README

English | 中文

A comprehensive security bundle for WeChat Mini Program applications, providing content security checks, sensitive text detection, user risk assessment, and avatar management functionalities.

Overview
Features
Installation
Dependencies
Quick Start
Configuration
API Documentation
Database Schema
Advanced Usage
Console Commands
Event System
Admin Interface
Environment Variables
Testing
Contributing
License

Overview

WeChat Mini Program Security Bundle is a Symfony-based package that provides essential security features for WeChat Mini Program backend services. It integrates seamlessly with WeChat's official security APIs to provide real-time content moderation, user risk assessment, and comprehensive security logging.

Features

Media Content Security: Asynchronous image and media content security checking using WeChat's security APIs
Sensitive Text Detection: Advanced text content filtering and sensitive word detection with caching
User Risk Assessment: Real-time user risk ranking and behavior monitoring based on WeChat's risk assessment API
Avatar Management: Automatic user avatar downloading, validation, and risky content detection
Risk Logging: Comprehensive risk event logging with automatic cleanup and data retention policies
Admin Interface: EasyAdmin-powered management interface for security logs and monitoring
Cron Job Integration: Automated security tasks with configurable schedules
Event-Driven Architecture: Comprehensive event system for security-related actions
High Performance: Optimized with caching layers and asynchronous processing

Installation

composer require tourze/wechat-mini-program-security-bundle

Symfony Configuration

Add the bundle to your config/bundles.php:

return [
    // ...
    WechatMiniProgramSecurityBundle\WechatMiniProgramSecurityBundle::class => ['all' => true],
];

Dependencies

This bundle requires the following packages:

tourze/wechat-mini-program-bundle: WeChat Mini Program base functionality
tourze/wechat-mini-program-auth-bundle: WeChat authentication and session management
tourze/sensitive-text-detect-bundle: Text content filtering capabilities
tourze/risky-image-detect-bundle: Image content analysis
tourze/symfony-cron-job-bundle: Scheduled task management
tourze/http-client-bundle: HTTP client for API calls
doctrine/orm: Database abstraction and ORM
symfony/cache-contracts: Caching support
symfony/messenger: Asynchronous message processing

Quick Start

Basic Configuration

 # config/packages/wechat_mini_program_security.yaml
wechat_mini_program_security:
    default_avatar_url: 'https://your-domain.com/images/default-avatar.jpg'
    risk_log_retention_days: 90

Basic Usage

<?php

use WechatMiniProgramSecurityBundle\Service\MediaSecurityService;
use WechatMiniProgramSecurityBundle\Service\SensitiveTextService;
use WechatMiniProgramSecurityBundle\Service\UserRiskService;

// Inject services via dependency injection
class SecurityController
{
    public function __construct(
        private MediaSecurityService $mediaSecurityService,
        private SensitiveTextService $sensitiveTextService,
        private UserRiskService $userRiskService
    ) {}

    public function checkContent(UserInterface $user, string $content): bool
    {
        // Check sensitive text with user context
        $isSensitive = $this->sensitiveTextService->isSensitiveText($content, $user);
        
        if ($isSensitive) {
            // Log security event
            return false;
        }
        
        return true;
    }

    public function checkUserAvatar(UserInterface $wechatUser, string $imageUrl): void
    {
        // Asynchronous image security check
        $this->mediaSecurityService->checkImage($wechatUser, $imageUrl);
    }

    public function getUserRiskLevel(UserInterface $user): int
    {
        // Get user risk ranking (0-4, higher means more risky)
        return $this->userRiskService->getUserRiskRank($user, 1);
    }
}

Configuration

Service Configuration

The bundle provides automatic service configuration. Key services are:

 # config/services.yaml (optional customization)
services:
    WechatMiniProgramSecurityBundle\Service\MediaSecurityService:
        # Custom configuration if needed
        
    WechatMiniProgramSecurityBundle\Service\SensitiveTextService:
        # Decorates the base SensitiveTextDetector
        decorates: 'Tourze\SensitiveTextDetectBundle\Service\SensitiveTextDetector'

Cache Configuration

 # config/packages/cache.yaml
framework:
    cache:
        pools:
            wechat.security.cache:
                adapter: cache.adapter.redis
                default_lifetime: 604800 # 7 days

API Documentation

MediaSecurityService

Provides asynchronous media content security checking.

class MediaSecurityService
{
    /**
     * Check image content security asynchronously
     * 
     * @param UserInterface $wechatUser The WeChat user
     * @param string $url Image URL to check
     */
    public function checkImage(UserInterface $wechatUser, string $url): void;
}

SensitiveTextService

Advanced text content filtering with WeChat integration.

class SensitiveTextService implements SensitiveTextDetector
{
    /**
     * Check if text contains sensitive content
     * 
     * @param string $text Text content to check
     * @param UserInterface|null $user User context for enhanced checking
     * @return bool True if content is sensitive
     */
    public function isSensitiveText(string $text, ?UserInterface $user = null): bool;
}

UserRiskService

User risk assessment and monitoring.

class UserRiskService
{
    /**
     * Get user risk ranking from WeChat API
     * 
     * @param UserInterface $user WeChat user
     * @param int $scene Risk assessment scene (1-4)
     * @return int Risk rank (0-4, higher means more risky)
     */
    public function getUserRiskRank(UserInterface $user, int $scene): int;
}

WechatRiskyImageService

Image content risk assessment.

class WechatRiskyImageService implements RiskyImageDetector
{
    /**
     * Check if image contains risky content
     * 
     * @param string $imageUrl Image URL to analyze
     * @return bool True if image is risky
     */
    public function isRiskyImage(string $imageUrl): bool;
}

Database Schema

MediaCheck Entity

Stores media content security check results.

Field	Type	Description
id	INTEGER	Primary key
openId	VARCHAR(120)	WeChat user OpenID
unionId	VARCHAR(120)	WeChat user UnionID (nullable)
mediaUrl	VARCHAR(190)	URL of checked media
traceId	VARCHAR(100)	Unique trace identifier
risky	BOOLEAN	Whether content is risky
rawData	TEXT	Raw API response data
createTime	DATETIME	Creation timestamp
updateTime	DATETIME	Last update timestamp
ipAddress	VARCHAR(45)	User IP address

RiskLog Entity

Records user risk events and rankings.

Field	Type	Description
id	INTEGER	Primary key
user	RELATION	Related WeChat user
riskRank	INTEGER	Risk level (0-4)
scene	INTEGER	Assessment scene
mobileNo	VARCHAR(40)	User mobile number
clientIp	VARCHAR(20)	User IP address
emailAddress	VARCHAR(120)	User email
extendedInfo	VARCHAR(255)	Additional information
unoinId	VARCHAR(60)	Unique request identifier
openId	VARCHAR(64)	WeChat OpenID
unionId	VARCHAR(64)	WeChat UnionID
createTime	DATETIME	Event timestamp

Advanced Usage

Event-Driven Security Monitoring

use WechatMiniProgramSecurityBundle\Event\MediaCheckAsyncEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class SecurityMonitoringSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            MediaCheckAsyncEvent::class => 'onMediaCheck',
        ];
    }

    public function onMediaCheck(MediaCheckAsyncEvent $event): void
    {
        $mediaCheck = $event->getMediaCheck();
        
        if ($mediaCheck->isRisky()) {
            // Custom handling for risky content
            $this->notifyAdministrators($mediaCheck);
        }
    }
}

Custom Risk Assessment

class CustomRiskAssessment
{
    public function __construct(
        private UserRiskService $userRiskService,
        private LoggerInterface $logger
    ) {}

    public function assessUserBehavior(UserInterface $user, array $context): string
    {
        $riskRank = $this->userRiskService->getUserRiskRank($user, 1);
        
        return match($riskRank) {
            0 => 'safe',
            1 => 'low_risk',
            2 => 'medium_risk',
            3 => 'high_risk',
            4 => 'very_high_risk',
            default => 'unknown'
        };
    }
}

Console Commands

Data Cleanup

 # Clean up old risk logs (automatically scheduled)
php bin/console app:cleanup-entities

Note: The avatar management command has been temporarily removed due to complex dependency issues. It will be reintroduced in a future release with improved dependency management.

Event System

Available Events

MediaCheckAsyncEvent: Fired when media content check is completed
UserRiskEvent: Fired when user risk assessment is performed
SensitiveContentEvent: Fired when sensitive content is detected

Event Subscribers

CheckSensitiveDataSubscriber: Monitors sensitive data detection
RiskRankSubscriber: Tracks user risk assessments
UserListener: Handles user-related security events (avatar changes, etc.)

Admin Interface

The bundle provides EasyAdmin integration for security monitoring:

Available Admin Controllers

MediaCheckCrudController: Manage media security check logs
RiskLogCrudController: Monitor user risk assessments

Admin Features

Real-time security log monitoring
Risk trend analysis
User behavior tracking
Content moderation dashboard
Export capabilities for compliance reporting

Environment Variables

Configure the bundle behavior with these environment variables:

 # Default avatar URL for invalid user avatars
DEFAULT_USER_AVATAR_URL=https://your-domain.com/images/default-avatar.jpg

 # Risk log retention period (days)
WECHAT_MP_RISK_LOG_PERSIST_DAY_NUM=90

 # WeChat API configuration
WECHAT_MINI_PROGRAM_APP_ID=your_app_id
WECHAT_MINI_PROGRAM_APP_SECRET=your_app_secret

Testing

Running Tests

 # Run all tests
./vendor/bin/phpunit packages/wechat-mini-program-security-bundle/tests

 # Run with coverage
./vendor/bin/phpunit packages/wechat-mini-program-security-bundle/tests --coverage-html coverage

 # Run specific test class
./vendor/bin/phpunit packages/wechat-mini-program-security-bundle/tests/Service/MediaSecurityServiceTest.php

Test Structure

Integration/: Integration tests with database
Service/: Unit tests for service classes
Entity/: Entity validation tests

Test Status

All Tests Pass: All 46 tests now pass successfully after fixing dependency injection issues
PHPUnit Coverage: Comprehensive test coverage across Entity, Event, Request, Message, EventSubscriber, MessageHandler, Service, Repository, and Controller components
Unit Testing Approach: Uses simplified unit tests to avoid complex dependency injection configuration issues
Known PHPStan Issues: Some custom PHPStan rules require integration test base classes, but this conflicts with dependency injection complexity (tracked in Issue #875)
Production Ready: All core functionality is thoroughly tested and production usage is fully supported

Contributing

Fork the repository
Create your feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add some amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

Development Guidelines

Follow PSR-12 coding standards
Write comprehensive tests for new features
Update documentation for API changes
Ensure backward compatibility

License

The MIT License (MIT). Please see License File for more information.

tourze / wechat-mini-program-security-bundle

Maintainers

Details