fix: 修复在 Laravel 7.28 版本直接返回字符串链接造成的 StartSession::addCookieToResponse 参数错误; 增加授权链接跳转时强制使用 HTTPS 配置 (overtrue#395)

Co-authored-by: 龙权 <[email protected]>

Author: lonquan

src/Middleware/OAuthAuthenticate.php

@@ -24,11 +24,10 @@ class OAuthAuthenticate
     /**
      * Handle an incoming request.
      *
-     * @param \Illuminate\Http\Request $request
-     * @param \Closure                 $next
-     * @param string|null              $scope
-     * @param string|null              $type    : service(服务号), subscription(订阅号), work(企业微信)
-     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  string|null  $scope
+     * @param  string|null  $type : service(服务号), subscription(订阅号), work(企业微信)
      * @return mixed
      */
     public function handle($request, Closure $next, $account = 'default', $scope = null, $type = 'service')
@@ -37,9 +36,9 @@ public function handle($request, Closure $next, $account = 'default', $scope = n
         //保证兼容性
         $class = ('work' !== $type) ? 'wechat' : 'work';
         $prefix = ('work' !== $type) ? 'official_account' : 'work';
-        $sessionKey = \sprintf($class.'.oauth_user.%s', $account);
-        $config = config(\sprintf('wechat.'.$prefix.'.%s', $account), []);
-        $officialAccount = app(\sprintf('wechat.'.$prefix.'.%s', $account));
+        $sessionKey = \sprintf($class . '.oauth_user.%s', $account);
+        $config = config(\sprintf('wechat.' . $prefix . '.%s', $account), []);
+        $officialAccount = app(\sprintf('wechat.' . $prefix . '.%s', $account));
         $scope = $scope ?: Arr::get($config, 'oauth.scopes', ['snsapi_base']);
 
         if (is_string($scope)) {
@@ -49,18 +48,25 @@ public function handle($request, Closure $next, $account = 'default', $scope = n
         $session = session($sessionKey, []);
 
         if (!$session) {
+            // 是否强制使用 HTTPS 跳转
+            $enforceHttps = Arr::get($config, 'oauth.enforce_https', false);
+
             if ($request->has('code')) {
                 session([$sessionKey => $officialAccount->oauth->user() ?? []]);
                 $isNewSession = true;
 
                 event(new WeChatUserAuthorized(session($sessionKey), $isNewSession, $account));
 
-                return redirect()->to($this->getTargetUrl($request));
+                return redirect()->to($this->getTargetUrl($request, $enforceHttps));
             }
 
             session()->forget($sessionKey);
 
-            return $officialAccount->oauth->scopes($scope)->redirect($request->fullUrl());
+            // 跳转到微信授权页
+            return redirect()->away(
+                $officialAccount->oauth->scopes($scope)
+                                       ->redirect($this->getRedirectUrl($request, $enforceHttps))
+            );
         }
 
         event(new WeChatUserAuthorized(session($sessionKey), $isNewSession, $account));
@@ -71,14 +77,37 @@ public function handle($request, Closure $next, $account = 'default', $scope = n
     /**
      * Build the target business url.
      *
-     * @param Request $request
-     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  bool  $https
      * @return string
      */
-    protected function getTargetUrl($request)
+    protected function getTargetUrl($request, $https = false)
     {
         $queries = Arr::except($request->query(), ['code', 'state']);
+        $url = $request->url();
+
+        if ($https && Str::startsWith($url, 'http://')) {
+            $url = Str::replaceFirst('http', 'https', $url);
+        }
+
+        return $url . (empty($queries) ? '' : '?' . http_build_query($queries));
+    }
+
+    /**
+     * generate the redirect url
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  bool  $https
+     * @return string
+     */
+    protected function getRedirectUrl($request, $https = false)
+    {
+        if (!$https) {
+            return $request->fullUrl();
+        }
 
-        return $request->url().(empty($queries) ? '' : '?'.http_build_query($queries));
+        return Str::startsWith($request->fullUrl(), 'http://')
+            ? Str::replaceFirst('http', 'https', $request->fullUrl())
+            : $request->fullUrl();
     }
 }

src/config.php

@@ -13,11 +13,11 @@
     /*
      * 默认配置，将会合并到各模块中
      */
-    'defaults' => [
+    'defaults'         => [
         /*
          * 指定 API 调用返回结果的类型：array(default)/collection/object/raw/自定义类名
          */
-        'response_type' => 'array',
+        'response_type'     => 'array',
 
         /*
          * 使用 Laravel 的缓存系统
@@ -31,16 +31,16 @@
          *                 debug/info/notice/warning/error/critical/alert/emergency
          * file：日志文件位置(绝对路径!!!)，要求可写权限
          */
-        'log' => [
+        'log'               => [
             'level' => env('WECHAT_LOG_LEVEL', 'debug'),
-            'file' => env('WECHAT_LOG_FILE', storage_path('logs/wechat.log')),
+            'file'  => env('WECHAT_LOG_FILE', storage_path('logs/wechat.log')),
         ],
     ],
 
     /*
      * 路由配置
      */
-    'route' => [
+    'route'            => [
         /*
          * 开放平台第三方平台路由配置
          */
@@ -59,20 +59,22 @@
      */
     'official_account' => [
         'default' => [
-            'app_id' => env('WECHAT_OFFICIAL_ACCOUNT_APPID', 'your-app-id'),         // AppID
-            'secret' => env('WECHAT_OFFICIAL_ACCOUNT_SECRET', 'your-app-secret'),    // AppSecret
-            'token' => env('WECHAT_OFFICIAL_ACCOUNT_TOKEN', 'your-token'),           // Token
+            'app_id'  => env('WECHAT_OFFICIAL_ACCOUNT_APPID', 'your-app-id'),         // AppID
+            'secret'  => env('WECHAT_OFFICIAL_ACCOUNT_SECRET', 'your-app-secret'),    // AppSecret
+            'token'   => env('WECHAT_OFFICIAL_ACCOUNT_TOKEN', 'your-token'),           // Token
             'aes_key' => env('WECHAT_OFFICIAL_ACCOUNT_AES_KEY', ''),                 // EncodingAESKey
 
             /*
              * OAuth 配置
              *
              * scopes：公众平台（snsapi_userinfo / snsapi_base），开放平台：snsapi_login
              * callback：OAuth授权完成后的回调页地址(如果使用中间件，则随便填写。。。)
+             * enforce_https：是否强制使用 HTTPS 跳转
              */
-            // 'oauth' => [
-            //     'scopes'   => array_map('trim', explode(',', env('WECHAT_OFFICIAL_ACCOUNT_OAUTH_SCOPES', 'snsapi_userinfo'))),
-            //     'callback' => env('WECHAT_OFFICIAL_ACCOUNT_OAUTH_CALLBACK', '/examples/oauth_callback.php'),
+            // 'oauth'   => [
+            //     'scopes'        => array_map('trim', explode(',', env('WECHAT_OFFICIAL_ACCOUNT_OAUTH_SCOPES', 'snsapi_userinfo'))),
+            //     'callback'      => env('WECHAT_OFFICIAL_ACCOUNT_OAUTH_CALLBACK', '/examples/oauth_callback.php'),
+            //     'enforce_https' => true,
             // ],
         ],
     ],