Reply To: Pro License Key in config?

• kwaves

• February 6, 2019 at 5:28 pm

+1. If @elliot is concerned about security of storing one’s license key in the filesystem, here are some other ideas:

Idea 1: Check site authorization remotely–no license key required after the first time. I think this would probably go hand-in-hand with letting folks authorize a site from advancedcustomfields.com (not just de-authorize). WPML does it that way. This also seems to be how Admin Columns Pro does it, since I never need to re-authorize that one after copying from one site to another, as long as I’ve authorized it once on that domain. If I remember correctly, I think WooCommerce extensions (and maybe WC itself) also takes that approach.

Idea 2: Allow us to generate & hard-code site-specific auth tokens instead of the master license key. I don’t know what security issues @elliot is concerned about specifically (maybe that people’s license keys will start showing up on Github?) so maybe this is worthless, but if it helps get ideas going, perhaps there could be something similar to ACF’s current method of combining the license key and domain together, but instead of base64 it uses some kind of hashing algorithm. (On the other hand, perhaps doing that securely would entail the same logic/development required by idea 1 without any additional benefit?)