=== SMSTunnel ===
Contributors: narboweb, narcisbodea, nicunarcisbodea
Tags: sms, gateway, two-factor authentication, 2fa, notifications
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.6
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Send SMS messages directly from WordPress using your own Android phone as the SMS gateway.

== Description ==

SMSTunnel transforms your Android phone into a powerful SMS gateway for WordPress.

= Key Features =

* Use Your Own Phone - No third-party SMS gateway costs
* Two-Factor Authentication - Secure WordPress login with SMS 2FA
* End-to-End Encryption - Messages encrypted with RSA keys
* Quick Setup - Scan QR code from the mobile app

== Installation ==

1. Upload the plugin to /wp-content/plugins/
2. Activate the plugin
3. Go to SMSTunnel > Quick Setup
4. Download the SMSTunnel app and scan the QR code

== External Services ==

This plugin connects to external services to provide certain functionality. Below are the details of each service:

= SMSTunnel API =
* **Purpose**: Core service that enables the plugin to communicate with the SMSTunnel mobile app for sending SMS messages from your phone
* **When data is sent**: During Quick Setup (when pairing via QR code), when sending SMS messages, and when verifying API connections
* **Data sent**:
  * During setup: Site URL, site token (random identifier), admin email (for account creation)
  * When sending SMS: Phone number, message content (encrypted if E2E is enabled), API key for authentication
* **Service provider**: SMSTunnel.io (NARBOWEB SRL)
* **Privacy Policy**: https://smstunnel.io/privacy
* **Terms of Service**: https://smstunnel.io/terms

= SMSTunnel Authentication =
* **Purpose**: Optional sign-in via Google, Facebook, or email to link your SMSTunnel account with WordPress
* **When data is sent**: Only when the admin uses the "Connect with Google/Facebook/Email" options on the plugin settings page
* **Data sent**:
  * Google/Facebook: Redirects to smstunnel.io/auth/google or smstunnel.io/auth/facebook with a callback URL and CSRF state token
  * Email login: Email and password sent to smstunnel.io/api/v1/auth/login
  * After authentication: Fetches user profile from smstunnel.io/auth/me and creates an API key via smstunnel.io/api/v1/api-keys
* **Service provider**: SMSTunnel.io (NARBOWEB SRL)
* **Privacy Policy**: https://smstunnel.io/privacy
* **Terms of Service**: https://smstunnel.io/terms

**Note**: QR codes are generated locally using an embedded JavaScript library (qrcode.min.js). No external QR code generation services are used. All SMS messages are sent through your own Android phone - the SMSTunnel server only acts as a relay to connect WordPress with your phone.

== Changelog ==

= 1.0.6 =
* Security: Added nonce validation (check_ajax_referer) to all nopriv AJAX endpoints including 2FA login and phone setup
* Security: Fixed DOM XSS in quick-setup.js, social-login.js, and admin-settings.js - all server/URL data now uses .text() instead of .html()
* Security: Escaped all remaining unescaped outputs in SMS history table
* Security: API key verification now uses X-API-Key header and configurable server URL (consistent with rest of plugin)
* Fix: Corrected AJAX action name mismatch for API key verification
* Documentation: Added SMSTunnel Authentication section to External Services (auth endpoints)

= 1.0.5 =
* Security: Moved all inline JavaScript to external files using wp_enqueue_script and wp_localize_script
* Security: Added OAuth state parameter validation to prevent CSRF attacks on OAuth callback
* Security: REST API /setup-callback now validates site_token in permission_callback instead of callback body
* Security: Removed all wp_add_inline_script calls - all scripts now in external .js files
* Code: Added $request parameter to all REST API permission_callback methods for PHP 8+ compatibility

= 1.0.4 =
* Documentation: Updated External Services section with complete service documentation

= 1.0.3 =
* Security: Replaced __return_true with documented custom permission_callback methods

= 1.0.2 =
* Security: Replaced inline scripts with wp_add_inline_script for proper enqueueing
* Security: Fixed XSS vulnerabilities by using textContent instead of innerHTML for server responses
* Security: Removed external QR code generation services (Google Charts, QR Server API) - all QR codes now generated locally
* Security: Improved escaping for all JavaScript strings using esc_js()
* Documentation: Updated External Services section to accurately reflect service usage

= 1.0.1 =
* Security: Added sanitization callbacks for all settings
* Security: Fixed escape output for translatable strings
* Security: Database queries now use prepared statements
* Security: Changed wp_redirect to wp_safe_redirect
* Security: Changed mt_rand to wp_rand
* Compatibility: Tested up to WordPress 6.7.1

= 1.0.0 =
* Initial release
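
As an added illustration of the hardening described in the 1.0.5 and 1.0.6 entries above (example code, not the plugin's own): a nopriv AJAX handler guarded by check_ajax_referer(), and a REST route that validates the site token in its permission_callback with an explicit $request parameter. The action, option and route names are assumed placeholders.

```php
<?php
// Added example (not SMSTunnel's own code) of the 1.0.5 and 1.0.6 hardening patterns;
// action, option and route names are hypothetical placeholders.

// 1.0.6: a nopriv AJAX endpoint (reachable by logged-out users, e.g. 2FA login)
// must verify a nonce before doing anything else. The nonce is created server
// side with wp_create_nonce('smstunnel_2fa') and handed to the login form JS.
add_action('wp_ajax_nopriv_smstunnel_verify_2fa', 'smstunnel_example_verify_2fa');
add_action('wp_ajax_smstunnel_verify_2fa', 'smstunnel_example_verify_2fa');

function smstunnel_example_verify_2fa() {
    // check_ajax_referer() terminates the request when the nonce is missing or
    // invalid, so nothing below runs for forged cross-site requests.
    check_ajax_referer('smstunnel_2fa', 'nonce');

    $code = isset($_POST['code']) ? sanitize_text_field(wp_unslash($_POST['code'])) : '';
    if (!preg_match('/^\d{6}$/', $code)) {
        wp_send_json_error(array('message' => 'Invalid code format.'), 400);
    }
    // ... compare $code with the stored, expiring code using hash_equals() ...
    wp_send_json_success();
}

// 1.0.5: REST route whose permission_callback, not its handler, validates the
// site token, so an unauthenticated caller never reaches the callback body.
// $request is declared explicitly for PHP 8+ rather than read from func_get_args().
add_action('rest_api_init', function () {
    register_rest_route('smstunnel/v1', '/setup-callback', array(
        'methods'             => 'POST',
        'callback'            => 'smstunnel_example_setup_callback',
        'permission_callback' => 'smstunnel_example_setup_permission',
    ));
});

function smstunnel_example_setup_permission(WP_REST_Request $request) {
    $expected = (string) get_option('smstunnel_site_token', '');
    $given    = (string) $request->get_param('site_token');
    // hash_equals() keeps the comparison constant-time.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return new WP_Error('rest_forbidden', 'Invalid site token.', array('status' => 403));
    }
    return true;
}

function smstunnel_example_setup_callback(WP_REST_Request $request) {
    // Runs only after the permission check above returned true.
    update_option('smstunnel_api_key', sanitize_text_field((string) $request->get_param('api_key')));
    return rest_ensure_response(array('ok' => true));
}
```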

== Upgrade Notice ==

= 1.0.2 =
Security update - removed external QR services, fixed XSS vulnerabilities, improved script enqueueing.

= 1.0.1 =
Security update with improved input sanitization and output escaping.
