# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [6.2.3] - 2026-07-15

### Fixed
- **Admin:** Financial product dropdown on the **Settings** tab showed “Please enter API Key” after a successful installment sync (6.2.2 regression — products were only loaded on the wrong admin panel).
- **Admin:** `leanpay_resolve_admin_market_endpoint()` aligns financial product and Advanced settings promotion fields with the saved market endpoint; invalid or stale URL `lng` no longer shows an empty product list.
- **Admin:** Financial product transient cache is flushed when **Market Endpoint** is changed.

### Technical
- Tested with WooCommerce **10.9.4** (plugin header).

## [6.2.2] - 2026-05-20

### Fixed
- **Performance:** `dbDelta()` / `SHOW COLUMNS` / `ALTER TABLE` for Leanpay tables no longer run on every frontend request. Schema changes use versioned migrations (`leanpay_db_version`) on activation and admin init (privileged users only).
- **Performance:** `includes/leanpay_admin_settings.php` no longer calls table install or uncached financial product queries when the gateway boots on the storefront.

### Changed
- **Admin:** `leanpay_get_financial_product()` uses a 12-hour transient cache; invalidated on installment plan sync.
- **Admin:** `init_form_fields()` loads only when `is_admin()` is true; checkout and widgets use `init_settings()` values only.

### Technical
- New `includes/leanpay_db_migrations.php` with `LEANPAY_DB_VERSION` and `leanpay_maybe_run_db_migrations()`.

## [6.2.1] - 2026-05-20

### Fixed
- **Checkout:** `successUrl` sent to Leanpay could be malformed (missing shop domain, host `order-received`) when WooCommerce returned a broken order-received URL or when custom failure URL was enabled but success URL settings were misread. Uses `success_url_checkbox` correctly and builds a reliable absolute URL via `leanpay_get_order_success_url()`.

### Changed
- **Debug log:** Details always log redacted request and response bodies for API calls, including failed HTTP status codes.

### Technical
- Tested with WordPress **7.0** (plugin header and readme).

## [6.2.0] - 2026-05-19

### Added
- **Visual settings (main feature):** Admin **color scheme** picker with four storefront themes — **orange**, **pink**, **light**, and **dark** — under WooCommerce → Payments → Leanpay → **Visual settings**.
- **Visual settings:** **Leanpay widget fonts** option — use your theme’s fonts or load **Roboto** from Google Fonts.
- **Visual settings:** **Live widget previews** in admin (catalog, product page, checkout) that update in real time when color scheme, fonts, or display toggles change.
- Storefront widgets (catalog, product banner, installment overlay, checkout) and Gutenberg block widgets inherit the selected color scheme and fonts.
- **Admin:** New **Advanced settings** tab for **Leanpay price display (promotion)**; promotion options removed from Payment configuration.
- **Admin:** JavaScript confirmation before saving when **Promotion type** has changed.
- **i18n:** Slovenian plural forms for installment labels on promotional banners (`obrok` / `obroka` / `obroki` / `obrokov`).

### Changed
- **Installment overlay:** Redesigned **installment plan slider** (track, bullets, highlighted/active states) to align with the new color schemes and visual design.
- **Block widgets:** Redesigned vertical and horizontal Gutenberg widgets; horizontal bar is **40px** tall (desktop: logo, divider, copy, CTA; mobile: logo and CTA only).
- **Promotion:** Installment shown in 0% promotional display is the highest plan still within the configured threshold (not only an exact match).
- **Catalog:** Redesigned **catalog Leanpay banner** — two-part layout (installment text + scheme-colored logo), styling per color scheme; hover highlight removed.
- **Admin:** Hidden `panel` field on gateway settings save so the correct tab’s fields load reliably.

### Technical
- Scheme-colored SVG logos, CSS custom properties per scheme, inline overlay/chevron icons.
- Updated `.pot` and translation files for new strings.
- Tested with WooCommerce **10.7.0** (plugin header).

## [6.1.1] - 2026-05-13

### Fixed
- Checkout: `leanpay_payment_confirmation.php` could fail nonce validation on the first attempt in some setups. Added WooCommerce order key fallback for more reliable confirmation flow.

### Technical
- Tested with WooCommerce **10.7.0** (plugin header).

## [6.1.0] - 2026-04-02

### Added
- **Product pages:** setting **Position on product pages** to choose where the Leanpay block appears (e.g. before/after price via `woocommerce_get_price_html`, summary hooks, before/after add to cart, meta, after summary, or a dedicated product tab).
- **Catalog / shop loops:** setting **Position on catalog pages** to place Leanpay before or after the loop title, or before or after the add to cart link (`woocommerce_loop_add_to_cart_link`).
- **Admin:** clearer display of automatic installment price update scheduling (last successful update, next WP-Cron run, queued manual update) under manual price update.

### Changed
- **Major redesign** of front-end Leanpay widgets (catalog, product page, checkout).
- Renamed loop callback from `leanpay_before_cart_btn` to `leanpay_show_loop` for clarity.
- Admin: position select fields are toggled when **On catalog pages** / **On product pages** are disabled; user-facing labels for placement options.
- Updated translations.

### Removed
- Unused legacy gateway options no longer shown in settings (e.g. legacy color keys and installment font-size keys).

### Fixed
- Saving WooCommerce payment settings no longer risks wiping other gateway options when the custom tab link nonce is absent on POST (reliable `panel` / `lng` detection on save).

### Technical
- Tested with WooCommerce **10.6.2** (plugin header and README).

## [6.0.4] - 2026-03-30

### Changed
- Markets limited to Slovenia (SI) and Romania (RO); Croatia and Hungary removed from settings and logic.
- Removed the "Double price" feature (settings and front-end display).

### Added
- Added market-specific 0% interest price threshold (Romania does not support 0% interest rate); exposed to leanpay.js via localized params.

### Fixed
- Variable products: fixed AJAX HTML for Leanpay block (banner + modal), nonce security, and locale switching so translated strings load on variation change.
- Translations: AJAX requests send `determine_locale()` and use `switch_to_locale()` so strings match the current language.

### Technical
- Enqueued JS for reliable cache busting.

## [6.0.3] - 2026-03-27

### Changed
- WordPress.org release version.
- Updated readme/changelog packaging and release metadata for WordPress.org distribution.

## [6.0.2] - 2026-02-03

### Added
- Added new "Advanced" settings panel with custom CSS field for front-end styling customization
- Users can now add custom CSS code that will be automatically applied to Leanpay elements on the front-end

### Fixed
- Fixed duplicate CSS enqueue issue where `leanpay_cene_css` was being loaded multiple times on page load
- Fixed plugin textdomain loading issue that was preventing translations from being loaded correctly
- Minor CSS fixes and improvements for better front-end display
- Improved code comments and documentation
- API vendor URL bugfix when upgrading

## [6.0.1] - 2025-01-21

### Fixed
- Fixed frontend checkout display issue where HTML content was being escaped incorrectly, preventing proper rendering of Leanpay information on checkout page

## [6.0.0] - 2025-12-18

### Changed - Preparation for WordPress.org Release
- **Security Improvements**: 
  - Added comprehensive input sanitization for all user inputs (GET, POST, REQUEST, SERVER variables)
  - Implemented proper output escaping using WordPress escaping functions (esc_html, esc_attr, esc_url, etc.)
  - Replaced all SQL queries with prepared statements using $wpdb->prepare()
  - Added input validation for webhook data and API responses
  - Sanitized all URLs, colors, and text inputs before use
  - Escaped all output in HTML attributes, URLs, and inline content

### Security
- Fixed potential SQL injection vulnerabilities by using prepared statements
- Fixed potential XSS vulnerabilities by escaping all output
- Sanitized all user inputs before database operations
- Validated and sanitized JSON webhook data
- Added proper escaping for admin order meta data display
- Secured all API calls with proper input sanitization

### Code Quality
- Improved code standards compliance with WordPress Coding Standards
- Replaced `json_encode()` with `wp_json_encode()` for better compatibility
- Replaced `addslashes()` with proper `sanitize_text_field()` and validation
- Improved error handling with proper WordPress functions (wp_die, wp_send_json_error)
- Enhanced URL construction with proper escaping

### Technical
- All $_GET, $_POST, $_REQUEST variables now properly sanitized
- All $_SERVER variables sanitized before use
- All database queries use prepared statements
- All HTML output properly escaped
- All JavaScript output properly escaped
- All URL parameters properly escaped

### Documentation
- Added comprehensive README.md
- Added CHANGELOG.md file
- Improved inline code documentation

---

## Previous Versions

For changes in versions prior to 6.0.0, please refer to previous release notes or contact support.

