5($ip);
+        $rateLimit = $this->getRateLimit();
+        $rateWindow = $this->getRateWindow();
 
         $data = get_transient($transientKey);
 
         if ($data === false) {
             // First request, start counting
-            set_transient($transientKey, ['count' => 1, 'start' => time()], self::RATE_LIMIT_WINDOW);
+            set_transient($transientKey, ['count' => 1, 'start' => time()], $rateWindow);
             return null;
         }
 
@@ -69,15 +91,15 @@ final class RestApiController
         $start = (int) ($data['start'] ?? time());
 
         // Check if window has expired
-        if (time() - $start >= self::RATE_LIMIT_WINDOW) {
+        if (time() - $start >= $rateWindow) {
             // Reset counter
-            set_transient($transientKey, ['count' => 1, 'start' => time()], self::RATE_LIMIT_WINDOW);
+            set_transient($transientKey, ['count' => 1, 'start' => time()], $rateWindow);
             return null;
         }
 
         // Check if limit exceeded
-        if ($count >= self::RATE_LIMIT_REQUESTS) {
+        if ($count >= $rateLimit) {
-            $retryAfter = self::RATE_LIMIT_WINDOW - (time() - $start);
+            $retryAfter = $rateWindow - (time() - $start);
             $response = new WP_REST_Response([
                 'success' => false,
                 'error' => 'rate_limit_exceeded',
@@ -89,7 +111,7 @@ final class RestApiController
         }
 
         // Increment counter
-        set_transient($transientKey, ['count' => $count + 1, 'start' => $start], self::RATE_LIMIT_WINDOW);
+        set_transient($transientKey, ['count' => $count + 1, 'start' => $start], $rateWindow);
         return null;
     }
 
@@ -257,7 +279,8 @@ final class RestApiController
                     'type' => 'string',
                     'sanitize_callback' => 'sanitize_text_field',
                     'validate_callback' => function ($value): bool {
-                        return !empty($value) && strlen($value) <= 64;
+                        $len = strlen($value);
+                        return !empty($value) && $len >= 8 && $len <= 64;
                     },
                 ],
                 'domain' => [
@@ -281,6 +304,10 @@ final class RestApiController
                     'required' => true,
                     'type' => 'string',
                     'sanitize_callback' => 'sanitize_text_field',
+                    'validate_callback' => function ($value): bool {
+                        $len = strlen($value);
+                        return !empty($value) && $len >= 8 && $len <= 64;
+                    },
                 ],
             ],
         ]);
@@ -295,11 +322,18 @@ final class RestApiController
                     'required' => true,
                     'type' => 'string',
                     'sanitize_callback' => 'sanitize_text_field',
+                    'validate_callback' => function ($value): bool {
+                        $len = strlen($value);
+                        return !empty($value) && $len >= 8 && $len <= 64;
+                    },
                 ],
                 'domain' => [
                     'required' => true,
                     'type' => 'string',
                     'sanitize_callback' => 'sanitize_text_field',
+                    'validate_callback' => function ($value): bool {
+                        return !empty($value) && strlen($value) <= 255;
+                    },
                 ],
             ],
         ]);
@@ -320,11 +354,32 @@ final class RestApiController
 
         $result = $this->licenseManager->validateLicense($licenseKey, $domain);
 
-        $statusCode = $result['valid'] ? 200 : 403;
+        $statusCode = $this->getStatusCodeForResult($result);
 
         return new WP_REST_Response($result, $statusCode);
     }
 
+    /**
+     * Get HTTP status code based on validation result
+     *
+     * @param array $result The validation result
+     * @return int HTTP status code
+     */
+    private function getStatusCodeForResult(array $result): int
+    {
+        if ($result['valid']) {
+            return 200;
+        }
+
+        $error = $result['error'] ?? '';
+
+        return match ($error) {
+            'license_not_found' => 404,
+            'activation_failed' => 500,
+            default => 403,
+        };
+    }
+
     /**
      * Check license status endpoint
      */

src/Product/LicensedProductType.php

@@ -202,22 +202,28 @@ final class LicensedProductType
         <script type="text/javascript">
             jQuery(document).ready(function($) {
                 // Show/hide panels based on product type
-                $('select#product-type').change(function() {
+                function toggleLicensedProductOptions() {
-                    if ($(this).val() === 'licensed') {
+                    var productType = $('#product-type').val();
+                    var isLicensed = productType === 'licensed';
+                    var isLicensedVariable = productType === 'licensed-variable';
+
+                    if (isLicensed || isLicensedVariable) {
                         $('.show_if_licensed').show();
+                        $('.show_if_licensed-variable').show();
                         $('.general_options').show();
                         $('.pricing').show();
+                        $('.general_tab').show();
                     } else {
                         $('.show_if_licensed').hide();
+                        $('.show_if_licensed-variable').hide();
                     }
-                }).change();
+                }
 
-                // Show general tab for licensed products
+                // Initial state on page load
-                $('#product-type').on('change', function() {
+                toggleLicensedProductOptions();
-                    if ($(this).val() === 'licensed') {
+
-                        $('.general_tab').show();
+                // On product type change
-                    }
+                $('#product-type').on('change', toggleLicensedProductOptions);
-                });
             });
         </script>
         <?php

wc-licensed-product.php

@@ -3,7 +3,7 @@
  * Plugin Name: WooCommerce Licensed Product
  * Plugin URI: https://src.bundespruefstelle.ch/magdev/wc-licensed-product
  * Description: WooCommerce plugin to sell software products using license keys with domain-based validation.
- * Version: 0.5.3
+ * Version: 0.5.6
  * Author: Marco Graetsch
  * Author URI: https://src.bundespruefstelle.ch/magdev
  * License: GPL-2.0-or-later
@@ -28,7 +28,7 @@ if (!defined('ABSPATH')) {
 }
 
 // Plugin constants
-define('WC_LICENSED_PRODUCT_VERSION', '0.5.3');
+define('WC_LICENSED_PRODUCT_VERSION', '0.5.6');
 define('WC_LICENSED_PRODUCT_PLUGIN_FILE', __FILE__);
 define('WC_LICENSED_PRODUCT_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('WC_LICENSED_PRODUCT_PLUGIN_URL', plugin_dir_url(__FILE__));