WPSDK/v-wordpress-plugin-updater
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/djav1985/v-wordpress-plugin-updater.git synced 2026-04-25 04:12:14 +08:00
Code Issues Packages Activity Actions
v-wordpress-plugin-updater/CHANGELOG.md

69 lines
7.5 KiB
Markdown
Raw Permalink Blame History

# Changelog
All notable changes to this project will be documented in this file.
See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
## Unreleased
- Replaced login-session CSRF token regeneration in `LoginController` with cryptographically secure output using `bin2hex(random_bytes(32))` while preserving existing timeout and session ID regeneration flow.
- Fixed API query argument construction in `PluginUpdater` and `ThemeUpdater` by removing pre-encoding (`rawurlencode`) so `add_query_arg` performs a single RFC3986 encoding pass.
- Hardened package delete parsing in `PluginModel::deletePlugin` and `ThemeModel::deleteTheme` using strict `^([A-Za-z0-9_-]+)_([0-9.]+)\.zip$` extraction, including regression coverage for underscore-containing slugs and non-matching filenames.
- Hardened file response streaming:
- `ApiController` now validates update package readability and `filesize()` before building a file response.
- `Router` rejects unreadable file responses and emits deterministic `500` text responses.
- `Response::send` now suppresses raw `readfile` warnings, logs failures, and follows a controlled `500` fallback path for unreadable files.
- Dependency follow-up (`nikic/fast-route`):
- Reviewed upgrade path from `v1.3.0` to `2.0.0-beta1` (composer dry-run succeeds but targets a beta line and introduces `psr/simple-cache`).
- Deferred immediate upgrade and added explicit migration tracking in `README.md` and `update-api/docs/dependency-tracking.md` (ticket `DEP-001`).
- Constrained FastRoute usage behind `App\Core\RouteDispatcherFactory` to reduce migration surface for the eventual v2 adoption.
- **Aligned update-check contract (Option A):** Unified the request/response protocol used between
the WordPress client plugin and the Update API server.
- `PluginUpdater::fetch_package` now sends `type=plugin&slug=<slug>` instead of `plugin=<slug>`.
- `ThemeUpdater::fetch_package` now sends `type=theme&slug=<slug>` instead of `theme=<slug>`.
- Both updaters now treat HTTP `403` as the auth-failure signal (replacing the previous incorrect
`401` check) to match the status code returned by `ApiController`.
- Both updaters now handle the direct binary ZIP response on HTTP `200` (no JSON `zip_url`
parsing) and return the authenticated API URL as `download_url` for `AbstractRemoteUpdater`.
- Added `tests/ApiControllerTest.php` covering request validation, auth failure (`403`),
no-update (`204`), and successful update (`200`) for both `plugin` and `theme` types.
- Added `tests/UpdaterFetchPackageTest.php` with 22 tests locking parameter names, status-code
branches, WP_Error handling, and a regression test proving a valid request reaches the
install path.
- Updated `v-wp-updater/api/API_SCHEMA.md` with the canonical update-check endpoint contract.
- Updated `update-api/cron.php` to accept the positional `worker` argument, reject unknown CLI options, and propagate non-zero exit codes when cron work fails via `ErrorManager`.
- Added integration tests covering worker invocation, argument validation, and CLI error handling, plus lightweight mu-plugin fixtures required for the suite.
- **Updated README.md to match current codebase**: Replaced all references to obsolete `mu-plugin/` directory with `v-wp-updater/`. Updated project structure documentation to reflect dual-component architecture (Update API Server + WordPress Client Plugin). Removed references to non-existent files (HOSTS, autoload.php) and controllers (AccountsController, InfoController, UsersController). Added documentation for SiteLogsController and cron.php with worker mode. Updated installation and usage sections with accurate paths and separate setup procedures for API server and client plugin.
- Removed legacy key-exchange workflow; clients now use a stored API key.
- Updated installation to use `VONTMNT_UPDATE_KEYREGEN` instead of `VONTMENT_KEY`.
- Consolidated `VONTMENT_PLUGINS` and `VONTMENT_THEMES` into a single `VONTMNT_API_URL` constant.
- **Split update loops into single-item tasks**: Refactored plugin and theme updaters to use asynchronous per-item processing. Daily update checks now schedule individual `wp_schedule_single_event()` tasks for each plugin/theme instead of processing all items synchronously. Added `vontmnt_plugin_update_single()` and `vontmnt_theme_update_single()` callback functions.
- **Expanded test coverage to reflect current codebase**: Added comprehensive tests for ThemeModel, Encryption, Blacklist, CronWorker, Validation, Response, Csrf, and MessageHelper classes. Test suite expanded from 37 to 105 tests with 241 assertions, providing coverage for all major components including models, helpers, and core classes.
- Stored admin password as a hash and verified with `password_verify` during login.
- Controllers now return structured `Response` objects; router and session handling updated accordingly.
- Expanded filename validation to allow digits and underscores in slugs and updated tests.
- Introduced configurable `LOG_FILE` and centralized logging through `ErrorManager`.
- Made `SessionManager::requireAuth` non-terminating, returning a boolean instead.
- Enhanced `vontmnt_get_api_key` with wp-config backups and validation.
- Streamlined plugin updates using a single streaming `wp_remote_get` call.
- Removed HTML escaping in `HostsModel` in favor of parameterized queries.
## 4.0.0
- Added PHP_CodeSniffer with WordPress Coding Standards for linting.
- Moved validation helpers to `App\Helpers\Validation` and encryption helpers to `App\Helpers\Encryption`.
- Added `App\Models\Blacklist` for IP blacklist management and removed `App\Core\Utility`.
- Introduced centralized `SessionManager` and `Csrf` utilities, refactored controllers and routing to use them, and replaced `AuthController` with `LoginController`.
- Switched router to instantiate controllers, dropped unused account/user/info routes, and added `/api` endpoint.
- Updated `LoginController` to render views through `$this` instead of creating a new instance.
- Converted controllers to instance methods using `$this->render` and removed the feeds controller and route.
- Refined router dispatch to include HTTP method and validate API requests before enforcing authentication.
- Streamlined session validation to check only timeout and user agent, moved IP blacklist enforcement to authentication, and added unit tests for session expiry, user-agent changes, and blacklist handling.
- Refactored router into a singleton and documented root URL redirection to `/home`.
- Restricted table generation helpers in controllers and `SessionManager::isValid` to internal use and updated tests accordingly.
- Fixed PHPStan reported issues by initializing variables, adding explicit type annotations, and excluding vendor code from analysis.
- Introduced SQLite persistence using Doctrine DBAL with install and cron scripts, and migrated models and controllers to use the database.
- Replaced JSON-based blacklist with SQLite table that automatically resets entries after three days.
- Moved blacklist table creation to installer script.
- Removed `rawurlencode` from updater request parameters to prevent double encoding.
- Added `WP_Error` checks after `wp_remote_get` calls to log network failures and skip processing.
- Corrected the header in `v-sys-theme-updater.php` so it loads as a plugin.
- Updated `SessionManager::requireAuth` to return a boolean and halt routing for blacklisted IPs.
- Logged failed package writes in plugin and theme updaters and skipped installation when writes fail.
Reference in a new issue View git blame Copy permalink