/// <summary>
/// Verify the authenticity of the message and get the decrypted plaintext.
/// </summary>
/// <param name="postData">Cipher message.</param>
/// <returns>Decrypted message string.</returns>
public string DecryptMessage(string postData)
{
// This should fix the XXE loophole
var doc = new XmlDocument
{
XmlResolver = null,
};
doc.LoadXml(postData);
var root = doc.FirstChild ?? throw new ArgumentException("Invalid post data.", nameof(postData));
var encryptMessage = root["Encrypt"]?.InnerText ?? root["encrypt"]?.InnerText ?? throw new ArgumentException("Invalid post data, no encrypted field.", nameof(postData));
if (!VerificationHelper.VerifySignature(_msgSignature, _timestamp, _nonce, _token, encryptMessage))
{
throw new UnauthorizedAccessException("Signature verification failed.");
}
return(AesDecrypt(encryptMessage, _encodingAesKey, _appId));
}
/// <summary>
/// Process the request from WeChat.
/// This method can be called from inside a POST method on any Controller implementation.
/// </summary>
/// <param name="httpRequest">The HTTP request object, typically in a POST handler by a Controller.</param>
/// <param name="httpResponse">The HTTP response object.</param>
/// <param name="bot">The bot implementation.</param>
/// <param name="secretInfo">The secret info provide by WeChat.</param>
/// <param name="cancellationToken">A cancellation token that can be used by other objects
/// or threads to receive notice of cancellation.</param>
/// <returns>A task that represents the work queued to execute.</returns>
public async Task ProcessAsync(HttpRequest httpRequest, HttpResponse httpResponse, IBot bot, SecretInfo secretInfo, CancellationToken cancellationToken = default(CancellationToken))
{
_logger.LogInformation("Receive a new request from WeChat.");
if (httpRequest == null)
{
throw new ArgumentNullException(nameof(httpRequest));
}
if (httpResponse == null)
{
throw new ArgumentNullException(nameof(httpResponse));
}
if (bot == null)
{
throw new ArgumentNullException(nameof(bot));
}
if (secretInfo == null)
{
throw new ArgumentNullException(nameof(secretInfo));
}
if (!VerificationHelper.VerifySignature(secretInfo.WebhookSignature, secretInfo.Timestamp, secretInfo.Nonce, _settings.Token))
{
throw new UnauthorizedAccessException("Signature verification failed.");
}
// Return echo string when request is setting up the endpoint.
if (!string.IsNullOrEmpty(secretInfo.EchoString))
{
await httpResponse.WriteAsync(secretInfo.EchoString, cancellationToken).ConfigureAwait(false);
return;
}
// Directly return OK header to prevent WeChat from retrying.
if (!_settings.PassiveResponseMode)
{
httpResponse.StatusCode = (int)HttpStatusCode.OK;
httpResponse.ContentType = "text/event-stream";
await httpResponse.WriteAsync(string.Empty).ConfigureAwait(false);
await httpResponse.Body.FlushAsync().ConfigureAwait(false);
}
try
{
var wechatRequest = GetRequestMessage(httpRequest.Body, secretInfo);
var wechatResponse = await ProcessWeChatRequest(
wechatRequest,
bot.OnTurnAsync,
cancellationToken).ConfigureAwait(false);
// Reply WeChat(User) request have two ways, set response in http response or use background task to process the request async.
if (_settings.PassiveResponseMode)
{
httpResponse.StatusCode = (int)HttpStatusCode.OK;
httpResponse.ContentType = "text/xml";
var xmlString = WeChatMessageFactory.ConvertResponseToXml(wechatResponse);
await httpResponse.WriteAsync(xmlString).ConfigureAwait(false);
}
}
catch (Exception ex)
{
_logger.LogError(ex, "Process WeChat request failed.");
throw;
}
}