CosmautDL

CosmautDL is a multi-cloud download manager plugin for WordPress.
It turns scattered cloud-drive links into a clean “download card” experience, and provides dedicated download pages, a site-wide file-tree index, and click statistics for site owners.

（中文概述）把零散的网盘链接统一整理成下载卡片，并提供独立下载页、文件树索引与下载统计，让资源分享更规范、更好用。

Key features (核心能力):

• Unified download card UI for posts/pages（下载卡片：文章/页面统一展示）
• Dedicated download page route per post（独立下载页：每篇文章一个下载页）
• Redirect route to keep outbound links tidy（跳转中转：可配置路由前缀）
• File-tree page to browse all shared resources（文件树：全站资源索引）
• Click statistics stored in your own database（下载统计：记录点击次数，后台可查看）
• Optional WeChat QR unlock workflow（可选微信扫码解锁）
• Assets loaded only when needed（按需加载，减少全站负担）

Supported providers ==(built-in defaults / 内置默认网盘):

Baidu Pan, 123Pan, Aliyun Drive, Tianyi Cloud, Quark, PikPak, Lanzou, Xunlei, Weiyun, OneDrive, Google Drive, Dropbox, MEGA, MediaFire, Box, and “Other”.

（说明）你可以在后台启用/禁用、重命名、排序网盘，并支持“其他网盘”用于自定义链接类型。

Routes (pretty permalinks recommended / 建议开启固定链接):

• Download page: /downloads/{post_id}.html (or ?cosmdl_download=1&post_id={id})
• File tree: /downloads/tree.html (or ?cosmdl_tree=1)
• Stats entry: /downloads/stats.html (or ?cosmdl_stats=1; admin-only)
• Redirect: /{prefix}/{post_id}/{type}.html (or ?cosmdl_redirect=1&post_id={id}&type={type})

Data & privacy (overview / 数据与隐私概述):

• Stores download click logs in a custom table: {wp_prefix}cosmdl_clicks (post_id, type, attach_id, user_id, ip, ua, referer, success, created_at).（用于统计；可在后台删除记录）
• Core features do not require external services.（核心功能不依赖外部服务）

Privacy/External Services

中文：
– 数据收集：插件会记录下载点击的 IP、UA、Referer 与时间，仅用于站点后台统计与问题排查；数据存储于站点数据库，未出站。
– 外部服务（可选）：开启“IP 归属地显示”后，后台会调用 ipapi/ip-api/ipinfo 查询归属地，并对结果做缓存后在后台显示；不开启则不触发任何外部请求。
– 微信扫码解锁（可选）：仅在扫码场景将访客浏览器跳转到微信授权页（open.weixin.qq.com），并由站点服务器调用 api.weixin.qq.com 接口换取 openid 与查询关注状态；不长期保存 openid，仅短期缓存解锁状态（10 分钟），公众号 access_token 最多缓存约 2 小时。
– 用户控制：可在插件设置中随时关闭上述可选功能；卸载插件会清理插件创建的数据与缓存。
– 合规提示：部分司法辖区将 IP 地址视为个人数据；启用“IP 归属地显示”前请确保已获得用户授权或满足合法合规要求。

English:
– Data Collection: The plugin records the IP, UA, Referer, and time of download clicks only for backend statistics and troubleshooting; data is stored in your database and never sent outside.
– External Services (Optional): When “IP Geolocation Display” is enabled, the admin backend queries ipapi/ip-api/ipinfo for geolocation; results are cached and displayed in wp-admin. No external requests occur when disabled.
– WeChat QR Unlock (Optional): Redirects the visitor browser to WeChat authorization (open.weixin.qq.com) and the server calls api.weixin.qq.com endpoints to exchange code for openid and check subscription. The plugin does not persist openid; it uses a short-lived unlock flag (~10 minutes) and caches the official account access_token (up to ~2 hours).
– User Control: You can disable these optional features at any time in plugin settings; uninstalling the plugin cleans up plugin-created data and caches.
– Compliance Note: In some jurisdictions, IP addresses are personal data; obtain consent or meet legal requirements before enabling IP geolocation.

External services

This plugin can connect to external services only when you enable related options.
（中文说明）仅在你启用相关功能后才会发起外部请求。

1) WeChat (微信) OAuth & subscription check

• Service: WeChat / Tencent（微信/腾讯）
• Purpose: Used for “WeChat unlock” mode authentication
• Endpoints:
  • https://open.weixin.qq.com/connect/oauth2/authorize (OAuth authorize, visitor browser redirect)
  • https://api.weixin.qq.com/sns/oauth2/access_token (exchange OAuth code for openid)
  • https://api.weixin.qq.com/cgi-bin/token (fetch official account access_token)
  • https://api.weixin.qq.com/cgi-bin/user/info (check subscription status)
• When: Only if you enable “WeChat unlock” in CosmautDL settings and visitors open the unlock URL in WeChat after scanning the QR code.
• Data sent:
  • Visitor browser → open.weixin.qq.com: appid, redirect_uri, response_type, scope, state, and standard HTTP request metadata handled by WeChat (e.g., IP address, user agent).
  • Your server → api.weixin.qq.com: appid, appsecret, OAuth code, grant_type; later access_token, openid, lang.
• Data stored (local): Does not store openid permanently; stores a short-lived unlock flag transient (10 minutes) and caches the official account access_token transient (up to ~2 hours, based on API expires_in).
• User control: You can disable this feature at any time in plugin settings.（可在插件设置中随时禁用此功能）
• Data deletion: Transients expire automatically.（临时缓存自动过期）
• Terms of Service: https://www.wechat.com/en/service_terms.html
• Privacy Policy: https://www.wechat.com/en/privacy_policy.html

2) IP geolocation lookup

• Services (selectable in settings / 后台可选服务商):
  • https://ipapi.co/
  • https://ip-api.com/
  • https://ipinfo.io/
• Purpose: To display “IP location” in admin download statistics
• When: Only if you enable “Show IP location in stats” and open stats details in wp-admin.
• Data sent: IP address from your click logs, from your server to the chosen provider (requests are cached).（仅用于展示归属地，且有缓存减少请求）
• Caching: Results are cached for 168 hours (7 days) by default to reduce API calls.（默认缓存 168 小时（7 天）以减少 API 调用）
• User control: You can disable this feature at any time in plugin settings.（可在插件设置中随时禁用此功能）
• Data Flow: Your server → IP Geolocation API → Your server (IP addresses are sent for location lookup)
• Privacy Impact: IP addresses are considered personal data in some jurisdictions; cached results help minimize exposure
• Data Deletion: Cached geolocation data automatically expires after 7 days; IP addresses in click logs can be deleted from admin stats page
• Terms of Service:
  • ipapi: https://ipapi.co/terms/
  • ip-api: https://ip-api.com/docs/legal
  • ipinfo: https://ipinfo.io/terms-of-service
• Privacy Policies:
  • ipapi: https://ipapi.co/privacy/
  • ip-api: https://ip-api.com/docs/legal
  • ipinfo: https://ipinfo.io/privacy-policy

Third-party libraries

phpqrcode

• Library: phpqrcode (LGPL-3.0)
• Purpose: On-site QR code generation for WeChat unlock functionality
• License: GNU Lesser General Public License v3.0
• License URI: https://www.gnu.org/licenses/lgpl-3.0.html
• Usage: Used for generating unlock QR codes without external dependencies
• Compatibility: LGPL-3.0 is compatible with GPLv3