fix

2023-11-07 11:06:04 +08:00 · 2023-11-07 11:06:04 +08:00 · 96d3a9111d
commit 96d3a9111d
parent 25b774c905
1 changed files with 22 additions and 2 deletions
--- a/server/feishu-sync/internal/logic/webhooklogic.go
+++ b/server/feishu-sync/internal/logic/webhooklogic.go
@ -1,12 +1,12 @@
 package logic

 import (
+	"context"
+	"crypto/sha256"
 	"encoding/json"
 	"io"
 	"net/http"

-	"context"
-
 	"fusenapi/server/feishu-sync/internal/svc"
 	"github.com/zeromicro/go-zero/core/logx"
 )
@ -53,6 +53,10 @@ func (l *WebhookLogic) Webhook(w http.ResponseWriter, r *http.Request) {
 	}
 	logx.Info("收到头消息:", r.Header)
 	logx.Info("收到body消息:", string(bodyBytes))
+	//验证消息合法性
+	if !l.VerifyWebhook(r.Header, bodyBytes, "DmiHQ2bHhKiR3KK4tIjLShbs13eErxKA") {
+		return
+	}
 	defer r.Body.Close()
 	//如果只是验证http连接的消息
 	var webhookMsg WebhookMsg
@ -103,3 +107,19 @@ func (l *WebhookLogic) Webhook(w http.ResponseWriter, r *http.Request) {
 // func (l *WebhookLogic) AfterLogic(w http.ResponseWriter, r *http.Request, resp *basic.Response) {
 // // httpx.OkJsonCtx(r.Context(), w, resp)
 // }
+func (l *WebhookLogic) VerifyWebhook(header http.Header, bodyBytes []byte, encryptKey string) bool {
+	b := []byte(header.Get("X-Lark-Request-Timestamp") + header.Get("X-Lark-Request-Nonce") + encryptKey)
+	b = append(b, bodyBytes...)
+	h := sha256.New()
+	_, err := h.Write(b)
+	if err != nil {
+		logx.Error(err)
+		return false
+	}
+	hashKey := h.Sum(nil)
+	if string(hashKey) != header.Get("X-Lark-Signature") {
+		logx.Error("无效的消息", string(hashKey), ":-----:", header.Get("X-Lark-Signature"))
+		return false
+	}
+	return true
+}