fix: harden wechat mp oauth
This commit is contained in:
empty
@@ -24,7 +24,7 @@ function isWechatBrowser(): boolean {
|
||||
/**
|
||||
* 用code完成登录
|
||||
*/
|
||||
async function loginWithCode(code: string) {
|
||||
async function loginWithCode(code: string, state?: string) {
|
||||
isProcessing.value = true;
|
||||
showLoadingToast({ message: '登录中...', forbidClick: true });
|
||||
|
||||
@@ -32,7 +32,7 @@ async function loginWithCode(code: string) {
|
||||
const response = await fetch(`${apiUrl}/api/mp/login`, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ code }),
|
||||
body: JSON.stringify({ code, state }),
|
||||
});
|
||||
|
||||
const result = await response.json();
|
||||
@@ -92,11 +92,12 @@ async function redirectToWechatAuth() {
|
||||
async function handleWechatAuth() {
|
||||
// 检查URL中是否有code参数(授权回调)
|
||||
const code = route.query.code as string;
|
||||
const state = route.query.state as string;
|
||||
|
||||
if (code) {
|
||||
// 有code,用code完成登录
|
||||
console.log('[HomeView] Got code from callback, logging in...');
|
||||
await loginWithCode(code);
|
||||
await loginWithCode(code, state);
|
||||
} else {
|
||||
// 无code,跳转到授权页面
|
||||
console.log('[HomeView] No code, redirecting to auth...');
|
||||
|
||||
@@ -64,6 +64,10 @@ export const config = {
|
||||
wechatMp: {
|
||||
appId: process.env.WECHAT_MP_APP_ID || '',
|
||||
appSecret: process.env.WECHAT_MP_APP_SECRET || '',
|
||||
redirectAllowlist: (process.env.WECHAT_MP_REDIRECT_ALLOWLIST || '')
|
||||
.split(',')
|
||||
.map((item) => item.trim())
|
||||
.filter(Boolean),
|
||||
},
|
||||
} as const;
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ const router = Router();
|
||||
* 获取公众号网页授权URL
|
||||
* 前端在微信环境中调用此接口,获取授权跳转URL
|
||||
*/
|
||||
router.get('/auth-url', (req: Request, res: Response) => {
|
||||
router.get('/auth-url', async (req: Request, res: Response) => {
|
||||
try {
|
||||
if (!wechatMpService.isConfigured()) {
|
||||
return res.json({
|
||||
@@ -22,8 +22,15 @@ router.get('/auth-url', (req: Request, res: Response) => {
|
||||
// 从query获取回调地址,默认使用移动端URL
|
||||
const redirectUri = (req.query.redirect_uri as string) || config.mobileClientUrl;
|
||||
|
||||
if (!isRedirectAllowed(redirectUri)) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Invalid redirect_uri',
|
||||
});
|
||||
}
|
||||
|
||||
// 生成随机state防止CSRF
|
||||
const state = Math.random().toString(36).slice(2, 15);
|
||||
const state = await wechatMpService.createState();
|
||||
|
||||
// 使用snsapi_base静默授权(只获取openid)
|
||||
const scope = (req.query.scope as 'snsapi_base' | 'snsapi_userinfo') || 'snsapi_base';
|
||||
@@ -55,7 +62,7 @@ router.get('/auth-url', (req: Request, res: Response) => {
|
||||
*/
|
||||
router.post('/login', async (req: Request, res: Response) => {
|
||||
try {
|
||||
const { code } = req.body;
|
||||
const { code, state } = req.body;
|
||||
|
||||
if (!code) {
|
||||
return res.status(400).json({
|
||||
@@ -64,6 +71,13 @@ router.post('/login', async (req: Request, res: Response) => {
|
||||
});
|
||||
}
|
||||
|
||||
if (!state) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Missing state parameter',
|
||||
});
|
||||
}
|
||||
|
||||
if (!wechatMpService.isConfigured()) {
|
||||
return res.json({
|
||||
success: false,
|
||||
@@ -71,6 +85,14 @@ router.post('/login', async (req: Request, res: Response) => {
|
||||
});
|
||||
}
|
||||
|
||||
const isValidState = await wechatMpService.validateState(state);
|
||||
if (!isValidState) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Invalid or expired state',
|
||||
});
|
||||
}
|
||||
|
||||
const result = await wechatMpService.login(code);
|
||||
|
||||
if (!result.success) {
|
||||
@@ -106,4 +128,21 @@ router.get('/config', (_req: Request, res: Response) => {
|
||||
});
|
||||
});
|
||||
|
||||
function isRedirectAllowed(redirectUri: string): boolean {
|
||||
try {
|
||||
const url = new URL(redirectUri);
|
||||
if (!['http:', 'https:'].includes(url.protocol)) return false;
|
||||
|
||||
const allowlist = config.wechatMp.redirectAllowlist;
|
||||
if (allowlist.length > 0) {
|
||||
return allowlist.includes(url.host);
|
||||
}
|
||||
|
||||
const fallbackHost = new URL(config.mobileClientUrl).host;
|
||||
return url.host === fallbackHost;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export default router;
|
||||
|
||||
@@ -1,9 +1,13 @@
|
||||
import { randomUUID } from 'crypto';
|
||||
import { config } from '../config';
|
||||
import { logger } from '../utils/logger';
|
||||
import { createSessionToken } from '../utils/auth';
|
||||
import { redis } from '../config/redis';
|
||||
import type { WechatAccessTokenResponse, WechatUserInfo } from '@gala/shared/types';
|
||||
|
||||
const SESSION_TOKEN_TTL = 24 * 60 * 60; // 24 hours
|
||||
const STATE_TTL = 5 * 60; // 5 minutes
|
||||
const STATE_PREFIX = 'wechat_mp:state:';
|
||||
|
||||
/**
|
||||
* 微信公众号网页授权服务
|
||||
@@ -47,6 +51,31 @@ class WechatMpService {
|
||||
return `${baseUrl}?${params.toString()}#wechat_redirect`;
|
||||
}
|
||||
|
||||
/**
|
||||
* 创建并保存state(防止CSRF)
|
||||
*/
|
||||
async createState(): Promise<string> {
|
||||
const state = randomUUID();
|
||||
await redis.setex(`${STATE_PREFIX}${state}`, STATE_TTL, '1');
|
||||
return state;
|
||||
}
|
||||
|
||||
/**
|
||||
* 校验并消费state
|
||||
*/
|
||||
async validateState(state: string): Promise<boolean> {
|
||||
try {
|
||||
const key = `${STATE_PREFIX}${state}`;
|
||||
const exists = await redis.get(key);
|
||||
if (!exists) return false;
|
||||
await redis.del(key);
|
||||
return true;
|
||||
} catch (error) {
|
||||
logger.error({ error }, 'Failed to validate WeChat MP state');
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 用code换取access_token和openid
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user