wanwu/sub2api
1
0
Fork 0
mirror of https://gitee.com/wanwujie/sub2api synced 2026-05-05 13:40:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

Tighten WeChat OAuth capability mode selection

Browse Source
This commit is contained in:
IanShaw027
2026-04-21 00:46:40 +08:00
parent 12f4af742f
commit 067eb23d8e
15 changed files with 317 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
frontend/src/views/auth/WechatCallbackView.vue
View File

@@ -297,6 +297,7 @@ import {
login2FA,
prepareOAuthBindAccessTokenCookie,
persistOAuthTokenContext,
resolveWeChatOAuthStart,
type OAuthAdoptionDecision,
type PendingOAuthExchangeResponse
} from '@/api/auth'
@@ -378,7 +379,47 @@ function normalizeWeChatOAuthMode(value: unknown): 'open' | 'mp' | null {
return value === 'open' || value === 'mp' ? value : null
}
function resolveRequestedWeChatOAuthMode(): 'open' | 'mp' {
async function ensurePublicSettingsLoaded(): Promise<void> {
if (appStore.cachedPublicSettings || appStore.publicSettingsLoaded) {
return
}
try {
await appStore.fetchPublicSettings()
} catch {
// Fall back to legacy mode selection when public settings are unavailable.
}
}
function resolveConfiguredWeChatOAuthMode(): 'open' | 'mp' | null {
if (!appStore.cachedPublicSettings && !appStore.publicSettingsLoaded) {
return null
}
return resolveWeChatOAuthStart(appStore.cachedPublicSettings).mode
}
function resolveWeChatOAuthUnavailableMessage(): string {
const resolved = resolveWeChatOAuthStart(appStore.cachedPublicSettings)
switch (resolved.unavailableReason) {
case 'external_browser_required':
return 'This WeChat sign-in flow is only available in your system browser.'
case 'wechat_browser_required':
return 'This WeChat sign-in flow is only available inside the WeChat browser.'
case 'not_configured':
return 'WeChat sign-in is not configured yet.'
default:
return t('auth.loginFailed')
}
}
function resolveRequestedWeChatOAuthMode(): 'open' | 'mp' | null {
const configuredMode = resolveConfiguredWeChatOAuthMode()
if (configuredMode) {
return configuredMode
}
const queryMode = normalizeWeChatOAuthMode(route.query.mode)
return queryMode || resolveWeChatOAuthMode()
}
@@ -389,11 +430,15 @@ function resolveRedirectTarget(): string {
)
}
function resolveWeChatStartURL(intent: 'bind_current_user' | 'adopt_existing_user_by_email'): string {
function resolveWeChatStartURL(intent: 'bind_current_user' | 'adopt_existing_user_by_email'): string | null {
const apiBase = (import.meta.env.VITE_API_BASE_URL as string | undefined) || '/api/v1'
const normalized = apiBase.replace(/\/$/, '')
const mode = resolveRequestedWeChatOAuthMode()
if (!mode) {
return null
}
const params = new URLSearchParams({
mode: resolveRequestedWeChatOAuthMode(),
mode,
redirect: resolveRedirectTarget(),
intent,
})
@@ -406,11 +451,15 @@ function resolveWeChatStartURL(intent: 'bind_current_user' | 'adopt_existing_use
return `${normalized}/auth/oauth/wechat/start?${params.toString()}`
}
function buildExistingAccountResumePath(): string {
function buildExistingAccountResumePath(): string | null {
const mode = resolveRequestedWeChatOAuthMode()
if (!mode) {
return null
}
const params = new URLSearchParams({
wechat_bind_existing: '1',
redirect: resolveRedirectTarget(),
mode: resolveRequestedWeChatOAuthMode(),
mode,
})
const email = existingAccountEmail.value.trim()
@@ -444,14 +493,31 @@ function serializeAdoptionDecision(decision: OAuthAdoptionDecision): Record<stri
}
async function handleExistingAccountBinding() {
const unavailableMessage = resolveConfiguredWeChatOAuthMode() === null
? resolveWeChatOAuthUnavailableMessage()
: ''
if (getAuthToken()) {
const startURL = resolveWeChatStartURL('bind_current_user')
if (!startURL) {
errorMessage.value = unavailableMessage || resolveWeChatOAuthUnavailableMessage()
appStore.showError(errorMessage.value)
return
}
prepareOAuthBindAccessTokenCookie()
window.location.href = resolveWeChatStartURL('bind_current_user')
window.location.href = startURL
return
}
const resumePath = buildExistingAccountResumePath()
if (!resumePath) {
errorMessage.value = unavailableMessage || resolveWeChatOAuthUnavailableMessage()
appStore.showError(errorMessage.value)
return
}
const params = new URLSearchParams({
redirect: buildExistingAccountResumePath(),
redirect: resumePath,
})
const email = existingAccountEmail.value.trim()
if (email) {
@@ -720,19 +786,36 @@ async function handleSubmitTotpChallenge() {
}
onMounted(async () => {
await ensurePublicSettingsLoaded()
if (typeof route.query.email === 'string') {
existingAccountEmail.value = route.query.email
}
if (route.query.wechat_bind_existing === '1') {
if (getAuthToken()) {
const startURL = resolveWeChatStartURL('bind_current_user')
if (!startURL) {
errorMessage.value = resolveWeChatOAuthUnavailableMessage()
appStore.showError(errorMessage.value)
isProcessing.value = false
return
}
prepareOAuthBindAccessTokenCookie()
window.location.href = resolveWeChatStartURL('bind_current_user')
window.location.href = startURL
return
}
const resumePath = buildExistingAccountResumePath()
if (!resumePath) {
errorMessage.value = resolveWeChatOAuthUnavailableMessage()
appStore.showError(errorMessage.value)
isProcessing.value = false
return
}
const params = new URLSearchParams({
redirect: buildExistingAccountResumePath(),
redirect: resumePath,
})
const email = existingAccountEmail.value.trim()
if (email) {

44
frontend/src/views/auth/__tests__/WechatCallbackView.spec.ts
View File

@@ -14,8 +14,10 @@ const {
setTokenMock,
showSuccessMock,
showErrorMock,
fetchPublicSettingsMock,
routeState,
locationState,
appStoreState,
} = vi.hoisted(() => ({
exchangePendingOAuthCompletionMock: vi.fn(),
completeWeChatOAuthRegistrationMock: vi.fn(),
@@ -28,6 +30,7 @@ const {
setTokenMock: vi.fn(),
showSuccessMock: vi.fn(),
showErrorMock: vi.fn(),
fetchPublicSettingsMock: vi.fn(),
routeState: {
query: {} as Record<string, unknown>,
},
@@ -39,6 +42,10 @@ const {
pathname: '/auth/wechat/callback'
} as { href: string; hash: string; search: string; pathname: string },
},
appStoreState: {
cachedPublicSettings: null as null | Record<string, unknown>,
publicSettingsLoaded: false,
},
}))
vi.mock('vue-router', () => ({
@@ -102,8 +109,10 @@ vi.mock('@/stores', () => ({
setToken: setTokenMock,
}),
useAppStore: () => ({
...appStoreState,
showSuccess: showSuccessMock,
showError: showErrorMock,
fetchPublicSettings: fetchPublicSettingsMock,
}),
}))
@@ -139,7 +148,10 @@ describe('WechatCallbackView', () => {
showErrorMock.mockReset()
prepareOAuthBindAccessTokenCookieMock.mockReset()
getAuthTokenMock.mockReset()
fetchPublicSettingsMock.mockReset()
routeState.query = {}
appStoreState.cachedPublicSettings = null
appStoreState.publicSettingsLoaded = false
localStorage.clear()
locationState.current = {
href: 'http://localhost/auth/wechat/callback',
@@ -157,6 +169,38 @@ describe('WechatCallbackView', () => {
})
})
it('overrides an incompatible query mode with the configured open capability during bind recovery', async () => {
routeState.query = {
wechat_bind_existing: '1',
mode: 'mp',
redirect: '/profile',
}
appStoreState.cachedPublicSettings = {
wechat_oauth_enabled: true,
wechat_oauth_open_enabled: true,
wechat_oauth_mp_enabled: false,
}
appStoreState.publicSettingsLoaded = true
getAuthTokenMock.mockReturnValue('current-auth-token')
mount(WechatCallbackView, {
global: {
stubs: {
AuthLayout: { template: '<div><slot /></div>' },
Icon: true,
RouterLink: { template: '<a><slot /></a>' },
transition: false,
},
},
})
await flushPromises()
expect(prepareOAuthBindAccessTokenCookieMock).toHaveBeenCalledTimes(1)
expect(locationState.current.href).toContain('mode=open')
expect(locationState.current.href).not.toContain('mode=mp')
})
it('does not send adoption decisions during the initial exchange', async () => {
exchangePendingOAuthCompletionMock.mockResolvedValue({
access_token: 'access-token',