wechat_oauth2

Question

wechat_oauth2

Chen-George-Zhen opened this issue 5 years ago · comments

Unsafe redirect "https://open.weixin.qq.com/connect/oauth2/authorize?。。。。。“
source "redirect_to generate_oauth2_url(oauth2_params)"
redirect_to 方法

Eric Guo · Answer 1 · Wed Jul 17 2019 15:03:25 GMT+0800 (China Standard Time)

Kindly provide more information to check.

ChenZhen · Answer 2 · Wed Jul 17 2019 16:19:20 GMT+0800 (China Standard Time)

Get this Exception "Unsafe redirect "https://open.weixin.qq.com/connect/oauth2/authorize?appid=wx89b14e8f3cd5b096&redirect_uri=http%3A%2F%2Fde.client.com.au%2Fwechat_test&response_type=code&scope=snsapi_base&state=d9d8ad7ec7a066297b7eb5f99add4049#wechat_redirect", use :fallback_location to specify a fallback or :allow_other_host to redirect anyway.):" when use "wechat_oauth2", Maybe code " redirect_to generate_oauth2_url(oauth2_params) " , redirect_to add :allow_other_host

Eric Guo · Answer 3 · Wed Jul 17 2019 16:48:27 GMT+0800 (China Standard Time)

de.client.com.au is not in the safe whitelist in Tencent Wechat backend, please make sure filling it in dashboard, it's not a bug in this gem.

ChenZhen · Answer 4 · Wed Jul 17 2019 17:19:55 GMT+0800 (China Standard Time)

I mean "redirect_to generate_oauth2_url(oauth2_params), allow_other_host: true" to replace "redirect_to generate_oauth2_url(oauth2_params)".

Eric Guo · Answer 5 · Wed Jul 17 2019 17:27:33 GMT+0800 (China Standard Time)

allow_other_host seems introduced at Rails 5.2 and valid only for redirect_back, so using redirect_to generate_oauth2_url(oauth2_params), allow_other_host: true is wrong here IMHO.

ChenZhen · Answer 6 · Wed Jul 17 2019 17:36:18 GMT+0800 (China Standard Time)

Thanks, I used rails 6, this exception occurred when using "redirect_to other domain"

ChenZhen · Answer 7 · Wed Jul 17 2019 18:31:19 GMT+0800 (China Standard Time)

方便加下微信么！哈哈，我也是在上海，上面那个问题，应该是我没有描述清楚，我还以为你是老外!其实就是我用的 rails 6, 在调用 wechat_oauth2 这个方法的时候，redirect_to, 方法抛出了异常，提示需要添加 allow_other_host: true，选项，我fork 了一个版本，加上了就没有问题了！

Eric Guo · Answer 8 · Wed Jul 17 2019 19:03:09 GMT+0800 (China Standard Time)

我也有项目跑Rails 6，没有这个情况。。

ChenZhen · Answer 9 · Wed Jul 17 2019 20:01:23 GMT+0800 (China Standard Time)

哦哦，我是执行到这个地方的时候
https://github.com/Eric-Guo/wechat/blob/5de4131c525dac222a2a63c75ad3f534eb8d19fa/lib/wechat/controller_api.rb

def wechat_public_oauth2(oauth2_params, account = nil)
  openid  = cookies.signed_or_encrypted[:we_openid]
  unionid = cookies.signed_or_encrypted[:we_unionid]
  we_token = cookies.signed_or_encrypted[:we_access_token]
  if openid.present?
    yield openid, { 'openid' => openid, 'unionid' => unionid, 'access_token' => we_token}
  elsif params[:code].present? && params[:state] == oauth2_params[:state]
    access_info = wechat(account).web_access_token(params[:code])
    cookies.signed_or_encrypted[:we_openid] = { value: access_info['openid'], expires: self.class.oauth2_cookie_duration.from_now }
    cookies.signed_or_encrypted[:we_unionid] = { value: access_info['unionid'], expires: self.class.oauth2_cookie_duration.from_now }
    cookies.signed_or_encrypted[:we_access_token] = { value: access_info['access_token'], expires: self.class.oauth2_cookie_duration.from_now }
    yield access_info['openid'], access_info
  else
    redirect_to generate_oauth2_url(oauth2_params)
  end
end

error:

"Unsafe redirect "https://open.weixin.qq.com/connect/oauth2/authorize?appid=wx89b14e8f3cd5b096&redirect_uri=http%3A%2F%2Fxxx%2Fwechat_test&response_type=code&scope=snsapi_base&state=d9d8ad7ec7a066297b7eb5f99add4049#wechat_redirect"
use :fallback_location to specify a fallback or :allow_other_host to redirect anyway.):

然后我直接在控制器中 redirect_to "https://open.weixin.qq.com/connect/oauth2/authorize" 也会报同样的错，应该是 rails 版本的问题吧！就是 redirect_to 非当前项目域名的时候，就会这样，你可以在你的rails 6 项目，控制器中直接使用 redirect_to 试试，应该会是同样的结果

Eric Guo · Answer 10 · Wed Jul 17 2019 20:09:25 GMT+0800 (China Standard Time)

那你直接提 PR 吧，写成仅针对Rails 6即可，我直接合并。

Eric Guo · Answer 11 · Thu Jul 18 2019 05:55:53 GMT+0800 (China Standard Time)

Fix at #263