feat: 各种登录方式传入invite_token

This commit is contained in:
tim
2025-08-17 12:45:58 +08:00
parent 9c3e1d17f0
commit 9ca5d7b167
7 changed files with 230 additions and 96 deletions
+45 -7
View File
@@ -20,7 +20,8 @@ async function generateCodeChallenge(codeVerifier) {
.replace(/=+$/, '')
}
export async function twitterAuthorize(state = '') {
// 邀请码明文放入 state;同时生成 csrf 放入 state 并在回调校验
export async function twitterAuthorize(inviteToken = '') {
const config = useRuntimeConfig()
const WEBSITE_BASE_URL = config.public.websiteBaseUrl
const TWITTER_CLIENT_ID = config.public.twitterClientId
@@ -28,17 +29,30 @@ export async function twitterAuthorize(state = '') {
toast.error('Twitter 登录不可用')
return
}
if (state === '') {
state = Math.random().toString(36).substring(2, 15)
}
const redirectUri = `${WEBSITE_BASE_URL}/twitter-callback`
// PKCE
const codeVerifier = generateCodeVerifier()
sessionStorage.setItem('twitter_code_verifier', codeVerifier)
const codeChallenge = await generateCodeChallenge(codeVerifier)
// CSRF + 邀请码一起放入 state
const csrf = Math.random().toString(36).slice(2)
sessionStorage.setItem('twitter_csrf_state', csrf)
const state = new URLSearchParams({
csrf,
invite_token: inviteToken || '',
}).toString()
const url =
`https://x.com/i/oauth2/authorize?response_type=code&client_id=${TWITTER_CLIENT_ID}` +
`&redirect_uri=${encodeURIComponent(redirectUri)}&scope=tweet.read%20users.read` +
`&state=${state}&code_challenge=${codeChallenge}&code_challenge_method=S256`
`https://x.com/i/oauth2/authorize?response_type=code&client_id=${encodeURIComponent(TWITTER_CLIENT_ID)}` +
`&redirect_uri=${encodeURIComponent(redirectUri)}` +
`&scope=${encodeURIComponent('tweet.read users.read')}` +
`&state=${encodeURIComponent(state)}` +
`&code_challenge=${encodeURIComponent(codeChallenge)}` +
`&code_challenge_method=S256`
window.location.href = url
}
@@ -46,8 +60,29 @@ export async function twitterExchange(code, state, reason) {
try {
const config = useRuntimeConfig()
const API_BASE_URL = config.public.apiBaseUrl
// 取出并清理 PKCE/CSRF
const codeVerifier = sessionStorage.getItem('twitter_code_verifier')
sessionStorage.removeItem('twitter_code_verifier')
const savedCsrf = sessionStorage.getItem('twitter_csrf_state')
sessionStorage.removeItem('twitter_csrf_state')
// 从 state 解析 csrf 与 invite_token
let parsedCsrf = ''
let inviteToken = ''
try {
const sp = new URLSearchParams(state || '')
parsedCsrf = sp.get('csrf') || ''
inviteToken = sp.get('invite_token') || sp.get('invitetoken') || ''
} catch {}
// 简单 CSRF 校验(存在才校验,避免误杀老会话)
if (savedCsrf && parsedCsrf && savedCsrf !== parsedCsrf) {
toast.error('登录状态校验失败,请重试')
return { success: false, needReason: false, error: 'state mismatch' }
}
const res = await fetch(`${API_BASE_URL}/api/auth/twitter`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
@@ -57,8 +92,10 @@ export async function twitterExchange(code, state, reason) {
reason,
state,
codeVerifier,
inviteToken,
}),
})
const data = await res.json()
if (res.ok && data.token) {
setToken(data.token)
@@ -77,6 +114,7 @@ export async function twitterExchange(code, state, reason) {
return { success: false, needReason: false, error: data.error || '登录失败' }
}
} catch (e) {
console.error(e)
toast.error('登录失败')
return { success: false, needReason: false, error: '登录失败' }
}