wechat 0.7.8 → 0.7.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 53ffffaf24d8d96f29551c79c5de7ffa1829a918
-  data.tar.gz: d98f374eda600f2c61a1ce1dfcbe408663538b08
+  metadata.gz: 5457309cd442e525f5769f1fb632c3d9e5c0eb10
+  data.tar.gz: a8fbea864c6c3e26ed689628ec137818864b6479
 SHA512:
-  metadata.gz: f3a9d2da9c57c99b535c5f1f29a36f796100f23997386cfe922415df30aeb5d32e0e0634e99f6e5cf58e3ba2d1bf8b0e6a47bccdc4d3e1eb2db84d48fff9af61
-  data.tar.gz: f8913573a84ca830f21b14be23d446b336ef4daa010ec2501185dd3da102cc98244ef3e6ddc74d72b7b9781ce452e7065f8614b86690c62148742a564c771563
+  metadata.gz: bee8b03680fa64611e07fd7ce78f5c0683b4fb1877e79240aabd5ab22c330a9e1d9ad0f2a56444bbf53e8722d1b1026203b9d5d43565a99d0ebb0186f9bcea68
+  data.tar.gz: f368347ad7a5601cdf7ab77390e3bab3a46a6a07bd9673639762d986315ce6befa6aac438a1d11c4f9922912b96c8280957513003d49ff4b68efc18ae7e092b6

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## v0.7.9 (released at 4/12/2016)
+
+* wechat_oauth2 support public account now.
+* Refresh and store state on jsapi ticket, using it on oauth2_url to more secure.
+* Remove extra sending payload in message template send json
+* Allow setting oauth2_cookie_duration in config
+
 ## v0.7.8 (released at 3/31/2016)
 
 * New wechat_api, similar to wechat_responder, but without messange handle DSL, support web page only wechat application

data/README-CN.md

@@ -98,12 +98,15 @@ default: &default
   secret: "app_secret"
   token:  "app_token"
   access_token: "/var/tmp/wechat_access_token"
+  jsapi_ticket: "/var/tmp/wechat_jsapi_ticket"
 
 production:
   appid: <%= ENV['WECHAT_APPID'] %>
   secret: <%= ENV['WECHAT_APP_SECRET'] %>
   token:   <%= ENV['WECHAT_TOKEN'] %>
-  access_token:  <%= ENV['WECHAT_ACCESS_TOKEN'] %>
+  access_token: <%= ENV['WECHAT_ACCESS_TOKEN'] %>
+  jsapi_ticket: <%= ENV['WECHAT_JSAPI_TICKET'] %>
+  oauth2_cookie_duration: <%= ENV['WECHAT_OAUTH2_COOKIE_DURATION'] %>
 
 development:
   <<: *default
@@ -143,6 +146,7 @@ production:
   skip_verify_ssl: true
   encoding_aes_key:  <%= ENV['WECHAT_ENCODING_AES_KEY'] %>
   jsapi_ticket: <%= ENV['WECHAT_JSAPI_TICKET'] %>
+  oauth2_cookie_duration: <%= ENV['WECHAT_OAUTH2_COOKIE_DURATION'] %>
 
 development:
   <<: *default
@@ -196,7 +200,21 @@ end
 
 #### OAuth2.0验证接口支持
 
-目前企业号可以使用如下代码直接取得用户企业号userid：
+公众号可使用如下代码取得关注用户的相关信息。
+
+```ruby
+class CartController < ActionController::Base
+  wechat_api
+  def index
+    wechat_oauth2 do |openid|
+      @current_user = User.find_by(wechat_openid: openid)
+      @articles = @current_user.articles
+    end
+  end
+end
+```
+
+企业号可使用如下代码取得企业用户的相关信息。
 
 ```ruby
 class WechatsController < ActionController::Base
@@ -212,7 +230,7 @@ class WechatsController < ActionController::Base
 end
 ```
 
-`wechat_oauth2`封装了OAuth2.0验证接口和cookie处理逻辑，用户仅需提供业务代码块即可，userid就是微信成员UserID。
+`wechat_oauth2`封装了OAuth2.0验证接口和cookie处理逻辑，用户仅需提供业务代码块即可。userid指的是微信企业成员UserID，openid是关注该公众号的用户openid。
 
 ## 关于接口权限
 

data/README.md

@@ -108,12 +108,15 @@ default: &default
   secret: "app_secret"
   token:  "app_token"
   access_token: "/var/tmp/wechat_access_token"
+  jsapi_ticket: "/var/tmp/wechat_jsapi_ticket"
 
 production:
   appid: <%= ENV['WECHAT_APPID'] %>
   secret: <%= ENV['WECHAT_APP_SECRET'] %>
   token:   <%= ENV['WECHAT_TOKEN'] %>
-  access_token:  <%= ENV['WECHAT_ACCESS_TOKEN'] %>
+  access_token: <%= ENV['WECHAT_ACCESS_TOKEN'] %>
+  jsapi_ticket: <%= ENV['WECHAT_JSAPI_TICKET'] %>
+  oauth2_cookie_duration: <%= ENV['WECHAT_OAUTH2_COOKIE_DURATION'] %>
 
 development:
   <<: *default
@@ -156,6 +159,7 @@ production:
   skip_verify_ssl: true # not recommend
   encoding_aes_key:  <%= ENV['WECHAT_ENCODING_AES_KEY'] %>
   jsapi_ticket: <%= ENV['WECHAT_JSAPI_TICKET'] %>
+  oauth2_cookie_duration: <%= ENV['WECHAT_OAUTH2_COOKIE_DURATION'] %>
 
 development:
   <<: *default
@@ -209,7 +213,21 @@ Configure the `trusted_domain_fullname` if you are in development mode and app r
 
 #### OAuth2.0 authentication
 
-For enterprise account, user can using userid directly by provide a block in wechat_oauth2:
+For public account, below code will get flollowing user's info.
+
+```ruby
+class CartController < ActionController::Base
+  wechat_api
+  def index
+    wechat_oauth2 do |openid|
+      @current_user = User.find_by(wechat_openid: openid)
+      @articles = @current_user.articles
+    end
+  end
+end
+```
+
+For enterprise account, below code will get enterprise member's userinfo.
 
 ```ruby
 class WechatsController < ActionController::Base
@@ -225,7 +243,7 @@ class WechatsController < ActionController::Base
 end
 ```
 
-`wechat_oauth2` already implement the necessory OAuth2.0 and cookie logic, userid available as a member UserID for the whole block.
+`wechat_oauth2` already implement the necessory OAuth2.0 and cookie logic. userid defined as the enterprise member UserID. openid defined as the user who following the public account, also notice openid will be different for the same user for different following public account.
 
 
 ## The API privilege

data/lib/action_controller/wechat_responder.rb

@@ -22,6 +22,7 @@ module ActionController
       self.skip_verify_ssl = opts[:skip_verify_ssl]
       self.encoding_aes_key = opts[:encoding_aes_key] || Wechat.config.encoding_aes_key
       self.trusted_domain_fullname = opts[:trusted_domain_fullname] || Wechat.config.trusted_domain_fullname
+      self.oauth2_cookie_duration = opts[:oauth2_cookie_duration] || Wechat.config.oauth2_cookie_duration || 1.hour
 
       return self.wechat = Wechat.api if opts.empty?
       if corpid.present?

data/lib/generators/wechat/templates/config/wechat.yml

@@ -24,7 +24,8 @@ production:
   access_token:  <%%= ENV['WECHAT_ACCESS_TOKEN'] %>
   encrypt_mode: false # if true must fill encoding_aes_key
   encoding_aes_key:  <%%= ENV['WECHAT_ENCODING_AES_KEY'] %>
-  jsapi_ticket: <%= ENV['WECHAT_JSAPI_TICKET'] %>
+  jsapi_ticket: <%%= ENV['WECHAT_JSAPI_TICKET'] %>
+  oauth2_cookie_duration: <%%= ENV['WECHAT_OAUTH2_COOKIE_DURATION'] %>
 
 development:
   <<: *default

data/lib/wechat/api.rb

@@ -1,15 +1,14 @@
 require 'wechat/api_base'
-require 'wechat/client'
+require 'wechat/http_client'
 require 'wechat/token/public_access_token'
 require 'wechat/ticket/public_jsapi_ticket'
 
 module Wechat
   class Api < ApiBase
     API_BASE = 'https://api.weixin.qq.com/cgi-bin/'.freeze
-    OAUTH2_BASE = 'https://api.weixin.qq.com/sns/oauth2/'.freeze
 
     def initialize(appid, secret, token_file, timeout, skip_verify_ssl, jsapi_ticket_file)
-      @client = Client.new(API_BASE, timeout, skip_verify_ssl)
+      @client = HttpClient.new(API_BASE, timeout, skip_verify_ssl)
       @access_token = Token::PublicAccessToken.new(@client, appid, secret, token_file)
       @jsapi_ticket = Ticket::PublicJsapiTicket.new(@client, @access_token, jsapi_ticket_file)
     end
@@ -130,8 +129,8 @@ module Wechat
       get 'customservice/getonlinekflist'
     end
 
-    # http://mp.weixin.qq.com/wiki/17/c0f37d5704f0b64713d5d2c37b468d75.html
-    # 第二步：通过code换取网页授权access_token
+    OAUTH2_BASE = 'https://api.weixin.qq.com/sns/'.freeze
+
     def web_access_token(code)
       params = {
         appid: access_token.appid,
@@ -139,7 +138,24 @@ module Wechat
         code: code,
         grant_type: 'authorization_code'
       }
-      get 'access_token', params: params, base: OAUTH2_BASE
+      client.get 'oauth2/access_token', params: params, base: OAUTH2_BASE
+    end
+
+    def web_auth_access_token(web_access_token, openid)
+      client.get 'auth', params: { access_token: web_access_token, openid: openid }, base: OAUTH2_BASE
+    end
+
+    def web_refresh_access_token(user_refresh_token)
+      params = {
+        appid: access_token.appid,
+        grant_type: 'refresh_token',
+        refresh_token: user_refresh_token
+      }
+      client.get 'oauth2/refresh_token', params: params, base: OAUTH2_BASE
+    end
+
+    def web_userinfo(web_access_token, openid, lang = 'zh_CN')
+      client.get 'sns/userinfo', params: { access_token: web_access_token, openid: openid, lang: lang }, base: OAUTH2_BASE
     end
   end
 end

data/lib/wechat/cipher.rb

@@ -1,5 +1,4 @@
 require 'openssl/cipher'
-require 'securerandom'
 require 'base64'
 
 module Wechat

data/lib/wechat/controller_api.rb

@@ -3,14 +3,15 @@ module Wechat
     extend ActiveSupport::Concern
 
     module ClassMethods
-      attr_accessor :wechat, :token, :appid, :corpid, :agentid, :encrypt_mode, :timeout, :skip_verify_ssl, :encoding_aes_key, :trusted_domain_fullname
+      attr_accessor :wechat, :token, :appid, :corpid, :agentid, :encrypt_mode, :timeout,
+                    :skip_verify_ssl, :encoding_aes_key, :trusted_domain_fullname, :oauth2_cookie_duration
     end
 
     def wechat
       self.class.wechat # Make sure user can continue access wechat at instance level similar to class level
     end
 
-    def wechat_oauth2(scope = 'snsapi_base', page_url = nil)
+    def wechat_oauth2(scope = 'snsapi_base', page_url = nil, &block)
       appid = self.class.corpid || self.class.appid
       page_url ||= if self.class.trusted_domain_fullname
                      "#{self.class.trusted_domain_fullname}#{request.original_fullpath}"
@@ -18,17 +19,38 @@ module Wechat
                      request.original_url
                    end
       redirect_uri = CGI.escape(page_url)
-      oauth2_url = "https://open.weixin.qq.com/connect/oauth2/authorize?appid=#{appid}&redirect_uri=#{redirect_uri}&response_type=code&scope=#{scope}#wechat_redirect"
+      oauth2_url = "https://open.weixin.qq.com/connect/oauth2/authorize?appid=#{appid}&redirect_uri=#{redirect_uri}&response_type=code&scope=#{scope}&state=#{wechat.jsapi_ticket.oauth2_state}#wechat_redirect"
 
       return oauth2_url unless block_given?
-      raise 'Currently wechat_oauth2 only support enterprise account.' unless self.class.corpid
+      if self.class.corpid
+        wechat_corp_oauth2(oauth2_url, &block)
+      else
+        wechat_public_oauth2(oauth2_url, &block)
+      end
+    end
+
+    private
+
+    def wechat_public_oauth2(oauth2_url)
+      if cookies.signed_or_encrypted[:we_openid].blank? && params[:code].blank?
+        redirect_to oauth2_url
+      elsif cookies.signed_or_encrypted[:we_openid].blank? && params[:code].present? && params[:state] == wechat.jsapi_ticket.oauth2_state
+        access_info = wechat.web_access_token(params[:code])
+        cookies.signed_or_encrypted[:we_openid] = { value: access_info['openid'], expires: self.class.oauth2_cookie_duration.from_now }
+        yield access_info['openid'], access_info
+      else
+        yield cookies.signed_or_encrypted[:we_openid], { 'openid' => cookies.signed_or_encrypted[:we_openid] }
+      end
+    end
+
+    def wechat_corp_oauth2(oauth2_url)
       if cookies.signed_or_encrypted[:we_deviceid].blank? && params[:code].blank?
         redirect_to oauth2_url
-      elsif cookies.signed_or_encrypted[:we_deviceid].blank? && params[:code].present?
+      elsif cookies.signed_or_encrypted[:we_deviceid].blank? && params[:code].present? && params[:state] == wechat.jsapi_ticket.oauth2_state
         userinfo = wechat.getuserinfo(params[:code])
-        cookies.signed_or_encrypted[:we_userid] = { value: userinfo['UserId'], expires: 1.hour.from_now }
-        cookies.signed_or_encrypted[:we_deviceid] = { value: userinfo['DeviceId'], expires: 1.hour.from_now }
-        cookies.signed_or_encrypted[:we_openid] = { value: userinfo['OpenId'], expires: 1.hour.from_now }
+        cookies.signed_or_encrypted[:we_userid] = { value: userinfo['UserId'], expires: self.class.oauth2_cookie_duration.from_now }
+        cookies.signed_or_encrypted[:we_deviceid] = { value: userinfo['DeviceId'], expires: self.class.oauth2_cookie_duration.from_now }
+        cookies.signed_or_encrypted[:we_openid] = { value: userinfo['OpenId'], expires: self.class.oauth2_cookie_duration.from_now }
         yield userinfo['UserId'], userinfo
       else
         yield cookies.signed_or_encrypted[:we_userid], { 'UserId' => cookies.signed_or_encrypted[:we_userid],

data/lib/wechat/corp_api.rb

@@ -1,5 +1,5 @@
 require 'wechat/api_base'
-require 'wechat/client'
+require 'wechat/http_client'
 require 'wechat/token/corp_access_token'
 require 'wechat/ticket/corp_jsapi_ticket'
 require 'cgi'
@@ -11,7 +11,7 @@ module Wechat
     API_BASE = 'https://qyapi.weixin.qq.com/cgi-bin/'.freeze
 
     def initialize(appid, secret, token_file, agentid, timeout, skip_verify_ssl, jsapi_ticket_file)
-      @client = Client.new(API_BASE, timeout, skip_verify_ssl)
+      @client = HttpClient.new(API_BASE, timeout, skip_verify_ssl)
       @access_token = Token::CorpAccessToken.new(@client, appid, secret, token_file)
       @agentid = agentid
       @jsapi_ticket = Ticket::CorpJsapiTicket.new(@client, @access_token, jsapi_ticket_file)

data/lib/wechat/{client.rb → http_client.rb}

@@ -1,7 +1,7 @@
 require 'http'
 
 module Wechat
-  class Client
+  class HttpClient
     attr_reader :base, :ssl_context
 
     def initialize(base, timeout, skip_verify_ssl)
@@ -39,10 +39,10 @@ module Wechat
     private
 
     def request(path, header = {}, &_block)
-      url = "#{header.delete(:base) || base}#{path}"
+      url_base = header.delete(:base) || base
       as = header.delete(:as)
       header['Accept'] = 'application/json'
-      response = yield(url, header)
+      response = yield("#{url_base}#{path}", header)
 
       raise "Request not OK, response status #{response.status}" if response.status != 200
       parse_response(response, as || :json) do |parse_as, data|

data/lib/wechat/message.rb

@@ -115,7 +115,7 @@ module Wechat
       update(MsgType: 'music', Music: music_fields)
     end
 
-    def news(collection, &block)
+    def news(collection, &_block)
       if block_given?
         article = ArticleBuilder.new
         collection.take(10).each_with_index { |item, index| yield(article, item, index) }
@@ -164,7 +164,7 @@ module Wechat
       when 'news'
         json_hash['news'] = { 'articles' => json_hash.delete('articles') }
       when 'template'
-        json_hash.merge! json_hash['template']
+        json_hash = { 'touser' => json_hash['touser'] }.merge!(json_hash['template'])
       end
       JSON.generate(json_hash)
     end

data/lib/wechat/responder.rb

@@ -106,7 +106,7 @@ module Wechat
             yield(* user_defined_view_responders(message[:EventKey]), message[:EventKey])
           elsif 'click' == message[:Event]
             yield(* match_responders(responders, message[:EventKey]))
-          elsif known_scan_key_lists.include?(message[:EventKey]) && %w(scan subscribe scancode_push scancode_waitmsg).include?(message[:Event])
+          elsif known_scan_key_lists.include?(message[:EventKey]) && %w(scan subscribe scancode_push scancode_waitmsg).freeze.include?(message[:Event])
             yield(* known_scan_with_match_responders(user_defined_scan_responders, message))
           elsif 'batch_job_result' == message[:Event]
             yield(* user_defined_batch_job_responders(message[:BatchJob][:JobType]), message[:BatchJob])
@@ -142,9 +142,9 @@ module Wechat
 
       def known_scan_with_match_responders(responders, message)
         matched = responders.each_with_object({}) do |responder, memo|
-          if %w(scan subscribe).include?(message[:Event]) && message[:EventKey] == responder[:with]
+          if %w(scan subscribe).freeze.include?(message[:Event]) && message[:EventKey] == responder[:with]
             memo[:scaned] ||= [responder, message[:Ticket]]
-          elsif %w(scancode_push scancode_waitmsg).include?(message[:Event]) && message[:EventKey] == responder[:with]
+          elsif %w(scancode_push scancode_waitmsg).freeze.include?(message[:Event]) && message[:EventKey] == responder[:with]
             memo[:scaned] ||= [responder, message[:ScanCodeInfo][:ScanResult], message[:ScanCodeInfo][:ScanType]]
           end
         end

data/lib/wechat/ticket/corp_jsapi_ticket.rb

@@ -5,6 +5,7 @@ module Wechat
     class CorpJsapiTicket < JsapiBase
       def refresh
         data = client.get('get_jsapi_ticket', params: { access_token: access_token.token })
+        @oauth2_state = data['oauth2_state'] = SecureRandom.hex(16)
         write_ticket_to_store(data)
         read_ticket_from_store
       end

data/lib/wechat/ticket/jsapi_base.rb

@@ -1,9 +1,10 @@
 require 'digest/sha1'
+require 'securerandom'
 
 module Wechat
   module Ticket
     class JsapiBase
-      attr_reader :client, :access_token, :jsapi_ticket_file, :access_ticket, :ticket_life_in_seconds, :got_ticket_at
+      attr_reader :client, :access_token, :oauth2_state, :jsapi_ticket_file, :access_ticket, :ticket_life_in_seconds, :got_ticket_at
 
       def initialize(client, access_token, jsapi_ticket_file)
         @client = client
@@ -47,6 +48,7 @@ module Wechat
         td = read_ticket
         @ticket_life_in_seconds = td.fetch('ticket_expires_in').to_i
         @got_ticket_at = td.fetch('got_ticket_at').to_i
+        @oauth2_state = td.fetch('oauth2_state')
         @access_ticket = td.fetch('ticket') # return access_ticket same time
       rescue JSON::ParserError, Errno::ENOENT, KeyError, TypeError
         refresh

data/lib/wechat/ticket/public_jsapi_ticket.rb

@@ -5,6 +5,7 @@ module Wechat
     class PublicJsapiTicket < JsapiBase
       def refresh
         data = client.get('ticket/getticket', params: { access_token: access_token.token, type: 'jsapi' })
+        @oauth2_state = data['oauth2_state'] = SecureRandom.hex(16)
         write_ticket_to_store(data)
         read_ticket_from_store
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wechat
 version: !ruby/object:Gem::Version
-  version: 0.7.8
+  version: 0.7.9
 platform: ruby
 authors:
 - Skinnyworm
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-31 00:00:00.000000000 Z
+date: 2016-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -152,10 +152,10 @@ files:
 - lib/wechat/api_base.rb
 - lib/wechat/api_loader.rb
 - lib/wechat/cipher.rb
-- lib/wechat/client.rb
 - lib/wechat/controller_api.rb
 - lib/wechat/corp_api.rb
 - lib/wechat/helpers.rb
+- lib/wechat/http_client.rb
 - lib/wechat/message.rb
 - lib/wechat/responder.rb
 - lib/wechat/signature.rb