f

app/main/api/internal/logic/user/wxminiauthlogic.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 
 	"qnc-server/app/main/api/internal/svc"
@@ -33,8 +35,14 @@ func NewWxMiniAuthLogic(ctx context.Context, svcCtx *svc.ServiceContext) *WxMini
 }
 
 func (l *WxMiniAuthLogic) WxMiniAuth(req *types.WXMiniAuthReq) (resp *types.WXMiniAuthResp, err error) {
+	code := strings.TrimSpace(req.Code)
+	if code == "" || code == "the code is a mock one" || strings.Contains(code, " ") {
+		return nil, errors.Wrapf(xerr.NewErrMsg("微信登录凭证无效，请重新打开小程序"),
+			"无效的微信 code: %q", req.Code)
+	}
+
 	// 1. 获取session_key和openid
-	sessionKeyResp, err := l.GetSessionKey(req.Code)
+	sessionKeyResp, err := l.GetSessionKey(code)
 	if err != nil {
 		return nil, errors.Wrapf(xerr.NewErrCode(xerr.SERVER_COMMON_ERROR), "获取session_key失败: %v", err)
 	}
@@ -104,10 +112,10 @@ func (l *WxMiniAuthLogic) GetSessionKey(code string) (*SessionKeyResp, error) {
 	appID = l.svcCtx.Config.WechatMini.AppID
 	appSecret = l.svcCtx.Config.WechatMini.AppSecret
 
-	url := fmt.Sprintf("https://api.weixin.qq.com/sns/jscode2session?appid=%s&secret=%s&js_code=%s&grant_type=authorization_code",
-		appID, appSecret, code)
+	apiURL := fmt.Sprintf("https://api.weixin.qq.com/sns/jscode2session?appid=%s&secret=%s&js_code=%s&grant_type=authorization_code",
+		url.QueryEscape(appID), url.QueryEscape(appSecret), url.QueryEscape(code))
 
-	resp, err := http.Get(url)
+	resp, err := http.Get(apiURL)
 	if err != nil {
 		return nil, errors.Wrapf(xerr.NewErrCode(xerr.SERVER_COMMON_ERROR), "获取session_key失败: %v", err)
 	}