=== Legion SSO ===
Contributors: legionhand
Tags: sso, woocommerce, single sign-on, legion
Requires at least: 5.8
Tested up to: 6.5
Requires PHP: 7.4
Stable tag: 2.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Secure SSO bridge between WordPress/WooCommerce and the Legion Hand platform.

== Description ==
Legion SSO lets a logged-in WordPress user transparently authenticate to Legion
web components hosted on the same page (e.g. `<legion-profile>`, `<legion-wallet>`).

The plugin **does not** ship the Legion client secret to the browser. Instead,
it exposes `GET /wp-json/legion-sso/v1/token`, which is callable only by a
logged-in WordPress user with a valid `X-WP-Nonce`, and proxies the call to the
Legion `/api/auth/sso` endpoint server-side using `wp_remote_post`.

Front-end pages call `window.legionAuth.getToken()` to retrieve the issued JWT,
and the bridge auto-injects it as the `auth-token` attribute on any
`<legion-*>` web component on the page.

== Configuration ==
1. Install and activate the plugin.
2. Visit **Settings → Legion SSO** and fill in:
   - Client ID (from the Legion admin dashboard)
   - Client Secret (one-time reveal in the Legion admin dashboard)
   - user-x Base URL (defaults to `https://app.legionhand.com`)
   - Shop slug (matches the tenant configured in Legion)
3. Click **Run Test** to verify the upstream connection.

== WooCommerce ==
When WooCommerce is active, the plugin pulls `billing_phone` from the user
meta and includes it in the SSO sync payload, and the JS bridge re-fetches
the token whenever WooCommerce fires `wc_fragment_refreshed`.
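
The browser side of the flow described under Description and WooCommerce, as an added sketch that is not the plugin's own source. The `createLegionAuth` factory, its injected dependencies, the `force` option and the `{ token }` response shape are assumptions made for illustration.

```javascript
// Added illustration, not the plugin's source. Assumed: the createLegionAuth
// factory, its injected dependencies, and a { token: "<jwt>" } JSON response.
function createLegionAuth({ fetchImpl, restRoot, nonce, root }) {
  let cached = null;   // token lives only in this closure, never in web storage
  let inflight = null; // de-duplicates concurrent getToken() calls

  async function requestToken() {
    const res = await fetchImpl(restRoot + 'legion-sso/v1/token', {
      method: 'GET',
      credentials: 'same-origin',        // send the WordPress login cookie
      headers: { 'X-WP-Nonce': nonce },  // REST nonce bound to that session
    });
    if (!res.ok) throw new Error('token endpoint returned HTTP ' + res.status);
    const body = await res.json();
    if (typeof body.token !== 'string' || body.token === '') {
      throw new Error('token endpoint returned no token');
    }
    return body.token;
  }

  function getToken({ force = false } = {}) {
    if (cached && !force) return Promise.resolve(cached);
    if (!inflight) {
      inflight = requestToken()
        .then((t) => (cached = t))
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  // Set auth-token on every <legion-*> element under root; returns the count.
  function inject(token) {
    const targets = Array.from(root.querySelectorAll('*'))
      .filter((el) => el.tagName.toLowerCase().startsWith('legion-'));
    targets.forEach((el) => el.setAttribute('auth-token', token));
    return targets.length;
  }

  // Run once on page load; run with force=true from a wc_fragment_refreshed
  // handler. A failed request rejects before any attribute is written.
  async function sync(force = false) {
    return inject(await getToken({ force }));
  }

  return { getToken, inject, sync };
}
```

In a browser the injected dependencies would be `fetch`, `document`, and the REST root and nonce however the plugin exposes them to the page. Injecting them keeps the caching and injection logic testable without a live WordPress session.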

== Distribution ==
Releases are published to the Legion Hand DigitalOcean Spaces bucket. The
canonical install instructions and download links live in the user-x developer
documentation under the **WordPress Plugin** section.

== Changelog ==
= 2.0.0 =
* Replace insecure browser-side login form with REST-proxied flow.
* Add admin settings page with one-time secret reveal and Test Connection.
* Add `window.legionAuth` JS bridge with in-memory token caching.
* Add WooCommerce hooks (`wc_fragment_refreshed`, `billing_phone`).
* Auto-inject `auth-token` onto `<legion-*>` web components.

= 1.0.0 =
* Initial prototype (deprecated).
