Closed mnelson4 closed 3 years ago
Client-side encrypt the public key with the private key using https://www.geeksforgeeks.org/how-to-encrypt-and-decrypt-a-php-string/ and put it in a query param called signature. Also send the site ID.
server-side, require that signature and site ID.
find the site by ID, including keys, then decrypt the signature using the private key. It should match the public key. If so, yippee! Otherwise, no-go.
Actually I probably want to use an algorithm like this http://hgogonis.me/symmetric-encryption-php/ but first make sure the private key is the right length for the encryption algorithm, then make sure it’s only ascii characters, and it might just work
On the user's server I use their private key and the date to generate a hash. I pass that to the JS. JS passes it to PMB central, and the site ID. PMB central fetches the site with that ID, and its private key. PMB central computes what the hash should be too. If the hashes match, it's valid.
One more issue: I need to verify the site ID corresponds to the correct license. Otherwise someone with a valid site could piggyback off others' licenses.
Right now someone could try to guess a license ID and then use that to generate PDFs.
It would be good to instead to
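The keyed-hash exchange described above (site signs the date with its private key, PMB central recomputes and compares) together with the license check from the later comment, written out as an added example. This is not Print My Blog's own code: the function names `pmb_sign_request()` and `pmb_verify_request()`, the `$sites` and `$licenses` arrays standing in for database lookups, and the choice of HMAC-SHA256 as the concrete hash are all assumptions made for this illustration; the comments above do not name a hash function.

```php
<?php
// Added example, not Print My Blog's own code. pmb_sign_request(),
// pmb_verify_request(), $sites and $licenses are assumptions for this illustration.
declare(strict_types=1);

// --- On the user's WordPress server (the side that holds the private key) ---
// The site signs its own ID plus the current date. The private key never leaves
// the site; only site ID, date and signature are handed to the JS.
function pmb_sign_request(string $site_id, string $private_key, string $date): array
{
    $signature = hash_hmac('sha256', $site_id . '|' . $date, $private_key);
    return ['site_id' => $site_id, 'date' => $date, 'signature' => $signature];
}

// --- On PMB central ---
// Constructed sample data standing in for the site and license tables.
$sites = [
    'site-123' => ['private_key' => 'constructed-example-key-not-real', 'license_id' => 'lic-9'],
];
$licenses = [
    'lic-9' => ['active' => true],
];

function pmb_verify_request(array $params, array $sites, array $licenses, string $today): bool
{
    // 1. require site ID, date and signature
    foreach (['site_id', 'date', 'signature'] as $p) {
        if (!isset($params[$p]) || !is_string($params[$p])) {
            return false;
        }
    }
    // 2. find the site by ID, including its key and the license it belongs to
    $site = $sites[$params['site_id']] ?? null;
    if ($site === null) {
        return false;
    }
    // 3. the site ID must map to a license that is actually valid
    $license = $licenses[$site['license_id']] ?? null;
    if ($license === null || !$license['active']) {
        return false;
    }
    // 4. a signature is only accepted for the day it was made, so a captured
    //    one cannot be reused indefinitely
    if ($params['date'] !== $today) {
        return false;
    }
    // 5. recompute the hash with the stored private key; hash_equals() compares
    //    in constant time so the comparison itself leaks nothing about the key
    $expected = hash_hmac('sha256', $params['site_id'] . '|' . $params['date'], $site['private_key']);
    return hash_equals($expected, $params['signature']);
}

// Usage: a correctly signed request is accepted, a request that merely
// guesses a site ID without the matching key is rejected.
$today   = gmdate('Y-m-d');
$request = pmb_sign_request('site-123', $sites['site-123']['private_key'], $today);
var_dump(pmb_verify_request($request, $sites, $licenses, $today));

$guessed = $request;
$guessed['site_id'] = 'site-999';
var_dump(pmb_verify_request($guessed, $sites, $licenses, $today));
```

Including the site ID in the signed string is what ties the signature to one site: swapping the ID on an otherwise valid request changes the expected hash, and step 3 makes sure that even a real site ID only works while its own license is active.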