=== CosmautDL ===
Contributors: cosmaut
Donate link: https://cosmaut.com/cosmautdl/sponsor/
Tags: download, download-manager, file-download, cloud-drive, wechat-unlock
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.9
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Multi-cloud download manager: unified download cards, dedicated download pages, a file-tree index, and click statistics.

== Description ==

CosmautDL is a multi-cloud download manager plugin for WordPress.
It turns scattered cloud-drive links into a clean "download card" experience, and provides dedicated download pages, a site-wide file-tree index, and click statistics for site owners.

Key features:

* Unified download card UI for posts/pages
* Dedicated download page route per post
* Redirect route to keep outbound links tidy
* File-tree page to browse all shared resources
* Click statistics stored in your own database
* Optional WeChat QR unlock workflow
* Assets loaded only when needed

== Upgrade Notice ==

= 1.0.9 =
Maintenance update: i18n and release metadata alignment for WordPress.org stable language-pack flow.

= 1.0.8 =
Maintenance update: Tested up to WordPress 6.9, minor code improvements and compatibility enhancements.

= 1.0.7 =
Maintenance update: Bundle on-site QR code generation library and tighten admin capability checks.

== Supported providers ==

Baidu Pan, 123Pan, Aliyun Drive, Tianyi Cloud, Quark, PikPak, Lanzou, Xunlei, Weiyun, OneDrive, Google Drive, Dropbox, MEGA, MediaFire, Box, and Other.

Routes (pretty permalinks recommended):

* Download page: /downloads/{post_id}.html (or ?cosmdl_download=1&post_id={id})
* File tree: /downloads/tree.html (or ?cosmdl_tree=1)
* Stats entry: /downloads/stats.html (or ?cosmdl_stats=1; admin-only)
* Redirect: /{prefix}/{post_id}/{type}.html (or ?cosmdl_redirect=1&post_id={id}&type={type})

Data and privacy overview:

* Stores download click logs in a custom table: {wp_prefix}cosmdl_clicks (post_id, type, attach_id, user_id, ip, ua, referer, success, created_at).
* Core features do not require external services.

== Privacy/External Services ==

- Data Collection: The plugin records the IP, UA, Referer, and time of download clicks only for backend statistics and troubleshooting; data is stored in your database and never sent outside.
- External Services (Optional): When "IP Geolocation Display" is enabled, the admin backend queries ipapi/ip-api/ipinfo for geolocation; results are cached and displayed in wp-admin. No external requests occur when disabled.
- WeChat QR Unlock (Optional): Redirects the visitor browser to WeChat authorization (open.weixin.qq.com) and the server calls api.weixin.qq.com endpoints to exchange code for openid and check subscription. The plugin does not persist openid; it uses a short-lived unlock flag (~10 minutes) and caches the official account access_token (up to ~2 hours).
- User Control: You can disable these optional features at any time in plugin settings; uninstalling the plugin cleans up plugin-created data and caches.
- Compliance Note: In some jurisdictions, IP addresses are personal data; obtain consent or meet legal requirements before enabling IP geolocation.

== External services ==

This plugin can connect to external services only when you enable related options.

=== 1) WeChat OAuth and subscription check ===

* Service: WeChat / Tencent
* Purpose: Used for WeChat unlock mode authentication
* Endpoints:
  * https://open.weixin.qq.com/connect/oauth2/authorize (OAuth authorize, visitor browser redirect)
  * https://api.weixin.qq.com/sns/oauth2/access_token (exchange OAuth code for openid)
  * https://api.weixin.qq.com/cgi-bin/token (fetch official account access_token)
  * https://api.weixin.qq.com/cgi-bin/user/info (check subscription status)
* When: Only if you enable WeChat unlock in CosmautDL settings and visitors open the unlock URL in WeChat after scanning the QR code.
* Data sent:
  * Visitor browser to open.weixin.qq.com: appid, redirect_uri, response_type, scope, state, and standard HTTP request metadata handled by WeChat (for example IP address and user agent).
  * Your server to api.weixin.qq.com: appid, appsecret, OAuth code, grant_type; later access_token, openid, lang.
* Data stored (local): Does not store openid permanently; stores a short-lived unlock flag transient (10 minutes) and caches the official account access_token transient (up to ~2 hours, based on API expires_in).
* User control: You can disable this feature at any time in plugin settings.
* Data deletion: Transients expire automatically.
* Terms of Service: https://www.wechat.com/en/service_terms.html
* Privacy Policy: https://www.wechat.com/en/privacy_policy.html

=== 2) IP geolocation lookup ===

* Services (selectable in settings):
  * https://ipapi.co/
  * https://ip-api.com/
  * https://ipinfo.io/
* Purpose: To display IP location in admin download statistics
* When: Only if you enable Show IP location in stats and open stats details in wp-admin.
* Data sent: IP address from your click logs, from your server to the chosen provider (requests are cached).
* Caching: Results are cached for 168 hours (7 days) by default to reduce API calls.
* User control: You can disable this feature at any time in plugin settings.
* Data Flow: Your server to IP Geolocation API and back to your server (IP addresses are sent for location lookup)
* Privacy Impact: IP addresses are considered personal data in some jurisdictions; cached results help minimize exposure
* Data Deletion: Cached geolocation data automatically expires after 7 days; IP addresses in click logs can be deleted from admin stats page
* Terms of Service:
  * ipapi: https://ipapi.co/terms/
  * ip-api: https://ip-api.com/docs/legal
  * ipinfo: https://ipinfo.io/terms-of-service
* Privacy Policies:
  * ipapi: https://ipapi.co/privacy/
  * ip-api: https://ip-api.com/docs/legal
  * ipinfo: https://ipinfo.io/privacy-policy

== Third-party libraries ==

=== phpqrcode ===
* Library: phpqrcode (LGPL-3.0)
* Purpose: On-site QR code generation for WeChat unlock functionality
* License: GNU Lesser General Public License v3.0
* License URI: https://www.gnu.org/licenses/lgpl-3.0.html
* Usage: Used for generating unlock QR codes without external dependencies
* Compatibility: LGPL-3.0 is compatible with GPLv3

== Installation ==

1. Upload the `cosmautdl` folder to `/wp-content/plugins/`.
2. Activate the plugin in Plugins.
3. Go to CosmautDL in wp-admin and configure:
   * Drive management (enable/rename/reorder)
   * Route prefix
   * Download page modules and optional unlock settings
4. Edit a post/page, fill in cloud-drive links in the CosmautDL meta box, and publish.

== Frequently Asked Questions ==

= How do I add a download card to a post? =

Edit a post/page, find the CosmautDL meta box, paste cloud-drive links (and extraction codes if any), then update/publish. The plugin renders the card automatically on the frontend.

= I see 404 on /downloads/{id}.html. What should I do? =

Go to Settings > Permalinks and click Save Changes once to refresh rewrite rules. Also ensure your site supports pretty permalinks.

= What data does CosmautDL store for statistics? =

It stores click logs in your own database table, including post_id, drive type, IP, user agent, referer, timestamp, and related fields. This is used only for download statistics and can be deleted from the stats page.

= Does the plugin make external requests by default? =

No. External requests happen only if you enable:

* WeChat unlock
* IP geolocation in stats

= Can I customize the redirect prefix and drive list? =

Yes. You can change the redirect prefix in settings, and enable/rename/reorder providers in Drive management. There is also an Other type for custom links.

= Does this plugin depend on a specific theme? =

No. CosmautDL uses WordPress routing and template hooks and aims to be compatible with most themes. If your theme or cache plugin is aggressive, clear caches after changes.

= Is multisite supported? =

CosmautDL is primarily tested on single-site installations. For multisite, please test in a staging site first.

== Screenshots ==

1. Download card UI
2. Post editor meta box
3. File tree page
4. Download statistics

== Changelog ==

= 1.0.9 =
* 2026-03-18 Maintenance: Align plugin version/readme stable tag, keep Text Domain consistency, and prepare stable release metadata for WordPress.org translation package generation.

= 1.0.8 =
* 2026-02-14 Maintenance: Tested up to WordPress 6.9, minor code improvements and compatibility enhancements.

= 1.0.7 =
* 2026-01-25 Maintenance: Bundle on-site QR code generation library for unlock QR rendering and tighten admin capability checks.

= 1.0.6 =
* 2026-01-15 Security: Comprehensive security hardening including SQL injection fix, AJAX URL hardcoding removal, nonce verification for download redirects, and full AJAX handler nonce checks.

= 1.0.5 =
* 2026-01-10 Security: Add nonce verification for admin AJAX actions.

= 1.0.4 =
* 2026-01-06 Fix download stats details expansion and ensure click logs capture IP/UA.

= 1.0.3 =
* 2026-01-03 Smart recognition of cloud drive links in the editor meta box.

= 1.0.2 =
* 2026-01-02 Initial release with download page, file tree, and click statistics.
