Sample program: why does WxPortalController#post not verify the signature? #73

Open
awaken233 opened this issue Jun 26, 2024 · 1 comment

Comments

@awaken233

Why does WxPortalController#post not call wxMaService.checkSignature(timestamp, nonce, signature) to verify the signature?

```java
@PostMapping(produces = "application/xml; charset=UTF-8")
public String post(@PathVariable String appid,
                   @RequestBody String requestBody,
                   @RequestParam(name = "msg_signature", required = false) String msgSignature,
                   @RequestParam(name = "encrypt_type", required = false) String encryptType,
                   @RequestParam(name = "signature", required = false) String signature,
                   @RequestParam("timestamp") String timestamp,
                   @RequestParam("nonce") String nonce) {
  log.info("\n接收微信请求:[msg_signature=[{}], encrypt_type=[{}], signature=[{}]," +
      " timestamp=[{}], nonce=[{}], requestBody=[\n{}\n] ",
    msgSignature, encryptType, signature, timestamp, nonce, requestBody);

  if (!wxMaService.switchover(appid)) {
    throw new IllegalArgumentException(String.format("未找到对应appid=[%s]的配置,请核实!", appid));
  }

  final boolean isJson = Objects.equals(wxMaService.getWxMaConfig().getMsgDataFormat(),
    WxMaConstants.MsgDataFormat.JSON);

  if (StringUtils.isBlank(encryptType)) {
    // message sent in plaintext
    WxMaMessage inMessage;
    if (isJson) {
      inMessage = WxMaMessage.fromJson(requestBody);
    } else { // xml
      inMessage = WxMaMessage.fromXml(requestBody);
    }
    this.route(inMessage);
    WxMaConfigHolder.remove(); // clear the ThreadLocal
    return "success";
  }

  if ("aes".equals(encryptType)) {
    // AES-encrypted message
    WxMaMessage inMessage;
    if (isJson) {
      inMessage = WxMaMessage.fromEncryptedJson(requestBody, wxMaService.getWxMaConfig());
    } else { // xml
      inMessage = WxMaMessage.fromEncryptedXml(requestBody, wxMaService.getWxMaConfig(),
        timestamp, nonce, msgSignature);
    }
    this.route(inMessage);
    WxMaConfigHolder.remove(); // clear the ThreadLocal
    return "success";
  }

  WxMaConfigHolder.remove(); // clear the ThreadLocal
  throw new RuntimeException("不可识别的加密类型:" + encryptType);
}
```

WxPortalController#authGet does verify the signature, but that method is only called when the URL, token and aesKey are configured in the Mini Program admin console and the token is verified manually, isn't it?

@awaken233 (Author)

The signature should still be verified, shouldn't it? I see that the sample program parses the message content directly with WxMaMessage.fromEncryptedXml(), which just decrypts with AES. It verifies neither the signature nor the message signature.
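The two checks the reporter is asking about, as an added example that is not WxJava's own code: the WeChat callback rule is SHA-1 over the lexicographically sorted concatenation of token, timestamp and nonce for `signature`, and of token, timestamp, nonce and the `Encrypt` ciphertext for `msg_signature`, compared in constant time. The class name, the token and the sample values are assumptions constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical helper, not part of WxJava. Implements the WeChat callback signature rule:
// sort the parts lexicographically, concatenate, SHA-1, lowercase hex.
public final class WxSignatureCheck {

  static String sha1Hex(String... parts) throws Exception {
    String[] sorted = parts.clone();
    Arrays.sort(sorted);                       // dictionary order, as the platform specifies
    byte[] data = String.join("", sorted).getBytes(StandardCharsets.UTF_8);
    byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
    StringBuilder hex = new StringBuilder(digest.length * 2);
    for (byte b : digest) hex.append(String.format("%02x", b));
    return hex.toString();
  }

  // Plaintext mode: verifies the "signature" query parameter the reporter mentions.
  public static boolean checkSignature(String token, String timestamp, String nonce,
                                       String signature) throws Exception {
    if (timestamp == null || nonce == null || signature == null) return false;
    String expected = sha1Hex(token, timestamp, nonce);
    // MessageDigest.isEqual is constant-time, unlike String.equals
    return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                 signature.toLowerCase().getBytes(StandardCharsets.UTF_8));
  }

  // Encrypted (encrypt_type=aes) mode: "msg_signature" also covers the <Encrypt> ciphertext,
  // so it is checked before any decryption is attempted.
  public static boolean checkMsgSignature(String token, String timestamp, String nonce,
                                          String encrypt, String msgSignature) throws Exception {
    if (timestamp == null || nonce == null || encrypt == null || msgSignature == null) return false;
    String expected = sha1Hex(token, timestamp, nonce, encrypt);
    return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                 msgSignature.toLowerCase().getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws Exception {
    String token = "demo-token";             // constructed sample values, not real config
    String ts = "1719360000", nonce = "abc123", cipher = "BASE64-CIPHERTEXT-PLACEHOLDER";
    String sig = sha1Hex(token, ts, nonce);
    String msgSig = sha1Hex(token, ts, nonce, cipher);
    System.out.println("valid signature: " + checkSignature(token, ts, nonce, sig));
    System.out.println("tampered nonce: " + checkSignature(token, ts, "other", sig));
    System.out.println("valid msg_signature: " + checkMsgSignature(token, ts, nonce, cipher, msgSig));
    System.out.println("tampered ciphertext: " + checkMsgSignature(token, ts, nonce, cipher + "x", msgSig));
  }
}
```

A handler would run the matching check on the incoming parameters before parsing `requestBody` and reject the request when it returns false.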
