- Fix Client ID regex to allow lowercase letters
- Update HVAC_Zoho_CRM_Auth to use encrypted storage for all operations
- Update class-zoho-admin.php to use HVAC_Secure_Storage for credential retrieval
- Update OAuth callback to use secure storage for token storage
- Update Status.md with blocking production issue (400 Bad Request)
Note: Issue persists on production - needs further investigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. OAuth CSRF Protection:
- Added state parameter to OAuth authorization URL
- Generate and store state in transient (10 min expiry)
- Validate state on callback with timing-safe comparison
2. Debug Log Sanitization:
- Added sanitize_log_message() to mask credentials in logs
- Patterns mask client_id, client_secret, access_token, refresh_token
- Error handlers only expose file paths in WP_DEBUG mode
3. Move Inline JS to External File:
- Moved ~100 lines of inline JS to assets/js/zoho-admin.js
- Added redirectUri and oauthUrl to wp_localize_script
- Better CSP compliance and caching
4. Updated .gitignore to track includes/admin/ and includes/zoho/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace WooCommerce sync with Event Tickets (Tickets Commerce) support
- Add sync_attendees() for Contacts + Campaign Members
- Add sync_rsvps() for Leads + Campaign Members
- Fix user roles filter (hvac_trainer/hvac_master_trainer)
- Fix event query to include past events
- Update admin UI with new sync buttons
- Correct meta keys for Tickets Commerce (_tec_tickets_commerce_*)
- Correct meta keys for RSVPs (_tribe_rsvp_*)
Dry-run tested on staging:
- Events: 20 records
- Trainers: 53 records
- Attendees: 79 records
- RSVPs: 4 records
- Orders: 52 records
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix production debug exposure in Zoho admin interface (WP_DEBUG conditional)
- Implement secure credential storage with AES-256-CBC encryption
- Add file upload size limits (5MB profiles, 2MB logos) with enhanced validation
- Fix privilege escalation via PHP Reflection bypass with public method alternative
- Add comprehensive input validation and security headers
- Update plugin version to 1.0.7 with security hardening
Security improvements:
✅ Debug information exposure eliminated in production
✅ API credentials now encrypted in database storage
✅ File upload security enhanced with size/type validation
✅ AJAX endpoints secured with proper capability checks
✅ SQL injection protection verified via parameterized queries
✅ CSRF protection maintained with nonce verification
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement singleton pattern for HVAC_Enhanced_Settings to prevent duplicate initialization
- Fix jQuery selector error by checking for valid hash selectors before using $(href)
- Add default email templates with professional copy for trainer notifications
- Update plugin version to 1.0.1 for cache busting
- Remove duplicate Enhanced Settings initialization from HVAC_Community_Events
- Add force cache refresh suffix to admin scripts
This resolves the duplicate content issue on email templates page and fixes
JavaScript errors in the admin interface.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Removed all CSS debug error_log statements from hvac-community-events.php
- Removed Request URI and OAuth callback debug messages from class-zoho-admin.php
- Updated gitignore to properly track plugin files
This eliminates the debug noise in production error logs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
