Skip to content

Support per-app WeChat MP credentials on outbound reply#1530

Open
bingran-you wants to merge 2 commits intodevfrom
bry/fix-wechat-mp-per-app-credentials
Open

Support per-app WeChat MP credentials on outbound reply#1530
bingran-you wants to merge 2 commits intodevfrom
bry/fix-wechat-mp-per-app-credentials

Conversation

@bingran-you
Copy link
Copy Markdown
Contributor

@bingran-you bingran-you commented Apr 22, 2026

Summary

  • Add WeChatMpOutboundAdapter::from_env_with_app_id which supports both per-app credentials via a new WECHAT_MP_APPS_JSON env (JSON array of {app_id, app_secret}) and the existing single-app WECHAT_MP_APP_ID/WECHAT_MP_APP_SECRET as a fallback.
  • Thread normalized_channel_metadata().wechat_mp_app_id from SendReplyTask through execute_wechat_mp_send so outbound replies use credentials for the app the inbound message arrived on.
  • Plumb the same app_id through the quick-response path in service/inbound/quick_responses.rs.

Why

WeChat MP openids are scoped to the Official Account's app_id. Previously, execute_wechat_mp_send always called WeChatMpOutboundAdapter::from_env() which reads a single app's credentials, so replies for any other app_id seen by the gateway failed with invalid openid errors (issue #1527).

Rollout

  • Existing deployments that only serve one app keep working via the single-app env vars; no config change required.
  • To support additional apps, set WECHAT_MP_APPS_JSON=[{\"app_id\":\"gh_...\",\"app_secret\":\"...\"}, ...]. Entries override the single-app default when the app_id matches.

Test plan

  • cargo check -p scheduler_module (clean, no new warnings)
  • Live WeChat MP staging send once secrets are populated for the additional app_id
  • Verify quick-response path on staging after rollout

Refs #1527

@bingran-you
Support per-app WeChat MP credentials on outbound reply
94fb0c3 
WeChat MP openids are scoped to the receiving Official Account's app_id,
so a reply can only be delivered using credentials for the same app_id
that received the inbound message. The previous outbound path always
loaded the single-app WECHAT_MP_APP_ID/_APP_SECRET pair, which caused
"invalid openid" failures whenever the gateway received messages for a
different app_id than the one configured (issue #1527).

- Add WeChatMpOutboundAdapter::from_env_with_app_id which reads a new
  optional WECHAT_MP_APPS_JSON array of {app_id, app_secret} entries and
  falls back to the existing single-app env vars when no match or when
  no app_id is requested.
- Plumb normalized_channel_metadata().wechat_mp_app_id from
  SendReplyTask through execute_wechat_mp_send so the correct
  credentials are selected per reply.
- Update the quick-response path in inbound/quick_responses.rs to pass
  the inbound message's wechat_mp_app_id through to the adapter.

Refs #1527
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dowhiz Ready Ready Preview, Comment Apr 22, 2026 2:21am

@bingran-you bingran-you mentioned this pull request Apr 22, 2026
Open
@bingran-you bingran-you added breeze:wip Breeze is actively working on this item breeze:done Breeze finished handling this item and removed breeze:wip Breeze is actively working on this item labels Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

breeze:done Breeze finished handling this item

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bingran-you