(feat): upgrade to php8

.github/dependabot.yml

@@ -0,0 +1,29 @@
+# Basic set up for two package managers
+
+version: 2
+updates:
+    # Maintain dependencies for GitHub Actions
+    - package-ecosystem: 'github-actions'
+      # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+      directory: '/'
+      schedule:
+          interval: 'weekly'
+      groups:
+          actions:
+              patterns:
+                  - '*'
+      commit-message:
+          prefix: 'chore'
+
+    # Maintain dependencies for Composer
+    - package-ecosystem: 'composer'
+      directory: '/'
+      schedule:
+          interval: 'weekly'
+      groups:
+          composer:
+              patterns:
+                  - '*'
+      commit-message:
+          prefix: 'chore'
+      versioning-strategy: lockfile-only

.github/workflows/composer-lock-diff.yml

@@ -0,0 +1,11 @@
+name: Composer Diff
+
+on:
+  pull_request:
+    paths:
+      - 'composer.lock'
+
+jobs:
+  composer-diff:
+    uses: yardinternet/workflows/.github/workflows/composer-lock-diff.yml@main
+    secrets: inherit

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,22 @@
+name: Dependabot automerge
+
+on:
+    - pull_request
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: write
+    pull-requests: write
+
+jobs:
+    dependabot:
+        runs-on: ubuntu-latest
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        steps:
+            - name: Enable auto-merge for Dependabot PRs
+              run: gh pr comment "$PR_URL" --body "@dependabot merge"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}

.github/workflows/release.yml

@@ -0,0 +1,15 @@
+name: Auto Release
+
+on:
+    push:
+        tags:
+            - '*'
+
+jobs:
+    release:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Create GitHub Release
+              uses: softprops/action-gh-release@v2
+              with:
+                  generate_release_notes: true

.gitignore

@@ -36,7 +36,9 @@
 # track this file .gitignore (i.e. do NOT ignore it)
 !.gitignore
 
+!.github
 !.php-cs-fixer.php
+.php-cs-fixer.cache
 
 # Eslint
 !.eslintrc
@@ -64,6 +66,7 @@ Thumbs.db
 *.log
 *.sql
 *.sqlite
+pg-log-*.json
 
 # ignore compiled files
 *.com

.php-cs-fixer.php

@@ -3,39 +3,40 @@
 declare(strict_types=1);
 
 $finder = PhpCsFixer\Finder::create()
-	->notPath('vendor')
-	->notPath('node_modules')
-	->in(__DIR__)
-	->in('./resources/views')
-	->in('./config')
-	->name('*.php')
-	->notName('*.blade.php')
-	->ignoreDotFiles(true)
-	->ignoreVCS(true);
+    ->notPath('vendor')
+    ->notPath('node_modules')
+    ->in(__DIR__)
+    ->in('./resources/views')
+    ->in('./config')
+    ->name('*.php')
+    ->notName('*.blade.php')
+    ->ignoreDotFiles(true)
+    ->ignoreVCS(true);
 
 return (new PhpCsFixer\Config)
-	->setRules([
-		'@PSR2' => true,
-		'array_syntax' => [
-			'syntax' => 'short',
-		],
-		'ordered_imports' => [
-			'sort_algorithm' => 'alpha',
-		],
-		'no_unused_imports' => true,
-		'binary_operator_spaces' => [
-			'default' => 'single_space',
-			'operators' => [
-				'=>' => null,
-				'|' => 'no_space',
-			],
-		],
-		'full_opening_tag' => true,
-		'yoda_style' => [
-			'always_move_variable' => true,
-			'equal' => true,
-			'identical' => true,
-			'less_and_greater' => true,
-		],
-	])
-	->setFinder($finder);
+    ->setRules([
+        '@PSR2' => true,
+        'array_syntax' => [
+            'syntax' => 'short',
+        ],
+        'ordered_imports' => [
+            'sort_algorithm' => 'alpha',
+        ],
+        'no_unused_imports' => true,
+        'array_indentation' => true,
+        'binary_operator_spaces' => [
+            'default' => 'single_space',
+            'operators' => [
+                '=>' => 'single_space',
+                '|' => 'no_space',
+            ],
+        ],
+        'full_opening_tag' => true,
+        'yoda_style' => [
+            'always_move_variable' => true,
+            'equal' => true,
+            'identical' => true,
+            'less_and_greater' => true,
+        ],
+    ])
+    ->setFinder($finder);

CHANGELOG.md

@@ -1,6 +1,33 @@
 # Changelog
 
--   Tested up to: WordPress 6.8.3
+## [v2.0.0] - 2026-06-03
+
+- Added: upgrade to PHP 8
+- Added: user object model class with fullName support
+- Added: mTLS certificate configuration with passphrase support and improved tooltips
+- Added: conditional usage of SSL certificates
+- Added: Pink and EnableU v2 implementation
+- Fix: prevent octal conversion from stripping leading zeros in BSN
+- Fix: path traversal bypass
+- Fix: validate SSL certificates and their paths
+- Fix: set supplier certificate as CA to support self-signed certificates
+- Fix: use general goal binding when none is used in the request
+- Fix: mapping options VrijBRP
+- Fix: broken cURL error handling
+- Fix: separate cache for personal data service and form requests
+- Fix: personal data service class, also improves V2 usage
+- Fix: BSN location in response
+- Fix: escape output and strip version suffix in personal data row block
+- Fix: personal data row inner block
+- Fix: remove some default values in GF Addon settings
+- Change: VrijBRP controller uses specific cURL headers
+- Change: rename doelBinding to goalBinding
+- Change: update block registration and prefix to make blocks visible in editor
+- Change: verify SSL peer and host when using client certificates
+- Chore: update mapping options BRP V2
+- Chore: remove EnableU as supplier
+- Chore: add missing information to personal data block for mijngegevens page
+- Chore: improve README.md
 
 ## v1.9.1
 

README.md

@@ -2,16 +2,18 @@
 
 ## Description
 
-Prefill GravityForms fields, based on the dutch BSN number. Retrieve personal information and place these values in the corrensponding fields.
+Prefill GravityForms fields, based on the Dutch BSN number. Retrieve personal information and place these values in the corrensponding fields.
 
 ## Dependencies
 
-In order to use this plug-in there are two required plug-ins:
+To use this plug-in, the following dependencies are required:
 
 - GravityForms (premium)
-- Yard | GravityForms DigiD (private repo, contact [Yard | Digital Agency](https://www.yard.nl/) for access)
 
-See [here](https://github.com/OpenWebconcept/plugin-prefill-gravity-forms/blob/main/config/core.php) for more details.
+In addition, at least one of the following plug-ins must be installed to enable authentication by BSN:
+
+- Yard | GravityForms DigiD (<https://github.com/yardinternet/owc-gravityforms-digid>)
+- OWC Signicat OpenID (<https://github.com/yardinternet/plugin-owc-signicat-openid>)
 
 ## Features
 
@@ -39,14 +41,14 @@ See [here](https://github.com/OpenWebconcept/plugin-prefill-gravity-forms/blob/m
 
 1. Go to '/wp-admin/admin.php?page=gf_settings&subview=owc-gravityforms-iconnect' and configure all the required settings.
 
-- 1. Suppliers will provide the needed certificates which need to be selected in order to make prefilling form fields work.
-- 2. Suppliers will also provide an API-key, certificates password (if needed) and a base URL.
-- 3. [OIN](https://logius.nl/domeinen/toegang/organisatie-identificatienummer/wat-is-het) is a unique number for organizations provided by Logius.
+-   1. Suppliers will provide the needed certificates which need to be selected in order to make prefilling form fields work.
+-   2. Suppliers will also provide an API-key, certificates password (if needed) and a base URL.
+-   3. [OIN](https://logius.nl/domeinen/toegang/organisatie-identificatienummer/wat-is-het) is a unique number for organizations provided by Logius.
 
 2. Go to the form settings of the form you want to configure.
-3. Scroll down and look for the 'iConnect' panel and configure the settings.
+3. Scroll down and look for the 'OWC Prefill' panel and configure the settings.
 
-### 🔐 Cache Encryption
+### Cache Encryption
 
 To enable secure caching of sensitive data, you **must define an encryption key** in your `wp-config.php` file. This key is used to encrypt and decrypt the cached data and should be kept secret at all times.
 
@@ -66,3 +68,83 @@ Important:
 ## License
 
 The source code is made available under the [EUPL 1.2 license](https://github.com/OpenWebconcept/plugin-prefill-gravity-forms/blob/main/LICENSE.md). Some of the dependencies are licensed differently, with the BSD or MIT license, for example.
+
+## User model
+
+The `UserModel` provides a simple way to access BRP (Basisregistratie Personen) data that has been retrieved after a valid DigiD login.
+It automatically detects which data supplier is configured (in the add-on settings), loads the correct controller, and exposes a small set of helper methods for use in templates or form-prefill logic.
+
+Before accessing any user attributes, always check whether the user is authenticated using DigiD.
+
+### Usage
+
+```php
+$user = new \OWC\PrefillGravityForms\Models\UserModel();
+
+if ( $user->isLoggedIn() ) {
+    $bsn  = $user->bsn();
+    $age  = $user->age();
+}
+```
+
+This model does not handle authentication itself, it only exposes data retrieved by the underlying BRP supplier controller.
+If a controller fails to load (e.g., misconfiguration or missing supplier), the model gracefully returns default values.
+
+To use this model, make sure it is enabled in the settings available at '/wp-admin/admin.php?page=gf_settings&subview=owc-gravityforms-iconnect'.
+Otherwise, the object will be instantiated but will not contain any data.
+
+## Gutenberg blocks
+
+This plugin ships with two Gutenberg blocks for displaying personal data of the logged-in user on any page.
+
+- **Personal Data Table** (`owc-prefill-gravity-forms/personal-data-table`) — a container block that wraps rows in an HTML table (`<table>`).
+- **Personal Data Row** (`owc-prefill-gravity-forms/personal-data-row`) — displays a single personal data field. When placed inside the table block it renders as a `<tr>`, otherwise as a configurable HTML element (`<div>`, `<p>`, or `<span>`).
+
+Each Personal Data Row block must be configured in the block sidebar:
+
+| Setting | Description |
+|---|---|
+| Supplier | Must match the supplier configured in the plugin settings. |
+| Goal binding | Required for HaalCentraal API v2 — determines which fields are returned. |
+| Processing | Optional processing context for HaalCentraal API v2. |
+| Personal data field | The specific BRP attribute to display (e.g. name, date of birth). |
+
+## Logging
+
+Enable logging to monitor errors during communication with the BRP suppliers.
+
+- Logs are written daily to `pg-log{-date}.json` in the WordPress webroot directory.
+- A rotating file handler keeps up to 7 log files by default, deleting the oldest as needed.
+- You can change the maximum number of log files using the filter described below.
+
+## Hooks
+
+### Change the maximum number of log files
+
+Use the following filter to alter the rotating file handler's max files setting:
+
+```php
+apply_filters('pg::logger/rotating_filer_handler_max_files', PG_LOGGER_DEFAULT_MAX_FILES)
+```
+
+### Intercept exceptions for custom handling
+
+You can intercept exceptions caught by the plugin for additional processing or custom logging using this filter:
+
+```php
+do_action('pg::exception/intercept', $exception, $method)
+```
+
+The `$exception` parameter contains the caught exception object.
+
+### Provide Custom Mapping Options from a Theme Directory
+
+This plugin includes supplier-specific mapping option files. In version 1 of the "HaalCentraal API", all available fields were returned, even when only a subset was needed.
+
+Since version 2 of HaalCentraal, this has changed: the goal binding (doelbinding) now determines which fields are returned. This results in a more concise dataset that contains only the necessary fields. Because each municipality (gemeente) can define its own unique goal bindings and corresponding fields, this plugin cannot include all possible mapping configurations by default.
+
+```php
+add_filter('pg::theme/dir_mapping_options', function ($value) {
+    return __DIR__ . '/templates/owc-prefill/';
+}, 10, 1);
+```

build/icons.asset.php

@@ -1 +1 @@
-<?php return ['dependencies' => [], 'version' => '12341f29470476729a0c'];
+<?php return ['dependencies' => [], 'version' => 'eafbc2f5130762d2e52d'];