From 4b8af75652be8915b265368641dbd6594d482904 Mon Sep 17 00:00:00 2001
From: laodaming <11058467+laudamine@user.noreply.gitee.com>
Date: Tue, 7 Nov 2023 11:23:30 +0800
Subject: [PATCH] fix

---
 .../internal/logic/webhooklogic.go | 44 +++++++++----------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/server/feishu-sync/internal/logic/webhooklogic.go b/server/feishu-sync/internal/logic/webhooklogic.go
index 13d4fba8..ea5efc18 100644
--- a/server/feishu-sync/internal/logic/webhooklogic.go
+++ b/server/feishu-sync/internal/logic/webhooklogic.go
@@ -4,8 +4,10 @@ import (
 "context"
 "crypto/sha256"
 "encoding/json"
+ "fmt"
 "io"
 "net/http"
+ "strings"
 
 "fusenapi/server/feishu-sync/internal/svc"
 "github.com/zeromicro/go-zero/core/logx"
@@ -51,10 +53,14 @@ func (l *WebhookLogic) Webhook(w http.ResponseWriter, r *http.Request) {
 logx.Error("读取请求body失败", err)
 return
 }
-logx.Info("收到头消息:", r.Header)
-logx.Info("收到body消息:", string(bodyBytes))
-//验证消息合法性
-if !l.VerifyWebhook(r.Header, bodyBytes, "DmiHQ2bHhKiR3KK4tIjLShbs13eErxKA") {
+//计算签名
+timestamp := r.Header.Get("X-Lark-Request-Timestamp")
+nonce := r.Header.Get("X-Lark-Request-Nonce")
+encryptKey := "DmiHQ2bHhKiR3KK4tIjLShbs13eErxKA"
+signature := r.Header.Get("X-Lark-Signature")
+sign := l.calculateSignature(timestamp, nonce, encryptKey, bodyBytes)
+if signature != sign {
+logx.Error("非法的消息,签名验证不通过", sign, "====", signature)
 return
 }
 defer r.Body.Close()
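Review bot: The `if signature != sign` check compares the two hex digests with a plain string comparison, which stops at the first differing byte; use `hmac.Equal([]byte(signature), []byte(sign))` from crypto/hmac so the comparison is constant-time. The line `encryptKey := "DmiHQ2bHhKiR3KK4tIjLShbs13eErxKA"` commits a live secret to source (and now to git history) — it should be read from the service configuration (presumably reachable through the svc context this package already imports) and the committed value rotated. Nothing in the hunk checks that `X-Lark-Request-Timestamp` is recent, so a captured request with a valid signature can be replayed indefinitely; because the signature binds the timestamp, rejecting stale values bounds that window (assuming the header is a Unix timestamp in seconds, as the Lark docs describe — confirm). The rejection path also returns without writing a status (so the forged request gets 200 OK) and logs `sign`, the correct digest for that body, which should not end up in logs; the sketch below needs `crypto/hmac`, `strconv` and `time` imported, and the rest of Webhook continues outside the hunk.
```go
timestamp := r.Header.Get("X-Lark-Request-Timestamp")
nonce := r.Header.Get("X-Lark-Request-Nonce")
// Bound replay: the signature covers the timestamp, so a stale request is
// rejected even when its signature is valid. Assumes Unix seconds — confirm.
ts, err := strconv.ParseInt(timestamp, 10, 64)
if now := time.Now().Unix(); err != nil || ts < now-300 || ts > now+300 {
	logx.Error("非法的消息,时间戳无效或已过期")
	w.WriteHeader(http.StatusUnauthorized)
	return
}
// … unchanged: encryptKey (load from config, not a literal) and signature header …
sign := l.calculateSignature(timestamp, nonce, encryptKey, bodyBytes)
// Constant-time compare; plain != leaks timing on the first differing byte.
if !hmac.Equal([]byte(signature), []byte(sign)) {
	logx.Error("非法的消息,签名验证不通过")
	w.WriteHeader(http.StatusUnauthorized)
	return
}
```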
@@ -103,23 +109,17 @@ func (l *WebhookLogic) Webhook(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-// 处理逻辑后 w,r 如:重定向, resp 必须重新处理
-// func (l *WebhookLogic) AfterLogic(w http.ResponseWriter, r *http.Request, resp *basic.Response) {
-// // httpx.OkJsonCtx(r.Context(), w, resp)
-// }
-func (l *WebhookLogic) VerifyWebhook(header http.Header, bodyBytes []byte, encryptKey string) bool {
-b := []byte(header.Get("X-Lark-Request-Timestamp") + header.Get("X-Lark-Request-Nonce") + encryptKey)
-b = append(b, bodyBytes...)
+// 计算签名
+func (l *WebhookLogic) calculateSignature(timestamp, nonce, encryptKey string, body []byte) string {
+var b strings.Builder
+b.WriteString(timestamp)
+b.WriteString(nonce)
+b.WriteString(encryptKey)
+b.Write(body) //bodystring 指整个请求体,不要在反序列化后再计算
+bs := []byte(b.String())
 h := sha256.New()
-_, err := h.Write(b)
-if err != nil {
-logx.Error(err)
-return false
-}
-hashKey := h.Sum(nil)
-if string(hashKey) != header.Get("X-Lark-Signature") {
-logx.Error("无效的消息", string(b), ":------:", string(hashKey), ":-----:", header.Get("X-Lark-Signature"))
-return false
-}
-return true
+h.Write(bs)
+bs = h.Sum(nil)
+sig := fmt.Sprintf("%x", bs)
+return sig
 }
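Review bot: `calculateSignature` assembles the whole preimage in a strings.Builder and then copies it once more with `bs := []byte(b.String())` before hashing, so the request body is copied twice just to feed a hash.Hash that already accepts incremental writes; write the four parts straight into the hasher (`io.WriteString` for the strings, `h.Write(body)` for the body), after which the `strings` import is unused. Ignoring the `h.Write` result is fine — hash.Hash writers never return an error — but that deserves a one-line comment rather than silence. The function also needs an English doc comment stating that it returns the lowercase hex SHA-256 of timestamp || nonce || encryptKey || body and that `body` must be the raw request bytes, which is what the Chinese comment on `b.Write(body)` is saying; the receiver `l` is unused, so a plain function would do, though keeping the method is harmless.
```go
// calculateSignature returns the lowercase hex SHA-256 of
// timestamp || nonce || encryptKey || body, the Lark/Feishu webhook scheme.
// body must be the raw request bytes, not a re-serialised form.
func (l *WebhookLogic) calculateSignature(timestamp, nonce, encryptKey string, body []byte) string {
	h := sha256.New()
	// hash.Hash writers never return an error, so the results are not checked.
	io.WriteString(h, timestamp)
	io.WriteString(h, nonce)
	io.WriteString(h, encryptKey)
	h.Write(body)
	return fmt.Sprintf("%x", h.Sum(nil))
}
```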