Agent-Logs-Url: https://github.com/binarywang/WxJava/sessions/d488dd87-3bc7-4498-a3df-99d106a68abe Co-authored-by: binarywang <1343140+binarywang@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 47add3a19b
```java
@Override
public boolean checkSessionKey(String openid, String sessionKey) throws WxErrorException {
  String signature = SignUtils.createHmacSha256Sign(openid, sessionKey);
```
Sign empty payload when calling checkSessionKey
The checkSessionKey signature is computed as HMAC_SHA256(openid, sessionKey), but this API expects the signature generated by signing an empty string with session_key (hmac_sha256(session_key, "")). With the current implementation, even a valid session_key will consistently produce an invalid signature error (87009), so the method cannot successfully validate a real login session.
🤖 Augment PR Summary
Summary: Adds a Mini Program server-side API wrapper to validate whether a stored login session (session_key) is still valid before sensitive operations (e.g., virtual payments).
Changes:
```java
@Override
public boolean checkSessionKey(String openid, String sessionKey) throws WxErrorException {
  String signature = SignUtils.createHmacSha256Sign(openid, sessionKey);
```
weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/api/impl/WxMaUserServiceImpl.java:103: According to the official checkSessionKey docs, the endpoint is /wxa/checksession and signature is hmac_sha256(session_key, "") (signing the empty string), so signing openid (and using /checksessionkey in the URL constant) will likely make this API always fail with 87009/invalid signature.
Severity: high
Other Locations
weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/constant/WxMaApiUrlConstants.java:371
```java
    assertNotNull(wxService.getAccessToken(true));
  }

  @Test(expectedExceptions = WxErrorException.class)
```
weixin-java-miniapp/src/test/java/cn/binarywang/wx/miniapp/api/impl/WxMaUserServiceImplTest.java:85: This test only asserts an exception for obviously-invalid inputs, so it can pass even if the request URL/signature computation is incorrect. It also doesn’t validate the success path (returning true) or the specific errcode (e.g., 87009) that the Javadoc mentions.
Severity: medium
Pull request overview
This PR adds the WeChat Mini Program server-side "check login state (api_checksessionkey)" capability to weixin-java-miniapp, so that in scenarios such as virtual payments the session_key can be verified as still valid before the user signature is built.
Changes:
- Adds the CHECK_SESSION_KEY_URL constant to WxMaApiUrlConstants.User.
- Adds the checkSessionKey(String openid, String sessionKey) method signature to WxMaUserService and implements it in WxMaUserServiceImpl: the signature is generated as HMAC_SHA256(openid, sessionKey) and a GET request is issued.
- Adds the corresponding TestNG test case (currently an "expects an exception" case).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/constant/WxMaApiUrlConstants.java | Adds the checksessionkey URL template constant for the user service implementation to call |
| weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/api/WxMaUserService.java | Exposes the checkSessionKey API and documents its usage semantics and the official doc link |
| weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/api/impl/WxMaUserServiceImpl.java | Implements the checksessionkey request and signature construction logic |
| weixin-java-miniapp/src/test/java/cn/binarywang/wx/miniapp/api/impl/WxMaUserServiceImplTest.java | Adds test coverage for checkSessionKey (currently only asserts that an exception is thrown) |
```java
  @Test(expectedExceptions = WxErrorException.class)
  public void testCheckSessionKey() throws WxErrorException {
    // Use an invalid openid and sessionKey; WeChat is expected to return an error (e.g. errcode=87009) and a WxErrorException to be thrown
```
This test case only asserts that a WxErrorException is thrown, but the "e.g. errcode=87009" in the comment does not hold: when the openid passed in is itself an invalid value, the more likely result is a different error code such as "invalid openid", so the test cannot reliably verify the "session_key expired (87009)" scenario. Suggest either dropping the hint about 87009 and only stating that an exception is expected, or using the real openid from test-config together with a deliberately expired/wrong sessionKey and asserting the specific errorCode.
Suggested change:
```diff
-    // Use an invalid openid and sessionKey; WeChat is expected to return an error (e.g. errcode=87009) and a WxErrorException to be thrown
+    // Use an invalid openid and sessionKey; WeChat is expected to return an error and a WxErrorException to be thrown
```
The WeChat Mini Program server-side API lacks the check-login-state (api_checksessionkey) interface, which in scenarios such as virtual payments must be called before building the user signature to verify that the session_key is valid.
Changes
- WxMaApiUrlConstants.User: add the CHECK_SESSION_KEY_URL constant (https://api.weixin.qq.com/wxa/checksessionkey)
- WxMaUserService: add the checkSessionKey(String openid, String sessionKey) method to the interface; returns true when the login state is valid and throws WxErrorException (errcode 87009) when it has expired
- WxMaUserServiceImpl: implement the method, building the signature with HMAC_SHA256(openid, sessionKey) and issuing a GET request
Usage example
Reference: official docs: api_checksessionkey
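The signing rule that the Codex and Augment comments above describe (hmac_sha256 with session_key as the key over the empty string, sent to /wxa/checksession rather than the PR's /wxa/checksessionkey), worked through as an added example that is not part of this PR or of WxJava. It is written in Python so the HMAC semantics are shown language-neutrally; the Java equivalent is javax.crypto.Mac with algorithm "HmacSHA256", initialised with the session_key bytes and given an empty message. The query parameter names (access_token, signature, openid, sig_method=hmac_sha256) and the errcode meanings are assumptions taken from the official checksession documentation, not from this page; the session_key, openid and JSON replies are constructed inputs. Unlike the PR, which throws for 87009, the example maps 87009 to `False` and raises only for other error codes, so a caller can tell "session expired" apart from "misconfigured request".

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Endpoint named in the review comments: /wxa/checksession (not /wxa/checksessionkey).
CHECK_SESSION_URL = "https://api.weixin.qq.com/wxa/checksession"


def check_session_signature(session_key: str) -> str:
    """hmac_sha256(session_key, ""): the session_key is the HMAC *key*; the message is empty."""
    return hmac.new(session_key.encode("utf-8"), b"", hashlib.sha256).hexdigest()


def pr_signature(openid: str, session_key: str) -> str:
    """What the PR computes: the openid is signed as the message.
    WeChat never expects this value, so even a valid session_key yields errcode 87009."""
    return hmac.new(session_key.encode("utf-8"), openid.encode("utf-8"), hashlib.sha256).hexdigest()


def build_check_session_url(access_token: str, openid: str, session_key: str) -> str:
    """Assemble the GET request. Parameter names are assumed from the official docs."""
    params = {
        "access_token": access_token,
        "signature": check_session_signature(session_key),
        "openid": openid,
        "sig_method": "hmac_sha256",
    }
    return f"{CHECK_SESSION_URL}?{urlencode(params)}"


def session_is_valid(response_body: str) -> bool:
    """Interpret the JSON reply.
    errcode 0     -> session_key still valid
    errcode 87009 -> invalid signature, i.e. the stored session_key is no longer usable;
                     this is the case a caller must handle before building a payment signature
    anything else -> transport/config error (bad access_token, bad openid, ...) which must
                     not be mistaken for either of the above."""
    body = json.loads(response_body)
    errcode = int(body.get("errcode", 0))
    if errcode == 0:
        return True
    if errcode == 87009:
        return False
    raise RuntimeError(f"checksession failed: errcode={errcode} errmsg={body.get('errmsg')}")


if __name__ == "__main__":
    # Constructed sample values; not real WeChat credentials or a real openid.
    session_key = "tiihtNczf5v6AKRyjwEUhQ=="
    openid = "oXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    print(build_check_session_url("ACCESS_TOKEN", openid, session_key))
    print("correct :", check_session_signature(session_key))
    print("PR      :", pr_signature(openid, session_key))
    print(session_is_valid('{"errcode":0,"errmsg":"ok"}'))
    print(session_is_valid('{"errcode":87009,"errmsg":"invalid signature"}'))
```

The two signatures printed side by side never agree, which is exactly why the PR's method cannot succeed against a live session. Treat the session_key as a secret throughout: it is an HMAC key, so it must not appear in logs or in the request URL itself.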