diff --git a/pkg/channels/wecom.go b/pkg/channels/wecom.go index 33afef17a..404949e07 100644 --- a/pkg/channels/wecom.go +++ b/pkg/channels/wecom.go @@ -220,7 +220,9 @@ func (c *WeComBotChannel) handleVerification(ctx context.Context, w http.Respons } // Decrypt echostr - decryptedEchoStr, err := WeComDecryptMessage(echostr, c.config.EncodingAESKey) + // For AIBOT (智能机器人), receiveid should be empty string "" + // Reference: https://developer.work.weixin.qq.com/document/path/101033 + decryptedEchoStr, err := WeComDecryptMessageWithVerify(echostr, c.config.EncodingAESKey, "") if err != nil { logger.ErrorCF("wecom", "Failed to decrypt echostr", map[string]interface{}{ "error": err.Error(), @@ -280,7 +282,9 @@ func (c *WeComBotChannel) handleMessageCallback(ctx context.Context, w http.Resp } // Decrypt message - decryptedMsg, err := WeComDecryptMessage(encryptedMsg.Encrypt, c.config.EncodingAESKey) + // For AIBOT (智能机器人), receiveid should be empty string "" + // Reference: https://developer.work.weixin.qq.com/document/path/101033 + decryptedMsg, err := WeComDecryptMessageWithVerify(encryptedMsg.Encrypt, c.config.EncodingAESKey, "") if err != nil { logger.ErrorCF("wecom", "Failed to decrypt message", map[string]interface{}{ "error": err.Error(), diff --git a/pkg/channels/wecom_app.go b/pkg/channels/wecom_app.go index 783d381f2..63a1dd815 100644 --- a/pkg/channels/wecom_app.go +++ b/pkg/channels/wecom_app.go @@ -230,6 +230,14 @@ func (c *WeComAppChannel) Send(ctx context.Context, msg bus.OutboundMessage) err func (c *WeComAppChannel) handleWebhook(w http.ResponseWriter, r *http.Request) { ctx := r.Context() + // Log all incoming requests for debugging + logger.DebugCF("wecom_app", "Received webhook request", map[string]interface{}{ + "method": r.Method, + "url": r.URL.String(), + "path": r.URL.Path, + "query": r.URL.RawQuery, + }) + if r.Method == http.MethodGet { // Handle verification request c.handleVerification(ctx, w, r) @@ -242,6 +250,9 @@ func (c *WeComAppChannel) handleWebhook(w http.ResponseWriter, r *http.Request) return } + logger.WarnCF("wecom_app", "Method not allowed", map[string]interface{}{ + "method": r.Method, + }) http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) } @@ -253,28 +264,55 @@ func (c *WeComAppChannel) handleVerification(ctx context.Context, w http.Respons nonce := query.Get("nonce") echostr := query.Get("echostr") + logger.DebugCF("wecom_app", "Handling verification request", map[string]interface{}{ + "msg_signature": msgSignature, + "timestamp": timestamp, + "nonce": nonce, + "echostr": echostr, + "corp_id": c.config.CorpID, + }) + if msgSignature == "" || timestamp == "" || nonce == "" || echostr == "" { + logger.ErrorC("wecom_app", "Missing parameters in verification request") http.Error(w, "Missing parameters", http.StatusBadRequest) return } // Verify signature if !WeComVerifySignature(c.config.Token, msgSignature, timestamp, nonce, echostr) { - logger.WarnC("wecom_app", "Signature verification failed") + logger.WarnCF("wecom_app", "Signature verification failed", map[string]interface{}{ + "token": c.config.Token, + "msg_signature": msgSignature, + "timestamp": timestamp, + "nonce": nonce, + }) http.Error(w, "Invalid signature", http.StatusForbidden) return } - // Decrypt echostr - decryptedEchoStr, err := WeComDecryptMessage(echostr, c.config.EncodingAESKey) + logger.DebugC("wecom_app", "Signature verification passed") + + // Decrypt echostr with CorpID verification + // For WeCom App (自建应用), receiveid should be corp_id + logger.DebugCF("wecom_app", "Attempting to decrypt echostr", map[string]interface{}{ + "encoding_aes_key": c.config.EncodingAESKey, + "corp_id": c.config.CorpID, + }) + decryptedEchoStr, err := WeComDecryptMessageWithVerify(echostr, c.config.EncodingAESKey, c.config.CorpID) if err != nil { logger.ErrorCF("wecom_app", "Failed to decrypt echostr", map[string]interface{}{ - "error": err.Error(), + "error": err.Error(), + "encoding_aes_key": c.config.EncodingAESKey, + "corp_id": c.config.CorpID, }) http.Error(w, "Decryption failed", http.StatusInternalServerError) return } + logger.DebugCF("wecom_app", "Successfully decrypted echostr", map[string]interface{}{ + "decrypted": decryptedEchoStr, + }) + // Remove BOM and whitespace as per WeCom documentation // The response must be plain text without quotes, BOM, or newlines decryptedEchoStr = strings.TrimSpace(decryptedEchoStr) @@ -325,8 +363,9 @@ func (c *WeComAppChannel) handleMessageCallback(ctx context.Context, w http.Resp return } - // Decrypt message - decryptedMsg, err := WeComDecryptMessage(encryptedMsg.Encrypt, c.config.EncodingAESKey) + // Decrypt message with CorpID verification + // For WeCom App (自建应用), receiveid should be corp_id + decryptedMsg, err := WeComDecryptMessageWithVerify(encryptedMsg.Encrypt, c.config.EncodingAESKey, c.config.CorpID) if err != nil { logger.ErrorCF("wecom_app", "Failed to decrypt message", map[string]interface{}{ "error": err.Error(), diff --git a/pkg/channels/wecom_common.go b/pkg/channels/wecom_common.go index 16a25fad6..3e3908622 100644 --- a/pkg/channels/wecom_common.go +++ b/pkg/channels/wecom_common.go @@ -12,6 +12,8 @@ import ( "fmt" "sort" "strings" + + "github.com/sipeed/picoclaw/pkg/logger" ) // WeComVerifySignature verifies the message signature for WeCom @@ -37,7 +39,20 @@ func WeComVerifySignature(token, msgSignature, timestamp, nonce, msgEncrypt stri // WeComDecryptMessage decrypts the encrypted message using AES // This is a common function used by both WeCom Bot and WeCom App +// For AIBOT, receiveid should be the aibotid; for other apps, it should be corp_id func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) { + return WeComDecryptMessageWithVerify(encryptedMsg, encodingAESKey, "") +} + +// WeComDecryptMessageWithVerify decrypts the encrypted message and optionally verifies receiveid +// receiveid: for AIBOT use aibotid, for WeCom App use corp_id. If empty, skip verification. +func WeComDecryptMessageWithVerify(encryptedMsg, encodingAESKey, receiveid string) (string, error) { + logger.DebugCF("wecom_common", "Starting decryption", map[string]interface{}{ + "encodingAESKey_len": len(encodingAESKey), + "receiveid": receiveid, + "encryptedMsg_len": len(encryptedMsg), + }) + if encodingAESKey == "" { // No encryption, return as is (base64 decode) decoded, err := base64.StdEncoding.DecodeString(encryptedMsg) @@ -50,14 +65,27 @@ func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) { // Decode AES key (base64) aesKey, err := base64.StdEncoding.DecodeString(encodingAESKey + "=") if err != nil { + logger.ErrorCF("wecom_common", "Failed to decode AES key", map[string]interface{}{ + "error": err.Error(), + "key": encodingAESKey, + }) return "", fmt.Errorf("failed to decode AES key: %w", err) } + logger.DebugCF("wecom_common", "AES key decoded", map[string]interface{}{ + "key_len": len(aesKey), + }) // Decode encrypted message cipherText, err := base64.StdEncoding.DecodeString(encryptedMsg) if err != nil { + logger.ErrorCF("wecom_common", "Failed to decode message", map[string]interface{}{ + "error": err.Error(), + }) return "", fmt.Errorf("failed to decode message: %w", err) } + logger.DebugCF("wecom_common", "Message decoded", map[string]interface{}{ + "cipher_len": len(cipherText), + }) // AES decrypt block, err := aes.NewCipher(aesKey) @@ -66,42 +94,79 @@ func WeComDecryptMessage(encryptedMsg, encodingAESKey string) (string, error) { } if len(cipherText) < aes.BlockSize { - return "", fmt.Errorf("ciphertext too short") + return "", fmt.Errorf("ciphertext too short: %d < %d", len(cipherText), aes.BlockSize) } - mode := cipher.NewCBCDecrypter(block, aesKey[:aes.BlockSize]) + // IV is the first 16 bytes of AESKey + iv := aesKey[:aes.BlockSize] + mode := cipher.NewCBCDecrypter(block, iv) plainText := make([]byte, len(cipherText)) mode.CryptBlocks(plainText, cipherText) // Remove PKCS7 padding - plainText, err = pkcs7UnpadWeCom(plainText) + unpaddedText, err := pkcs7UnpadWeCom(plainText) if err != nil { + lastByte := -1 + if len(plainText) > 0 { + lastByte = int(plainText[len(plainText)-1]) + } + logger.ErrorCF("wecom_common", "PKCS7 unpad failed", map[string]interface{}{ + "error": err.Error(), + "plain_len": len(plainText), + "last_byte": lastByte, + }) return "", fmt.Errorf("failed to unpad: %w", err) } + plainText = unpaddedText // Parse message structure - // Format: random(16) + msg_len(4) + msg + corp_id + // Format: random(16) + msg_len(4) + msg + receiveid if len(plainText) < 20 { return "", fmt.Errorf("decrypted message too short") } msgLen := binary.BigEndian.Uint32(plainText[16:20]) + logger.DebugCF("wecom_common", "Message structure parsed", map[string]interface{}{ + "msg_len": msgLen, + "plain_len": len(plainText), + "total_expected": 20 + int(msgLen), + }) + if int(msgLen) > len(plainText)-20 { - return "", fmt.Errorf("invalid message length") + return "", fmt.Errorf("invalid message length: %d > %d", msgLen, len(plainText)-20) } msg := plainText[20 : 20+msgLen] + // Verify receiveid if provided + if receiveid != "" && len(plainText) > 20+int(msgLen) { + actualReceiveID := string(plainText[20+msgLen:]) + logger.DebugCF("wecom_common", "ReceiveID verification", map[string]interface{}{ + "expected": receiveid, + "actual": actualReceiveID, + }) + if actualReceiveID != receiveid { + return "", fmt.Errorf("receiveid mismatch: expected %s, got %s", receiveid, actualReceiveID) + } + } + + logger.DebugCF("wecom_common", "Decryption successful", map[string]interface{}{ + "msg_len": len(msg), + }) return string(msg), nil } // pkcs7UnpadWeCom removes PKCS7 padding with validation +// WeCom uses block size of 32 (not standard AES block size of 16) +const wecomBlockSize = 32 + func pkcs7UnpadWeCom(data []byte) ([]byte, error) { if len(data) == 0 { return data, nil } padding := int(data[len(data)-1]) - if padding == 0 || padding > aes.BlockSize { + // WeCom uses 32-byte block size for PKCS7 padding + if padding == 0 || padding > wecomBlockSize { return nil, fmt.Errorf("invalid padding size: %d", padding) } if padding > len(data) {