WERM

[1.0.4] - 2026-01-02

⚡ Performance & Reliability Release

This release adds batch delivery confirmation and async file I/O to improve performance and reliability during high-load scenarios.

Added

Batch Delivery Confirmation (Improvement 1.3)

• New Batch API - Confirmations are now batched (up to 10 at a time) and sent in a single API call
• Backend Support - New batch-confirm-delivery endpoint processes multiple confirmations atomically
• Reduced API Overhead - Up to 90% reduction in confirmation API calls during bulk deliveries
• Graceful Fallback - Automatically falls back to individual confirmations if batch fails

Async File I/O (Improvement 1.4)

• Non-blocking File Writes - Confirmation queue saves now run on a dedicated background thread
• ExecutorService - Single-thread daemon executor prevents main thread blocking
• Debounced Saves - Multiple queue changes are coalesced into fewer disk writes
• Graceful Shutdown - Synchronous save on server stop ensures no data loss

Changed

• DeliveryConfirmationQueue.java - Complete rewrite with batch processing and async I/O
• VerificationAPI.java - Added batchConfirmDeliveries() method for batch API calls
• WERMPlugin.java - Updated onDisable() to properly shutdown confirmation queue

Technical Details

• Batch Size: 10 confirmations per API call
• I/O Thread: Daemon thread named WERM-ConfirmationQueue-IO
• Shutdown Timeout: 5 seconds for graceful termination
• New Classes:
  • BatchConfirmation - Data class for batch confirmation items
  • BatchConfirmResult - Result wrapper for batch API responses

Performance Impact

• ~90% reduction in confirmation API calls during bulk deliveries
• Zero main thread blocking from file I/O operations
• Faster server shutdown due to optimized queue persistence
• Lower disk I/O through debounced writes

[1.0.3] - 2025-01-11

🚀 Performance Optimization Release

This release focuses on network performance improvements with connection pooling and smart polling to reduce server load and API traffic.

Added

Performance Features

• HTTP Connection Pooling (Improvement 1.1) - New HttpClientManager.java using OkHttp for efficient connection reuse

  • Maintains pool of 5 idle connections with 5-minute keep-alive
  • Eliminates connection setup overhead for repeated API calls
  • Proper TLS 1.2+ enforcement built into the connection pool
  • Configurable timeouts: 10s connect, 30s read, 10s write

• Smart Polling with Exponential Backoff (Improvement 1.2) - Dynamic polling based on server activity

  • Increases polling interval when no deliveries are found (up to 4x base interval)
  • Automatically resets to base interval when deliveries are found
  • Instantly checks for deliveries when players join
  • Reduces API load during low-activity periods by up to 75%

Changed

• Replaced all HttpURLConnection usage with OkHttp client in VerificationAPI.java
• Refactored DeliveryTask.java with backoff state management
• Updated WERMPlugin.java to properly shutdown HTTP client on disable
• Updated API connectivity test to use connection pool

Technical Details

• New Dependency: OkHttp 4.12.0 (Java 8 compatible)
• Relocated Packages: okhttp3, okio, kotlin → com.werm.libs.*
• Backoff Configuration:
  • Max backoff multiplier: 4x
  • Backoff triggers after 3 consecutive empty responses
  • Backoff resets on delivery found or player join

Performance Impact

• ~50% reduction in connection overhead through reuse
• Up to 75% reduction in API calls during idle periods
• Faster response times due to keep-alive connections
• Lower memory footprint from connection reuse

[1.0.2] - 2025-12-27

🔧 Maintenance Release

This release updates the bStats plugin ID for proper metrics tracking.

Changed

• Updated bStats plugin ID from 24691 to 28553 for correct metrics tracking
• Updated internal version constant to 1.0.2

Notes

• No functional changes from 1.0.1
• All security hardening from 1.0.1 remains in place

---

[1.0.1] - 2025-12-27

🔒 Security Hardening Release

This release focuses on comprehensive security improvements based on a full security audit.

Added

Security Features

• Command Validator - New CommandValidator.java blocks dangerous commands (op, deop, ban, stop, reload, whitelist, etc.) from being executed via deliveries
• Delivery Confirmation Queue - New DeliveryConfirmationQueue.java persists pending confirmations to survive server restarts
• TLS 1.2+ Enforcement - All API connections now require TLS 1.2 or higher
• Debug Log Redaction - Sensitive data (tokens, UUIDs, delivery IDs) automatically redacted in debug logs
• Input Sanitization - Player names and UUIDs sanitized before command placeholder substitution
• API Endpoint Validation - HTTPS requirement and domain whitelist enforcement
• Verification Rate Limiting - 5-second cooldown between /werm verify attempts
• IP Change Detection - Backend logs security events when tokens are used from new IPs
• Configurable Fallback - Fallback endpoints now require explicit opt-in (disabled by default)
• Auto-Discovery - Appwrite Project ID now auto-discovered from API /config endpoint

Admin Dashboard

• Audit Logs Page - New page in admin dashboard to view security events

Changed

• Removed hardcoded Appwrite Project ID from VerificationAPI.java
• Improved error handling for SSL/TLS connections
• Enhanced debug logging with automatic data redaction

Security Fixes

• CVE-like Fixes:
  • Command injection via delivery commands (Critical)
  • Debug mode exposing sensitive tokens (High)
  • No rate limiting on verification attempts (Medium)
  • Delivery confirmation atomicity issues (Medium)
  • Player name injection in commands (Medium)
  • Hardcoded project ID (High)
  • SSL certificate validation (High)
  • Unconfigured fallback endpoints (Low)
  • No endpoint validation (Low)

Files Added

• CommandValidator.java - Command blacklist and pattern validation
• DeliveryConfirmationQueue.java - Persistent confirmation queue

---

[1.0.0] - 2025-12-23

🎉 Initial Release

The first official release of the WERM (Web Engine for Realm Monetization) Minecraft plugin.

Added

Core Features

• Account Verification System - Players can link their Minecraft account to WERM using /werm verify <code> with 6-character verification codes
• Automatic Delivery System - Automatically delivers purchased products to players by executing configured console commands
• Server Heartbeat - Sends periodic status updates to the WERM dashboard including player counts and server version
• Player Join Detection - Checks for and delivers pending purchases when players join the server
• Player Online Notification - Notifies the WERM API when players come online for real-time status tracking

Commands

• /werm verify <code> - Link Minecraft account with WERM platform
• /werm help - Display plugin help and information
• /werm status - View plugin connection status (admin only)
• /werm reload - Reload plugin configuration (admin only)
• /w - Command alias for /werm

Permissions

• werm.verify - Allows players to verify their account (default: true)
• werm.admin - Access to admin commands like reload and status (default: op)

Configuration

• Configurable plugin token authentication
• Adjustable heartbeat interval (default: 60 seconds)
• Adjustable delivery polling interval (default: 15 seconds)
• Toggle player count in heartbeat
• Debug mode for verbose logging
• Fully customizable messages with color code support (& codes)

Delivery System

• Support for multiple delivery commands per product
• Command placeholder support:
  • {player} / {player_name} - Player's username
  • {uuid} / {player_uuid} - Player's UUID
  • {quantity} - Quantity purchased
  • {product_id} - Product ID
  • {product_name} - Product name
  • {order_id} - Order ID
  • {delivery_id} - Delivery ID
• Option to require player online for delivery
• Automatic delivery confirmation to WERM API
• Failed delivery reporting with error messages
• Duplicate delivery prevention

Technical

• Fully asynchronous API communication (no server lag)
• Tab completion for all commands and subcommands
• Console command support for /werm reload
• API connectivity testing on startup
• Endpoint fallback support for reliability
• GSON-based JSON parsing for API communication
• Secure token-based authentication with X-Plugin-Token header

Compatibility

• Spigot API 1.13+ support
• Compatible with Paper, Purpur, and all Spigot-based forks
• Java 8+ support

---

Links

• Website: https://wermpay.com
• Dashboard: https://wermpay.com/dashboard
• Support: https://discord.gg/werm
• Short URL: https://werm.gg