From e2d105300731af3ad9dd398116e8f07d68b60dfa Mon Sep 17 00:00:00 2001
From: Patrick Peng Sun
Date: Thu, 6 Jul 2017 15:23:00 +1000
Subject: [PATCH] check singature by cookie (not being used)

---
 main.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/main.go b/main.go
index bffa8a5..7d0f174 100644
--- a/main.go
+++ b/main.go
@@ -53,6 +53,7 @@ func setupHTTPHandler() {
 	http.HandleFunc("/dumprequest", dumpReuestHandler)
 	http.HandleFunc("/MP_verify_6JqVkftKr39GMakA.txt", mpDomainAuthSecret)
 	http.HandleFunc("/profile_newly_register", initialRegistrationHandler)
+	http.HandleFunc("/iapi/getAccessToken", supplyAccessToken)
 	http.ListenAndServe(":65500", nil)
 }
 
@@ -95,6 +96,30 @@ func dumpReuestHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func supplyAccessToken(w http.ResponseWriter, r *http.Request) {
+	logRequestDebug(httputil.DumpRequest(r, true))
+	signature := ""
+	nonce := ""
+	timestamp := ""
+	for _, c := range r.Cookies() {
+		switch c.Name {
+		case "signature":
+			signature = c.Value
+		case "nonce":
+			nonce = c.Value
+		case "timestamp":
+			timestamp = c.Value
+		}
+	}
+	if verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete) {
+		atk, _ := GetAccessToken()
+		fmt.Fprint(w, atk)
+	} else {
+		fmt.Fprint(w, "fuck this world")
+	}
+
+}
+
 // 用户在网页授权页同意授权给公众号后,微信会将授权数据传给一个回调页面,回调页面需在此域名下,以确保安全可靠。
 // 注意事项:
 // 1、回调页面域名或路径需使用字母、数字及“-”的组合(例:wx.qq.com或wx.qq.com/mp),不支持IP地址、端口号及短链域名。填写的域名或路径需与实际回调URL中的域名或路径相同。
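Review bot: Both failure paths in supplyAccessToken answer with status 200: when verifySignature rejects the cookies the handler writes a plain text body with no status code, and when GetAccessToken returns an error it is discarded (`atk, _ := GetAccessToken()`) and whatever atk holds is written to the client. Make the outcomes explicit, e.g. `http.Error(w, "forbidden", http.StatusForbidden)` on a signature mismatch and `http.StatusInternalServerError` when the token lookup fails, and return after each. Absent cookies reach verifySignature as empty strings; unless verifySignature is known to reject empties (not visible in this hunk), reject the request before calling it. `logRequestDebug(httputil.DumpRequest(r, true))` copies the signature, nonce and timestamp cookies — the credential used to obtain the token — into the debug log, so this handler should log less than dumpReuestHandler does. Note also that the route added in the first hunk is served by the plain `http.ListenAndServe(":65500", nil)` listener, so the returned access token and the cookies cross the wire unencrypted.
```go
func supplyAccessToken(w http.ResponseWriter, r *http.Request) {
	// … unchanged: debug logging and the cookie loop filling signature, nonce, timestamp …
	if signature == "" || nonce == "" || timestamp == "" {
		http.Error(w, "missing signature cookies", http.StatusBadRequest)
		return
	}
	if !verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	atk, err := GetAccessToken()
	if err != nil {
		http.Error(w, "access token unavailable", http.StatusInternalServerError)
		return
	}
	fmt.Fprint(w, atk)
}
```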