=== BigAmbitions Membership & Login Bridge for GlueUp ===
Contributors: divemasterza
Tags: membership, login, authentication, bridge, integration
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.1.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Professional membership validator and login bridge for organizations using the GlueUp platform.

== Description ==

**BigAmbitions Membership & Login Bridge for GlueUp** is an independent integration tool designed for organizations using the GlueUp platform (formerly EventBank). It provides a secure, branded gateway that bridges your WordPress site with your GlueUp database, allowing members to log in using their GlueUp credentials.

This plugin is not affiliated with, endorsed by, or officially connected to GlueUp. It simply integrates with the publicly available GlueUp API.

Unlike standard login plugins, this bridge doesn't just check passwords—it validates the user's real-time membership status. It ensures that only members in good standing (Active, Soon-to-Expire, or in a Grace Period) can access your protected content.

Key Features:
*   **Real-time API Authentication**: Authenticate members securely against the GlueUp API.
*   **Intelligent Membership Check**: Automatically verify if a member is Active, Soon-to-Expire, or in a Grace Period before allowing access.
*   **Organization-First White-Labeling**: Customize the login experience with your own company name.
*   **Seamless Profile Sync**: Automatically synchronize user names and company details from GlueUp to WordPress.
*   **Security First**: Built with CSRF protection, data sanitization, and compatibility with brute-force protection plugins.
*   **Developer Friendly**: Simple shortcode integration `[glueup_login_form]` and a clean administration dashboard.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/bigambitions-glueup-bridge` directory.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Configure your API Keys and Organization name under 'BA Membership Bridge' in the WordPress admin menu.
4. Add the shortcode `[glueup_login_form]` to any page.

== Frequently Asked Questions ==

= Is this an official GlueUp plugin? =
No. This is an independent integration bridge developed by Big Ambitions. It is not affiliated with, endorsed by, or officially connected to GlueUp. It works with the publicly available GlueUp API.

= Can I use this for free members? =
Yes, as long as they have a record in your GlueUp database with an allowed status.

== Screenshots ==

1. The settings dashboard where you configure your API keys.
2. The user-facing login form generated by the shortcode.
3. Successful login state showing the welcome message.

== External services ==

This plugin connects to the GlueUp API to authenticate members and verify their membership status.

= Authentication (Login) =
When a user submits the login form, the plugin sends their email address and an MD5-hashed password to the GlueUp session endpoint to obtain an authentication token.
Endpoint: `https://api.glueup.com/v2/user/session`

= Membership Verification =
After authentication, the plugin sends the session token to the GlueUp membership endpoint to check whether the user has an active membership.
Endpoint: `https://api.glueup.com/v2/membership/activeApplicationList`

= Data transmitted =
* User email address (on login)
* MD5-hashed user password (on login)
* Session token (on membership verification)
* API public and private keys (as HMAC authentication headers)

This data is only sent when a user actively submits the login form. No data is sent passively or on page load.

= Service provider =
These services are provided by GlueUp (https://www.glueup.com).
* Terms of Use: https://www.glueup.com/terms
* Privacy Policy: https://www.glueup.com/privacy

== Upgrade Notice ==

= 1.1.1 =
Bug fix: resolves login redirect loop on sites using Elementor or other plugins that output content before the login form renders.

= 1.1.0 =
Security hardening and menu placement improvements as per review guidelines.

= 1.0.0 =
Initial public release with trademark-compliant naming and security improvements.

== Changelog ==

= 1.1.1 =
*   **Bug Fix**: Resolved login redirect loop on sites where other plugins (e.g. Elementor) output content before the login shortcode executes. Moved `wp_signon()` to the `init` hook so the auth cookie is set before any HTML is sent.
*   Added optional debug logging toggle in plugin settings to aid troubleshooting.

= 1.1.0 =
*   **Security Hardening**: Replaced manual login flow with WordPress core `authenticate` filter.
*   **Account Protection**: Blocked bridge login for privileged accounts (Admin/Editor) to prevent takeover.
*   **Menu Hierarchy**: Moved settings page under the standard 'Settings' menu.
*   **Redirect Fix**: Site lockdown redirect is now opt-in via a settings toggle (off by default).
*   Updated Author and Plugin URIs.

= 1.0.0 =
*   Initial public release.
*   Enforced trademark-compliant naming for WordPress.org directory.
*   Implemented secure script enqueuing via `wp_add_inline_script()`.
*   Added strict membership status sanitization.
*   Full disclosure of external GlueUp API services.
