Version 1.3.1 - Switch to SecureLicenseClient with signature verification

- Upgraded from LicenseClient to SecureLicenseClient with HMAC-SHA256 response signature verification
- Added Server Secret configuration field for secure communication
- Added rate limit exception handling with retry time display
- Added signature verification error handling
- Added URL validation error handling (SSRF protection)
- Updated all translation files with new strings
- Compiled .mo files for all 7 language variants

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 19:23:42 +01:00
parent cbe758267e
commit 7286459ff2
19 changed files with 317 additions and 51 deletions
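Added illustration of the two mechanisms the commit message names, HMAC-SHA256 response verification under a license-specific HKDF-derived key and SSRF-safe server URL validation. This is not the plugin's or the license library's code: the class and function names, the HKDF `info` string, the nonce bound into the MAC input, the injectable resolver and the demo values are all assumptions, and the real `SecureLicenseClient` may differ in every one of them. Requires PHP 8.

```php
<?php
declare(strict_types=1);
// Added illustration of HKDF-derived per-license HMAC verification and SSRF-safe
// URL validation. Not the plugin's or the license library's code; every name,
// the HKDF "info" string and the nonce binding are assumptions.

final class ResponseVerifier
{
    public function __construct(private string $serverSecret) {}

    // Per-license key: HKDF-SHA256 (RFC 5869) over the shared server secret,
    // with the license key in "info" so each license verifies under its own key.
    public function deriveKey(string $licenseKey): string
    {
        return hash_hkdf('sha256', $this->serverSecret, 32, 'license-response:' . $licenseKey);
    }

    // The client-chosen nonce is bound into the MAC input: a captured response
    // replayed against a later request (different nonce) fails verification.
    public function sign(string $licenseKey, string $nonce, string $body): string
    {
        return hash_hmac('sha256', $nonce . "\n" . $body, $this->deriveKey($licenseKey));
    }

    public function verify(string $licenseKey, string $nonce, string $body, string $signature): bool
    {
        $expected = $this->sign($licenseKey, $nonce, $body);
        return hash_equals($expected, strtolower($signature)); // constant-time compare
    }
}

/**
 * SSRF guard for the configured license server URL.
 * - https only; plain http is accepted for localhost only when $allowLocalhost is set
 * - hostnames are resolved ($resolver is injectable for offline use) and every
 *   address must lie outside private and reserved ranges
 */
function validateServerUrl(string $url, bool $allowLocalhost = false, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $scheme  = strtolower($parts['scheme']);
    $host    = strtolower(trim($parts['host'], '[]'));
    $isLocal = in_array($host, ['localhost', '127.0.0.1', '::1'], true);

    if ($isLocal) {
        return $allowLocalhost && in_array($scheme, ['http', 'https'], true);
    }
    if ($scheme !== 'https') {
        return false;
    }
    $resolver ??= static fn (string $h): array => gethostbynamel($h) ?: [];
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addresses === []) {
        return false; // unresolvable host: fail closed
    }
    foreach ($addresses as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // private (10/8, 172.16/12, 192.168/16, fc00::/7) or reserved
        }
    }
    return true;
}

// Constructed demo values; no network access happens because a resolver is injected.
$verifier  = new ResponseVerifier('shared-server-secret-from-settings');
$nonce     = bin2hex(random_bytes(16));
$body      = json_encode(['status' => 'active', 'license' => 'DEMO-1234']);
$signature = $verifier->sign('DEMO-1234', $nonce, $body); // what a server holding the same secret would send

$fresh = bin2hex(random_bytes(16));
var_dump($verifier->verify('DEMO-1234', $nonce, $body, $signature));
var_dump($verifier->verify('DEMO-1234', $fresh, $body, $signature)); // replay under a new request nonce
var_dump($verifier->verify('DEMO-9999', $nonce, $body, $signature)); // wrong license, wrong derived key

$public  = static fn (string $h): array => ['203.0.113.10'];
$private = static fn (string $h): array => ['10.0.0.5'];
var_dump(validateServerUrl('https://license.example.com/api', false, $public));
var_dump(validateServerUrl('https://license.example.com/api', false, $private));
var_dump(validateServerUrl('http://license.example.com/api', false, $public));
var_dump(validateServerUrl('http://localhost:8080/api', true));
var_dump(validateServerUrl('http://localhost:8080/api'));
```

Only the first `verify` call succeeds: the replayed signature fails under a fresh nonce, and a different license key derives a different HMAC key. Of the URL checks, only the HTTPS URL resolving to a public address and the explicitly allowed localhost URL pass; a host resolving into 10/8, plain HTTP to a remote host, and localhost without the opt-in are all rejected. The resolver injection is what makes the private-range check meaningful for hostnames, since a literal-IP check alone can be bypassed by a DNS name that points at an internal address.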


@@ -5,6 +5,46 @@ All notable changes to WooCommerce Tier and Package Prices will be documented in
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.3.1] - 2026-01-27
### Changed
- **Switched to SecureLicenseClient**: Upgraded from basic `LicenseClient` to `SecureLicenseClient` with HMAC-SHA256 response signature verification for enhanced security against tampering and replay attacks
- **Added Server Secret Configuration**: New "Server Secret" field in License settings for secure communication with the license server
### Added
- **Rate Limit Handling**: Added proper handling of `RateLimitExceededException` with user-friendly messages showing retry wait time
- **Signature Verification Error Handling**: Added dedicated handling for `SignatureException` when response signatures fail verification
- **URL Validation Error Handling**: Added handling for `InvalidArgumentException` from SSRF protection in the license client
### Security
- Response signatures are now verified using HMAC-SHA256 with license-specific derived keys (RFC 5869 HKDF)
- The license client now validates server URLs to prevent SSRF attacks (blocks private IP ranges)
- HTTP connections require HTTPS unless explicitly allowed for localhost testing
### Technical Details
**License Client Upgrade**:
- Changed from `LicenseClient` to `SecureLicenseClient`
- Added `serverSecret` parameter for signature verification
- Library updated from `v0.1.0` to `dev-main` with new security features
**New Exception Handling**:
- `RateLimitExceededException` - shows retry time to user
- `SignatureException` - indicates server secret mismatch
- `InvalidArgumentException` - invalid/blocked URL detected
**New Settings Field**:
- `wc_tpp_license_server_secret` (password type) for the shared secret
---
## [1.3.0] - 2026-01-25
### Breaking Changes
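Review bot: The "Switched to SecureLicenseClient" entry claims protection "against tampering and replay attacks", but nothing in the Security or Technical Details sections describes a nonce, timestamp or request binding in the signed material; an HMAC-SHA256 over the response alone does not stop a captured response from being replayed, so either document the freshness mechanism or narrow the claim to tampering. In Technical Details, "Library updated from `v0.1.0` to `dev-main`" replaces a tagged release with an unpinned branch head, which is a supply-chain regression for a dependency that now holds the signature-verification logic; pin a tagged release or a commit hash and record that in the entry. The Security bullet "HTTP connections require HTTPS unless explicitly allowed for localhost testing" reads as a contradiction; suggest "Connections to the license server require HTTPS; plain HTTP is accepted only for localhost when explicitly allowed."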