wechaty / puppet-official-account

Wechaty Puppet for WeChat Official Account
https://wechaty.js.org/2020/11/06/wechaty-puppet-oa-released-en/
Apache License 2.0

custom the access token endpoint #15

Open wj-Mcat opened 3 years ago

wj-Mcat commented 3 years ago

White IP Address will only work in the access_token interface.

refer to : “获取access_token”接口新增IP白名单保护

And if the puppet is deployed at dynamic local subnet, there will be dynamic address which makes it difficult when setting white IP address. Of course, there are many solutions to resolve it, but we always find the easiest way:

If refreshAccessToken service can be customized into a center place which store and lazy refresh the access_token, it will be easy to scale wechaty official-account.

As my consideration, we can build a docker which serves as an accessToken center, and refreshAccessToken address can be customized by environment variables.

@huan What do you think about it?

huan commented 3 years ago

I guess I need some time to understand the reason why we need to build a central place for accessToken because it makes things complicated.

Could you explain why the current design can not fulfill your requirements?

wj-Mcat commented 3 years ago

It makes things complicated, because it's a complicated thing.

Problems: wechaty-puppet-official-account will be deployed on a docker cluster server. If it is dead at some time, it will be deployed on another docker host machine which is chosen in a dynamic mode. So, when puppet-oa fetches the accessToken, the white IP address will change and the Tencent server will refuse the request because the IP address is not in the white IP address list. So, how can we resolve this problem?

Solution:

As our consideration, all of the solutions will try to keep an agent, which has a static IP address, fetching the accessToken.

  1. Change the iptables to reroute all of the Tencent server requests. First, this will only change the network configuration to fit our need, and will redirect all of the Tencent requests. Second, there will exist an agent to receive your rerouted request to help you do the job.
  2. Change the endpoint of updateAccessToken. First, this will add some environment variable configuration and change one method in puppet-oa, but the changes are tiny. Second, there will exist an agent to receive your updateAccessToken request and help you refresh the accessToken.
  3. Create a forward proxy server to reroute your request to an agent. First, this should configure the nginx forward proxy server in every docker host machine, which is a lot of work. Second, there also will exist an agent to help you do your job.

So, after we weigh it up, we will choose the second solution to help us resolve this problem. @huan what do you think about it?
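The "access token center" sketched in the two comments above (a central place that stores the token and refreshes it lazily, reached through an endpoint chosen by an environment variable), as an added example that is not code from wechaty or puppet-official-account. The environment variable name `WECHATY_ACCESS_TOKEN_PROXY_URL`, the class and function names, and the fake fetcher are assumptions made for this example; the `/token` suffix follows the request URL shape shown later in the thread.

```javascript
// Added example (not project code): a minimal access-token center with lazy
// refresh. Puppets on dynamic-IP hosts ask this agent for the token, so only
// the agent's static IP needs to be on Tencent's white list, and only the
// agent ever holds the appsecret; puppets receive the short-lived token only.

// Default: the official WeChat "获取access_token" endpoint. The env var name
// below is an assumption chosen for this example, not a wechaty setting.
const DEFAULT_TOKEN_ENDPOINT = 'https://api.weixin.qq.com/cgi-bin/token'

// Pick the custom center URL when configured, otherwise the Tencent endpoint.
function resolveTokenEndpoint (env = process.env) {
  const custom = env.WECHATY_ACCESS_TOKEN_PROXY_URL
  if (custom && /^https?:\/\//.test(custom)) {
    return custom.replace(/\/+$/, '') + '/token'   // http://url-of-your-host/token
  }
  return DEFAULT_TOKEN_ENDPOINT
}

class AccessTokenCenter {
  // fetchToken: async () => ({ access_token, expires_in })  (expires_in in seconds)
  // now: clock in milliseconds, injectable so refresh logic can be exercised offline
  constructor (fetchToken, { safetyMarginSec = 300, now = () => Date.now() } = {}) {
    this.fetchToken = fetchToken
    this.safetyMarginMs = safetyMarginSec * 1000
    this.now = now
    this.token = null
    this.expiresAt = 0
    this.inflight = null      // single-flight: concurrent callers share one refresh
    this.refreshCount = 0     // how many upstream calls were actually made
  }

  // Fresh only if the token will still be valid after the safety margin.
  isFresh () {
    return this.token !== null && this.now() + this.safetyMarginMs < this.expiresAt
  }

  // Lazy refresh: hit upstream only when the cached token is missing or stale,
  // and never more than once at a time even under a burst of requests.
  async getToken () {
    if (this.isFresh()) return this.token
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null })
    }
    return this.inflight
  }

  async refresh () {
    const res = await this.fetchToken()
    // Validate the upstream shape before caching anything; a bad response must
    // not poison the cache or be handed to puppets.
    if (!res || typeof res.access_token !== 'string' || !(res.expires_in > 0)) {
      throw new Error('invalid token response: ' + JSON.stringify(res))
    }
    this.token = res.access_token
    this.expiresAt = this.now() + res.expires_in * 1000
    this.refreshCount += 1
    return this.token
  }

  // Seconds of validity left, as a center would report to a puppet.
  remainingSec () {
    return Math.max(0, Math.floor((this.expiresAt - this.now()) / 1000))
  }
}

// Constructed fake fetcher for offline use: numbers its tokens and mimics the
// 7200-second lifetime of a real response, without any network access.
function makeFakeFetcher () {
  let n = 0
  return async () => ({ access_token: 'TOKEN_' + (++n), expires_in: 7200 })
}

// Walk through one lifecycle: a concurrent burst, then time passes into the
// safety margin and a single lazy refresh happens.
async function demo () {
  let clock = 0
  const center = new AccessTokenCenter(makeFakeFetcher(), { now: () => clock })
  const first = await Promise.all([center.getToken(), center.getToken()])
  clock += 7000 * 1000                     // 200 s left: inside the 300 s margin
  const second = await center.getToken()
  return { first, second, refreshCount: center.refreshCount }
}
```

The single-flight `inflight` promise is what keeps a restarted cluster of puppets from stampeding the Tencent endpoint when they all come up with an empty cache; the validation in `refresh()` means a failed or malformed upstream reply is surfaced as an error rather than cached, and the next caller retries.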

huan commented 3 years ago

I have two questions about our problem:

  1. Do we have to enable the white list? Is it possible to just disable it?
  2. Can we add all our docker cluster IP address/network to the white list? If not, why?

wj-Mcat commented 3 years ago

How to set accessTokenProxyUrl:

Then the final request URL will be: http://url-of-your-host/token?