# 创建项目目录
mkdir -p /opt/wechat
cd /opt/wechat

# 创建虚拟环境
python3 -m venv venv
source venv/bin/activate

# flask: Web框架
# flask-sock: WebSocket支持
# cryptography: 用于企业微信消息加解密
# requests: 调用企微信API
pip install flask flask-sock cryptography requests

import os
import json
import time
import hashlib
import base64
import logging
import random
import string
from flask import Flask, request, abort, jsonify
from flask_sock import Sock
from Crypto.Cipher import AES
from cryptography.hazmat.primitives import padding
import requests
import xml.etree.ElementTree as ET

# ================= 配置区域 =================
#配置，企业ID
CORP_ID = "第一步获取的:企业ID"
#配置，应用ID，int类型
AGENT_ID = 第一步获取的:应用ID
#配置，应用秘钥
SECRET = "第一步获取的:应用Secret"
#配置，消息回调api的Token
TOKEN = "第一步获取的:消息回调api的Token"
#配置，消息回调api的EncodingAESKey
ENCODING_AES_KEY_RAW = "第一步获取的:消息回调api的EncodingAESKey"
#配置，客户端WebSocket连接认证
AUTH_TOKEN = "自定义一个客户端连接WebSocket的密码" 
########################################################################



GET_TOKEN_URL = "https://qyapi.weixin.qq.com/cgi-bin/gettoken"
SEND_MESSAGE_URL = "https://qyapi.weixin.qq.com/cgi-bin/message/send"

# ================= 初始化 =================
app = Flask(__name__)
sock = Sock(app)
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

# 全局变量
access_token = None
token_expires_at = 0
client_ws_connection = None 

# ================= 工具函数：加解密 (WXBizMsgCrypt) - 已修复 =================
class WXBizMsgCrypt:
    def __init__(self, token, encoding_aes_key, corp_id):
        self.token = token
        self.corp_id = corp_id

        # 【修复点】Base64 解码需要长度是 4 的倍数。
        # 企业微信给的 Key 通常是 43 位，需要补一个 '=' 变成 44 位。
        key = encoding_aes_key
        missing_padding = len(key) % 4
        if missing_padding:
            key += '=' * (4 - missing_padding)

        try:
            self.aes_key = base64.b64decode(key)
        except Exception as e:
            logging.error(f"AES Key decoding failed: {e}")
            raise e

        self.block_size = 32

    def decrypt(self, encrypt_msg, msg_signature, timestamp, nonce):
        signature = self._generate_signature(timestamp, nonce, encrypt_msg)
        if signature != msg_signature:
            raise ValueError("Signature verification failed")

        try:
            aes_cipher = AES.new(self.aes_key, AES.MODE_CBC, self.aes_key[:16])
            decrypted = aes_cipher.decrypt(base64.b64decode(encrypt_msg))

            # 去除 PKCS7 填充
            unpadder = padding.PKCS7(8 * self.block_size).unpadder()
            unpadded_data = unpadder.update(decrypted) + unpadder.finalize()

            # 解析结构: 16字节随机串 + 4字节长度 + 消息体 + 4字节corp_id
            msg_len = int.from_bytes(unpadded_data[16:20], 'big')
            msg_content = unpadded_data[20:20+msg_len].decode('utf-8')
            recv_corp_id = unpadded_data[20+msg_len:].decode('utf-8')

            if recv_corp_id != self.corp_id:
                raise ValueError("CorpID mismatch")

            return msg_content
        except Exception as e:
            logging.error(f"Decryption error: {e}")
            raise e

    def _generate_signature(self, timestamp, nonce, encrypt_msg):
        tmp_list = [self.token, timestamp, nonce, encrypt_msg]
        tmp_list.sort()
        sha = hashlib.sha1()
        sha.update("".join(tmp_list).encode('utf-8'))
        return sha.hexdigest()

    def encrypt(self, reply_msg, timestamp, nonce):
        random_str = ''.join(random.choices(string.ascii_letters + string.digits, k=16))
        msg_bytes = reply_msg.encode('utf-8')
        msg_len = len(msg_bytes).to_bytes(4, 'big')
        corp_id_bytes = self.corp_id.encode('utf-8')

        raw_data = random_str.encode('utf-8') + msg_len + msg_bytes + corp_id_bytes

        padder = padding.PKCS7(8 * self.block_size).padder()
        padded_data = padder.update(raw_data) + padder.finalize()

        aes_cipher = AES.new(self.aes_key, AES.MODE_CBC, self.aes_key[:16])
        encrypted = aes_cipher.encrypt(padded_data)
        encrypt_msg = base64.b64encode(encrypted).decode('utf-8')

        signature = self._generate_signature(timestamp, nonce, encrypt_msg)

        return {
            "Encrypt": encrypt_msg,
            "MsgSignature": signature,
            "TimeStamp": timestamp,
            "Nonce": nonce
        }

# 使用原始 Key 初始化，类内部会自动处理 padding
cryptor = WXBizMsgCrypt(TOKEN, ENCODING_AES_KEY_RAW, CORP_ID)

# ================= Token 管理 =================
def get_access_token():
    global access_token, token_expires_at
    if access_token and time.time() < token_expires_at:
        return access_token

    url = f"{GET_TOKEN_URL}?corpid={CORP_ID}&corpsecret={SECRET}"
    try:
        resp = requests.get(url, timeout=5)
        data = resp.json()
        if data.get('errcode') == 0:
            access_token = data['access_token']
            token_expires_at = time.time() + data['expires_in'] - 200
            logging.info(f"New access token obtained.")
            return access_token
        else:
            logging.error(f"Failed to get token: {data}")
            return None
    except Exception as e:
        logging.error(f"Request token error: {e}")
        return None

# ================= WebSocket 路由 (带认证) =================
@sock.route('/ws/local_client')
def local_client(ws):
    global client_ws_connection

    # 1. 获取并验证 Token
    provided_token = request.args.get('token', '')
    if not provided_token or provided_token != AUTH_TOKEN:
        logging.warning(f"非法连接尝试！IP: {request.remote_addr}, Token: {provided_token}")
        try:
            ws.send(json.dumps({"error": "Authentication failed: Invalid token"}))
        except:
            pass
        return 

    logging.info(f"合法客户端已连接 (IP: {request.remote_addr})")
    client_ws_connection = ws

    try:
        while True:
            data = ws.receive()
            if data:
                try:
                    req_data = json.loads(data)
                    send_to_wechat(req_data)
                except json.JSONDecodeError:
                    ws.send(json.dumps({"error": "Invalid JSON"}))
    except Exception as e:
        logging.error(f"WebSocket connection error: {e}")
    finally:
        if client_ws_connection == ws:
            client_ws_connection = None
        logging.info("Client disconnected")

def send_to_wechat(payload):
    token = get_access_token()
    if not token:
        if client_ws_connection:
            client_ws_connection.send(json.dumps({"error": "Server failed to get access token"}))
        return

    full_payload = {
        "touser": payload.get("touser", "@all"),
        "msgtype": payload.get("msgtype", "text"),
        "agentid": AGENT_ID,
        "safe": 0
    }
    msg_type = payload.get("msgtype", "text")
    if msg_type in payload:
        full_payload[msg_type] = payload[msg_type]

    url = f"{SEND_MESSAGE_URL}?access_token={token}"
    try:
        resp = requests.post(url, json=full_payload, timeout=5)
        res_data = resp.json()
        if res_data.get('errcode') != 0:
            logging.error(f"Send message failed: {res_data}")
            if client_ws_connection:
                client_ws_connection.send(json.dumps({"error": f"WeChat API Error: {res_data.get('errmsg')}"}))
        else:
            logging.info(f"Message sent successfully.")
    except Exception as e:
        logging.error(f"Request send message error: {e}")

# ================= 企业微信回调路由 (HTTP) =================
@app.route('/wechat', methods=['GET', 'POST'])
def wechat_callback():
    msg_signature = request.args.get('msg_signature', '')
    timestamp = request.args.get('timestamp', '')
    nonce = request.args.get('nonce', '')
    echostr = request.args.get('echostr', '')

    if request.method == 'GET':
        if not all([msg_signature, timestamp, nonce, echostr]):
            abort(400)
        try:
            decrypt_echostr = cryptor.decrypt(echostr, msg_signature, timestamp, nonce)
            logging.info("Verification successful.")
            return decrypt_echostr
        except Exception as e:
            logging.error(f"Verification failed: {e}")
            abort(403)

    elif request.method == 'POST':
        try:
            root = ET.fromstring(request.data)
            encrypt_node = root.find('Encrypt')
            if encrypt_node is None:
                abort(400)
            encrypt_text = encrypt_node.text

            decrypted_xml_str = cryptor.decrypt(encrypt_text, msg_signature, timestamp, nonce)
            msg_root = ET.fromstring(decrypted_xml_str)

            msg_type = msg_root.find('MsgType').text
            content = msg_root.find('Content').text if msg_root.find('Content') is not None else ""
            from_user = msg_root.find('FromUserName').text
            create_time = msg_root.find('CreateTime').text

            logging.info(f"Received msg from {from_user}: {content}")

            forward_data = {
                "type": "receive",
                "data": {
                    "FromUserName": from_user,
                    "MsgType": msg_type,
                    "Content": content,
                    "Time": create_time
                }
            }

            if client_ws_connection:
                try:
                    client_ws_connection.send(json.dumps(forward_data, ensure_ascii=False))
                except Exception as e:
                    logging.error(f"Failed to forward to local: {e}")
            else:
                logging.warning("No local client connected, message dropped.")

            # 构造回复
            reply_xml = f"<xml><ToUserName><![CDATA[{from_user}]]></ToUserName><FromUserName><![CDATA[{CORP_ID}]]></FromUserName><CreateTime>{int(time.time())}</CreateTime><MsgType><![CDATA[text]]></MsgType><Content><![CDATA[收到]]></Content></xml>"
            encrypt_reply = cryptor.encrypt(reply_xml, timestamp, nonce)

            return json.dumps(encrypt_reply), 200, {'Content-Type': 'application/json'}

        except Exception as e:
            logging.error(f"Process message error: {e}")
            return "error", 200 

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5000, debug=False)

python /opt/wechat/server.py

[Unit]
Description=WeChat Bridge Service
After=network.target

[Service]
User=root
Group=root
WorkingDirectory=/opt/wechat
Environment="PATH=/opt/wechat/venv/bin"
ExecStart=/opt/wechat/venv/bin/python server.py
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl enable wechat
systemctl start wechat
systemctl status wechat

server {
    listen 443 ssl;
    server_name wechat.ffing.cn;

    ssl_certificate /etc/ssl/wechat.ffing.cn.crt;
    ssl_certificate_key /etc/ssl/wechat.ffing.cn.key;

    # SSL 优化配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # 关键：支持 WebSocket 升级
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # 增加超时时间，防止长连接断开
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}

# 可选：强制跳转 HTTPS (如果还没做)
server {
    listen 80;
    server_name wechat.ffing.cn;
    return 301 https://$host$request_uri;
}

#apt安装
systemctl restart nginx

#编译安装的nginx重启
##################
NGINX路径/nginx -s reload
#停止
NGINX路径/nginx -s stop
#启动
NGINX路径/nginx

pip install websocket-client

import websocket
import json
import threading
import time
import ssl
import certifi
from urllib.parse import urlencode

# ================= 配置区域 =================
#服务端配置的websocket中的路由
BASE_WS_URL = "wss://wechat.ffing.cn/ws/local_client"
#必须与服务器端的 AUTH_TOKEN 完全一致
AUTH_TOKEN = "服务端配置的连接WebSocket密码" 
#发送消息用户ID(从企业通讯录重查找账号即ID)
#@all为全部人群
USER_ID="接收消息用户ID"
#############################################
# 拼接带认证的 URL
WS_URL = f"{BASE_WS_URL}?token={AUTH_TOKEN}"

def on_message(ws, message):
    try:
        data = json.loads(message)
        if data.get('type') == 'receive':
            msg_data = data['data']
            print(f"\n[收到企微消息] 来自: {msg_data['FromUserName']}")
            print(f"类型: {msg_data['MsgType']}")
            print(f"内容: {msg_data['Content']}")
            print("-" * 30)
        elif data.get('error'):
            print(f"\n[服务器错误]: {data['error']}")
            if "Authentication failed" in data['error']:
                print(">>> 认证失败！请检查本地代码中的 AUTH_TOKEN 是否与服务器一致。")
                print(">>> 程序将自动退出。")
                ws.close()
        else:
            print(f"[系统消息]: {message}")
    except json.JSONDecodeError:
        print(f"[原始消息]: {message}")

def on_error(ws, error):
    print(f"[连接错误]: {error}")

def on_close(ws, close_status_code, close_msg):
    print("### 连接已关闭 ###")

def on_open(ws):
    print("### 认证成功，已连接到云服务器 ###")
    print("提示：现在可以输入消息发送给企业微信了。")

def send_loop(ws):
    while True:
        try:
            user_input = input("\n输入要发送给企微的消息 (输入 'q' 退出): ")
            if user_input.lower() == 'q':
                ws.close()
                break
            if user_input.strip():
                payload = {
                    "touser": USER_ID, 
                    "msgtype": "text",
                    "text": {"content": user_input}
                }
                ws.send(json.dumps(payload))
                print(">>> 消息发送请求已提交")
        except Exception as e:
            print(f"输入错误: {e}")

if __name__ == "__main__":
    # 如需调试网络包，可取消下面这行的注释
    # websocket.enableTrace(True) 

    print(f"正在连接: {WS_URL}")
    ws = websocket.WebSocketApp(WS_URL,
                                on_open=on_open,
                                on_message=on_message,
                                on_error=on_error,
                                on_close=on_close)

    wst = threading.Thread(target=lambda: ws.run_forever(
        sslopt={"cert_reqs": ssl.CERT_REQUIRED, "ca_certs": certifi.where()}
    ))
    wst.daemon = True
    wst.start()

    # 等待连接建立
    time.sleep(2) 

    if ws.sock and ws.sock.connected:
        send_loop(ws)
    else:
        print("无法连接到服务器。")
        print("可能原因：")
        print("1. 企业微信应用是否添加云服务器IP到企业可信IP")
        print("2. SSL证书问题")
        print("3. AUTH_TOKENT 不匹配被服务器拒绝（查看上方错误日志）")
        time.sleep(5)