diff --git a/.env.production b/.env.production index edc8898..0827ab3 100644 --- a/.env.production +++ b/.env.production @@ -12,3 +12,9 @@ CORS_ORIGINS=https://your-domain.com,https://www.your-domain.com # 你的域名(用于生成二维码等) DOMAIN=your-domain.com + +# 微信公众号网页授权配置 +WECHAT_MP_APP_ID=your-mp-app-id +WECHAT_MP_APP_SECRET=your-mp-app-secret +# 允许的回调域名白名单(逗号分隔,host 级别) +WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com diff --git a/DEPLOY.md b/DEPLOY.md index 43e6b78..e37f0f3 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -34,6 +34,16 @@ WECHAT_REDIRECT_URI=https://your-domain.com/api/wechat/callback > 注意:需要在微信开放平台配置授权回调域名(只填域名,不含路径) +如需启用公众号网页授权登录,请追加: + +```env +# 微信公众号网页授权配置(可选) +WECHAT_MP_APP_ID=your-mp-app-id +WECHAT_MP_APP_SECRET=your-mp-app-secret +# 回调域名白名单(host 级别,逗号分隔,不含协议与路径) +WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com +``` + ### 3. 配置域名 编辑 `deploy/Caddyfile`,将 `your-domain.com` 替换为你的实际域名: diff --git a/README.md b/README.md index f36458d..ee441f6 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,16 @@ sed -i 's/your-domain.com/你的域名/g' deploy/Caddyfile docker-compose up -d --build ``` +### 公众号网页授权配置(可选) + +若启用微信内 H5 授权登录,请在环境变量中配置: + +```env +WECHAT_MP_APP_ID=your-mp-app-id +WECHAT_MP_APP_SECRET=your-mp-app-secret +WECHAT_MP_REDIRECT_ALLOWLIST=your-domain.com,www.your-domain.com +``` + 详细部署说明请参考 [DEPLOY.md](./DEPLOY.md)。 ## 测试 diff --git a/packages/client-mobile/src/views/HomeView.vue b/packages/client-mobile/src/views/HomeView.vue index 437d011..858a1a3 100644 --- a/packages/client-mobile/src/views/HomeView.vue +++ b/packages/client-mobile/src/views/HomeView.vue @@ -24,7 +24,7 @@ function isWechatBrowser(): boolean { /** * 用code完成登录 */ -async function loginWithCode(code: string) { +async function loginWithCode(code: string, state?: string) { isProcessing.value = true; showLoadingToast({ message: '登录中...', forbidClick: true }); @@ -32,7 +32,7 @@ async function loginWithCode(code: string) { const response = await fetch(`${apiUrl}/api/mp/login`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, - body: JSON.stringify({ code }), + body: JSON.stringify({ code, state }), }); const result = await response.json(); @@ -92,11 +92,12 @@ async function redirectToWechatAuth() { async function handleWechatAuth() { // 检查URL中是否有code参数(授权回调) const code = route.query.code as string; + const state = route.query.state as string; if (code) { // 有code,用code完成登录 console.log('[HomeView] Got code from callback, logging in...'); - await loginWithCode(code); + await loginWithCode(code, state); } else { // 无code,跳转到授权页面 console.log('[HomeView] No code, redirecting to auth...'); diff --git a/packages/server/src/config/index.ts b/packages/server/src/config/index.ts index 676fa59..5602510 100644 --- a/packages/server/src/config/index.ts +++ b/packages/server/src/config/index.ts @@ -64,6 +64,10 @@ export const config = { wechatMp: { appId: process.env.WECHAT_MP_APP_ID || '', appSecret: process.env.WECHAT_MP_APP_SECRET || '', + redirectAllowlist: (process.env.WECHAT_MP_REDIRECT_ALLOWLIST || '') + .split(',') + .map((item) => item.trim()) + .filter(Boolean), }, } as const; diff --git a/packages/server/src/routes/wechat-mp.routes.ts b/packages/server/src/routes/wechat-mp.routes.ts index 6df5939..f0fdc61 100644 --- a/packages/server/src/routes/wechat-mp.routes.ts +++ b/packages/server/src/routes/wechat-mp.routes.ts @@ -10,7 +10,7 @@ const router = Router(); * 获取公众号网页授权URL * 前端在微信环境中调用此接口,获取授权跳转URL */ -router.get('/auth-url', (req: Request, res: Response) => { +router.get('/auth-url', async (req: Request, res: Response) => { try { if (!wechatMpService.isConfigured()) { return res.json({ @@ -22,8 +22,15 @@ router.get('/auth-url', (req: Request, res: Response) => { // 从query获取回调地址,默认使用移动端URL const redirectUri = (req.query.redirect_uri as string) || config.mobileClientUrl; + if (!isRedirectAllowed(redirectUri)) { + return res.status(400).json({ + success: false, + error: 'Invalid redirect_uri', + }); + } + // 生成随机state防止CSRF - const state = Math.random().toString(36).slice(2, 15); + const state = await wechatMpService.createState(); // 使用snsapi_base静默授权(只获取openid) const scope = (req.query.scope as 'snsapi_base' | 'snsapi_userinfo') || 'snsapi_base'; @@ -55,7 +62,7 @@ router.get('/auth-url', (req: Request, res: Response) => { */ router.post('/login', async (req: Request, res: Response) => { try { - const { code } = req.body; + const { code, state } = req.body; if (!code) { return res.status(400).json({ @@ -64,6 +71,13 @@ router.post('/login', async (req: Request, res: Response) => { }); } + if (!state) { + return res.status(400).json({ + success: false, + error: 'Missing state parameter', + }); + } + if (!wechatMpService.isConfigured()) { return res.json({ success: false, @@ -71,6 +85,14 @@ router.post('/login', async (req: Request, res: Response) => { }); } + const isValidState = await wechatMpService.validateState(state); + if (!isValidState) { + return res.status(400).json({ + success: false, + error: 'Invalid or expired state', + }); + } + const result = await wechatMpService.login(code); if (!result.success) { @@ -106,4 +128,21 @@ router.get('/config', (_req: Request, res: Response) => { }); }); +function isRedirectAllowed(redirectUri: string): boolean { + try { + const url = new URL(redirectUri); + if (!['http:', 'https:'].includes(url.protocol)) return false; + + const allowlist = config.wechatMp.redirectAllowlist; + if (allowlist.length > 0) { + return allowlist.includes(url.host); + } + + const fallbackHost = new URL(config.mobileClientUrl).host; + return url.host === fallbackHost; + } catch { + return false; + } +} + export default router; diff --git a/packages/server/src/services/wechat-mp.service.ts b/packages/server/src/services/wechat-mp.service.ts index de8cef8..a9629aa 100644 --- a/packages/server/src/services/wechat-mp.service.ts +++ b/packages/server/src/services/wechat-mp.service.ts @@ -1,9 +1,13 @@ +import { randomUUID } from 'crypto'; import { config } from '../config'; import { logger } from '../utils/logger'; import { createSessionToken } from '../utils/auth'; +import { redis } from '../config/redis'; import type { WechatAccessTokenResponse, WechatUserInfo } from '@gala/shared/types'; const SESSION_TOKEN_TTL = 24 * 60 * 60; // 24 hours +const STATE_TTL = 5 * 60; // 5 minutes +const STATE_PREFIX = 'wechat_mp:state:'; /** * 微信公众号网页授权服务 @@ -47,6 +51,31 @@ class WechatMpService { return `${baseUrl}?${params.toString()}#wechat_redirect`; } + /** + * 创建并保存state(防止CSRF) + */ + async createState(): Promise { + const state = randomUUID(); + await redis.setex(`${STATE_PREFIX}${state}`, STATE_TTL, '1'); + return state; + } + + /** + * 校验并消费state + */ + async validateState(state: string): Promise { + try { + const key = `${STATE_PREFIX}${state}`; + const exists = await redis.get(key); + if (!exists) return false; + await redis.del(key); + return true; + } catch (error) { + logger.error({ error }, 'Failed to validate WeChat MP state'); + return false; + } + } + /** * 用code换取access_token和openid */