@tencent-weixin/openclaw-weixin 1.0.0

package/src/auth/accounts.ts

@@ -0,0 +1,321 @@
+import fs from "node:fs";
+import path from "node:path";
+
+import { normalizeAccountId } from "openclaw/plugin-sdk";
+import type { OpenClawConfig } from "openclaw/plugin-sdk";
+
+import { resolveStateDir } from "../storage/state-dir.js";
+import { logger } from "../util/logger.js";
+
+export const DEFAULT_BASE_URL = "https://ilinkai.weixin.qq.com";
+export const CDN_BASE_URL = "https://novac2c.cdn.weixin.qq.com/c2c";
+
+
+// ---------------------------------------------------------------------------
+// Account ID compatibility (legacy raw ID → normalized ID)
+// ---------------------------------------------------------------------------
+
+/**
+ * Pattern-based reverse of normalizeWeixinAccountId for known weixin ID suffixes.
+ * Used only as a compatibility fallback when loading accounts / sync bufs stored
+ * under the old raw ID.
+ * e.g. "b0f5860fdecb-im-bot" → "b0f5860fdecb@im.bot"
+ */
+export function deriveRawAccountId(normalizedId: string): string | undefined {
+  if (normalizedId.endsWith("-im-bot")) {
+    return `${normalizedId.slice(0, -7)}@im.bot`;
+  }
+  if (normalizedId.endsWith("-im-wechat")) {
+    return `${normalizedId.slice(0, -10)}@im.wechat`;
+  }
+  return undefined;
+}
+
+// ---------------------------------------------------------------------------
+// Account index (persistent list of registered account IDs)
+// ---------------------------------------------------------------------------
+
+function resolveWeixinStateDir(): string {
+  return path.join(resolveStateDir(), "openclaw-weixin");
+}
+
+function resolveAccountIndexPath(): string {
+  return path.join(resolveWeixinStateDir(), "accounts.json");
+}
+
+/** Returns all accountIds registered via QR login. */
+export function listIndexedWeixinAccountIds(): string[] {
+  const filePath = resolveAccountIndexPath();
+  try {
+    if (!fs.existsSync(filePath)) return [];
+    const raw = fs.readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter((id): id is string => typeof id === "string" && id.trim() !== "");
+  } catch {
+    return [];
+  }
+}
+
+/** Add accountId to the persistent index (no-op if already present). */
+export function registerWeixinAccountId(accountId: string): void {
+  const dir = resolveWeixinStateDir();
+  fs.mkdirSync(dir, { recursive: true });
+
+  const existing = listIndexedWeixinAccountIds();
+  if (existing.includes(accountId)) return;
+
+  const updated = [...existing, accountId];
+  fs.writeFileSync(resolveAccountIndexPath(), JSON.stringify(updated, null, 2), "utf-8");
+}
+
+// ---------------------------------------------------------------------------
+// Account store (per-account credential files)
+// ---------------------------------------------------------------------------
+
+/** Unified per-account data: token + baseUrl in one file. */
+export type WeixinAccountData = {
+  token?: string;
+  savedAt?: string;
+  baseUrl?: string;
+  /** Last linked Weixin user id from QR login (optional). */
+  userId?: string;
+};
+
+function resolveAccountsDir(): string {
+  return path.join(resolveWeixinStateDir(), "accounts");
+}
+
+function resolveAccountPath(accountId: string): string {
+  return path.join(resolveAccountsDir(), `${accountId}.json`);
+}
+
+/**
+ * Legacy single-file token: `credentials/openclaw-weixin/credentials.json` (pre per-account files).
+ */
+function loadLegacyToken(): string | undefined {
+  const legacyPath = path.join(resolveStateDir(), "credentials", "openclaw-weixin", "credentials.json");
+  try {
+    if (!fs.existsSync(legacyPath)) return undefined;
+    const raw = fs.readFileSync(legacyPath, "utf-8");
+    const parsed = JSON.parse(raw) as { token?: string };
+    return typeof parsed.token === "string" ? parsed.token : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function readAccountFile(filePath: string): WeixinAccountData | null {
+  try {
+    if (fs.existsSync(filePath)) {
+      return JSON.parse(fs.readFileSync(filePath, "utf-8")) as WeixinAccountData;
+    }
+  } catch {
+    // ignore
+  }
+  return null;
+}
+
+/** Load account data by ID, with compatibility fallbacks. */
+export function loadWeixinAccount(accountId: string): WeixinAccountData | null {
+  // Primary: try given accountId (normalized IDs written after this change).
+  const primary = readAccountFile(resolveAccountPath(accountId));
+  if (primary) return primary;
+
+  // Compatibility: if the given ID is normalized, derive the old raw filename
+  // (e.g. "b0f5860fdecb-im-bot" → "b0f5860fdecb@im.bot") for existing installs.
+  const rawId = deriveRawAccountId(accountId);
+  if (rawId) {
+    const compat = readAccountFile(resolveAccountPath(rawId));
+    if (compat) return compat;
+  }
+
+  // Legacy fallback: read token from old single-account credentials file.
+  const token = loadLegacyToken();
+  if (token) return { token };
+
+  return null;
+}
+
+/**
+ * Persist account data after QR login (merges into existing file).
+ * - token: overwritten when provided.
+ * - baseUrl: stored when non-empty; resolveWeixinAccount falls back to DEFAULT_BASE_URL.
+ * - userId: set when `update.userId` is provided; omitted from file when cleared to empty.
+ */
+export function saveWeixinAccount(
+  accountId: string,
+  update: { token?: string; baseUrl?: string; userId?: string },
+): void {
+  const dir = resolveAccountsDir();
+  fs.mkdirSync(dir, { recursive: true });
+
+  const existing = loadWeixinAccount(accountId) ?? {};
+
+  const token = update.token?.trim() || existing.token;
+  const baseUrl = update.baseUrl?.trim() || existing.baseUrl;
+  const userId =
+    update.userId !== undefined
+      ? update.userId.trim() || undefined
+      : existing.userId?.trim() || undefined;
+
+  const data: WeixinAccountData = {
+    ...(token ? { token, savedAt: new Date().toISOString() } : {}),
+    ...(baseUrl ? { baseUrl } : {}),
+    ...(userId ? { userId } : {}),
+  };
+
+  const filePath = resolveAccountPath(accountId);
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2), "utf-8");
+  try {
+    fs.chmodSync(filePath, 0o600);
+  } catch {
+    // best-effort
+  }
+}
+
+/** Remove account data file. */
+export function clearWeixinAccount(accountId: string): void {
+  try {
+    fs.unlinkSync(resolveAccountPath(accountId));
+  } catch {
+    // ignore if not found
+  }
+}
+
+/**
+ * Resolve the openclaw.json config file path.
+ * Checks OPENCLAW_CONFIG env var, then state dir.
+ */
+function resolveConfigPath(): string {
+  const envPath = process.env.OPENCLAW_CONFIG?.trim();
+  if (envPath) return envPath;
+  return path.join(resolveStateDir(), "openclaw.json");
+}
+
+/**
+ * Read `routeTag` from openclaw.json (for callers without an `OpenClawConfig` object).
+ * Checks per-account `channels.<id>.accounts[accountId].routeTag` first, then section-level
+ * `channels.<id>.routeTag`. Matches `feat_weixin_extension` behavior; channel key is `"openclaw-weixin"`.
+ */
+export function loadConfigRouteTag(accountId?: string): string | undefined {
+  try {
+    const configPath = resolveConfigPath();
+    if (!fs.existsSync(configPath)) return undefined;
+    const raw = fs.readFileSync(configPath, "utf-8");
+    const cfg = JSON.parse(raw) as Record<string, unknown>;
+    const channels = cfg.channels as Record<string, unknown> | undefined;
+    const section = channels?.["openclaw-weixin"] as Record<string, unknown> | undefined;
+    if (!section) return undefined;
+    if (accountId) {
+      const accounts = section.accounts as Record<string, Record<string, unknown>> | undefined;
+      const tag = accounts?.[accountId]?.routeTag;
+      if (typeof tag === "number") return String(tag);
+      if (typeof tag === "string" && tag.trim()) return tag.trim();
+    }
+    if (typeof section.routeTag === "number") return String(section.routeTag);
+    return typeof section.routeTag === "string" && section.routeTag.trim()
+      ? section.routeTag.trim()
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+/**
+ * Touch openclaw.json to trigger channel reload.
+ * Updates `channels.<channelId>._accountsUpdatedAt` so config-reload detects a change
+ * and restarts the channel.
+ */
+export function triggerWeixinChannelReload(): void {
+  try {
+    const configPath = resolveConfigPath();
+    logger.info(`triggerWeixinChannelReload: configPath=${configPath}`);
+
+    if (!fs.existsSync(configPath)) {
+      logger.warn(`triggerWeixinChannelReload: config not found at ${configPath}`);
+      return;
+    }
+
+    const raw = fs.readFileSync(configPath, "utf-8");
+    const cfg = JSON.parse(raw) as Record<string, unknown>;
+    const channels = (cfg.channels ?? {}) as Record<string, unknown>;
+    const section = (channels["openclaw-weixin"] ?? {}) as Record<string, unknown>;
+
+    const updated = {
+      ...cfg,
+      channels: {
+        ...channels,
+        "openclaw-weixin": {
+          ...section,
+          _accountsUpdatedAt: Date.now(),
+        },
+      },
+    };
+
+    fs.writeFileSync(configPath, JSON.stringify(updated, null, 2), "utf-8");
+    logger.info(`triggerWeixinChannelReload: wrote to ${configPath}`);
+  } catch (err) {
+    logger.error(`triggerWeixinChannelReload: failed: ${String(err)}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Account resolution (merge config + stored credentials)
+// ---------------------------------------------------------------------------
+
+export type ResolvedWeixinAccount = {
+  accountId: string;
+  baseUrl: string;
+  cdnBaseUrl: string;
+  token?: string;
+  enabled: boolean;
+  /** true when a token has been obtained via QR login. */
+  configured: boolean;
+  name?: string;
+};
+
+type WeixinAccountConfig = {
+  name?: string;
+  enabled?: boolean;
+  cdnBaseUrl?: string;
+  /** Optional SKRouteTag source; read from openclaw.json when `accountId` is passed to `loadConfigRouteTag`. */
+  routeTag?: number | string;
+};
+
+type WeixinSectionConfig = WeixinAccountConfig & {
+  accounts?: Record<string, WeixinAccountConfig>;
+};
+
+/** List accountIds from the index file (written at QR login). */
+export function listWeixinAccountIds(_cfg: OpenClawConfig): string[] {
+  return listIndexedWeixinAccountIds();
+}
+
+/** Resolve a weixin account by ID, merging config and stored credentials. */
+export function resolveWeixinAccount(
+  cfg: OpenClawConfig,
+  accountId?: string | null,
+): ResolvedWeixinAccount {
+  const raw = accountId?.trim();
+  if (!raw) {
+    throw new Error("weixin: accountId is required (no default account)");
+  }
+  const id = normalizeAccountId(raw);
+  const section = cfg.channels?.["openclaw-weixin"] as WeixinSectionConfig | undefined;
+  const accountCfg: WeixinAccountConfig = section?.accounts?.[id] ?? section ?? {};
+
+  const accountData = loadWeixinAccount(id);
+  const token = accountData?.token?.trim() || undefined;
+  const stateBaseUrl = accountData?.baseUrl?.trim() || "";
+
+  return {
+    accountId: id,
+    baseUrl: stateBaseUrl || DEFAULT_BASE_URL,
+    cdnBaseUrl: accountCfg.cdnBaseUrl?.trim() || CDN_BASE_URL,
+    token,
+    enabled: accountCfg.enabled !== false,
+    configured: Boolean(token),
+    name: accountCfg.name?.trim() || undefined,
+  };
+}

package/src/auth/login-qr.ts

@@ -0,0 +1,331 @@
+import { randomUUID } from "node:crypto";
+
+import { loadConfigRouteTag } from "./accounts.js";
+import { logger } from "../util/logger.js";
+import { redactToken } from "../util/redact.js";
+
+type ActiveLogin = {
+  sessionKey: string;
+  id: string;
+  qrcode: string;
+  qrcodeUrl: string;
+  startedAt: number;
+  botToken?: string;
+  status?: "wait" | "scaned" | "confirmed" | "expired";
+  error?: string;
+};
+
+const ACTIVE_LOGIN_TTL_MS = 5 * 60_000;
+/** Client-side timeout for the long-poll get_qrcode_status request. */
+const QR_LONG_POLL_TIMEOUT_MS = 35_000;
+
+/** Default `bot_type` for ilink get_bot_qrcode / get_qrcode_status (this channel build). */
+export const DEFAULT_ILINK_BOT_TYPE = "3";
+
+const activeLogins = new Map<string, ActiveLogin>();
+
+interface QRCodeResponse {
+  qrcode: string;
+  qrcode_img_content: string;
+}
+
+interface StatusResponse {
+  status: "wait" | "scaned" | "confirmed" | "expired";
+  bot_token?: string;
+  ilink_bot_id?: string;
+  baseurl?: string;
+  /** The user ID of the person who scanned the QR code. */
+  ilink_user_id?: string;
+}
+
+function isLoginFresh(login: ActiveLogin): boolean {
+  return Date.now() - login.startedAt < ACTIVE_LOGIN_TTL_MS;
+}
+
+/** Remove all expired entries from the activeLogins map to prevent memory leaks. */
+function purgeExpiredLogins(): void {
+  for (const [id, login] of activeLogins) {
+    if (!isLoginFresh(login)) {
+      activeLogins.delete(id);
+    }
+  }
+}
+
+async function fetchQRCode(apiBaseUrl: string, botType: string): Promise<QRCodeResponse> {
+  const base = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
+  const url = new URL(`ilink/bot/get_bot_qrcode?bot_type=${encodeURIComponent(botType)}`, base);
+  logger.info(`Fetching QR code from: ${url.toString()}`);
+
+  const headers: Record<string, string> = {};
+  const routeTag = loadConfigRouteTag();
+  if (routeTag) {
+    headers.SKRouteTag = routeTag;
+  }
+
+  const response = await fetch(url.toString(), { headers });
+  if (!response.ok) {
+    const body = await response.text().catch(() => "(unreadable)");
+    logger.error(`QR code fetch failed: ${response.status} ${response.statusText} body=${body}`);
+    throw new Error(`Failed to fetch QR code: ${response.status} ${response.statusText}`);
+  }
+  return await response.json();
+}
+
+async function pollQRStatus(apiBaseUrl: string, qrcode: string): Promise<StatusResponse> {
+  const base = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
+  const url = new URL(`ilink/bot/get_qrcode_status?qrcode=${encodeURIComponent(qrcode)}`, base);
+  logger.debug(`Long-poll QR status from: ${url.toString()}`);
+
+  const headers: Record<string, string> = {
+    "iLink-App-ClientVersion": "1",
+  };
+  const routeTag = loadConfigRouteTag();
+  if (routeTag) {
+    headers.SKRouteTag = routeTag;
+  }
+
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), QR_LONG_POLL_TIMEOUT_MS);
+  try {
+    const response = await fetch(url.toString(), { headers, signal: controller.signal });
+    clearTimeout(timer);
+    logger.debug(`pollQRStatus: HTTP ${response.status}, reading body...`);
+    const rawText = await response.text();
+    logger.debug(`pollQRStatus: body=${rawText.substring(0, 200)}`);
+    if (!response.ok) {
+      logger.error(`QR status poll failed: ${response.status} ${response.statusText} body=${rawText}`);
+      throw new Error(`Failed to poll QR status: ${response.status} ${response.statusText}`);
+    }
+    return JSON.parse(rawText) as StatusResponse;
+  } catch (err) {
+    clearTimeout(timer);
+    if (err instanceof Error && err.name === "AbortError") {
+      logger.debug(`pollQRStatus: client-side timeout after ${QR_LONG_POLL_TIMEOUT_MS}ms, returning wait`);
+      return { status: "wait" };
+    }
+    throw err;
+  }
+}
+
+export type WeixinQrStartResult = {
+  qrcodeUrl?: string;
+  message: string;
+  sessionKey: string;
+};
+
+export type WeixinQrWaitResult = {
+  connected: boolean;
+  botToken?: string;
+  accountId?: string;
+  baseUrl?: string;
+  /** The user ID of the person who scanned the QR code; add to allowFrom. */
+  userId?: string;
+  message: string;
+};
+
+export async function startWeixinLoginWithQr(opts: {
+  verbose?: boolean;
+  timeoutMs?: number;
+  force?: boolean;
+  accountId?: string;
+  apiBaseUrl: string;
+  botType?: string;
+}): Promise<WeixinQrStartResult> {
+  const sessionKey = opts.accountId || randomUUID();
+
+  purgeExpiredLogins();
+
+  const existing = activeLogins.get(sessionKey);
+  if (!opts.force && existing && isLoginFresh(existing) && existing.qrcodeUrl) {
+    return {
+      qrcodeUrl: existing.qrcodeUrl,
+      message: "二维码已就绪，请使用微信扫描。",
+      sessionKey,
+    };
+  }
+
+  try {
+    const botType = opts.botType || DEFAULT_ILINK_BOT_TYPE;
+    logger.info(`Starting Weixin login with bot_type=${botType}`);
+
+    if (!opts.apiBaseUrl) {
+      return {
+        message:
+          "No baseUrl configured. Add channels.openclaw-weixin.baseUrl to your config before logging in.",
+        sessionKey,
+      };
+    }
+
+    const qrResponse = await fetchQRCode(opts.apiBaseUrl, botType);
+    logger.info(
+      `QR code received, qrcode=${redactToken(qrResponse.qrcode)} imgContentLen=${qrResponse.qrcode_img_content?.length ?? 0}`,
+    );
+    logger.info(`二维码链接: ${qrResponse.qrcode_img_content}`);
+
+    const login: ActiveLogin = {
+      sessionKey,
+      id: randomUUID(),
+      qrcode: qrResponse.qrcode,
+      qrcodeUrl: qrResponse.qrcode_img_content,
+      startedAt: Date.now(),
+    };
+
+    activeLogins.set(sessionKey, login);
+
+    return {
+      qrcodeUrl: qrResponse.qrcode_img_content,
+      message: "使用微信扫描以下二维码，以完成连接。",
+      sessionKey,
+    };
+  } catch (err) {
+    logger.error(`Failed to start Weixin login: ${String(err)}`);
+    return {
+      message: `Failed to start login: ${String(err)}`,
+      sessionKey,
+    };
+  }
+}
+
+const MAX_QR_REFRESH_COUNT = 3;
+
+export async function waitForWeixinLogin(opts: {
+  timeoutMs?: number;
+  verbose?: boolean;
+  sessionKey: string;
+  apiBaseUrl: string;
+  botType?: string;
+}): Promise<WeixinQrWaitResult> {
+  let activeLogin = activeLogins.get(opts.sessionKey);
+
+  if (!activeLogin) {
+    logger.warn(`waitForWeixinLogin: no active login sessionKey=${opts.sessionKey}`);
+    return {
+      connected: false,
+      message: "当前没有进行中的登录，请先发起登录。",
+    };
+  }
+
+  if (!isLoginFresh(activeLogin)) {
+    logger.warn(`waitForWeixinLogin: login QR expired sessionKey=${opts.sessionKey}`);
+    activeLogins.delete(opts.sessionKey);
+    return {
+      connected: false,
+      message: "二维码已过期，请重新生成。",
+    };
+  }
+
+  const timeoutMs = Math.max(opts.timeoutMs ?? 480_000, 1000);
+  const deadline = Date.now() + timeoutMs;
+  let scannedPrinted = false;
+  let qrRefreshCount = 1;
+
+  logger.info("Starting to poll QR code status...");
+
+  while (Date.now() < deadline) {
+    try {
+      const statusResponse = await pollQRStatus(opts.apiBaseUrl, activeLogin.qrcode);
+      logger.debug(`pollQRStatus: status=${statusResponse.status} hasBotToken=${Boolean(statusResponse.bot_token)} hasBotId=${Boolean(statusResponse.ilink_bot_id)}`);
+      activeLogin.status = statusResponse.status;
+
+      switch (statusResponse.status) {
+        case "wait":
+          if (opts.verbose) {
+            process.stdout.write(".");
+          }
+          break;
+        case "scaned":
+          if (!scannedPrinted) {
+            process.stdout.write("\n👀 已扫码，在微信继续操作...\n");
+            scannedPrinted = true;
+          }
+          break;
+        case "expired": {
+          qrRefreshCount++;
+          if (qrRefreshCount > MAX_QR_REFRESH_COUNT) {
+            logger.warn(
+              `waitForWeixinLogin: QR expired ${MAX_QR_REFRESH_COUNT} times, giving up sessionKey=${opts.sessionKey}`,
+            );
+            activeLogins.delete(opts.sessionKey);
+            return {
+              connected: false,
+              message: "登录超时：二维码多次过期，请重新开始登录流程。",
+            };
+          }
+
+          process.stdout.write(`\n⏳ 二维码已过期，正在刷新...(${qrRefreshCount}/${MAX_QR_REFRESH_COUNT})\n`);
+          logger.info(
+            `waitForWeixinLogin: QR expired, refreshing (${qrRefreshCount}/${MAX_QR_REFRESH_COUNT})`,
+          );
+
+          try {
+            const botType = opts.botType || DEFAULT_ILINK_BOT_TYPE;
+            const qrResponse = await fetchQRCode(opts.apiBaseUrl, botType);
+            activeLogin.qrcode = qrResponse.qrcode;
+            activeLogin.qrcodeUrl = qrResponse.qrcode_img_content;
+            activeLogin.startedAt = Date.now();
+            scannedPrinted = false;
+            logger.info(`waitForWeixinLogin: new QR code obtained qrcode=${redactToken(qrResponse.qrcode)}`);
+            process.stdout.write(`🔄 新二维码已生成，请重新扫描\n\n`);
+            try {
+              const qrterm = await import("qrcode-terminal");
+              qrterm.default.generate(qrResponse.qrcode_img_content, { small: true });
+            } catch {
+              process.stdout.write(`QR Code URL: ${qrResponse.qrcode_img_content}\n`);
+            }
+          } catch (refreshErr) {
+            logger.error(`waitForWeixinLogin: failed to refresh QR code: ${String(refreshErr)}`);
+            activeLogins.delete(opts.sessionKey);
+            return {
+              connected: false,
+              message: `刷新二维码失败: ${String(refreshErr)}`,
+            };
+          }
+          break;
+        }
+        case "confirmed": {
+          if (!statusResponse.ilink_bot_id) {
+            activeLogins.delete(opts.sessionKey);
+            logger.error("Login confirmed but ilink_bot_id missing from response");
+            return {
+              connected: false,
+              message: "登录失败：服务器未返回 ilink_bot_id。",
+            };
+          }
+
+          activeLogin.botToken = statusResponse.bot_token;
+          activeLogins.delete(opts.sessionKey);
+
+          logger.info(
+            `✅ Login confirmed! ilink_bot_id=${statusResponse.ilink_bot_id} ilink_user_id=${redactToken(statusResponse.ilink_user_id)}`,
+          );
+
+          return {
+            connected: true,
+            botToken: statusResponse.bot_token,
+            accountId: statusResponse.ilink_bot_id,
+            baseUrl: statusResponse.baseurl,
+            userId: statusResponse.ilink_user_id,
+            message: "✅ 与微信连接成功！",
+          };
+        }
+      }
+
+    } catch (err) {
+      logger.error(`Error polling QR status: ${String(err)}`);
+      activeLogins.delete(opts.sessionKey);
+      return {
+        connected: false,
+        message: `Login failed: ${String(err)}`,
+      };
+    }
+  }
+
+  logger.warn(
+    `waitForWeixinLogin: timed out waiting for QR scan sessionKey=${opts.sessionKey} timeoutMs=${timeoutMs}`,
+  );
+  activeLogins.delete(opts.sessionKey);
+  return {
+    connected: false,
+    message: "登录超时，请重试。",
+  };
+}