fix: harden wechat mp oauth
This commit is contained in:
empty
@@ -10,7 +10,7 @@ const router = Router();
|
||||
* 获取公众号网页授权URL
|
||||
* 前端在微信环境中调用此接口,获取授权跳转URL
|
||||
*/
|
||||
router.get('/auth-url', (req: Request, res: Response) => {
|
||||
router.get('/auth-url', async (req: Request, res: Response) => {
|
||||
try {
|
||||
if (!wechatMpService.isConfigured()) {
|
||||
return res.json({
|
||||
@@ -22,8 +22,15 @@ router.get('/auth-url', (req: Request, res: Response) => {
|
||||
// 从query获取回调地址,默认使用移动端URL
|
||||
const redirectUri = (req.query.redirect_uri as string) || config.mobileClientUrl;
|
||||
|
||||
if (!isRedirectAllowed(redirectUri)) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Invalid redirect_uri',
|
||||
});
|
||||
}
|
||||
|
||||
// 生成随机state防止CSRF
|
||||
const state = Math.random().toString(36).slice(2, 15);
|
||||
const state = await wechatMpService.createState();
|
||||
|
||||
// 使用snsapi_base静默授权(只获取openid)
|
||||
const scope = (req.query.scope as 'snsapi_base' | 'snsapi_userinfo') || 'snsapi_base';
|
||||
@@ -55,7 +62,7 @@ router.get('/auth-url', (req: Request, res: Response) => {
|
||||
*/
|
||||
router.post('/login', async (req: Request, res: Response) => {
|
||||
try {
|
||||
const { code } = req.body;
|
||||
const { code, state } = req.body;
|
||||
|
||||
if (!code) {
|
||||
return res.status(400).json({
|
||||
@@ -64,6 +71,13 @@ router.post('/login', async (req: Request, res: Response) => {
|
||||
});
|
||||
}
|
||||
|
||||
if (!state) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Missing state parameter',
|
||||
});
|
||||
}
|
||||
|
||||
if (!wechatMpService.isConfigured()) {
|
||||
return res.json({
|
||||
success: false,
|
||||
@@ -71,6 +85,14 @@ router.post('/login', async (req: Request, res: Response) => {
|
||||
});
|
||||
}
|
||||
|
||||
const isValidState = await wechatMpService.validateState(state);
|
||||
if (!isValidState) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
error: 'Invalid or expired state',
|
||||
});
|
||||
}
|
||||
|
||||
const result = await wechatMpService.login(code);
|
||||
|
||||
if (!result.success) {
|
||||
@@ -106,4 +128,21 @@ router.get('/config', (_req: Request, res: Response) => {
|
||||
});
|
||||
});
|
||||
|
||||
function isRedirectAllowed(redirectUri: string): boolean {
|
||||
try {
|
||||
const url = new URL(redirectUri);
|
||||
if (!['http:', 'https:'].includes(url.protocol)) return false;
|
||||
|
||||
const allowlist = config.wechatMp.redirectAllowlist;
|
||||
if (allowlist.length > 0) {
|
||||
return allowlist.includes(url.host);
|
||||
}
|
||||
|
||||
const fallbackHost = new URL(config.mobileClientUrl).host;
|
||||
return url.host === fallbackHost;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
export default router;
|
||||
|
||||
Reference in New Issue
Block a user