weixin connect (#7184)

* weixin connect * update
2025-07-16 08:16:55 +00:00 · 2024-12-16 10:10:40 +08:00 · 2024-12-16 10:10:40 +08:00 · f6fb7ce715
commit f6fb7ce715
parent 13c9525df1
9 changed files with 238 additions and 8 deletions
--- a/frontend/src/components/dialog/confirm-disconnect-weixin.js
+++ b/frontend/src/components/dialog/confirm-disconnect-weixin.js
@ -0,0 +1,45 @@
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import { Modal, ModalHeader, ModalBody, ModalFooter, Button } from 'reactstrap';
+import { gettext } from '../../utils/constants';
+
+const propTypes = {
+  formActionURL: PropTypes.string.isRequired,
+  csrfToken: PropTypes.string.isRequired,
+  toggle: PropTypes.func.isRequired
+};
+
+class ConfirmDisconnectWeixin extends Component {
+
+  constructor(props) {
+    super(props);
+    this.form = React.createRef();
+  }
+
+  disconnect = () => {
+    this.form.current.submit();
+  };
+
+  render() {
+    const { formActionURL, csrfToken, toggle } = this.props;
+    return (
+      <Modal centered={true} isOpen={true} toggle={toggle}>
+        <ModalHeader toggle={toggle}>{gettext('Disconnect')}</ModalHeader>
+        <ModalBody>
+          <p>{gettext('Are you sure you want to disconnect?')}</p>
+          <form ref={this.form} className="d-none" method="post" action={formActionURL}>
+            <input type="hidden" name="csrfmiddlewaretoken" value={csrfToken} />
+          </form>
+        </ModalBody>
+        <ModalFooter>
+          <Button color="secondary" onClick={toggle}>{gettext('Cancel')}</Button>
+          <Button color="primary" onClick={this.disconnect}>{gettext('Disconnect')}</Button>
+        </ModalFooter>
+      </Modal>
+    );
+  }
+}
+
+ConfirmDisconnectWeixin.propTypes = propTypes;
+
+export default ConfirmDisconnectWeixin;
--- a/frontend/src/components/user-settings/social-login-weixin.js
+++ b/frontend/src/components/user-settings/social-login-weixin.js
@ -0,0 +1,59 @@
+import React from 'react';
+import { gettext, siteRoot } from '../../utils/constants';
+import ModalPortal from '../modal-portal';
+import ConfirmDisconnectWeixin from '../dialog/confirm-disconnect-weixin';
+
+const {
+  csrfToken,
+  langCode,
+  socialConnectedWeixin,
+  socialNextPage
+} = window.app.pageOptions;
+
+class SocialLoginWeixin extends React.Component {
+
+  constructor(props) {
+    super(props);
+    this.state = {
+      isConfirmDialogOpen: false
+    };
+  }
+
+  confirmDisconnect = () => {
+    this.setState({
+      isConfirmDialogOpen: true
+    });
+  };
+
+  toggleDialog = () => {
+    this.setState({
+      isConfirmDialogOpen: !this.state.isConfirmDialogOpen
+    });
+  };
+
+  render() {
+    return (
+      <React.Fragment>
+        <div className="setting-item" id="social-auth">
+          <h3 className="setting-item-heading">{gettext('Social Login')}</h3>
+          <p className="mb-2">{langCode == 'zh-cn' ? '微信' : 'Weixin'}</p>
+          {socialConnectedWeixin ?
+            <button className="btn btn-outline-primary" onClick={this.confirmDisconnect}>{gettext('Disconnect')}</button> :
+            <a href={`${siteRoot}weixin/oauth-connect/?next=${encodeURIComponent(socialNextPage)}`} className="btn btn-outline-primary">{gettext('Connect')}</a>
+          }
+        </div>
+        {this.state.isConfirmDialogOpen && (
+          <ModalPortal>
+            <ConfirmDisconnectWeixin
+              formActionURL={`${siteRoot}weixin/oauth-disconnect/?next=${encodeURIComponent(socialNextPage)}`}
+              csrfToken={csrfToken}
+              toggle={this.toggleDialog}
+            />
+          </ModalPortal>
+        )}
+      </React.Fragment>
+    );
+  }
+}
+
+export default SocialLoginWeixin;
--- a/frontend/src/settings.js
+++ b/frontend/src/settings.js
@ -19,6 +19,7 @@ import EmailNotice from './components/user-settings/email-notice';
 import TwoFactorAuthentication from './components/user-settings/two-factor-auth';
 import SocialLogin from './components/user-settings/social-login';
 import SocialLoginDingtalk from './components/user-settings/social-login-dingtalk';
+import SocialLoginWeixin from './components/user-settings/social-login-weixin';
 import SocialLoginSAML from './components/user-settings/social-login-saml';
 import LinkedDevices from './components/user-settings/linked-devices';
 import DeleteAccount from './components/user-settings/delete-account';
@ -39,6 +40,7 @@ const {
  twoFactorAuthEnabled,
  enableWechatWork,
  enableDingtalk,
+  enableWeixin,
  isOrgContext,
  enableADFS,
  enableMultiADFS,
@ -59,7 +61,7 @@ class Settings extends React.Component {
      { show: true, href: '#lang-setting', text: gettext('Language') },
      { show: isPro, href: '#email-notice', text: gettext('Email Notification') },
      { show: twoFactorAuthEnabled, href: '#two-factor-auth', text: gettext('Two-Factor Authentication') },
-      { show: (enableWechatWork || enableDingtalk || enableADFS || (enableMultiADFS || isOrgContext)), href: '#social-auth', text: gettext('Social Login') },
+      { show: (enableWechatWork || enableDingtalk || enableWeixin || enableADFS || (enableMultiADFS || isOrgContext)), href: '#social-auth', text: gettext('Social Login') },
      { show: true, href: '#linked-devices', text: gettext('Linked Devices') },
      { show: enableDeleteAccount, href: '#del-account', text: gettext('Delete Account') },
    ];
@ -180,6 +182,7 @@ class Settings extends React.Component {
                {twoFactorAuthEnabled && <TwoFactorAuthentication />}
                {enableWechatWork && <SocialLogin />}
                {enableDingtalk && <SocialLoginDingtalk />}
+                {enableWeixin && <SocialLoginWeixin />}
                {(enableADFS || (enableMultiADFS && isOrgContext)) && <SocialLoginSAML />}
                <LinkedDevices />
                {enableDeleteAccount && <DeleteAccount />}
--- a/seahub/profile/templates/profile/set_profile_react.html
+++ b/seahub/profile/templates/profile/set_profile_react.html
@ -78,6 +78,12 @@ window.app.pageOptions = {
  socialNextPage: "{{ social_next_page|escapejs }}",
  {% endif %}

+  enableWeixin: {% if enable_weixin %} true {% else %} false {% endif %},
+  {% if enable_weixin %}
+  socialConnectedWeixin: {% if social_connected_weixin %} true {% else %} false {% endif %},
+  socialNextPage: "{{ social_next_page|escapejs }}",
+  {% endif %}
+
  enableADFS: {% if enable_adfs %} true {% else %} false {% endif %},
  {% if enable_adfs %}
  samlConnected: {% if saml_connected %} true {% else %} false {% endif %},
--- a/seahub/profile/views.py
+++ b/seahub/profile/views.py
@ -26,10 +26,11 @@ from seahub.views import get_owned_repo_list
 from seahub.work_weixin.utils import work_weixin_oauth_check
 from seahub.settings import ENABLE_DELETE_ACCOUNT, ENABLE_UPDATE_USER_INFO, ENABLE_ADFS_LOGIN, ENABLE_MULTI_ADFS
 from seahub.dingtalk.settings import ENABLE_DINGTALK
+from seahub.weixin.settings import ENABLE_WEIXIN
 from constance import config
 try:
    from seahub.settings import SAML_PROVIDER_IDENTIFIER
-except ImportError as e:
+except ImportError:
    SAML_PROVIDER_IDENTIFIER = 'saml'


@ -107,6 +108,14 @@ def edit_profile(request):
        enable_dingtalk = False
        social_connected_dingtalk = False

+    if ENABLE_WEIXIN:
+        enable_weixin = True
+        social_connected_weixin = SocialAuthUser.objects.filter(
+            username=request.user.username, provider='weixin').count() > 0
+    else:
+        enable_weixin = False
+        social_connected_weixin = False
+
    if ENABLE_ADFS_LOGIN:
        enable_adfs = True
        saml_connected = SocialAuthUser.objects.filter(
@ -164,6 +173,8 @@ def edit_profile(request):
            'social_connected': social_connected,
            'enable_dingtalk': enable_dingtalk,
            'social_connected_dingtalk': social_connected_dingtalk,
+            'enable_weixin': enable_weixin,
+            'social_connected_weixin': social_connected_weixin,
            'ENABLE_USER_SET_CONTACT_EMAIL': settings.ENABLE_USER_SET_CONTACT_EMAIL,
            'ENABLE_USER_SET_NAME': settings.ENABLE_USER_SET_NAME,
            'user_unusable_password': request.user.enc_password == UNUSABLE_PASSWORD,
--- a/seahub/settings.py
+++ b/seahub/settings.py
@ -271,6 +271,7 @@ INSTALLED_APPS = [
    'seahub.file_tags',
    'seahub.related_files',
    'seahub.work_weixin',
+    'seahub.weixin',
    'seahub.dingtalk',
    'seahub.file_participants',
    'seahub.repo_api_tokens',
--- a/seahub/weixin/templates/weixin/weixin_user_not_found_error.html
+++ b/seahub/weixin/templates/weixin/weixin_user_not_found_error.html
@ -0,0 +1,8 @@
+{% extends 'base.html' %}
+
+{% block main_content %}
+<div class="text-panel">
+    <p class="error">没找到对应的账号，请先用邮箱注册一个团队账号，然后在个人设置页绑定微信后再扫码登录。</p>
+    <p class="error"><a href="{% url 'org_register' %}">[注册团队账号]</a></p>
+</div>
+{% endblock %}
--- a/seahub/weixin/urls.py
+++ b/seahub/weixin/urls.py
@ -2,9 +2,13 @@
 # encoding: utf-8

 from django.urls import path
-from seahub.weixin.views import weixin_oauth_login, weixin_oauth_callback
+from seahub.weixin.views import weixin_oauth_login, weixin_oauth_callback, \
+        weixin_oauth_disconnect, weixin_oauth_connect, weixin_oauth_connect_callback

 urlpatterns = [
    path('oauth-login/', weixin_oauth_login, name='weixin_oauth_login'),
    path('oauth-callback/', weixin_oauth_callback, name='weixin_oauth_callback'),
+    path('oauth-connect/', weixin_oauth_connect, name='weixin_oauth_connect'),
+    path('oauth-connect-callback/', weixin_oauth_connect_callback, name='weixin_oauth_connect_callback'),
+    path('oauth-disconnect/', weixin_oauth_disconnect, name='weixin_oauth_disconnect'),
 ]
--- a/seahub/weixin/views.py
+++ b/seahub/weixin/views.py
@ -9,6 +9,7 @@ from django.http import HttpResponseRedirect
 from django.urls import reverse
 from django.core.files.base import ContentFile
 from django.utils.translation import gettext as _
+from django.shortcuts import render

 from seahub.api2.utils import get_api_token

@ -18,13 +19,15 @@ from seahub.avatar.models import Avatar
 from seahub.profile.models import Profile
 from seahub.utils import render_error, get_site_scheme_and_netloc
 from seahub.auth.models import SocialAuthUser
+from seahub.utils.auth import VIRTUAL_ID_EMAIL_DOMAIN
+from seahub.auth.decorators import login_required
 from seahub.settings import SITE_ROOT

 from seahub.weixin.settings import ENABLE_WEIXIN, \
        WEIXIN_OAUTH_APP_ID, WEIXIN_OAUTH_APP_SECRET, \
        WEIXIN_OAUTH_SCOPE, WEIXIN_OAUTH_RESPONSE_TYPE, WEIXIN_OAUTH_QR_CONNECT_URL, \
        WEIXIN_OAUTH_GRANT_TYPE, WEIXIN_OAUTH_ACCESS_TOKEN_URL, \
-        WEIXIN_OAUTH_USER_INFO_URL
+        WEIXIN_OAUTH_USER_INFO_URL, WEIXIN_OAUTH_CREATE_UNKNOWN_USER

 logger = logging.getLogger(__name__)

@ -34,15 +37,17 @@ logger = logging.getLogger(__name__)
 def weixin_oauth_login(request):

    if not ENABLE_WEIXIN:
-        return render_error(request, _('Error, please contact administrator.'))
+        return render_error(request, _('Feature is not enabled.'))

    state = str(uuid.uuid4())
    request.session['weixin_oauth_login_state'] = state
-    request.session['weixin_oauth_login_redirect'] = request.GET.get(auth.REDIRECT_FIELD_NAME, '/')
+    redirect_to = request.GET.get(auth.REDIRECT_FIELD_NAME, SITE_ROOT)
+    request.session['weixin_oauth_login_redirect'] = redirect_to

+    redirect_uri = get_site_scheme_and_netloc() + reverse('weixin_oauth_callback')
    data = {
        'appid': WEIXIN_OAUTH_APP_ID,
-        'redirect_uri': get_site_scheme_and_netloc() + reverse('weixin_oauth_callback'),
+        'redirect_uri': redirect_uri,
        'response_type': WEIXIN_OAUTH_RESPONSE_TYPE,
        'scope': WEIXIN_OAUTH_SCOPE,
        'state': state,
@ -54,7 +59,7 @@ def weixin_oauth_login(request):
 def weixin_oauth_callback(request):

    if not ENABLE_WEIXIN:
-        return render_error(request, _('Error, please contact administrator.'))
+        return render_error(request, _('Feature is not enabled.'))

    state = request.GET.get('state', '')
    if not state or state != request.session.get('weixin_oauth_login_state', ''):
@ -89,6 +94,9 @@ def weixin_oauth_callback(request):
        email = None
        is_new_user = True

+    if is_new_user and not WEIXIN_OAUTH_CREATE_UNKNOWN_USER:
+        return render(request, 'weixin/weixin_user_not_found_error.html')
+
    try:
        user = auth.authenticate(remote_user=email)
        email = user.username
@ -147,3 +155,88 @@ def weixin_oauth_callback(request):
                                                        SITE_ROOT))
    response.set_cookie('seahub_auth', email + '@' + api_token.key)
    return response
+
+
+@login_required
+def weixin_oauth_connect(request):
+
+    if not ENABLE_WEIXIN:
+        return render_error(request, _('Feature is not enabled.'))
+
+    state = str(uuid.uuid4())
+    request.session['weixin_oauth_connect_state'] = state
+    redirect_to = request.GET.get(auth.REDIRECT_FIELD_NAME, SITE_ROOT)
+    request.session['weixin_oauth_connect_redirect'] = redirect_to
+
+    redirect_uri = get_site_scheme_and_netloc() + reverse('weixin_oauth_connect_callback')
+    data = {
+        'appid': WEIXIN_OAUTH_APP_ID,
+        'redirect_uri': redirect_uri,
+        'response_type': WEIXIN_OAUTH_RESPONSE_TYPE,
+        'scope': WEIXIN_OAUTH_SCOPE,
+        'state': state,
+    }
+    url = WEIXIN_OAUTH_QR_CONNECT_URL + '?' + urllib.parse.urlencode(data)
+    return HttpResponseRedirect(url)
+
+
+@login_required
+def weixin_oauth_connect_callback(request):
+
+    if not ENABLE_WEIXIN:
+        return render_error(request, _('Feature is not enabled.'))
+
+    state = request.GET.get('state', '')
+    if not state or state != request.session.get('weixin_oauth_connect_state', ''):
+        logger.error('invalid state')
+        return render_error(request, _('Error, please contact administrator.'))
+
+    # get access_token and user openid
+    parameters = {
+        'appid': WEIXIN_OAUTH_APP_ID,
+        'secret': WEIXIN_OAUTH_APP_SECRET,
+        'code': request.GET.get('code'),
+        'grant_type': WEIXIN_OAUTH_GRANT_TYPE,
+    }
+
+    access_token_url = WEIXIN_OAUTH_ACCESS_TOKEN_URL + '?' + urllib.parse.urlencode(parameters)
+    access_token_json = requests.get(access_token_url).json()
+
+    openid = access_token_json.get('openid', '')
+    access_token = access_token_json.get('access_token', '')
+    if not access_token or not openid:
+        logger.error('invalid access_token or openid')
+        logger.error(access_token_url)
+        logger.error(access_token_json)
+        return render_error(request, _('Error, please contact administrator.'))
+
+    auth_user = SocialAuthUser.objects.get_by_provider_and_uid('weixin', openid)
+    if auth_user:
+        logger.warning('weixin account already exists %s' % openid)
+        return render_error(request, '出错了，此微信账号已被绑定')
+
+    username = request.user.username
+    SocialAuthUser.objects.add(username, 'weixin', openid)
+
+    weixin_oauth_connect_redirect = request.session['weixin_oauth_connect_redirect']
+    response = HttpResponseRedirect(weixin_oauth_connect_redirect)
+    return response
+
+
+@login_required
+def weixin_oauth_disconnect(request):
+
+    if not ENABLE_WEIXIN:
+        return render_error(request, _('Feature is not enabled.'))
+
+    username = request.user.username
+    if username[-(len(VIRTUAL_ID_EMAIL_DOMAIN)):] == VIRTUAL_ID_EMAIL_DOMAIN:
+        profile = Profile.objects.get_profile_by_user(username)
+        if not profile:
+            return render_error(request, '出错了，当前账号不能解绑微信')
+
+    SocialAuthUser.objects.delete_by_username_and_provider(username, 'weixin')
+
+    # redirect user to page
+    response = HttpResponseRedirect(request.GET.get(auth.REDIRECT_FIELD_NAME, SITE_ROOT))
+    return response