Secure, zero‑config SSO for WordPress sites—validate HMAC‑signed links and log users into wp‑admin automatically.
GateLink Client is the receiving end of the GateLink ecosystem. It pairs with GateLink Manager to deliver instant, passwordless admin access to your WordPress sites. Once installed and trusted, it accepts HMAC‑signed login links from your Manager site, validates them, and redirects the user straight to wp‑admin—no passwords, no hassle. Designed for developers, freelancers and site admins who maintain multiple installations, GateLink Client makes it easy to manage trust relationships and keep your sites secure.
Key Features
- Trust Management – Explicitly approve or revoke which Manager sites can access your admin.
- Quick Connect & Manual Pairing – Choose between instant pairing or manual shared token setup for finer control.
- HMAC‑Signed Security – Enforces HMAC‑SHA256 signatures with TTL and replay protection for every login URL.
- Health Monitoring – Provides a REST endpoint for status checks, so you know when connections are healthy.
- Activity Logs – Tracks connection attempts and logins for auditing and troubleshooting.
- Accessible Admin Interface – Built with modern design and accessibility support for a seamless user experience.
How It Works
- Establish Trust – Generate a Shared Token in the Manager and paste it under GateLink Client → Trusted Manager.
- Validate Links – When the Manager issues a login link, the Client verifies the HMAC signature and checks the timestamp.
- Automatic Login – Upon successful validation, the user is logged into wp‑admin without needing credentials.
- Expire & Revoke – Links expire after two minutes and can only be used once; you can revoke trust anytime via the admin interface.
Security & Privacy
- Short‑lived Tokens – Login URLs are valid for only a couple of minutes to minimize exposure.
- Server‑Side Signing – All signatures are generated on the Manager; the Client never stores admin passwords.
- HTTPS Recommended – Run both Manager and Client over HTTPS and avoid caching login requests.
- Peer‑to‑Peer Communication – The Client only exchanges data (site info, tokens, timestamps) with your Manager sites; no third parties are involved.
FAQ
Do I need to set keys or tokens manually?
Yes. You must paste the Shared Token from your Manager under GateLink Client → Trusted Manager. The Client can generate an initial token, but both sides must match.
It doesn’t redirect to wp-admin.
Ensure that the request reaches WordPress’s template_redirect. Temporarily disable or adjust any firewall or caching rule that blocks the query parameters (gatelink_login, cid, ts, sig) and avoid caching these requests.
Can I use it without a license?
Absolutely. The Client plugin itself requires no license and supports connections from any Manager plan. The only limit is imposed by the Manager’s plan for the number of sites.
ChangeLog
1.8.3
- SECURITY: Fixed sanitization of $_SERVER[‘REMOTE_ADDR’] in REST API endpoints (class-rest.php lines 100, 163)
- SECURITY: Implemented proper IP address validation using filter_var() with FILTER_VALIDATE_IP for both IPv4 and IPv6
- COMPATIBILITY: Added defensive check for DONOTCACHEPAGE constant to prevent conflicts with caching plugins
- COMPLIANCE: Resolved all WordPress.org Plugin Directory review issues – full compliance achieved
- COMPLIANCE: Enhanced security measures following WordPress.org “Sanitize Early, Escape Late, Always Validate” guidelines
1.8.2
- Removed trial support from Freemius configuration.
1.8.1
- COMPATIBILITY: Enhanced connection handling for improved Manager → Client REST handshake
- SECURITY: Maintained robust HMAC signature validation and nonce replay protection
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.8.1
- No functional changes to Client plugin – maintains all existing security and connection features
1.8.0
- SECURITY: Enhanced sanitization and validation of super-globals, notably $_SERVER[‘REMOTE_ADDR’]
- STANDARDIZATION: Unified all prefixes to gate_client_ for consistent naming across the plugin
- MIGRATION: Added automatic migration logic to map old option names and keys to new unified names
- COMPATIBILITY: Maintained backward compatibility with existing installations – no data loss
- VALIDATION: Verified nonces and capability checks across all AJAX endpoints and admin forms
1.7.9
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.7.9
- COMPATIBILITY: Full compatibility with Manager’s enhanced AJAX functionality and dashboard improvements
- No functional changes to Client plugin – maintains all existing security and connection features
1.7.8
- WORDPRESS.ORG READY: Complete WordPress.org compliance achieved – plugin ready for directory submission and approval
- COMPLIANCE: All WordPress.org requirements met including unique prefixes, proper security, and coding standards
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.7.8
- COMPATIBILITY: Full compatibility with Manager’s enhanced error handling and troubleshooting guidance
- SECURITY: Maintains all existing security and connection features with HMAC-SHA256 validation
- No functional changes to Client plugin – maintains all existing security and connection features
1.7.7
- CONNECT FLOW: New
/wp-json/gatelink-client/v1/connect endpoint with proper HMAC/TTL signature validation
- SECURITY: Enhanced security with HMAC-SHA256 validation, timestamp checking (±120 seconds configurable), and nonce replay protection
- DEBUG: Added debug mode and comprehensive logging for connect attempts with request/response details
- STORAGE: Added settings storage system for debug mode and time skew tolerance configuration
- VALIDATION: Robust input sanitization and validation for all connect endpoint parameters
- COMPLIANCE: Removed uninstall.php per WordPress.org requirements; cleaned contentReference placeholders from readme
- API: REST endpoint validates manager_id, manager_url, timestamp, nonce, and signature; returns proper JSON responses
- LOGGING: Connect attempts logged with UUID tracking, detailed context, and human-readable error messages
- TIME SKEW: Configurable time skew tolerance (30-600 seconds) to handle server clock differences
1.5.5
- Fix: Freemius license activation/reset flow stabilized; eliminated SDK warnings after license reset; unified plan detection; enforced site limits (Free 3 / Pro 20 / Business unlimited); dynamic Support/Contact menus via Freemius.
1.5.4
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.4
- COMPATIBILITY: Full compatibility with Manager’s Freemius dynamic Support/Contact menu system
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.3
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.3
- COMPATIBILITY: Full compatibility with Manager’s consolidated Support page and removed Diagnostics functionality
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.2
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.2
- COMPATIBILITY: Full compatibility with Manager’s enhanced Contact & Support system and improved diagnostics
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.1
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.1
- COMPATIBILITY: Full compatibility with Manager’s stabilized Freemius integration and unified plan API
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.0
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.0
- COMPATIBILITY: Full compatibility with Manager’s new Dashboard page and AJAX search functionality
- No functional changes to Client plugin – maintains all existing security and connection features
1.4.4
- Fix: Version sync with Manager plugin. Supports unified plan detection and feature gating improvements. No functional changes to Client plugin.
1.4.3
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.4.3
- COMPATIBILITY: Full compatibility with Manager’s restored Settings page and enhanced reset functionality
- UNINSTALL SUPPORT: Compatible with Manager’s improved uninstall data cleanup controls
- No functional changes to Client plugin – maintains all existing security and connection features
1.4.1
- DOCUMENTATION: Updated plugin readme with enhanced descriptions and expanded FAQ
- COMPATIBILITY: Full compatibility with Manager plugin v1.4.1 documentation updates
- INSTALLATION: Improved installation instructions covering Quick Connect and Manual Pairing
- Enhanced description of security features and trust management capabilities
1.4.0
- Updated version numbering to match Manager plugin v1.4.0
- Compatible with Manager’s enhanced trial functionality and auto-downgrade behavior
- Full support for Professional and Business trial connections
1.3.2
- Updated version numbering to match Manager plugin v1.3.2
- Compatible with Manager’s improved free plan behavior (no license required)
- Enhanced UI compatibility with Manager’s improved button states
1.3.1
- Updated version numbering to match Manager plugin v1.3.1
- No functional changes – Client plugin works with improved Manager licensing logic
- Better compatibility with Free/Professional/Business plan enforcement
1.3.0
- Enhanced WordPress.org compliance and code quality
- Improved authentication flow stability and error handling
- Better compatibility with security plugins and caching systems
- Updated admin interface styling for consistency
1.2.2
- CRITICAL FIX: Fixed SSO login authentication flow – login URLs now properly authenticate and redirect to wp-admin
- WordPress.org Compliance: Removed all inline scripts and styles, properly using wp_enqueue_script/style
- Enhanced copy-to-clipboard functionality for API tokens and endpoints
- Improved rewrite rule handling for SSO login URLs
- Added proper cache clearing for authentication cookies
- Better no-cache headers implementation for SSO endpoints
- Updated admin interface styling and JavaScript handling
1.2.0
- Fixed authentication flow to support both “Push” and “Manual” pairing methods
- Enhanced admin interface with improved API token display and copy functionality
- Added support for security plugin compatibility with proper authentication handling
- Improved user interface with better Manager approval workflow
- Added no-cache headers to prevent caching of sensitive authentication requests
- Enhanced error handling and security validation
- Better integration with Manager sites for seamless connection establishment
1.0.0
Initial release: shared‑token one‑click HMAC login.
