@tencent-weixin/openclaw-weixin 1.0.0

package/src/auth/pairing.ts

@@ -0,0 +1,120 @@
+import fs from "node:fs";
+import path from "node:path";
+
+import { withFileLock } from "openclaw/plugin-sdk";
+
+import { resolveStateDir } from "../storage/state-dir.js";
+import { logger } from "../util/logger.js";
+
+/**
+ * Resolve the framework credentials directory (mirrors core resolveOAuthDir).
+ * Path: $OPENCLAW_OAUTH_DIR || $OPENCLAW_STATE_DIR/credentials || ~/.openclaw/credentials
+ */
+function resolveCredentialsDir(): string {
+  const override = process.env.OPENCLAW_OAUTH_DIR?.trim();
+  if (override) return override;
+  return path.join(resolveStateDir(), "credentials");
+}
+
+/**
+ * Sanitize a channel/account key for safe use in filenames (mirrors core safeChannelKey).
+ */
+function safeKey(raw: string): string {
+  const trimmed = raw.trim().toLowerCase();
+  if (!trimmed) throw new Error("invalid key for allowFrom path");
+  const safe = trimmed.replace(/[\\/:*?"<>|]/g, "_").replace(/\.\./g, "_");
+  if (!safe || safe === "_") throw new Error("invalid key for allowFrom path");
+  return safe;
+}
+
+/**
+ * Resolve the framework allowFrom file path for a given account.
+ * Mirrors: `resolveAllowFromPath(channel, env, accountId)` from core.
+ * Path: `<credDir>/openclaw-weixin-<accountId>-allowFrom.json`
+ */
+export function resolveFrameworkAllowFromPath(accountId: string): string {
+  const base = safeKey("openclaw-weixin");
+  const safeAccount = safeKey(accountId);
+  return path.join(resolveCredentialsDir(), `${base}-${safeAccount}-allowFrom.json`);
+}
+
+type AllowFromFileContent = {
+  version: number;
+  allowFrom: string[];
+};
+
+/**
+ * Read the framework allowFrom list for an account (user IDs authorized via pairing).
+ * Returns an empty array when the file is missing or unreadable.
+ */
+export function readFrameworkAllowFromList(accountId: string): string[] {
+  const filePath = resolveFrameworkAllowFromPath(accountId);
+  try {
+    if (!fs.existsSync(filePath)) return [];
+    const raw = fs.readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw) as AllowFromFileContent;
+    if (Array.isArray(parsed.allowFrom)) {
+      return parsed.allowFrom.filter((id): id is string => typeof id === "string" && id.trim() !== "");
+    }
+  } catch {
+    // best-effort
+  }
+  return [];
+}
+
+/** File lock options matching the framework's pairing store lock settings. */
+const LOCK_OPTIONS = {
+  retries: { retries: 3, factor: 2, minTimeout: 100, maxTimeout: 2000 },
+  stale: 10_000,
+};
+
+/**
+ * Register a user ID in the framework's channel allowFrom store.
+ * This writes directly to the same JSON file that `readChannelAllowFromStore` reads,
+ * making the user visible to the framework authorization pipeline.
+ *
+ * Uses file locking to avoid races with concurrent readers/writers.
+ */
+export async function registerUserInFrameworkStore(params: {
+  accountId: string;
+  userId: string;
+}): Promise<{ changed: boolean }> {
+  const { accountId, userId } = params;
+  const trimmedUserId = userId.trim();
+  if (!trimmedUserId) return { changed: false };
+
+  const filePath = resolveFrameworkAllowFromPath(accountId);
+
+  const dir = path.dirname(filePath);
+  fs.mkdirSync(dir, { recursive: true });
+
+  // Ensure the file exists before locking
+  if (!fs.existsSync(filePath)) {
+    const initial: AllowFromFileContent = { version: 1, allowFrom: [] };
+    fs.writeFileSync(filePath, JSON.stringify(initial, null, 2), "utf-8");
+  }
+
+  return await withFileLock(filePath, LOCK_OPTIONS, async () => {
+    let content: AllowFromFileContent = { version: 1, allowFrom: [] };
+    try {
+      const raw = fs.readFileSync(filePath, "utf-8");
+      const parsed = JSON.parse(raw) as AllowFromFileContent;
+      if (Array.isArray(parsed.allowFrom)) {
+        content = parsed;
+      }
+    } catch {
+      // If read/parse fails, start fresh
+    }
+
+    if (content.allowFrom.includes(trimmedUserId)) {
+      return { changed: false };
+    }
+
+    content.allowFrom.push(trimmedUserId);
+    fs.writeFileSync(filePath, JSON.stringify(content, null, 2), "utf-8");
+    logger.info(
+      `registerUserInFrameworkStore: added userId=${trimmedUserId} accountId=${accountId} path=${filePath}`,
+    );
+    return { changed: true };
+  });
+}

package/src/cdn/aes-ecb.ts

@@ -0,0 +1,21 @@
+/**
+ * Shared AES-128-ECB crypto utilities for CDN upload and download.
+ */
+import { createCipheriv, createDecipheriv } from "node:crypto";
+
+/** Encrypt buffer with AES-128-ECB (PKCS7 padding is default). */
+export function encryptAesEcb(plaintext: Buffer, key: Buffer): Buffer {
+  const cipher = createCipheriv("aes-128-ecb", key, null);
+  return Buffer.concat([cipher.update(plaintext), cipher.final()]);
+}
+
+/** Decrypt buffer with AES-128-ECB (PKCS7 padding). */
+export function decryptAesEcb(ciphertext: Buffer, key: Buffer): Buffer {
+  const decipher = createDecipheriv("aes-128-ecb", key, null);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+
+/** Compute AES-128-ECB ciphertext size (PKCS7 padding to 16-byte boundary). */
+export function aesEcbPaddedSize(plaintextSize: number): number {
+  return Math.ceil((plaintextSize + 1) / 16) * 16;
+}

package/src/cdn/cdn-upload.ts

@@ -0,0 +1,77 @@
+import { encryptAesEcb } from "./aes-ecb.js";
+import { buildCdnUploadUrl } from "./cdn-url.js";
+import { logger } from "../util/logger.js";
+import { redactUrl } from "../util/redact.js";
+
+/** Maximum retry attempts for CDN upload. */
+const UPLOAD_MAX_RETRIES = 3;
+
+/**
+ * Upload one buffer to the Weixin CDN with AES-128-ECB encryption.
+ * Returns the download encrypted_query_param from the CDN response.
+ * Retries up to UPLOAD_MAX_RETRIES times on server errors; client errors (4xx) abort immediately.
+ */
+export async function uploadBufferToCdn(params: {
+  buf: Buffer;
+  uploadParam: string;
+  filekey: string;
+  cdnBaseUrl: string;
+  label: string;
+  aeskey: Buffer;
+}): Promise<{ downloadParam: string }> {
+  const { buf, uploadParam, filekey, cdnBaseUrl, label, aeskey } = params;
+  const ciphertext = encryptAesEcb(buf, aeskey);
+  const cdnUrl = buildCdnUploadUrl({ cdnBaseUrl, uploadParam, filekey });
+  logger.debug(`${label}: CDN POST url=${redactUrl(cdnUrl)} ciphertextSize=${ciphertext.length}`);
+
+  let downloadParam: string | undefined;
+  let lastError: unknown;
+
+  for (let attempt = 1; attempt <= UPLOAD_MAX_RETRIES; attempt++) {
+    try {
+      const res = await fetch(cdnUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/octet-stream" },
+        body: new Uint8Array(ciphertext),
+      });
+      if (res.status >= 400 && res.status < 500) {
+        const errMsg = res.headers.get("x-error-message") ?? (await res.text());
+        logger.error(
+          `${label}: CDN client error attempt=${attempt} status=${res.status} errMsg=${errMsg}`,
+        );
+        throw new Error(`CDN upload client error ${res.status}: ${errMsg}`);
+      }
+      if (res.status !== 200) {
+        const errMsg = res.headers.get("x-error-message") ?? `status ${res.status}`;
+        logger.error(
+          `${label}: CDN server error attempt=${attempt} status=${res.status} errMsg=${errMsg}`,
+        );
+        throw new Error(`CDN upload server error: ${errMsg}`);
+      }
+      downloadParam = res.headers.get("x-encrypted-param") ?? undefined;
+      if (!downloadParam) {
+        logger.error(
+          `${label}: CDN response missing x-encrypted-param header attempt=${attempt}`,
+        );
+        throw new Error("CDN upload response missing x-encrypted-param header");
+      }
+      logger.debug(`${label}: CDN upload success attempt=${attempt}`);
+      break;
+    } catch (err) {
+      lastError = err;
+      if (err instanceof Error && err.message.includes("client error")) throw err;
+      if (attempt < UPLOAD_MAX_RETRIES) {
+        logger.error(`${label}: attempt ${attempt} failed, retrying... err=${String(err)}`);
+      } else {
+        logger.error(`${label}: all ${UPLOAD_MAX_RETRIES} attempts failed err=${String(err)}`);
+      }
+    }
+  }
+
+  if (!downloadParam) {
+    throw lastError instanceof Error
+      ? lastError
+      : new Error(`CDN upload failed after ${UPLOAD_MAX_RETRIES} attempts`);
+  }
+  return { downloadParam };
+}

package/src/cdn/cdn-url.ts

@@ -0,0 +1,17 @@
+/**
+ * Unified CDN URL construction for Weixin CDN upload/download.
+ */
+
+/** Build a CDN download URL from encrypt_query_param. */
+export function buildCdnDownloadUrl(encryptedQueryParam: string, cdnBaseUrl: string): string {
+  return `${cdnBaseUrl}/download?encrypted_query_param=${encodeURIComponent(encryptedQueryParam)}`;
+}
+
+/** Build a CDN upload URL from upload_param and filekey. */
+export function buildCdnUploadUrl(params: {
+  cdnBaseUrl: string;
+  uploadParam: string;
+  filekey: string;
+}): string {
+  return `${params.cdnBaseUrl}/upload?encrypted_query_param=${encodeURIComponent(params.uploadParam)}&filekey=${encodeURIComponent(params.filekey)}`;
+}

package/src/cdn/pic-decrypt.ts

@@ -0,0 +1,85 @@
+import { decryptAesEcb } from "./aes-ecb.js";
+import { buildCdnDownloadUrl } from "./cdn-url.js";
+import { logger } from "../util/logger.js";
+
+/**
+ * Download raw bytes from the CDN (no decryption).
+ */
+async function fetchCdnBytes(url: string, label: string): Promise<Buffer> {
+  let res: Response;
+  try {
+    res = await fetch(url);
+  } catch (err) {
+    const cause =
+      (err as NodeJS.ErrnoException).cause ?? (err as NodeJS.ErrnoException).code ?? "(no cause)";
+    logger.error(
+      `${label}: fetch network error url=${url} err=${String(err)} cause=${String(cause)}`,
+    );
+    throw err;
+  }
+  logger.debug(`${label}: response status=${res.status} ok=${res.ok}`);
+  if (!res.ok) {
+    const body = await res.text().catch(() => "(unreadable)");
+    const msg = `${label}: CDN download ${res.status} ${res.statusText} body=${body}`;
+    logger.error(msg);
+    throw new Error(msg);
+  }
+  return Buffer.from(await res.arrayBuffer());
+}
+
+/**
+ * Parse CDNMedia.aes_key into a raw 16-byte AES key.
+ *
+ * Two encodings are seen in the wild:
+ *   - base64(raw 16 bytes)          → images (aes_key from media field)
+ *   - base64(hex string of 16 bytes) → file / voice / video
+ *
+ * In the second case, base64-decoding yields 32 ASCII hex chars which must
+ * then be parsed as hex to recover the actual 16-byte key.
+ */
+function parseAesKey(aesKeyBase64: string, label: string): Buffer {
+  const decoded = Buffer.from(aesKeyBase64, "base64");
+  if (decoded.length === 16) {
+    return decoded;
+  }
+  if (decoded.length === 32 && /^[0-9a-fA-F]{32}$/.test(decoded.toString("ascii"))) {
+    // hex-encoded key: base64 → hex string → raw bytes
+    return Buffer.from(decoded.toString("ascii"), "hex");
+  }
+  const msg = `${label}: aes_key must decode to 16 raw bytes or 32-char hex string, got ${decoded.length} bytes (base64="${aesKeyBase64}")`;
+  logger.error(msg);
+  throw new Error(msg);
+}
+
+/**
+ * Download and AES-128-ECB decrypt a CDN media file. Returns plaintext Buffer.
+ * aesKeyBase64: CDNMedia.aes_key JSON field (see parseAesKey for supported formats).
+ */
+export async function downloadAndDecryptBuffer(
+  encryptedQueryParam: string,
+  aesKeyBase64: string,
+  cdnBaseUrl: string,
+  label: string,
+): Promise<Buffer> {
+  const key = parseAesKey(aesKeyBase64, label);
+  const url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  logger.debug(`${label}: fetching url=${url}`);
+  const encrypted = await fetchCdnBytes(url, label);
+  logger.debug(`${label}: downloaded ${encrypted.byteLength} bytes, decrypting`);
+  const decrypted = decryptAesEcb(encrypted, key);
+  logger.debug(`${label}: decrypted ${decrypted.length} bytes`);
+  return decrypted;
+}
+
+/**
+ * Download plain (unencrypted) bytes from the CDN. Returns the raw Buffer.
+ */
+export async function downloadPlainCdnBuffer(
+  encryptedQueryParam: string,
+  cdnBaseUrl: string,
+  label: string,
+): Promise<Buffer> {
+  const url = buildCdnDownloadUrl(encryptedQueryParam, cdnBaseUrl);
+  logger.debug(`${label}: fetching url=${url}`);
+  return fetchCdnBytes(url, label);
+}

package/src/cdn/upload.ts

@@ -0,0 +1,155 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+
+import { getUploadUrl } from "../api/api.js";
+import type { WeixinApiOptions } from "../api/api.js";
+import { aesEcbPaddedSize } from "./aes-ecb.js";
+import { uploadBufferToCdn } from "./cdn-upload.js";
+import { logger } from "../util/logger.js";
+import { getExtensionFromContentTypeOrUrl } from "../media/mime.js";
+import { tempFileName } from "../util/random.js";
+import { UploadMediaType } from "../api/types.js";
+
+export type UploadedFileInfo = {
+  filekey: string;
+  /** 由 upload_param 上传后 CDN 返回的下载加密参数; fill into ImageItem.media.encrypt_query_param */
+  downloadEncryptedQueryParam: string;
+  /** AES-128-ECB key, hex-encoded; convert to base64 for CDNMedia.aes_key */
+  aeskey: string;
+  /** Plaintext file size in bytes */
+  fileSize: number;
+  /** Ciphertext file size in bytes (AES-128-ECB with PKCS7 padding); use for ImageItem.hd_size / mid_size */
+  fileSizeCiphertext: number;
+};
+
+/**
+ * Download a remote media URL (image, video, file) to a local temp file in destDir.
+ * Returns the local file path; extension is inferred from Content-Type / URL.
+ */
+export async function downloadRemoteImageToTemp(url: string, destDir: string): Promise<string> {
+  logger.debug(`downloadRemoteImageToTemp: fetching url=${url}`);
+  const res = await fetch(url);
+  if (!res.ok) {
+    const msg = `remote media download failed: ${res.status} ${res.statusText} url=${url}`;
+    logger.error(`downloadRemoteImageToTemp: ${msg}`);
+    throw new Error(msg);
+  }
+  const buf = Buffer.from(await res.arrayBuffer());
+  logger.debug(`downloadRemoteImageToTemp: downloaded ${buf.length} bytes`);
+  await fs.mkdir(destDir, { recursive: true });
+  const ext = getExtensionFromContentTypeOrUrl(res.headers.get("content-type"), url);
+  const name = tempFileName("weixin-remote", ext);
+  const filePath = path.join(destDir, name);
+  await fs.writeFile(filePath, buf);
+  logger.debug(`downloadRemoteImageToTemp: saved to ${filePath} ext=${ext}`);
+  return filePath;
+}
+
+/**
+ * Common upload pipeline: read file → hash → gen aeskey → getUploadUrl → uploadBufferToCdn → return info.
+ */
+async function uploadMediaToCdn(params: {
+  filePath: string;
+  toUserId: string;
+  opts: WeixinApiOptions;
+  cdnBaseUrl: string;
+  mediaType: (typeof UploadMediaType)[keyof typeof UploadMediaType];
+  label: string;
+}): Promise<UploadedFileInfo> {
+  const { filePath, toUserId, opts, cdnBaseUrl, mediaType, label } = params;
+
+  const plaintext = await fs.readFile(filePath);
+  const rawsize = plaintext.length;
+  const rawfilemd5 = crypto.createHash("md5").update(plaintext).digest("hex");
+  const filesize = aesEcbPaddedSize(rawsize);
+  const filekey = crypto.randomBytes(16).toString("hex");
+  const aeskey = crypto.randomBytes(16);
+
+  logger.debug(
+    `${label}: file=${filePath} rawsize=${rawsize} filesize=${filesize} md5=${rawfilemd5} filekey=${filekey}`,
+  );
+
+  const uploadUrlResp = await getUploadUrl({
+    ...opts,
+    filekey,
+    media_type: mediaType,
+    to_user_id: toUserId,
+    rawsize,
+    rawfilemd5,
+    filesize,
+    no_need_thumb: true,
+    aeskey: aeskey.toString("hex"),
+  });
+
+  const uploadParam = uploadUrlResp.upload_param;
+  if (!uploadParam) {
+    logger.error(
+      `${label}: getUploadUrl returned no upload_param, resp=${JSON.stringify(uploadUrlResp)}`,
+    );
+    throw new Error(`${label}: getUploadUrl returned no upload_param`);
+  }
+
+  const { downloadParam: downloadEncryptedQueryParam } = await uploadBufferToCdn({
+    buf: plaintext,
+    uploadParam,
+    filekey,
+    cdnBaseUrl,
+    aeskey,
+    label: `${label}[orig filekey=${filekey}]`,
+  });
+
+  return {
+    filekey,
+    downloadEncryptedQueryParam,
+    aeskey: aeskey.toString("hex"),
+    fileSize: rawsize,
+    fileSizeCiphertext: filesize,
+  };
+}
+
+/** Upload a local image file to the Weixin CDN with AES-128-ECB encryption. */
+export async function uploadFileToWeixin(params: {
+  filePath: string;
+  toUserId: string;
+  opts: WeixinApiOptions;
+  cdnBaseUrl: string;
+}): Promise<UploadedFileInfo> {
+  return uploadMediaToCdn({
+    ...params,
+    mediaType: UploadMediaType.IMAGE,
+    label: "uploadFileToWeixin",
+  });
+}
+
+/** Upload a local video file to the Weixin CDN. */
+export async function uploadVideoToWeixin(params: {
+  filePath: string;
+  toUserId: string;
+  opts: WeixinApiOptions;
+  cdnBaseUrl: string;
+}): Promise<UploadedFileInfo> {
+  return uploadMediaToCdn({
+    ...params,
+    mediaType: UploadMediaType.VIDEO,
+    label: "uploadVideoToWeixin",
+  });
+}
+
+/**
+ * Upload a local file attachment (non-image, non-video) to the Weixin CDN.
+ * Uses media_type=FILE; no thumbnail required.
+ */
+export async function uploadFileAttachmentToWeixin(params: {
+  filePath: string;
+  fileName: string;
+  toUserId: string;
+  opts: WeixinApiOptions;
+  cdnBaseUrl: string;
+}): Promise<UploadedFileInfo> {
+  return uploadMediaToCdn({
+    ...params,
+    mediaType: UploadMediaType.FILE,
+    label: "uploadFileAttachmentToWeixin",
+  });
+}