Description
GateLink Client is the receiving end of the GateLink ecosystem. It pairs with GateLink Manager to deliver instant, passwordless admin access to your WordPress sites. Once installed and trusted, it accepts HMAC‑signed login links from your Manager site, validates them, and redirects the user straight to wp‑admin—no passwords, no hassle. Designed for developers, freelancers and site admins who maintain multiple installations, GateLink Client makes it easy to manage trust relationships and keep your sites secure.
Key Features
- Trust Management – Explicitly approve or revoke which Manager sites can access your admin.
- Quick Connect & Manual Pairing – Choose between instant pairing or manual shared token setup for finer control.
- HMAC‑Signed Security – Enforces HMAC‑SHA256 signatures with TTL and replay protection for every login URL.
- Health Monitoring – Provides a REST endpoint for status checks, so you know when connections are healthy.
- Activity Logs – Tracks connection attempts and logins for auditing and troubleshooting.
- Accessible Admin Interface – Built with modern design and accessibility support for a seamless user experience.
How It Works
- Establish Trust – Generate a Shared Token in the Manager and paste it under GateLink Client → Trusted Manager.
- Validate Links – When the Manager issues a login link, the Client verifies the HMAC signature and checks the timestamp.
- Automatic Login – Upon successful validation, the user is logged into wp‑admin without needing credentials.
- Expire & Revoke – Links expire after two minutes and can only be used once; you can revoke trust anytime via the admin interface.
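The validation steps above, sketched as an added example in Python; it is not the plugin's own PHP code. The parameter names gatelink_login, cid, ts and sig come from the FAQ on this page, while the signed message layout "cid|ts", the hex-encoded signature, the trust-store contents and the in-memory replay cache are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

TTL_SECONDS = 120  # the page states that links expire after two minutes

# Constructed sample trust store: cid -> shared token (placeholder value).
TRUSTED_MANAGERS = {"mgr-1": b"constructed-shared-token"}
_used_sigs = {}  # sig -> expiry time; in-memory replay cache for this demo


def sign(token, cid, ts):
    # Assumed message layout "cid|ts"; the real signed fields are not on the page.
    return hmac.new(token, f"{cid}|{ts}".encode(), hashlib.sha256).hexdigest()


def validate_login_url(url, now=None):
    """Return (ok, reason) for a URL carrying gatelink_login, cid, ts, sig."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    q = {k: v[0] for k, v in query.items()}
    if "gatelink_login" not in q:
        return False, "not a login request"
    cid, ts, sig = q.get("cid", ""), q.get("ts", ""), q.get("sig", "")
    token = TRUSTED_MANAGERS.get(cid)
    if token is None:
        return False, "untrusted manager"  # revoked or never approved
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad timestamp"
    # Constant-time comparison, done before any signed field is acted on.
    if not hmac.compare_digest(sign(token, cid, ts).encode(), sig.encode()):
        return False, "bad signature"
    if abs(now - int(ts)) > TTL_SECONDS:
        return False, "expired"
    # Prune expired entries, then refuse a signature already redeemed.
    for old in [s for s, exp in _used_sigs.items() if exp < now]:
        del _used_sigs[old]
    if sig in _used_sigs:
        return False, "replayed"
    _used_sigs[sig] = int(ts) + TTL_SECONDS
    return True, "ok"
```

A production replay cache has to be shared across PHP workers and survive restarts for the length of the TTL, which a per-process dictionary does not do.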
Security & Privacy
- Short‑lived Tokens – Login URLs are valid for only a couple of minutes to minimize exposure.
- Server‑Side Signing – All signatures are generated on the Manager; the Client never stores admin passwords.
- HTTPS Recommended – Run both Manager and Client over HTTPS and avoid caching login requests.
- Peer‑to‑Peer Communication – The Client only exchanges data (site info, tokens, timestamps) with your Manager sites; no third parties are involved.
Installation
- Upload the gatelink-client folder to /wp-content/plugins/.
- Activate the plugin from the Plugins menu.
- Go to GateLink Client → Trusted Managers and approve pending requests or manually add a Manager using the Shared Token.
- Once trusted, the Manager can verify the connection and perform one‑click logins.
Setup Notes
- The Client plugin is free and works with any GateLink Manager plan (Free, Professional or Business).
- You can connect multiple Manager sites; each must be approved separately for security.
- You can revoke any Manager’s access at any time via the Trusted Managers interface.
FAQ
Do I need to set keys or tokens manually?
Yes. You must paste the Shared Token from your Manager under GateLink Client → Trusted Manager. The Client can generate an initial token, but both sides must match.
It doesn’t redirect to wp-admin.
Ensure that the request reaches WordPress’s template_redirect. Temporarily disable or adjust any firewall or caching rule that blocks the query parameters (gatelink_login, cid, ts, sig) and avoid caching these requests.
Can I use it without a license?
Absolutely. The Client plugin itself requires no license and supports connections from any Manager plan. The only limit is imposed by the Manager’s plan for the number of sites.
Contributors & Developers
“GateLink Client – Passwordless SSO & One‑Click Admin Access” is open source software.
Changelog
1.8.3
- SECURITY: Fixed sanitization of $_SERVER['REMOTE_ADDR'] in REST API endpoints (class-rest.php lines 100, 163)
- SECURITY: Implemented proper IP address validation using filter_var() with FILTER_VALIDATE_IP for both IPv4 and IPv6
- COMPATIBILITY: Added defensive check for DONOTCACHEPAGE constant to prevent conflicts with caching plugins
- COMPLIANCE: Resolved all WordPress.org Plugin Directory review issues – full compliance achieved
- COMPLIANCE: Enhanced security measures following WordPress.org “Sanitize Early, Escape Late, Always Validate” guidelines
1.8.2
- Removed trial support from Freemius configuration.
1.8.1
- COMPATIBILITY: Enhanced connection handling for improved Manager Client REST handshake
- SECURITY: Maintained robust HMAC signature validation and nonce replay protection
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.8.1
- No functional changes to Client plugin – maintains all existing security and connection features
1.8.0
- SECURITY: Enhanced sanitization and validation of super-globals, notably $_SERVER['REMOTE_ADDR']
- STANDARDIZATION: Unified all prefixes to gate_client_ for consistent naming across the plugin
- MIGRATION: Added automatic migration logic to map old option names and keys to new unified names
- COMPATIBILITY: Maintained backward compatibility with existing installations – no data loss
- VALIDATION: Verified nonces and capability checks across all AJAX endpoints and admin forms
1.7.9
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.7.9
- COMPATIBILITY: Full compatibility with Manager’s enhanced AJAX functionality and dashboard improvements
- No functional changes to Client plugin – maintains all existing security and connection features
1.7.8
- WORDPRESS.ORG READY: Complete WordPress.org compliance achieved – plugin ready for directory submission and approval
- COMPLIANCE: All WordPress.org requirements met including unique prefixes, proper security, and coding standards
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.7.8
- COMPATIBILITY: Full compatibility with Manager’s enhanced error handling and troubleshooting guidance
- SECURITY: Maintains all existing security and connection features with HMAC-SHA256 validation
- No functional changes to Client plugin – maintains all existing security and connection features
1.7.7
- CONNECT FLOW: New /wp-json/gatelink-client/v1/connect endpoint with proper HMAC/TTL signature validation
- SECURITY: Enhanced security with HMAC-SHA256 validation, timestamp checking (±120 seconds configurable), and nonce replay protection
- DEBUG: Added debug mode and comprehensive logging for connect attempts with request/response details
- STORAGE: Added settings storage system for debug mode and time skew tolerance configuration
- VALIDATION: Robust input sanitization and validation for all connect endpoint parameters
- COMPLIANCE: Removed uninstall.php per WordPress.org requirements; cleaned contentReference placeholders from readme
- API: REST endpoint validates manager_id, manager_url, timestamp, nonce, and signature; returns proper JSON responses
- LOGGING: Connect attempts logged with UUID tracking, detailed context, and human-readable error messages
- TIME SKEW: Configurable time skew tolerance (30-600 seconds) to handle server clock differences
1.5.5
- Fix: Freemius license activation/reset flow stabilized; eliminated SDK warnings after license reset; unified plan detection; enforced site limits (Free 3 / Pro 20 / Business unlimited); dynamic Support/Contact menus via Freemius.
1.5.4
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.4
- COMPATIBILITY: Full compatibility with Manager’s Freemius dynamic Support/Contact menu system
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.3
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.3
- COMPATIBILITY: Full compatibility with Manager’s consolidated Support page and removed Diagnostics functionality
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.2
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.2
- COMPATIBILITY: Full compatibility with Manager’s enhanced Contact & Support system and improved diagnostics
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.1
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.1
- COMPATIBILITY: Full compatibility with Manager’s stabilized Freemius integration and unified plan API
- No functional changes to Client plugin – maintains all existing security and connection features
1.5.0
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.5.0
- COMPATIBILITY: Full compatibility with Manager’s new Dashboard page and AJAX search functionality
- No functional changes to Client plugin – maintains all existing security and connection features
1.4.4
- Fix: Version sync with Manager plugin. Supports unified plan detection and feature gating improvements. No functional changes to Client plugin.
1.4.3
- VERSION SYNC: Updated to maintain version synchronization with Manager plugin v1.4.3
- COMPATIBILITY: Full compatibility with Manager’s restored Settings page and enhanced reset functionality
- UNINSTALL SUPPORT: Compatible with Manager’s improved uninstall data cleanup controls
- No functional changes to Client plugin – maintains all existing security and connection features
1.4.1
- DOCUMENTATION: Updated plugin readme with enhanced descriptions and expanded FAQ
- COMPATIBILITY: Full compatibility with Manager plugin v1.4.1 documentation updates
- INSTALLATION: Improved installation instructions covering Quick Connect and Manual Pairing
- Enhanced description of security features and trust management capabilities
1.4.0
- Updated version numbering to match Manager plugin v1.4.0
- Compatible with Manager’s enhanced trial functionality and auto-downgrade behavior
- Full support for Professional and Business trial connections
1.3.2
- Updated version numbering to match Manager plugin v1.3.2
- Compatible with Manager’s improved free plan behavior (no license required)
- Enhanced UI compatibility with Manager’s improved button states
1.3.1
- Updated version numbering to match Manager plugin v1.3.1
- No functional changes – Client plugin works with improved Manager licensing logic
- Better compatibility with Free/Professional/Business plan enforcement
1.3.0
- Enhanced WordPress.org compliance and code quality
- Improved authentication flow stability and error handling
- Better compatibility with security plugins and caching systems
- Updated admin interface styling for consistency
1.2.2
- CRITICAL FIX: Fixed SSO login authentication flow – login URLs now properly authenticate and redirect to wp-admin
- WordPress.org Compliance: Removed all inline scripts and styles, properly using wp_enqueue_script/style
- Enhanced copy-to-clipboard functionality for API tokens and endpoints
- Improved rewrite rule handling for SSO login URLs
- Added proper cache clearing for authentication cookies
- Better no-cache headers implementation for SSO endpoints
- Updated admin interface styling and JavaScript handling
1.2.0
- Fixed authentication flow to support both “Push” and “Manual” pairing methods
- Enhanced admin interface with improved API token display and copy functionality
- Added support for security plugin compatibility with proper authentication handling
- Improved user interface with better Manager approval workflow
- Added no-cache headers to prevent caching of sensitive authentication requests
- Enhanced error handling and security validation
- Better integration with Manager sites for seamless connection establishment
1.0.0
Initial release: shared‑token one‑click HMAC login.