comfino · akozubskicr · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.distignore b/.distignore
@@ -0,0 +1,3 @@
+.git
+.github
+var/
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -13,14 +13,34 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: ['7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php: ['7.1', '7.2', '7.3', '7.4', '8.0']
         dependency-version: [prefer-lowest, prefer-stable]
+        exclude:
+          # PHPUnit 5.7 minimum uses each() which was removed in PHP 8.0
+          - php: '8.0'
+            dependency-version: prefer-lowest
 
     name: PHP ${{ matrix.php }} - ${{ matrix.dependency-version }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
+      - name: Fetch sunrise artifact packages
+        uses: actions/checkout@v6
+        with:
+          repository: comfino/shop-plugins-lib-builder
+          token: ${{ secrets.LIB_BUILDER_TOKEN }}
+          sparse-checkout: packages/sunrise
+          sparse-checkout-cone-mode: false
+          path: .sunrise-checkout
+
+      - name: Stage sunrise zips
+        run: |
+          mkdir -p packages
+          mv .sunrise-checkout/packages/sunrise packages/sunrise
+          rm -rf .sunrise-checkout
+          ls -la packages/sunrise
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -37,17 +57,46 @@ jobs:
         run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           key: ${{ runner.os }}-composer-${{ matrix.dependency-version }}-${{ hashFiles('**/composer.lock') }}
           restore-keys: ${{ runner.os }}-composer-${{ matrix.dependency-version }}-
 
       - name: Install dependencies
-        run: composer update --${{ matrix.dependency-version }} --prefer-dist --no-interaction --no-progress
+        env:
+          COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.LIB_BUILDER_TOKEN }}"}}'
+        run: |
+          # The committed vendor/ ships scoped namespaces (ComfinoExternal\...) for
+          # runtime distribution. Tests need the unscoped packagist versions, so
+          # wipe vendor/ first to force composer to re-extract every package.
+          rm -rf vendor
+          composer update --${{ matrix.dependency-version }} --prefer-dist --no-interaction --no-progress
+
+      - name: Create writable log and cache directories
+        run: mkdir -p var/log var/cache
+
+      - name: Check autoloader
+        run: php -r "require 'vendor/autoload.php'; echo 'Autoloader OK' . PHP_EOL;"
 
       - name: Run tests
-        run: composer test
+        run: |
+          set +e
+          # Merge stderr into stdout so fatals interleave with PHPUnit's --debug
+          # "Starting test 'X'" lines, pinpointing the offending test.
+          exec 2>&1
+          php \
+            -d error_reporting=-1 \
+            -d display_errors=On \
+            -d display_startup_errors=On \
+            -d log_errors=On \
+            -d output_buffering=0 \
+            -d implicit_flush=1 \
+            -d zend.assertions=1 \
+            vendor/bin/phpunit --debug --verbose --stderr
+          status=$?
+          echo "::notice::phpunit exit code = $status"
+          exit $status
 
   coverage:
     runs-on: ubuntu-latest
@@ -56,7 +105,23 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
+      - name: Fetch sunrise artifact packages
+        uses: actions/checkout@v6
+        with:
+          repository: comfino/shop-plugins-lib-builder
+          token: ${{ secrets.LIB_BUILDER_TOKEN }}
+          sparse-checkout: packages/sunrise
+          sparse-checkout-cone-mode: false
+          path: .sunrise-checkout
+
+      - name: Stage sunrise zips
+        run: |
+          mkdir -p packages
+          mv .sunrise-checkout/packages/sunrise packages/sunrise
+          rm -rf .sunrise-checkout
+          ls -la packages/sunrise
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -66,13 +131,18 @@ jobs:
           coverage: xdebug
 
       - name: Install dependencies
+        env:
+          COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.LIB_BUILDER_TOKEN }}"}}'
         run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
 
+      - name: Create writable log and cache directories
+        run: mkdir -p var/log var/cache
+
       - name: Run tests with coverage
-        run: XDEBUG_MODE=coverage vendor/bin/phpunit --coverage-clover coverage.xml
+        run: XDEBUG_MODE=coverage vendor/bin/phpunit --coverage-clover coverage.xml --coverage-html coverage --coverage-text
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v6
         with:
           files: ./coverage.xml
           fail_ci_if_error: false

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 .idea
+/packages/sunrise
+/composer.lock
 /vendor/*
 !/vendor/autoload.php
 !/vendor/cache/

diff --git a/README.md b/README.md
@@ -4,6 +4,8 @@
 [![PHP Version](https://img.shields.io/badge/php-7.1%20to%208.4-blue.svg)](https://www.php.net/)
 [![License](https://img.shields.io/badge/license-OSL--3.0-green.svg)](LICENSE)
 
+> **Notice:** Version 4.3.0 is the **last release compatible with PHP 7.1**. The upcoming version 5.0.0 will require **PHP 8.1 or higher**, **WooCommerce 7.0.0 or higher**, and **WordPress 6.1 or higher**. Please plan your environment upgrade accordingly.
+
 WooCommerce payment module for Comfino deferred payments gateway - installment payments, buy now pay later (BNPL) and corporate payments.
 
 ## Installation
@@ -18,11 +20,20 @@ WooCommerce payment module for Comfino deferred payments gateway - installment p
 
 ## Compatibility
 
+### Current version (4.3.0 — last PHP 7.1 compatible release)
+
 - **WooCommerce**: 3.0.0 or higher
 - **WordPress**: 4.7 or higher
 - **PHP**: 7.1 or higher
 - **PHP extensions**: ctype, curl, json, zlib
 
+### Upcoming version (5.0.0)
+
+- **WooCommerce**: 7.0.0 or higher
+- **WordPress**: 6.1 or higher
+- **PHP**: 8.1 or higher
+- **PHP extensions**: ctype, curl, json, sodium, zlib
+
 ## Development
 
 ### Requirements
@@ -89,7 +100,7 @@ Generate translation template files for internationalization:
 4. Push to the branch (`git push origin feature/amazing-feature`).
 5. Open a Pull Request.
 
-All pull requests are automatically tested against PHP 7.1-8.4 with both lowest and stable dependencies.
+All pull requests are currently tested against PHP 7.1-8.4 with both lowest and stable dependencies. Starting with version 5.0.0, the minimum supported PHP version will be 8.1.
 
 ## License
 

diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,15 @@
+4.3.0
+ * Paywall frontend migrated to V3 API and new frontend Comfino SDK — faster loading, improved stability.
+ * Fixed: paywall invisible when Cloudflare RocketLoader is active (added data-cfasync="false" to prevent async script deferral).
+ * Fixed: paywall invisible or broken with JS optimization plugins (PhastPress, Autoptimize, WP Rocket) that bundle or defer scripts.
+ * Fixed: paywall rendered inside hidden Elementor builder wrapper instead of the visible checkout — only the first visible paywall container is now used.
+ * Fixed: paywall invisible or malfunctioning when Google Consent Management Platform (Google CMP) is active.
+ * Fixed: paywall loan amount now updates correctly when cart items or shipping costs change.
+ * Added support for strict Content Security Policy environments: shops using a nonce-based CSP can now propagate the nonce to the dynamically injected SDK script via the comfino_csp_script_nonce WordPress filter.
+ * Added per-product-type installment term limits (allowedProductsConfig): admins can now restrict available installment terms per financial product type in the sale settings. Limits are enforced on both the paywall (financial products listing) and order creation.
+ * Added direct redirect mode: when enabled, the full paywall offer browser is skipped and the customer is redirected straight to the Comfino payment gateway with the default financial product.
+ * Added a custom paywall CSS style option: admins can inject a custom CSS file into the paywall iframe (only URLs within the store domain are accepted).
+
 4.2.8
  * Fixed a bug in webhook (payment status notifications): order not found error when "Use order reference as external ID" option is active, fixed a frontend bug concerned with Gutenberg blocks (empty comfino_loan_type error).
 

diff --git a/comfino-payment-gateway.php b/comfino-payment-gateway.php
@@ -3,14 +3,14 @@
  * Plugin Name: Comfino Payment Gateway
  * Plugin URI: https://github.com/comfino/WooCommerce.git
  * Description: Comfino Payment Gateway for WooCommerce.
- * Version: 4.2.8
+ * Version: 4.3.0
  * Author: Comfino
  * Author URI: https://github.com/comfino
  * Domain Path: /languages
  * Text Domain: comfino-payment-gateway
- * WC tested up to: 10.5.0
+ * WC tested up to: 10.7.0
  * WC requires at least: 3.0
- * Tested up to: 6.9
+ * Tested up to: 7.0
  * Requires at least: 5.0
  * Requires PHP: 7.1
  * License: GPLv3
@@ -23,9 +23,8 @@
 }
 
 /**
- * Guard clause to prevent plugin execution in incompatible environments.
- * This MUST be placed before any code which uses PHP 7.1+ syntax and before any use statements.
- * Uses PHP 5.6+ compatible syntax.
+ * Guard clause to prevent plugin execution in incompatible environments. This MUST be placed before any code that uses
+ * PHP 7.1+ syntax and before any use statements. Uses PHP 5.6+ compatible syntax.
  */
 if (PHP_VERSION_ID < 70100) {
     // Display admin notice about PHP version incompatibility.
@@ -175,7 +174,10 @@ private function __construct()
             return $methods;
         });
 
-        // Add loaded script tag filter for adding custom attribute which prevents blocking by Google CMP scripts.
+        /* Add loaded script tag filter for adding a custom attribute which prevents blocking by Google CMP scripts.
+           Also prevent Cloudflare RocketLoader and JS bundlers (PhastPress, Autoptimize, WP Rocket) from deferring
+           Comfino frontend scripts asynchronously. These scripts depend on the wp_add_inline_script data block that
+           immediately precedes them in the HTML; async delivery breaks that ordering guarantee. */
         add_filter('script_loader_tag', static function (string $tag, string $handle): string {
             if (strpos($handle, PaymentGateway::GATEWAY_ID) !== 0) {
                 return $tag;
@@ -187,13 +189,14 @@ private function __construct()
                 if (strpos($tag, 'async') === false) {
                     $attributes[] = 'async';
                 }
-            } elseif (strpos($tag, 'defer') !== false) {
+            } elseif (strpos($handle, 'defer') !== false) {
                 if (strpos($tag, 'defer') === false) {
                     $attributes[] = 'defer';
                 }
             }
 
-            $attributes[] = 'data-cmp-ab="2"';
+            $attributes[] = 'data-cmp-ab="2"'; // Google CMP blocking prevention
+            $attributes[] = 'data-cfasync="false"'; // Cloudflare RocketLoader async deferral prevention
 
             return str_replace('">', '" ' . implode(' ', $attributes) . '>', $tag);
         }, 10, 2);
@@ -253,6 +256,17 @@ public function activation_check(): void
             wp_die(wp_kses_post($environmentWarning));
         }
 
+        if (!in_array('sha3-256', hash_algos(), true)) {
+            add_action('admin_notices', static function () {
+                echo '<div class="notice notice-error"><p>'
+                    . esc_html__(
+                        'Comfino requires OpenSSL >= 1.1.0 (SHA-3 support) for the V3 paywall.',
+                        'comfino-payment-gateway'
+                    )
+                    . '</p></div>';
+            });
+        }
+
         Main::install();
     }
 
@@ -658,6 +672,22 @@ private function upgrade_plugin(): void
             update_option('comfino_plugin_current_version', $previousVersion, false);
         }
 
+        /* 4.3.0 */
+        // Remove COMFINO_SHOW_LOGO — logo is now entirely SDK/CDN-driven; stored value is dead data.
+        $comfinoSettings = get_option('woocommerce_comfino_settings', []);
+
+        if (is_array($comfinoSettings) && array_key_exists('show_logo', $comfinoSettings)) {
+            unset($comfinoSettings['show_logo']);
+            update_option('woocommerce_comfino_settings', $comfinoSettings);
+        }
+
+        if (!is_array(ConfigManager::getConfigurationValue('COMFINO_ALLOWED_PRODUCTS_CONFIG_FORBIDDEN_PROD_TYPES'))) {
+            ConfigManager::updateConfigurationValue(
+                'COMFINO_ALLOWED_PRODUCTS_CONFIG_FORBIDDEN_PROD_TYPES',
+                ['BLIK', 'PAY_LATER', 'PAY_IN_PARTS', 'INSTANT_PAYMENTS']
+            );
+        }
+
         // Update code of widget initialization script.
         ConfigManager::updateWidgetCode();
 

diff --git a/composer.json b/composer.json
@@ -4,7 +4,6 @@
     "description": "WooCommerce payment module for Comfino deferred payments gateway.",
     "homepage": "https://github.com/comfino/WooCommerce",
     "license": "OSL-3.0",
-    "author": "WooCommerce",
     "authors": [
         {
             "name": "Artur Kozubski",
@@ -18,11 +17,20 @@
         "platform": {
             "php": "7.1.3"
         },
-        "classmap-authoritative": true,
         "optimize-autoloader": true,
         "prepend-autoloader": false,
         "allow-plugins": {
             "php-http/discovery": true
+        },
+        "audit": {
+            "ignore": [
+                "PKSA-pwh8-d4fr-nywn",
+                "PKSA-z3gr-8qht-p93v",
+                "PKSA-v5yj-8nmz-sk2q",
+                "PKSA-ft77-7h5f-p3r6",
+                "PKSA-b14r-zh1d-vdrc",
+                "PKSA-xxgb-wq2d-7gpg"
+            ]
         }
     },
     "autoload": {
@@ -76,6 +84,7 @@
         "cache/hierarchical-cache": "~1.1.0",
         "league/flysystem": "~1.0.70",
         "monolog/monolog": "^1.27",
+        "psr/http-factory": "^1.0",
         "psr/log": "^1.1",
         "symfony/deprecation-contracts": "<3.0",
         "symfony/options-resolver": "~4.4.0",
@@ -85,19 +94,17 @@
         "symfony/yaml": "~4.4.0"
     },
     "require-dev": {
-        "nyholm/psr7": "^1.6",
-        "php-http/mock-client": "^1.6",
-        "phpdocumentor/reflection-common": "~2.1.0",
-        "phpdocumentor/reflection-docblock": "~4.3.4",
-        "phpdocumentor/type-resolver": "~1.0.1",
-        "phpspec/prophecy-phpunit": "^1.1",
-        "phpunit/phpunit": "^5.7",
-        "webmozart/assert": "<1.10"
+        "phpunit/phpunit": "^5.7.27"
     },
     "repositories": [
+        {
+            "type": "artifact",
+            "url": "packages/sunrise"
+        },
         {
             "type": "vcs",
-            "url": "git@github.com:comfino/shop-plugins-shared.git"
+            "url": "git@github.com:comfino/shop-plugins-shared.git",
+            "no-api": true
         }
     ]
 }
-Original file line number
+Diff line change
@@ -0,0 +1,3 @@
+    .git
+    .github
+    var/