From a4de04528aebcee37a2b613f83d540d964768db7 Mon Sep 17 00:00:00 2001
From: Rui Tang
Date: Fri, 21 Jul 2023 14:33:45 +0800
Subject: [PATCH] fix(123): `auth-key` verification (close #4811 in #4814)
Co-authored-by: Andy Hsu
---
drivers/123/util.go | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/drivers/123/util.go b/drivers/123/util.go
index 0d0a2b63..c9ddb5c7 100644
--- a/drivers/123/util.go
+++ b/drivers/123/util.go
@@ -1,10 +1,14 @@
package _123
import (
+ "crypto/md5"
"errors"
"fmt"
+ "math/rand"
"net/http"
+ "net/url"
"strconv"
+ "time"
"github.com/alist-org/alist/v3/drivers/base"
"github.com/alist-org/alist/v3/pkg/utils"
@@ -17,7 +21,7 @@ import (
const (
AApi = "https://www.123pan.com/a/api"
BApi = "https://www.123pan.com/b/api"
- MainApi = AApi
+ MainApi = BApi
SignIn = MainApi + "/user/sign_in"
Logout = MainApi + "/user/logout"
UserInfo = MainApi + "/user/info"
@@ -33,6 +37,7 @@ const (
S3Auth = MainApi + "/file/s3_upload_object/auth"
UploadCompleteV2 = MainApi + "/file/upload_complete/v2"
S3Complete = MainApi + "/file/s3_complete_multipart_upload"
+ AuthKeySalt = "8-8D$sL8gPjom7bk#cY"
)
func (d *Pan123) login() error {
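Review bot: `AuthKeySalt` is added to the exported const block with no comment, so a reader cannot tell whether the literal is a credential or a fixed protocol constant. Judging by the `"web"` literal in authKey it is presumably the value the service's own web client mixes into the digest; if so, say that, e.g. `// AuthKeySalt is the fixed salt the remote API expects in the auth-key digest; it is embedded in the client and is not a secret.` That keeps secret scanners and later maintainers from treating the `auth-key` parameter as an authentication control. If nothing outside this package reads it, an unexported `authKeySalt` would also keep it out of the package API. The const block starts outside this hunk.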
@@ -70,6 +75,20 @@ func (d *Pan123) login() error {
return err
}
+func authKey(reqUrl string) (*string, error) {
+ reqURL, err := url.Parse(reqUrl)
+ if err != nil {
+ return nil, err
+ }
+
+ nowUnix := time.Now().Unix()
+ random := rand.Intn(0x989680)
+
+ p4 := fmt.Sprintf("%d|%d|%s|%s|%s|%s", nowUnix, random, reqURL.Path, "web", "3", AuthKeySalt)
+ authKey := fmt.Sprintf("%d-%d-%x", nowUnix, random, md5.Sum([]byte(p4)))
+ return &authKey, nil
+}
+
func (d *Pan123) request(url string, method string, callback base.ReqCallback, resp interface{}) ([]byte, error) {
req := base.RestyClient.R()
req.SetHeaders(map[string]string{
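Review bot: authKey returns `*string` although it never returns a nil pointer together with a nil error, so `func authKey(reqUrl string) (string, error)` would do the same job without the dereference at the call site; the local named `authKey` also shadows the function inside its own body. The function has no comment. It should record that the token is `<unix>-<random>-<md5 hex>` computed over timestamp, random, request path, `"web"`, `"3"` and the salt, and that MD5 and `math/rand` are used only because the remote endpoint appears to expect this format, not because they provide integrity or unpredictability. `rand.Intn(0x989680)` is `rand.Intn(10000000)`; note too that on a Go toolchain older than 1.20 the unseeded global source yields the same sequence on every start, which would be worth a comment if the server is known to reject repeated values. This hunk also shows the end of login and the start of request, both of which continue outside it.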
@@ -86,6 +105,11 @@ func (d *Pan123) request(url string, method string, callback base.ReqCallback, r
if resp != nil {
req.SetResult(resp)
}
+ authKey, err := authKey(url)
+ if err != nil {
+ return nil, err
+ }
+ req.SetQueryParam("auth-key", *authKey)
res, err := req.Execute(method, url)
if err != nil {
return nil, err
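Review bot: `authKey, err := authKey(url)` rebinds the name `authKey` to a local variable, so the package-level function is unreachable for the rest of request; with the new `net/url` import, the existing `url` string parameter also hides that package inside this method. Renaming the local avoids the first trap: `key, err := authKey(url)` followed by `req.SetQueryParam("auth-key", *key)`. A short comment above the call should note that the digest covers only the URL path as computed in authKey, so query parameters set by `callback` are not part of it. The body of request starts and ends outside this hunk.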