perf: Links in WeCom messages can be opened without re-logging in.

2025-09-12 21:39:18 +00:00 · 2024-10-18 16:51:12 +08:00
parent cc1fcd2b98
commit 7c55c42582
6 changed files with 178 additions and 140 deletions
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -13,20 +13,17 @@ from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
 from authentication.permissions import UserConfirmation
 from common.sdk.im.wecom import URL
-from common.sdk.im.wecom import WeCom
+from common.sdk.im.wecom import WeCom, wecom_tool
 from common.utils import get_logger
-from common.utils.common import get_request_ip
 from common.utils.django import reverse, get_object_or_none, safe_next_url
-from common.utils.random import random_string
 from common.views.mixins import UserConfirmRequiredExceptionMixin, PermissionsMixin
 from users.models import User
 from users.views import UserVerifyPasswordView
 from .base import BaseLoginCallbackView, BaseBindCallbackView
 from .mixins import METAMixin, FlashMessageMixin

-logger = get_logger(__file__)

-WECOM_STATE_SESSION_KEY = '_wecom_state'
+logger = get_logger(__file__)


 class WeComBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, FlashMessageMixin, View):
@@ -45,7 +42,7 @@ class WeComBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, FlashM
            )

    def verify_state(self):
-        return self.verify_state_with_session_key(WECOM_STATE_SESSION_KEY)
+        return wecom_tool.check_state(self.request.GET.get('state'), self.request)

    def get_already_bound_response(self, redirect_url):
        msg = _('WeCom is already bound')
@@ -56,13 +53,10 @@ class WeComBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, FlashM
 class WeComQRMixin(WeComBaseMixin, View):

    def get_qr_url(self, redirect_uri):
-        state = random_string(16)
-        self.request.session[WECOM_STATE_SESSION_KEY] = state
-
        params = {
            'appid': settings.WECOM_CORPID,
            'agentid': settings.WECOM_AGENTID,
-            'state': state,
+            'state': wecom_tool.gen_state(request=self.request),
            'redirect_uri': redirect_uri,
        }
        url = URL.QR_CONNECT + '?' + urlencode(params)
@@ -74,13 +68,11 @@ class WeComOAuthMixin(WeComBaseMixin, View):
    def get_oauth_url(self, redirect_uri):
        if not settings.AUTH_WECOM:
            return reverse('authentication:login')
-        state = random_string(16)
-        self.request.session[WECOM_STATE_SESSION_KEY] = state

        params = {
            'appid': settings.WECOM_CORPID,
            'agentid': settings.WECOM_AGENTID,
-            'state': state,
+            'state': wecom_tool.gen_state(request=self.request),
            'redirect_uri': redirect_uri,
            'response_type': 'code',
            'scope': 'snsapi_base',