Is there something wrong with this request verification code?
Closed this issue · 3 comments
Sean-Snow commented
dispatcher/request-handle.ts
```ts
checkIsEventValidated(data: any): boolean {
  if (!this.encryptKey) {
    return true;
  }
  const {
    'x-lark-request-timestamp': timestamp,
    'x-lark-request-nonce': nonce,
    'x-lark-signature': signature,
  } = data.headers;
  const content =
    timestamp + nonce + this.encryptKey + JSON.stringify(data);
  const computedSignature = crypto
    .createHash('sha256')
    .update(content)
    .digest('hex');
  return computedSignature === signature;
}
```
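Shouldn't it be changed to the following to be correct? Here you take the signature from the headers and then include the header values in the signature calculation as well, so it seems like it will never match: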
```ts
checkIsEventValidated(data: any): boolean {
  if (!this.encryptKey) {
    return true;
  }
  const {
    'x-lark-request-timestamp': timestamp,
    'x-lark-request-nonce': nonce,
    'x-lark-signature': signature,
  } = data.headers;
  const content =
    timestamp + nonce + this.encryptKey + JSON.stringify(data.body);
  const computedSignature = crypto
    .createHash('sha256')
    .update(content)
    .digest('hex');
  return computedSignature === signature;
}
```
mazhe-nerd commented
The signature and related values are attached on the headers prototype, so it's fine.
Sean-Snow commented
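> The signature and related values are attached on the headers prototype, so it's fine.

The url_verification event isn't supported; it carries no signature information. How should this be handled? Decrypt it myself, check it, and then pass it to EventDispatcher? @mazhe-nerd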
mazhe-nerd commented
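If you use the built-in adapter, you can enable autoChallenge and the SDK will do the signature verification itself; see: https://github.com/larksuite/node-sdk/blob/main/README.zh.md#challenge%E6%A0%A1%E9%AA%8C
If you use a custom adapter, you need to implement the signature verification logic yourself; you can refer to the built-in adapter's code: https://github.com/larksuite/node-sdk/blob/main/adaptor/default.ts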
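
Added example (not part of the thread and not SDK code): why `JSON.stringify(data)` can still match the signature when `headers` is inherited from the prototype of `data`, and why it stops matching when `headers` is an own property. The `wrapRequest` helper, the key, the header values and the bodies are constructed assumptions; the missing-header guard and the constant-time comparison are additions to the check quoted in the issue.

```javascript
// Added example, not SDK code. Key, nonce, timestamp and body are constructed.
const crypto = require('node:crypto');

// Scheme quoted in the issue: hex sha256(timestamp + nonce + encryptKey + body).
function sign(timestamp, nonce, encryptKey, bodyText) {
  return crypto.createHash('sha256')
    .update(timestamp + nonce + encryptKey + bodyText)
    .digest('hex');
}

// Assumption: the adapter puts `headers` on the prototype of `data` and copies
// the parsed body fields onto it as own properties.
function wrapRequest(headers, body) {
  return Object.assign(Object.create({ headers }), body);
}

// Same hash check as in the issue, plus a missing-header guard and a
// constant-time comparison (both added here).
function checkIsEventValidated(data, encryptKey) {
  const h = data.headers || {};
  const timestamp = h['x-lark-request-timestamp'];
  const nonce = h['x-lark-request-nonce'];
  const signature = h['x-lark-signature'];
  if (!timestamp || !nonce || typeof signature !== 'string') return false;
  const computed = Buffer.from(sign(timestamp, nonce, encryptKey, JSON.stringify(data)));
  const received = Buffer.from(signature);
  return computed.length === received.length &&
    crypto.timingSafeEqual(computed, received);
}

const KEY = 'constructed-encrypt-key';
const body = { schema: '2.0', header: { event_type: 'constructed.event' }, event: { text: 'hi' } };
const headers = {
  'x-lark-request-timestamp': '1700000000',
  'x-lark-request-nonce': 'constructed-nonce',
};
headers['x-lark-signature'] = sign(
  headers['x-lark-request-timestamp'], headers['x-lark-request-nonce'],
  KEY, JSON.stringify(body));

const onPrototype = wrapRequest(headers, body);   // headers inherited, not serialized
const asOwnProperty = { headers, ...body };       // headers serialized into the hash input
const unsigned = wrapRequest({}, { type: 'url_verification', challenge: 'constructed' });

console.log(JSON.stringify(onPrototype) === JSON.stringify(body)); // true
console.log(checkIsEventValidated(onPrototype, KEY));   // true
console.log(checkIsEventValidated(asOwnProperty, KEY)); // false
console.log(checkIsEventValidated(unsigned, KEY));      // false
```

Hashing `JSON.stringify` of a parsed body only reproduces the sender's input when parsing and re-serializing round-trips the request bytes exactly, so a custom adapter that reformats the body will fail this check.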