From 4708abad5ae61310b654b337c4f86f0f85f997ef Mon Sep 17 00:00:00 2001
From: Patrick Peng Sun
Date: Sun, 16 Jul 2017 18:59:56 +1000
Subject: [PATCH] redirect now has signature check
---
 crmpixel.go | 65 ++++++++++++++++++++++++++++++++---------
 crmpixel_test.go | 2 +-
 main.go | 6 ++--
 menuClick.go | 5 ++--
 procGetBasicUserInfo.go | 2 +-
 spa/403.html | 1 +
 6 files changed, 62 insertions(+), 19 deletions(-)
diff --git a/crmpixel.go b/crmpixel.go
index 1c3b931..7e92f47 100644
--- a/crmpixel.go
+++ b/crmpixel.go
@@ -79,14 +79,25 @@ func getLeadIDFromCookie(r *http.Request) (leadID string, ok bool) {
 func createNewCookie(r *http.Request) (ret http.Cookie, info crmdLead) {
 info = crmCreateNewAnonymousLeadByHTTPRequest(r)
- ret = createNewCookieByLeadID(info.ID)
+ ret = cookieFromLeadID(info.ID)
 return
 }
-func createNewCookieByLeadID(leadID string) (ret http.Cookie) {
+func cookieFromLeadID(leadID string) (ret http.Cookie) {
+ return cookieCreateLongTerm(cookLeadID, leadID)
+}
+
+func cookieCreateLongTerm(name, value string) (ret http.Cookie) {
 expiration := time.Now().Add(10 * 365 * 24 * time.Hour)
- cookieValue := buildBiukopCLValue(leadID)
- ret = http.Cookie{Name: cookLeadID, Value: cookieValue, Expires: expiration}
+ signedValue := cookieSignValue(value)
+ ret = http.Cookie{Name: name, Value: signedValue, Expires: expiration}
+ return
+ }
+
+ func cookieCreate(name, value string, expireInSeconds int) (ret http.Cookie) {
+ expiration := time.Now().Add(time.Duration(expireInSeconds) * time.Second)
+ signedValue := cookieSignValue(value)
+ ret = http.Cookie{Name: name, Value: signedValue, Expires: expiration}
 return
 }
@@ -148,7 +159,7 @@ func buildBiukopCLsignature(id, nonce string) (timestamp, signature string) {
 return
 }
-func buildBiukopCLValue(id string) (ret string) {
+func cookieSignValue(id string) (ret string) {
 rand.Seed(time.Now().Unix())
 nonce := fmt.Sprintf("%d", rand.Intn(655352017))
 timestamp, signature := buildBiukopCLsignature(id, nonce)
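Review bot: `cookieCreateLongTerm` and `cookieCreate` build the cookie with only `Name`, `Value` and `Expires`, so the signed lead ID is sent without `HttpOnly`, `Secure` or a `Path`; with no `Path`, browsers default it to the directory of the request URL, so a cookie set from `/spa/redirect` would be scoped to `/spa/` — confirm that matches what `crmpixelCookie` sets from `/crmpixel.png`. Both helpers now share the same three statements apart from the expiry, so they can collapse into one helper that takes an `expiration time.Time` and sets the attributes in one place, e.g. `ret = http.Cookie{Name: name, Value: signedValue, Expires: expiration, Path: "/", HttpOnly: true}` (add `Secure: true` where the site is served over TLS). `cookieCreate` with `expireInSeconds <= 0` yields an `Expires` at or before now, i.e. a cookie the browser discards immediately, which deserves either a guard or a doc comment on the parameter. Related, in the next hunk the renamed `cookieSignValue` still draws its nonce from `math/rand` reseeded with `time.Now().Unix()`, so two calls within the same second can repeat the nonce; that predates this commit, but the helper is now used for every cookie this server sets.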
@@ -184,25 +195,53 @@ func crmpixelLead(id string) (info crmdLead, err error) {
 //
 func setTrackingCookieAndRecirect(w http.ResponseWriter, r *http.Request) {
- rq := r.URL.RawQuery
- m, _ := url.ParseQuery(rq)
+ //check signature and then perform redirect
+ if !checkSignatureByToken(r, IntraAPIConfig.CRMSecrete) {
+ response403Handler(w)
+ return
+ }
+
+ m, err := url.ParseQuery(r.URL.RawQuery)
+ if err != nil {
+ response400Handler(w)
+ return
+ }
+
+ url, ok := m["url"]
+ if !ok {
+ response400Handler(w)
+ return
+ }
 //set cookie if any
 leadID, ok := m["lid"]
 if ok {
 log.Println("setlead cookie :" + leadID[0])
- cookie := createNewCookieByLeadID(leadID[0])
+ cookie := cookieFromLeadID(leadID[0])
 http.SetCookie(w, &cookie)
 } else {
 cookie := crmpixelCookie(r)
 http.SetCookie(w, &cookie)
 }
- url, ok := m["url"]
+ //get expire settings if any
+ expire := 7200 //2 hours
+ expireTime, ok := m["expire"]
 if ok {
- http.Redirect(w, r, url[0], 307) //302 temp redirect
- return
+ expire, _ = strconv.Atoi(expireTime[0])
 }
- w.WriteHeader(http.StatusNotFound)
- fmt.Fprintf(w, "Not Found URL")
+
+ //set all cookie from url
+ for k, v := range m {
+ if k == "lid" || k == "url" || k == "expire" { //skip lead id and URL and expire
+ continue
+ }
+ log.Printf("set cookie %s=%s", k, v)
+ cookie := cookieCreate(k, v[0], expire)
+ http.SetCookie(w, &cookie)
+ }
+
+ //perform redirect
+ http.Redirect(w, r, url[0], 307) //302 temp redirect
+ return
 }
diff --git a/crmpixel_test.go b/crmpixel_test.go
index 32b1351..0b8e9b1 100644
--- a/crmpixel_test.go
+++ b/crmpixel_test.go
@@ -56,7 +56,7 @@ func buildReqCrmPixel() (req *http.Request) {
 }
 func buildReqRedirect() (req *http.Request) {
- req, err := http.NewRequest("GET", "/redirect?url=url=http%3A%2F%2Fkidshealth.org%2Fen%2Fparents%2Ffas.html", nil)
+ req, err := http.NewRequest("GET", "/spa/redirect?url=url=http%3A%2F%2Fkidshealth.org%2Fen%2Fparents%2Ffas.html", nil)
 if err != nil {
 log.Fatal(err)
 }
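Review bot: `url[0]` is passed to `http.Redirect` unchanged, so whether this endpoint can send a visitor to an arbitrary site depends entirely on `checkSignatureByToken` binding the signature to the `url` query value, which is not visible here; if the signature covers only a token, add a destination check such as `if !strings.HasPrefix(url[0], GlobalPath.ThisSiteURL) { response400Handler(w); return }` before the redirect. `expire, _ = strconv.Atoi(expireTime[0])` discards the parse error, so a malformed or negative `expire` leaves 0 or a negative value and `cookieCreate` emits an already-expired cookie; use `if n, err := strconv.Atoi(expireTime[0]); err == nil && n > 0 { expire = n }`. The `for k, v := range m` loop turns every remaining query parameter into a signed cookie, which presumably includes whatever parameters `buildSignatureAppend2Url` appends for the signature check, so those would land in the client's cookie jar too — confirm and skip them explicitly. Minor: `url, ok := m["url"]` shadows the `net/url` package for the rest of the function, and the `//302 temp redirect` comment contradicts the `307` it annotates; `http.StatusTemporaryRedirect` would document the intent without the comment.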
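Review bot: `buildReqRedirect` builds a `/spa/redirect` request that carries no signature parameters, so under the `checkSignatureByToken` gate added to `setTrackingCookieAndRecirect` in this commit the request should now be answered with 403 instead of a redirect; if the test consuming it still expects a 307 it will fail, and if it expects a 403 the success path has no coverage. Consider building the fixture URL through `buildSignatureAppend2Url(u, IntraAPIConfig.CRMSecrete)` the way `getBasicUserInfoEditButton` does. The query also reads `url=url=http%3A...`, which makes the `url` value the literal string `url=http://...`; that looks like a typo, though it predates this commit. The test that uses `buildReqRedirect` lies outside the hunk.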
diff --git a/main.go b/main.go
index a30383a..d531381 100644
--- a/main.go
+++ b/main.go
@@ -59,7 +59,7 @@ func setupHTTPHandler() {
 http.HandleFunc("/crmfiles/", crmAttachmentHandler)
 http.HandleFunc("/dumprequest", dumpReuestHandler)
 http.HandleFunc("/MP_verify_6JqVkftKr39GMakA.txt", mpDomainAuthSecret)
- http.HandleFunc("/redirect", setTrackingCookieAndRecirect)
+ http.HandleFunc("/spa/redirect", setTrackingCookieAndRecirect)
 http.HandleFunc("/iapi/getAccessToken", supplyAccessToken)
 http.HandleFunc("/iapi/createWechatQr", iapiCreateWechatQrCode)
 http.HandleFunc("/crmpixel.png", crmpixel) //tracking pixel.
@@ -97,10 +97,12 @@ func dumpReuestHandler(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Access-Control-Expose-Headers", "Set-Cookie,myheader,*")
 w.Header().Set("myheader", "myheader-data")
- // expiration := time.Now().Add(10 * 365 * 24 * time.Hour)
+ // expiration := time.Now().Add(time.Duration(300) * time.Second)
 // str := time.Now().String()
 // cookie := http.Cookie{Name: "username", Value: str, Expires: expiration}
 // http.SetCookie(w, &cookie)
+ // cookie1 := http.Cookie{Name: "username1", Value: str, Expires: expiration}
+ // http.SetCookie(w, &cookie1)
 fmt.Fprintf(w, `{"status":"OK"}`)
 for _, c := range r.Cookies() {
diff --git a/menuClick.go b/menuClick.go
index f56c496..5145cc3 100644
--- a/menuClick.go
+++ b/menuClick.go
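Review bot: The `dumpReuestHandler` hunk adds two more lines of commented-out cookie code beside the three already there; commented-out code accumulates and misleads readers about what the handler does, so it is better removed (version history keeps it) or replaced by a one-line comment stating the handler's purpose. The first hunk only moves the route to `/spa/redirect`, which agrees with the test fixture and the link builder changed in the same commit.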
@@ -55,13 +55,14 @@ func onMembeCredits(ss *openIDSessionData, in *InWechatMsg) {
 if found && err == nil {
 url := ""
- first := "截至" + time.Now().Format("2006-01-02 15:04:06 Mon MST -07") + " 您的积分,奖品,余额,如下\n\n" +
+ AEST, _ := time.LoadLocation("Australia/Sydney")
+ first := "截至" + time.Now().In(AEST).Format("2006-01-02 15:04") + "(澳洲东部时间) 您的积分,奖品,余额,如下\n\n" +
 "积分:无"
 name := info.LastName
 addr := info.EmailAddress
 card := info.ID
 balance := "澳币 $0 "
- remark := "奖品:无\n\n余额可联络财务兑现,奖品余额30过期" + "\n请确保您的姓名,地址信息正确"
+ remark := "奖品:无\n\n余额可联络财务兑现,奖品余额30天过期" + "\n请确保您的姓名,地址信息正确"
 templateSendAccountBalance(ss.OpenID, url, first, remark, name, addr, card, balance)
 }
diff --git a/procGetBasicUserInfo.go b/procGetBasicUserInfo.go
index 696abe6..efb6ceb 100644
--- a/procGetBasicUserInfo.go
+++ b/procGetBasicUserInfo.go
@@ -102,7 +102,7 @@ func (m crmdLead) getBasicUserInfoEditButton() (ret sendNewsArticle) {
 a.Description = ""
 a.PicURL = ""
 a.Title = "点击这里编辑您的资料"
- u := GlobalPath.ThisSiteURL + "redirect?lid=" + m.ID + "&url=" + GlobalPath.ThisSiteURL + "spa/editprofile"
+ u := GlobalPath.ThisSiteURL + "spa/redirect?lid=" + m.ID + "&url=" + GlobalPath.ThisSiteURL + "spa/editprofile"
 a.URL = buildSignatureAppend2Url(u, IntraAPIConfig.CRMSecrete)
 return a
 }
diff --git a/spa/403.html b/spa/403.html
index f22146b..7b1ac3c 100644
--- a/spa/403.html
+++ b/spa/403.html
@@ -27,6 +27,7 @@
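Review bot: `AEST, _ := time.LoadLocation("Australia/Sydney")` drops the error, and `time.Now().In(AEST)` panics when the location is nil, which is exactly what happens when the zoneinfo database is absent (minimal container images, for example), so a missing tz database would abort this handler on every credits query. Handle the error with a fixed-offset fallback, `loc, err := time.LoadLocation("Australia/Sydney"); if err != nil { loc = time.FixedZone("AEST", 10*60*60) }`, and consider loading the location once at package level rather than on every click. `AEST` is also an all-caps local name, which Go style would spell `aest` or `sydney`, and Sydney observes daylight time, so the zone is AEDT for part of the year; the displayed label 澳洲东部时间 covers both. `onMembeCredits` begins before this hunk.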

Not Autorized

Oops! 你没有访问权限

+

您的请求已经过期