estel/estel_docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加API检测域名

Browse Source
This commit is contained in:
estel
2025-08-10 12:52:58 +08:00
parent 194bb77793
commit bb48392da4
2 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/components/shared/wxShare.vue
View File

@@ -53,7 +53,6 @@ function getWx(): WeChat | undefined {
} }
function loadWxSdk(): Promise<void> { function loadWxSdk(): Promise<void> {
console.log('loadWxSdk')
if (typeof window === 'undefined') return Promise.resolve() if (typeof window === 'undefined') return Promise.resolve()
if (getWx()) return Promise.resolve() if (getWx()) return Promise.resolve()
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {

26
server/api/wechat/wx-config.get.ts
View File

@@ -122,6 +122,19 @@ export default defineEventHandler(async (event): Promise<WxConfigPayload> => {
throw createError({ statusCode: 500, statusMessage: 'Missing WECHAT_APP_ID or WECHAT_APP_SECRET in environment.' }) throw createError({ statusCode: 500, statusMessage: 'Missing WECHAT_APP_ID or WECHAT_APP_SECRET in environment.' })
} }
// 限制可签名的 URL 域名:从环境变量中获取站点基准地址,仅允许该主域或其子域
const siteBaseUrl = process.env.NUXT_PUBLIC_SITE_URL || process.env.SITE_BASE_URL || process.env.BASE_URL || ''
if (!siteBaseUrl) {
throw createError({ statusCode: 500, statusMessage: 'Missing site base URL in environment (NUXT_PUBLIC_SITE_URL/SITE_BASE_URL/BASE_URL).' })
}
let allowedHostname = ''
try {
allowedHostname = new URL(siteBaseUrl).hostname
} catch {
throw createError({ statusCode: 500, statusMessage: 'Invalid site base URL in environment. Expecting an absolute URL.' })
}
const query = getQuery(event) const query = getQuery(event)
let pageUrlRaw = typeof query.url === 'string' ? query.url : '' let pageUrlRaw = typeof query.url === 'string' ? query.url : ''
// 若未传入 url则使用当前请求完整地址去除 hash通常建议前端传入当前页面 URL // 若未传入 url则使用当前请求完整地址去除 hash通常建议前端传入当前页面 URL
@@ -140,6 +153,19 @@ export default defineEventHandler(async (event): Promise<WxConfigPayload> => {
throw createError({ statusCode: 400, statusMessage: 'Invalid url parameter. Expecting an absolute http/https URL.' }) throw createError({ statusCode: 400, statusMessage: 'Invalid url parameter. Expecting an absolute http/https URL.' })
} }
// 校验传入 URL 的域名是否在允许范围(同主域或其子域)
let pageHostname = ''
try {
pageHostname = new URL(pageUrl).hostname
} catch {
throw createError({ statusCode: 400, statusMessage: 'Invalid url parameter. Expecting an absolute http/https URL.' })
}
const isSameHost = pageHostname === allowedHostname
const isSubdomain = pageHostname.endsWith('.' + allowedHostname)
if (!isSameHost && !isSubdomain) {
throw createError({ statusCode: 400, statusMessage: 'The url hostname is not allowed.' })
}
const accessToken = await fetchAccessToken(appId, appSecret) const accessToken = await fetchAccessToken(appId, appSecret)
const jsapiTicket = await fetchJsapiTicket(accessToken) const jsapiTicket = await fetchJsapiTicket(accessToken)