fix: harden wechat mp oauth

2026-02-04 01:29:05 +08:00
parent 99fe68e851
commit c2731ce1dc
7 changed files with 105 additions and 6 deletions
--- a/.env.production
+++ b/.env.production
@@ -12,3 +12,9 @@ CORS_ORIGINS=https://your-domain.com,https://www.your-domain.com

 # 你的域名（用于生成二维码等）
 DOMAIN=your-domain.com
+
+# 微信公众号网页授权配置
+WECHAT_MP_APP_ID=your-mp-app-id
+WECHAT_MP_APP_SECRET=your-mp-app-secret
+# 允许的回调域名白名单（逗号分隔，host 级别）
+WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -34,6 +34,16 @@ WECHAT_REDIRECT_URI=https://your-domain.com/api/wechat/callback

 > 注意：需要在微信开放平台配置授权回调域名（只填域名，不含路径）

+如需启用公众号网页授权登录，请追加：
+
+```env
+# 微信公众号网页授权配置（可选）
+WECHAT_MP_APP_ID=your-mp-app-id
+WECHAT_MP_APP_SECRET=your-mp-app-secret
+# 回调域名白名单（host 级别，逗号分隔，不含协议与路径）
+WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com
+```
+
 ### 3. 配置域名

 编辑 `deploy/Caddyfile`，将 `your-domain.com` 替换为你的实际域名：
--- a/README.md
+++ b/README.md
@@ -109,6 +109,16 @@ sed -i 's/your-domain.com/你的域名/g' deploy/Caddyfile
 docker-compose up -d --build
 ```

+### 公众号网页授权配置（可选）
+
+若启用微信内 H5 授权登录，请在环境变量中配置：
+
+```env
+WECHAT_MP_APP_ID=your-mp-app-id
+WECHAT_MP_APP_SECRET=your-mp-app-secret
+WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com
+```
+
 详细部署说明请参考 [DEPLOY.md](./DEPLOY.md)。

 ## 测试
--- a/packages/client-mobile/src/views/HomeView.vue
+++ b/packages/client-mobile/src/views/HomeView.vue
@@ -24,7 +24,7 @@ function isWechatBrowser(): boolean {
 /**
 * 用code完成登录
 */
-async function loginWithCode(code: string) {
+async function loginWithCode(code: string, state?: string) {
  isProcessing.value = true;
  showLoadingToast({ message: '登录中...', forbidClick: true });

@@ -32,7 +32,7 @@ async function loginWithCode(code: string) {
    const response = await fetch(`${apiUrl}/api/mp/login`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ code }),
+      body: JSON.stringify({ code, state }),
    });

    const result = await response.json();
@@ -92,11 +92,12 @@ async function redirectToWechatAuth() {
 async function handleWechatAuth() {
  // 检查URL中是否有code参数（授权回调）
  const code = route.query.code as string;
+  const state = route.query.state as string;

  if (code) {
    // 有code，用code完成登录
    console.log('[HomeView] Got code from callback, logging in...');
-    await loginWithCode(code);
+    await loginWithCode(code, state);
  } else {
    // 无code，跳转到授权页面
    console.log('[HomeView] No code, redirecting to auth...');
--- a/packages/server/src/config/index.ts
+++ b/packages/server/src/config/index.ts
@@ -64,6 +64,10 @@ export const config = {
  wechatMp: {
    appId: process.env.WECHAT_MP_APP_ID || '',
    appSecret: process.env.WECHAT_MP_APP_SECRET || '',
+    redirectAllowlist: (process.env.WECHAT_MP_REDIRECT_ALLOWLIST || '')
+      .split(',')
+      .map((item) => item.trim())
+      .filter(Boolean),
  },
 } as const;

--- a/packages/server/src/routes/wechat-mp.routes.ts
+++ b/packages/server/src/routes/wechat-mp.routes.ts
@@ -10,7 +10,7 @@ const router = Router();
 * 获取公众号网页授权URL
 * 前端在微信环境中调用此接口，获取授权跳转URL
 */
-router.get('/auth-url', (req: Request, res: Response) => {
+router.get('/auth-url', async (req: Request, res: Response) => {
  try {
    if (!wechatMpService.isConfigured()) {
      return res.json({
@@ -22,8 +22,15 @@ router.get('/auth-url', (req: Request, res: Response) => {
    // 从query获取回调地址，默认使用移动端URL
    const redirectUri = (req.query.redirect_uri as string) || config.mobileClientUrl;

+    if (!isRedirectAllowed(redirectUri)) {
+      return res.status(400).json({
+        success: false,
+        error: 'Invalid redirect_uri',
+      });
+    }
+
    // 生成随机state防止CSRF
-    const state = Math.random().toString(36).slice(2, 15);
+    const state = await wechatMpService.createState();

    // 使用snsapi_base静默授权（只获取openid）
    const scope = (req.query.scope as 'snsapi_base' | 'snsapi_userinfo') || 'snsapi_base';
@@ -55,7 +62,7 @@ router.get('/auth-url', (req: Request, res: Response) => {
 */
 router.post('/login', async (req: Request, res: Response) => {
  try {
-    const { code } = req.body;
+    const { code, state } = req.body;

    if (!code) {
      return res.status(400).json({
@@ -64,6 +71,13 @@ router.post('/login', async (req: Request, res: Response) => {
      });
    }

+    if (!state) {
+      return res.status(400).json({
+        success: false,
+        error: 'Missing state parameter',
+      });
+    }
+
    if (!wechatMpService.isConfigured()) {
      return res.json({
        success: false,
@@ -71,6 +85,14 @@ router.post('/login', async (req: Request, res: Response) => {
      });
    }

+    const isValidState = await wechatMpService.validateState(state);
+    if (!isValidState) {
+      return res.status(400).json({
+        success: false,
+        error: 'Invalid or expired state',
+      });
+    }
+
    const result = await wechatMpService.login(code);

    if (!result.success) {
@@ -106,4 +128,21 @@ router.get('/config', (_req: Request, res: Response) => {
  });
 });

+function isRedirectAllowed(redirectUri: string): boolean {
+  try {
+    const url = new URL(redirectUri);
+    if (!['http:', 'https:'].includes(url.protocol)) return false;
+
+    const allowlist = config.wechatMp.redirectAllowlist;
+    if (allowlist.length > 0) {
+      return allowlist.includes(url.host);
+    }
+
+    const fallbackHost = new URL(config.mobileClientUrl).host;
+    return url.host === fallbackHost;
+  } catch {
+    return false;
+  }
+}
+
 export default router;
--- a/packages/server/src/services/wechat-mp.service.ts
+++ b/packages/server/src/services/wechat-mp.service.ts
@@ -1,9 +1,13 @@
+import { randomUUID } from 'crypto';
 import { config } from '../config';
 import { logger } from '../utils/logger';
 import { createSessionToken } from '../utils/auth';
+import { redis } from '../config/redis';
 import type { WechatAccessTokenResponse, WechatUserInfo } from '@gala/shared/types';

 const SESSION_TOKEN_TTL = 24 * 60 * 60; // 24 hours
+const STATE_TTL = 5 * 60; // 5 minutes
+const STATE_PREFIX = 'wechat_mp:state:';

 /**
 * 微信公众号网页授权服务
@@ -47,6 +51,31 @@ class WechatMpService {
    return `${baseUrl}?${params.toString()}#wechat_redirect`;
  }

+  /**
+   * 创建并保存state（防止CSRF）
+   */
+  async createState(): Promise<string> {
+    const state = randomUUID();
+    await redis.setex(`${STATE_PREFIX}${state}`, STATE_TTL, '1');
+    return state;
+  }
+
+  /**
+   * 校验并消费state
+   */
+  async validateState(state: string): Promise<boolean> {
+    try {
+      const key = `${STATE_PREFIX}${state}`;
+      const exists = await redis.get(key);
+      if (!exists) return false;
+      await redis.del(key);
+      return true;
+    } catch (error) {
+      logger.error({ error }, 'Failed to validate WeChat MP state');
+      return false;
+    }
+  }
+
  /**
   * 用code换取access_token和openid
   */