Skip to content

fix(weixin): macOS SSL cert verification, QR scan data, and refresh rendering#8730

Closed
shenuu wants to merge 1 commit into
NousResearch:mainfrom
shenuu:fix/weixin-macos-ssl-qr
Closed

fix(weixin): macOS SSL cert verification, QR scan data, and refresh rendering#8730
shenuu wants to merge 1 commit into
NousResearch:mainfrom
shenuu:fix/weixin-macos-ssl-qr

Conversation

@shenuu

@shenuu shenuu commented Apr 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Three bugs that prevent WeChat QR login from working on macOS (Apple Silicon / Homebrew Python 3.13).

1. SSL Certificate Failure

aiohttp uses Homebrew's OpenSSL cert store, which cannot verify Tencent's iLink server (ilinkai.weixin.qq.com). Fix: use certifi CA bundle via TCPConnector(ssl=...) in all three ClientSession locations:

  • qr_login() — QR setup
  • WeixinAdapter.start() — runtime polling
  • send_weixin_direct() — one-shot outbound sends (cron, send_message tool)

2. Wrong Data Encoded in QR Code

The API returns two fields:

  • qrcode: raw hex token (e.g. 2fef748912e6e765...) — NOT scannable by WeChat
  • qrcode_img_content: full liteapp URL (e.g. https://liteapp.weixin.qq.com/q/7GiQu1?qrcode=...) — this is what WeChat needs

The previous code encoded qrcode_url or qrcode_value, but since both were truthy strings, it always fell through to qrcode_value (the hex). Fix: explicitly prefer qrcode_img_content.

3. No QR Re-render on Refresh

When the QR code expired and was refreshed, only the URL was printed — no ASCII QR block was rendered. Added the same qrcode.print_ascii() render in the refresh path.

Testing

Verified end-to-end on macOS 14 (Apple Silicon), Homebrew Python 3.13, certifi installed in the hermes venv.

@shenuu
fix(weixin): macOS SSL cert, QR data, and refresh rendering
e7e50e6 
- Use certifi CA bundle for aiohttp SSL in qr_login(), start(), and
  send_weixin_direct() to fix SSL verification failures against
  Tencent's iLink server on macOS (Homebrew OpenSSL lacks system certs)
- Fix QR code data: encode qrcode_img_content (full liteapp URL) instead
  of raw hex token — WeChat needs the full URL to resolve the scan
- Render ASCII QR on refresh so the user can re-scan without restarting
- Improve error message on QR render failure to show the actual exception

Tested on macOS (Apple Silicon, Homebrew Python 3.13)
@teknium1 teknium1 mentioned this pull request Apr 17, 2026
Merged
@teknium1

teknium1 commented Apr 17, 2026

Copy link
Copy Markdown
Contributor

Merged as part of Batch-5 salvage: #11634

Your commit cherry-picked onto main with authorship preserved. One adjustment during salvage: the PR would have dropped trust_env=True from the aiohttp.ClientSession() calls (a subsequent commit on main added it for proxy env var support). Refactored your certifi SSL fix into a module-level _make_ssl_connector() helper that's now used with trust_env=True preserved at all 4 ClientSession creation sites — so macOS Homebrew Python users get certifi verification AND proxy env vars still work. The helper returns None gracefully if certifi is unavailable. Your QR refresh render + qrcode_img_content preference also landed as-is. Thanks!

Commit SHA on main: 3a0ec1d

@teknium1 teknium1 closed this Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shenuu @teknium1