feat: add wecom and wecomApp test

pkg/channels/wecom.go

@@ -220,7 +220,9 @@ func (c *WeComBotChannel) handleVerification(ctx context.Context, w http.Respons
 	}
 
 	// Decrypt echostr
-	decryptedEchoStr, err := WeComDecryptMessage(echostr, c.config.EncodingAESKey)
+	// For AIBOT (智能机器人), receiveid should be empty string ""
+	// Reference: https://developer.work.weixin.qq.com/document/path/101033
+	decryptedEchoStr, err := WeComDecryptMessageWithVerify(echostr, c.config.EncodingAESKey, "")
 	if err != nil {
 		logger.ErrorCF("wecom", "Failed to decrypt echostr", map[string]interface{}{
 			"error": err.Error(),
@@ -280,7 +282,9 @@ func (c *WeComBotChannel) handleMessageCallback(ctx context.Context, w http.Resp
 	}
 
 	// Decrypt message
-	decryptedMsg, err := WeComDecryptMessage(encryptedMsg.Encrypt, c.config.EncodingAESKey)
+	// For AIBOT (智能机器人), receiveid should be empty string ""
+	// Reference: https://developer.work.weixin.qq.com/document/path/101033
+	decryptedMsg, err := WeComDecryptMessageWithVerify(encryptedMsg.Encrypt, c.config.EncodingAESKey, "")
 	if err != nil {
 		logger.ErrorCF("wecom", "Failed to decrypt message", map[string]interface{}{
 			"error": err.Error(),

pkg/channels/wecom_app.go

@@ -230,6 +230,14 @@ func (c *WeComAppChannel) Send(ctx context.Context, msg bus.OutboundMessage) err
 func (c *WeComAppChannel) handleWebhook(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
+	// Log all incoming requests for debugging
+	logger.DebugCF("wecom_app", "Received webhook request", map[string]interface{}{
+		"method": r.Method,
+		"url":    r.URL.String(),
+		"path":   r.URL.Path,
+		"query":  r.URL.RawQuery,
+	})
+
 	if r.Method == http.MethodGet {
 		// Handle verification request
 		c.handleVerification(ctx, w, r)
@@ -242,6 +250,9 @@ func (c *WeComAppChannel) handleWebhook(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	logger.WarnCF("wecom_app", "Method not allowed", map[string]interface{}{
+		"method": r.Method,
+	})
 	http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 }
 
@@ -253,28 +264,55 @@ func (c *WeComAppChannel) handleVerification(ctx context.Context, w http.Respons
 	nonce := query.Get("nonce")
 	echostr := query.Get("echostr")
 
+	logger.DebugCF("wecom_app", "Handling verification request", map[string]interface{}{
+		"msg_signature": msgSignature,
+		"timestamp":     timestamp,
+		"nonce":         nonce,
+		"echostr":       echostr,
+		"corp_id":       c.config.CorpID,
+	})
+
 	if msgSignature == "" || timestamp == "" || nonce == "" || echostr == "" {
+		logger.ErrorC("wecom_app", "Missing parameters in verification request")
 		http.Error(w, "Missing parameters", http.StatusBadRequest)
 		return
 	}
 
 	// Verify signature
 	if !WeComVerifySignature(c.config.Token, msgSignature, timestamp, nonce, echostr) {
-		logger.WarnC("wecom_app", "Signature verification failed")
+		logger.WarnCF("wecom_app", "Signature verification failed", map[string]interface{}{
+			"token":         c.config.Token,
+			"msg_signature": msgSignature,
+			"timestamp":     timestamp,
+			"nonce":         nonce,
+		})
 		http.Error(w, "Invalid signature", http.StatusForbidden)
 		return
 	}
 
-	// Decrypt echostr
-	decryptedEchoStr, err := WeComDecryptMessage(echostr, c.config.EncodingAESKey)
+	logger.DebugC("wecom_app", "Signature verification passed")
+
+	// Decrypt echostr with CorpID verification
+	// For WeCom App (自建应用), receiveid should be corp_id
+	logger.DebugCF("wecom_app", "Attempting to decrypt echostr", map[string]interface{}{
+		"encoding_aes_key": c.config.EncodingAESKey,
+		"corp_id":          c.config.CorpID,
+	})
+	decryptedEchoStr, err := WeComDecryptMessageWithVerify(echostr, c.config.EncodingAESKey, c.config.CorpID)
 	if err != nil {
 		logger.ErrorCF("wecom_app", "Failed to decrypt echostr", map[string]interface{}{
-			"error": err.Error(),
+			"error":            err.Error(),
+			"encoding_aes_key": c.config.EncodingAESKey,
+			"corp_id":          c.config.CorpID,
 		})
 		http.Error(w, "Decryption failed", http.StatusInternalServerError)
 		return
 	}
 
+	logger.DebugCF("wecom_app", "Successfully decrypted echostr", map[string]interface{}{
+		"decrypted": decryptedEchoStr,
+	})
+
 	// Remove BOM and whitespace as per WeCom documentation
 	// The response must be plain text without quotes, BOM, or newlines
 	decryptedEchoStr = strings.TrimSpace(decryptedEchoStr)
@@ -325,8 +363,9 @@ func (c *WeComAppChannel) handleMessageCallback(ctx context.Context, w http.Resp
 		return
 	}
 
-	// Decrypt message
-	decryptedMsg, err := WeComDecryptMessage(encryptedMsg.Encrypt, c.config.EncodingAESKey)
+	// Decrypt message with CorpID verification
+	// For WeCom App (自建应用), receiveid should be corp_id
+	decryptedMsg, err := WeComDecryptMessageWithVerify(encryptedMsg.Encrypt, c.config.EncodingAESKey, c.config.CorpID)
 	if err != nil {
 		logger.ErrorCF("wecom_app", "Failed to decrypt message", map[string]interface{}{
 			"error": err.Error(),

pkg/channels/wecom_common.go

@@ -12,6 +12,8 @@ import (
 	"fmt"
 	"sort"
 	"strings"
+
+	"github.com/sipeed/picoclaw/pkg/logger"
 )
 
 // WeComVerifySignature verifies the message signature for WeCom
@@ -37,7 +39,20 @@ func WeComVerifySignature(token, msgSignature, timestamp, nonce, msgEncrypt stri
 
 // WeComDecryptMessage decrypts the encrypted message using AES
 // This is a common function used by both WeCom Bot and WeCom App
+// For AIBOT, receiveid should be the aibotid; for other apps, it should be corp_id
 func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) {
+	return WeComDecryptMessageWithVerify(encryptedMsg, encodingAESKey, "")
+}
+
+// WeComDecryptMessageWithVerify decrypts the encrypted message and optionally verifies receiveid
+// receiveid: for AIBOT use aibotid, for WeCom App use corp_id. If empty, skip verification.
+func WeComDecryptMessageWithVerify(encryptedMsg, encodingAESKey, receiveid string) (string, error) {
+	logger.DebugCF("wecom_common", "Starting decryption", map[string]interface{}{
+		"encodingAESKey_len": len(encodingAESKey),
+		"receiveid":          receiveid,
+		"encryptedMsg_len":   len(encryptedMsg),
+	})
+
 	if encodingAESKey == "" {
 		// No encryption, return as is (base64 decode)
 		decoded, err := base64.StdEncoding.DecodeString(encryptedMsg)
@@ -50,14 +65,27 @@ func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) {
 	// Decode AES key (base64)
 	aesKey, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
 	if err != nil {
+		logger.ErrorCF("wecom_common", "Failed to decode AES key", map[string]interface{}{
+			"error": err.Error(),
+			"key":   encodingAESKey,
+		})
 		return "", fmt.Errorf("failed to decode AES key: %w", err)
 	}
+	logger.DebugCF("wecom_common", "AES key decoded", map[string]interface{}{
+		"key_len": len(aesKey),
+	})
 
 	// Decode encrypted message
 	cipherText, err := base64.StdEncoding.DecodeString(encryptedMsg)
 	if err != nil {
+		logger.ErrorCF("wecom_common", "Failed to decode message", map[string]interface{}{
+			"error": err.Error(),
+		})
 		return "", fmt.Errorf("failed to decode message: %w", err)
 	}
+	logger.DebugCF("wecom_common", "Message decoded", map[string]interface{}{
+		"cipher_len": len(cipherText),
+	})
 
 	// AES decrypt
 	block, err := aes.NewCipher(aesKey)
@@ -66,42 +94,79 @@ func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) {
 	}
 
 	if len(cipherText) < aes.BlockSize {
-		return "", fmt.Errorf("ciphertext too short")
+		return "", fmt.Errorf("ciphertext too short: %d < %d", len(cipherText), aes.BlockSize)
 	}
 
-	mode := cipher.NewCBCDecrypter(block, aesKey[:aes.BlockSize])
+	// IV is the first 16 bytes of AESKey
+	iv := aesKey[:aes.BlockSize]
+	mode := cipher.NewCBCDecrypter(block, iv)
 	plainText := make([]byte, len(cipherText))
 	mode.CryptBlocks(plainText, cipherText)
 
 	// Remove PKCS7 padding
-	plainText, err = pkcs7UnpadWeCom(plainText)
+	unpaddedText, err := pkcs7UnpadWeCom(plainText)
 	if err != nil {
+		lastByte := -1
+		if len(plainText) > 0 {
+			lastByte = int(plainText[len(plainText)-1])
+		}
+		logger.ErrorCF("wecom_common", "PKCS7 unpad failed", map[string]interface{}{
+			"error":     err.Error(),
+			"plain_len": len(plainText),
+			"last_byte": lastByte,
+		})
 		return "", fmt.Errorf("failed to unpad: %w", err)
 	}
+	plainText = unpaddedText
 
 	// Parse message structure
-	// Format: random(16) + msg_len(4) + msg + corp_id
+	// Format: random(16) + msg_len(4) + msg + receiveid
 	if len(plainText) < 20 {
 		return "", fmt.Errorf("decrypted message too short")
 	}
 
 	msgLen := binary.BigEndian.Uint32(plainText[16:20])
+	logger.DebugCF("wecom_common", "Message structure parsed", map[string]interface{}{
+		"msg_len":        msgLen,
+		"plain_len":      len(plainText),
+		"total_expected": 20 + int(msgLen),
+	})
+
 	if int(msgLen) > len(plainText)-20 {
-		return "", fmt.Errorf("invalid message length")
+		return "", fmt.Errorf("invalid message length: %d > %d", msgLen, len(plainText)-20)
 	}
 
 	msg := plainText[20 : 20+msgLen]
 
+	// Verify receiveid if provided
+	if receiveid != "" && len(plainText) > 20+int(msgLen) {
+		actualReceiveID := string(plainText[20+msgLen:])
+		logger.DebugCF("wecom_common", "ReceiveID verification", map[string]interface{}{
+			"expected": receiveid,
+			"actual":   actualReceiveID,
+		})
+		if actualReceiveID != receiveid {
+			return "", fmt.Errorf("receiveid mismatch: expected %s, got %s", receiveid, actualReceiveID)
+		}
+	}
+
+	logger.DebugCF("wecom_common", "Decryption successful", map[string]interface{}{
+		"msg_len": len(msg),
+	})
 	return string(msg), nil
 }
 
 // pkcs7UnpadWeCom removes PKCS7 padding with validation
+// WeCom uses block size of 32 (not standard AES block size of 16)
+const wecomBlockSize = 32
+
 func pkcs7UnpadWeCom(data []byte) ([]byte, error) {
 	if len(data) == 0 {
 		return data, nil
 	}
 	padding := int(data[len(data)-1])
-	if padding == 0 || padding > aes.BlockSize {
+	// WeCom uses 32-byte block size for PKCS7 padding
+	if padding == 0 || padding > wecomBlockSize {
 		return nil, fmt.Errorf("invalid padding size: %d", padding)
 	}
 	if padding > len(data) {