WalletPress — Python backend (FastAPI) + WordPress plugin. Wallet engine, x402 service, chain vault, hosting. CLI for wallet management. Production-grade wallet-as-a-service.
P2-12 — Hosted email verification (opt-in)
Added verify_email() method + /hosting/verify-email endpoint.
When WP_REQUIRE_EMAIL_VERIFY=1:
- Registration returns a verification_token in the response
- User calls POST /hosting/verify-email with the token to activate
- Token expires in 24 hours
Email sending is documented but not automated (caller must wire
core/email_notify.py). For community/self-hosted, verification is
auto-skipped (email_verified=1 by default).
P2-18 — WP plugin AES-CBC → AES-GCM
class-walletpress.php encrypt()/decrypt() was using AES-256-CBC
with no authentication, making stored values vulnerable to
padding-oracle and bit-flipping attacks.
New format: base64(iv[12] || ciphertext || tag[16]) using AES-256-GCM.
decrypt() auto-detects format and falls back to legacy CBC for
backwards compat with existing encrypted values (e.g. the API
key option in wp_options).
P2-10 — register() api_key plaintext note
api_key in response body is intentional (the user MUST save it).
But added a clearer 'warning' note and documented why.
Test results: 80 passed, 5 skipped (no regressions).
Refs: AUDIT.md P2-12, P2-18, P2-10
|
||
|---|---|---|
| backend | ||
| cli | ||
| installers | ||
| wp-plugin | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| about.html | ||
| ADDRESS_GENERATION.md | ||
| ARCHITECTURE.md | ||
| AUDIT.md | ||
| BUILDER.md | ||
| buy.html | ||
| contact.html | ||
| CONTRIBUTING.md | ||
| docs.html | ||
| features.html | ||
| index.html | ||
| logo.svg | ||
| privacy.html | ||
| PROGRESS.md | ||
| ROADMAP.md | ||
| ROADMAP_V2.md | ||
| robots.txt | ||
| SECURITY.md | ||
| sitemap.xml | ||
| STRATEGY.md | ||
| terms.html | ||
| thanks.html | ||
| verify.html | ||
| walletpress-docs.pdf | ||
| WALLETPRESS.md | ||