add ali captcha

pkg/captcha/aliyun.go

@@ -0,0 +1,67 @@
+package captcha
+
+import (
+	"os"
+
+	captcha20230305 "github.com/alibabacloud-go/captcha-20230305/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+	"github.com/pkg/errors"
+	"github.com/zeromicro/go-zero/core/logx"
+	"tyc-server/common/xerr"
+)
+
+// Config 阿里云验证码配置（与 api internal config 解耦，供 pkg 使用）
+type Config struct {
+	AccessKeyID     string
+	AccessKeySecret string
+	EndpointURL     string
+	SceneID         string
+}
+
+// Verify 校验前端传入的 captchaVerifyParam。异常时视为通过以保证业务可用。
+func Verify(cfg Config, captchaVerifyParam string) error {
+	if os.Getenv("ENV") == "development" {
+		return nil
+	}
+	if captchaVerifyParam == "" {
+		return errors.Wrapf(xerr.NewErrMsg("图形验证码校验失败"), "empty captchaVerifyParam")
+	}
+
+	clientCfg := &openapi.Config{
+		AccessKeyId:     tea.String(cfg.AccessKeyID),
+		AccessKeySecret: tea.String(cfg.AccessKeySecret),
+	}
+	clientCfg.Endpoint = tea.String(cfg.EndpointURL)
+	clientCfg.ConnectTimeout = tea.Int(5000)
+	clientCfg.ReadTimeout = tea.Int(5000)
+
+	client, err := captcha20230305.NewClient(clientCfg)
+	if err != nil {
+		logx.Errorf("init aliyun captcha client error: %+v", err)
+		return nil
+	}
+
+	req := &captcha20230305.VerifyIntelligentCaptchaRequest{
+		SceneId:            tea.String(cfg.SceneID),
+		CaptchaVerifyParam: tea.String(captchaVerifyParam),
+	}
+
+	resp, err := client.VerifyIntelligentCaptcha(req)
+	if err != nil {
+		logx.Errorf("verify aliyun captcha error: %+v", err)
+		return nil
+	}
+	if resp.Body == nil || resp.Body.Result == nil {
+		logx.Errorf("verify aliyun captcha empty result, resp: %+v", resp)
+		return nil
+	}
+
+	if tea.BoolValue(resp.Body.Result.VerifyResult) {
+		return nil
+	}
+
+	verifyCode := tea.StringValue(resp.Body.Result.VerifyCode)
+	logx.Errorf("verify aliyun captcha failed, code: %s", verifyCode)
+	return errors.Wrapf(xerr.NewErrMsg("图形验证码校验失败"), "aliyun captcha verify fail, code: %s", verifyCode)
+}

pkg/captcha/encrypt_scene.go

@@ -0,0 +1,61 @@
+package captcha
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"time"
+)
+
+// GenerateEncryptedSceneID 按阿里云文档生成 EncryptedSceneId（仅适用于 V3 架构加密模式）。
+// 明文格式: sceneId&timestamp&expireTime
+// 加密: AES-256-CBC + PKCS7Padding，结果为 Base64( IV(16字节) + ciphertext )
+func GenerateEncryptedSceneID(sceneId, ekey string, expireSeconds int) (string, error) {
+	if expireSeconds <= 0 || expireSeconds > 86400 {
+		expireSeconds = 3600
+	}
+
+	ts := time.Now().Unix() // 秒级时间戳
+	plaintext := fmt.Sprintf("%s&%d&%d", sceneId, ts, expireSeconds)
+
+	keyBytes, err := base64.StdEncoding.DecodeString(ekey)
+	if err != nil {
+		return "", fmt.Errorf("decode ekey error: %w", err)
+	}
+	if len(keyBytes) != 32 {
+		return "", fmt.Errorf("invalid ekey length, need 32 bytes after base64 decode, got %d", len(keyBytes))
+	}
+
+	block, err := aes.NewCipher(keyBytes)
+	if err != nil {
+		return "", fmt.Errorf("new cipher error: %w", err)
+	}
+
+	iv := make([]byte, aes.BlockSize)
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return "", fmt.Errorf("read iv error: %w", err)
+	}
+
+	padded := pkcs7Pad([]byte(plaintext), aes.BlockSize)
+	ciphertext := make([]byte, len(padded))
+
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(ciphertext, padded)
+
+	out := append(iv, ciphertext...)
+	return base64.StdEncoding.EncodeToString(out), nil
+}
+
+func pkcs7Pad(src []byte, blockSize int) []byte {
+	padLen := blockSize - len(src)%blockSize
+	if padLen == 0 {
+		padLen = blockSize
+	}
+	pad := bytes.Repeat([]byte{byte(padLen)}, padLen)
+	return append(src, pad...)
+}
+