增加API检测域名

server/api/wechat/wx-config.get.ts

@@ -122,6 +122,19 @@ export default defineEventHandler(async (event): Promise<WxConfigPayload> => {
     throw createError({ statusCode: 500, statusMessage: 'Missing WECHAT_APP_ID or WECHAT_APP_SECRET in environment.' })
   }
 
+  // 限制可签名的 URL 域名：从环境变量中获取站点基准地址，仅允许该主域或其子域
+  const siteBaseUrl = process.env.NUXT_PUBLIC_SITE_URL || process.env.SITE_BASE_URL || process.env.BASE_URL || ''
+  if (!siteBaseUrl) {
+    throw createError({ statusCode: 500, statusMessage: 'Missing site base URL in environment (NUXT_PUBLIC_SITE_URL/SITE_BASE_URL/BASE_URL).' })
+  }
+
+  let allowedHostname = ''
+  try {
+    allowedHostname = new URL(siteBaseUrl).hostname
+  } catch {
+    throw createError({ statusCode: 500, statusMessage: 'Invalid site base URL in environment. Expecting an absolute URL.' })
+  }
+
   const query = getQuery(event)
   let pageUrlRaw = typeof query.url === 'string' ? query.url : ''
   // 若未传入 url，则使用当前请求完整地址（去除 hash），通常建议前端传入当前页面 URL
@@ -140,6 +153,19 @@ export default defineEventHandler(async (event): Promise<WxConfigPayload> => {
     throw createError({ statusCode: 400, statusMessage: 'Invalid url parameter. Expecting an absolute http/https URL.' })
   }
 
+  // 校验传入 URL 的域名是否在允许范围（同主域或其子域）
+  let pageHostname = ''
+  try {
+    pageHostname = new URL(pageUrl).hostname
+  } catch {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid url parameter. Expecting an absolute http/https URL.' })
+  }
+  const isSameHost = pageHostname === allowedHostname
+  const isSubdomain = pageHostname.endsWith('.' + allowedHostname)
+  if (!isSameHost && !isSubdomain) {
+    throw createError({ statusCode: 400, statusMessage: 'The url hostname is not allowed.' })
+  }
+
   const accessToken = await fetchAccessToken(appId, appSecret)
   const jsapiTicket = await fetchJsapiTicket(accessToken)