Merge pull request #183 from 1254qwer/feat/xeapi-crypto

feat: 新增 xeapi 算法支持
Merge branch 'pr/183'
2026-06-27 21:25:08 +00:00 · 2026-05-29 22:49:37 +08:00 · 2026-05-29 22:46:26 +08:00 · 2026-05-29 22:17:16 +08:00 · 2026-05-29 21:56:27 +08:00 · 2026-05-29 21:54:27 +08:00
14 changed files with 483 additions and 201 deletions
--- a/.env.prod.example
+++ b/.env.prod.example
@ -8,6 +8,9 @@ ENABLE_PROXY = false
 ## 代理配置
 PROXY_URL = "https://your-proxy-url.com/?proxy="
 ### 随机IP设置
 ## 启用随机中国IP（默认关闭）；启用后，所有请求默认使用随机中国IP，除非请求参数randomCNIP显式关闭
 ENABLE_RANDOM_CN_IP = false
 ### UnblockNeteaseMusic 设置项
 ## 启用全局解灰, 无论是否调用参数都会使用解灰(不推荐开启)
--- a/.github/workflows/Build_Image.yml
+++ b/.github/workflows/Build_Image.yml
@ -1,54 +0,0 @@
 name: Publish Docker image
 on:
  release:
    types: [published]
  workflow_dispatch:
 permissions:
  contents: read
  packages: write
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      # 读取 package.json 的版本号
      - name: Read package version
        id: pkg
        run: echo "VERSION=$(jq -r .version package.json)" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v7
        with:
          context: .
          push: true
          tags: |
            moefurina/ncm-api:latest
            moefurina/ncm-api:${{ env.VERSION }}
            ghcr.io/neteasecloudmusicapienhanced/ncm-api:latest
            ghcr.io/neteasecloudmusicapienhanced/ncm-api:${{ env.VERSION }}
          platforms: linux/amd64,linux/arm64/v8
--- a/.github/workflows/build-and-pr.yml
+++ b/.github/workflows/build-and-pr.yml
@ -1,109 +0,0 @@
 name: Build and Create PR
 on:
  workflow_dispatch: # 手动触发
  push:
    branches: [main]
 jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        include:
          - os: ubuntu-latest
            platform: linux
            target: node18-linux-x64
            output: precompiled/app
          - os: windows-latest
            platform: win
            target: node18-win-x64
            output: precompiled/app.exe
          - os: macos-latest
            platform: macos
            target: node18-macos-x64
            output: precompiled/app
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '18'
      - name: Install dependencies
        run: |
          npm install -g pnpm
          pnpm install
      - name: Build for ${{ matrix.platform }}
        run: |
          npm run pkg${{ matrix.platform }}
        env:
          PKG_TARGET: ${{ matrix.target }}
      - name: Upload artifacts
        uses: actions/upload-artifact@v7
        with:
          name: app-${{ matrix.platform }}
          path: ${{ matrix.output }}
          if-no-files-found: error
  create-pr:
    needs: build
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' # 只在手动触发时创建PR
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Download all artifacts
        uses: actions/download-artifact@v8
        with:
          path: precompiled
      - name: Display structure of downloaded files
        run: ls -R
      - name: Setup Node.js
        uses: actions/setup-node@v6
      - name: Create new branch and commit
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          BRANCH_NAME="auto-build-$(date +%Y%m%d-%H%M%S)"
          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
          git checkout -b $BRANCH_NAME
          # 复制并整理下载的文件
          mkdir -p precompiled
          cp app-win/* precompiled/ || true
          cp app-linux/* precompiled/ || true
          cp app-macos/* precompiled/ || true
          # 提交更改
          git add precompiled/
          git commit -m "Auto-build: Add compiled binaries for win, linux, macos" || exit 0
          # 推送到远程仓库
          git push origin $BRANCH_NAME
      - name: Create Pull Request
        uses: actions/github-script@v8
        with:
          script: |
            const { data: pullRequest } = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'Auto-build: Add compiled binaries for win, linux, macos',
              head: '${{ env.BRANCH_NAME }}',
              base: 'main',
              body: 'This PR contains newly built binaries for Windows, Linux, and macOS platforms.'
            });
            console.log(`Created PR #${pullRequest.number}: ${pullRequest.html_url}`);
--- a/.github/workflows/build-dev.yml
+++ b/.github/workflows/build-dev.yml
@ -0,0 +1,53 @@
 name: Build Artifacts
 on:
  workflow_dispatch: # 手动触发
  push:
    branches: [main]
 jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        include:
          - os: ubuntu-latest
            platform: linux
            target: node18-linux-x64
            output: precompiled/app
          - os: windows-latest
            platform: win
            target: node18-win-x64
            output: precompiled/app.exe
          - os: macos-latest
            platform: macos
            target: node18-macos-x64
            output: precompiled/app
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '18'
      - name: Install dependencies
        run: |
          npm install -g pnpm
          pnpm install
      - name: Build for ${{ matrix.platform }}
        run: |
          npm run pkg${{ matrix.platform }}
        env:
          PKG_TARGET: ${{ matrix.target }}
      - name: Upload artifacts
        uses: actions/upload-artifact@v7
        with:
          name: app-${{ matrix.platform }}
          path: ${{ matrix.output }}
          if-no-files-found: error
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@ -1,25 +0,0 @@
 name: Release
 on:
  release:
    types: [published]
 permissions:
  contents: read
  id-token: write
 jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: npm
      - run: npm ci
      - run: npm publish --access public
--- a/.github/workflows/release-on-version-change.yml
+++ b/.github/workflows/release-on-version-change.yml
@ -103,7 +103,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
-          node-version: 18
+          node-version: 24
          cache: pnpm
@ -230,4 +230,87 @@ jobs:
          body_path: release-notes.md
          files: final-artifacts/*
          draft: false
-          prerelease: false
+          prerelease: false
  publish-docker:
    name: Publish Docker Image
    needs: detect
    if: |
      needs.detect.outputs.should_release == 'true' &&
      needs.detect.outputs.tag_exists != 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Read package version
        id: pkg
        run: echo "VERSION=$(jq -r .version package.json)" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v7
        with:
          context: .
          push: true
          tags: |
            moefurina/ncm-api:latest
            moefurina/ncm-api:${{ env.VERSION }}
            ghcr.io/neteasecloudmusicapienhanced/ncm-api:latest
            ghcr.io/neteasecloudmusicapienhanced/ncm-api:${{ env.VERSION }}
          platforms: linux/amd64,linux/arm64/v8
  publish-npm:
    name: Publish to npm
    needs: detect
    if: |
      needs.detect.outputs.should_release == 'true' &&
      needs.detect.outputs.tag_exists != 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v6
        with:
          version: 9
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm publish --access public --provenance 
--- a/README.MD
+++ b/README.MD
@ -131,6 +131,7 @@ $ sudo docker run -d -p 3000:3000 ncm-api
 | **CORS_ALLOW_ORIGIN**      | `*`                                  | 允许跨域请求的域名。可填写单个源，或使用逗号分隔多个源（例如 `https://a.com,https://b.com`）。 |
 | **ENABLE_PROXY**           | `false`                              | 是否启用反向代理功能。                                        |
 | **PROXY_URL**              | `https://your-proxy-url.com/?proxy=` | 代理服务地址。仅当 `ENABLE_PROXY=true` 时生效。                 |
 | **ENABLE_RANDOM_CN_IP**    | `false`                              | 是否默认启用随机中国IP。启用后，所有请求默认使用随机中国IP，除非请求参数 `randomCNIP` 显式关闭。 |
 | **ENABLE_GENERAL_UNBLOCK** | `true`                               | 是否启用全局解灰（推荐开启）。开启后所有歌曲都尝试自动解锁。                     |
 | **ENABLE_FLAC**            | `true`                               | 是否启用无损音质（FLAC）。                                    |
 | **SELECT_MAX_BR**          | `false`                              | 启用无损音质时，是否选择最高码率音质。                                |
--- a/generateConfig.js
+++ b/generateConfig.js
@ -2,6 +2,7 @@ const fs = require('fs')
 const path = require('path')
 const { register_anonimous } = require('./main')
 const { cookieToJson, generateRandomChineseIP } = require('./util/index')
 const { getXeapiPublicKey } = require('./util/xeapiKey')
 const tmpPath = require('os').tmpdir()
 async function generateConfig() {
@ -20,5 +21,21 @@ async function generateConfig() {
  } catch (error) {
    console.log(error)
  }
  try {
    let currentPublicKey = {}
    try {
      currentPublicKey = JSON.parse(
        fs.readFileSync(path.resolve(tmpPath, 'xeapi_public_key'), 'utf-8'),
      )
    } catch (_) {}
    const publicKey = await getXeapiPublicKey(currentPublicKey, global.deviceId)
    fs.writeFileSync(
      path.resolve(tmpPath, 'xeapi_public_key'),
      JSON.stringify(publicKey),
      'utf-8',
    )
  } catch (error) {
    console.log(error)
  }
 }
 module.exports = generateConfig
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@neteasecloudmusicapienhanced/api",
-  "version": "4.33.0",
+  "version": "4.33.1",
  "description": "全网最全的网易云音乐API接口 || A revival project for NeteaseCloudMusicApi Node.js Services (Half Refactor & Enhanced) || 网易云音乐 API 备份 + 增强 || 本项目自原版v4.28.0版本后开始自行维护",
  "scripts": {
    "dev": "nodemon app.js",
--- a/server.js
+++ b/server.js
@ -303,8 +303,13 @@ async function constructServer(moduleDefs) {
          // 参数注入客户端IP
          const obj = [...params]
          const options = obj[2] || {}
-          if (!options.randomCNIP) {
+          let ip = ''
-            let ip = req.ip
+          
          if (options.randomCNIP) {
            ip = global.cnIp
            // logger.info('Using random Chinese IP for request:', ip)
          } else {
            ip = req.ip
            if (ip.substring(0, 7) == '::ffff:') {
              ip = ip.substring(7)
@ -313,10 +318,11 @@ async function constructServer(moduleDefs) {
              ip = global.cnIp
            }
            // logger.info('Requested from ip:', ip)
-            obj[2] = {
+          }
-              ...options,
+          
-              ip,
+          obj[2] = {
-            }
+            ...options,
            ip,
          }
          return request(...obj)
--- a/util/crypto.js
+++ b/util/crypto.js
@ -1,4 +1,5 @@
 const CryptoJS = require('crypto-js')
 const crypto = require('crypto')
 const forge = require('node-forge')
 const zlib = require('zlib')
 const iv = '0102030405060708'
@ -9,6 +10,13 @@ const publicKey = `-----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgtQn2JZ34ZC28NWYpAUd98iZ37BUrX/aKzmFbt7clFSs6sXqHauqKWqdtLkF2KexO40H1YTX8z2lSgBBOAxLsvaklV8k4cBFK9snQXE9/DDaFt6Rr7iVZMldczhC0JNgTz+SHXT6CBHuX3e9SdB1Ua44oncaTWz7OBGLbCiK45wIDAQAB
 -----END PUBLIC KEY-----`
 const eapiKey = 'e82ckenh8dichen8'
 const xeapiStaticKey = Buffer.from(
  'ab1d5a430f6bb04a3f01e81ddd72bd916d5ce591248ac128714806d7f8fb1b84',
  'hex',
 )
 const xeapiSignKey =
  'mUHCwVNWJbunMqAHf5MImuirT6plvs6VSFW62MGHstFQxhBGdEoIhLItH3djc4+FB/OKty3+lL2rGeoFBpVe5g=='
 const x25519SpkiPrefix = Buffer.from('302a300506032b656e032100', 'hex')
 const aesEncrypt = (text, mode, key, iv, format = 'base64') => {
  let encrypted = CryptoJS.AES.encrypt(
@ -141,13 +149,172 @@ const decrypt = (cipher) => {
  return decryptedBytes
 }
 const aesEcbEncrypt = (key, plaintext) => {
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-ecb`, key, null)
  return Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()])
 }
 const aesEcbDecrypt = (key, ciphertext) => {
  const decipher = crypto.createDecipheriv(
    `aes-${key.length * 8}-ecb`,
    key,
    null,
  )
  return Buffer.concat([decipher.update(ciphertext), decipher.final()])
 }
 const createX25519PublicKey = (raw) => {
  // Node's crypto API expects X25519 public keys as DER SubjectPublicKeyInfo.
  // The Android SDK stores only the 32-byte raw key, so prepend the fixed
  // RFC 8410 SPKI header for id-X25519 before importing it.
  return crypto.createPublicKey({
    key: Buffer.concat([x25519SpkiPrefix, raw]),
    format: 'der',
    type: 'spki',
  })
 }
 const deriveX25519AesKey = (sharedSecret, ephemeralPublicKey) => {
  const prk = crypto
    .createHmac('sha256', Buffer.alloc(32))
    .update(sharedSecret.length ? sharedSecret : Buffer.alloc(32))
    .digest()
  return crypto
    .createHmac('sha256', prk)
    .update(Buffer.concat([ephemeralPublicKey, Buffer.from([1])]))
    .digest()
    .subarray(0, 16)
 }
 const xeapiSign = (timestamp, nonce) => {
  return crypto
    .createHmac('sha256', xeapiSignKey)
    .update(String(timestamp) + nonce)
    .digest('base64')
 }
 const xeapiMidTransform = (ciphertext) => {
  const random = crypto.randomBytes(16)
  const xored = Buffer.alloc(ciphertext.length)
  for (let i = 0; i < ciphertext.length; i++) {
    xored[i] = ciphertext[i] ^ random[i & 0x0f]
  }
  const b64 = Buffer.from(xored.toString('base64'))
  const rot = b64.length ? (random[0] & 0x0f) % b64.length : 0
  return Buffer.concat([random, b64.subarray(rot), b64.subarray(0, rot)])
 }
 const xeapiEncryptS = (dynamicKey, publicKeyState, os) => {
  const peerRaw = Buffer.from(publicKeyState.publicKey, 'base64')
  const peerKey = createX25519PublicKey(peerRaw)
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519')
  const ephemeralRaw = Buffer.from(
    publicKey.export({ format: 'der', type: 'spki' }),
  ).subarray(-32)
  const sharedSecret = crypto.diffieHellman({
    privateKey,
    publicKey: peerKey,
  })
  const aesKey = deriveX25519AesKey(sharedSecret, ephemeralRaw)
  const iv = crypto.randomBytes(12)
  const cipher = crypto.createCipheriv('aes-128-gcm', aesKey, iv)
  const plaintext = Buffer.from(
    `${dynamicKey.toString('base64')}|${os}|${publicKeyState.sk || ''}`,
  )
  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()])
  return Buffer.concat([ephemeralRaw, iv, encrypted, cipher.getAuthTag()])
 }
 const buildXeapiPlaintext = (uri, data, options = {}) => {
  const fields = {}
  const contentType =
    options.contentType || 'application/x-www-form-urlencoded;charset=utf-8'
  const mediaType = contentType.split(';', 1)[0].toLowerCase()
  if (mediaType !== 'application/x-www-form-urlencoded') {
    fields.contentType = contentType
  }
  const method = (options.method || 'POST').toUpperCase()
  if (method !== 'POST') fields.method = method
  const url = new URL(uri, 'https://interface.music.163.com')
  if (url.search) fields.queryString = url.search.slice(1)
  if (data !== undefined && data !== null) {
    const bodyData = { ...data }
    delete bodyData.e_r
    const body = Buffer.from(new URLSearchParams(bodyData).toString())
    fields.body = body.toString('base64')
  }
  if (fields.queryString) {
    fields.queryString += '&e_r=true'
  } else {
    fields.queryString = 'e_r=true'
  }
  return JSON.stringify(fields)
 }
 const xeapi = (uri, data, options = {}) => {
  const publicKeyState = options.publicKeyState
  if (!publicKeyState) {
    throw new Error('xeapi publicKeyState is required')
  }
  const activeSessionKey = options.sessionKey
    ? Buffer.from(String(options.sessionKey))
    : null
  const activeSessionId = options.sessionId || ''
  const dynamicKey = activeSessionKey || crypto.randomBytes(16)
  const plaintext = Buffer.from(buildXeapiPlaintext(uri, data, options))
  const b = aesEcbEncrypt(
    dynamicKey,
    xeapiMidTransform(aesEcbEncrypt(xeapiStaticKey, plaintext)),
  )
  const s = xeapiEncryptS(dynamicKey, publicKeyState, options.os || 'android')
  const r = aesEcbEncrypt(
    xeapiStaticKey,
    Buffer.from(
      `${publicKeyState.version}|${activeSessionKey ? activeSessionId : ''}`,
    ),
  )
  return {
    B: b.toString('base64'),
    S: s.toString('base64'),
    R: r.toString('base64'),
  }
 }
 const xeapiResDecrypt = (body) => {
  const decrypted = aesEcbDecrypt(eapiKey, body)
  const plaintext =
    decrypted[0] === 0x1f && decrypted[1] === 0x8b
      ? zlib.gunzipSync(decrypted)
      : decrypted
  return JSON.parse(plaintext.toString())
 }
 const xeapiDecryptPublicKey = (encryptedData) => {
  return JSON.parse(
    aesEcbDecrypt(
      xeapiStaticKey,
      Buffer.from(encryptedData, 'base64'),
    ).toString(),
  )
 }
 module.exports = {
  weapi,
  linuxapi,
  eapi,
  xeapi,
  decrypt,
  aesEncrypt,
  aesDecrypt,
  eapiReqDecrypt,
  eapiResDecrypt,
  xeapiSign,
  xeapiResDecrypt,
  xeapiDecryptPublicKey,
 }
--- a/util/option.js
+++ b/util/option.js
@ -5,7 +5,7 @@ const createOption = (query, crypto = '') => {
    ua: query.ua || '',
    proxy: query.proxy,
    realIP: query.realIP,
-    randomCNIP: query.randomCNIP || false,
+    randomCNIP: process.env.ENABLE_RANDOM_CN_IP === 'true' ? !['false', false].includes(query.randomCNIP) : ['true', true].includes(query.randomCNIP),
    e_r: query.e_r || undefined,
    domain: query.domain || '',
    checkToken: query.checkToken || false,
--- a/util/request.js
+++ b/util/request.js
@ -2,6 +2,7 @@
 const encrypt = require('./crypto')
 const CryptoJS = require('crypto-js')
 const { default: axios } = require('axios')
 const logger = require('./logger')
 const { PacProxyAgent } = require('pac-proxy-agent')
 const http = require('http')
 const https = require('https')
@ -23,6 +24,20 @@ const anonymous_token = fs.readFileSync(
  path.resolve(tmpPath, './anonymous_token'),
  'utf-8',
 )
 const xeapiPublicKeyPath = path.resolve(tmpPath, './xeapi_public_key')
 let xeapi_public_key = null
 const loadXeapiPublicKey = () => {
  if (!xeapi_public_key && fs.existsSync(xeapiPublicKeyPath)) {
    try {
      xeapi_public_key = JSON.parse(
        fs.readFileSync(xeapiPublicKeyPath, 'utf-8'),
      )
    } catch (error) {
      console.log('[ERR]', error)
    }
  }
  return xeapi_public_key
 }
 // 预先绑定常用函数和常量
 const floor = Math.floor
@ -95,9 +110,13 @@ const userAgentMap = {
 // 预先定义常量
 const DOMAIN = APP_CONF.domain
 const API_DOMAIN = APP_CONF.apiDomain
 const XEAPI_DOMAIN = 'https://interface3.music.163.com'
 const ENCRYPT_RESPONSE = APP_CONF.encryptResponse
 const SPECIAL_STATUS_CODES = new Set([201, 302, 400, 502, 800, 801, 802, 803])
 let xeapiSessionId = ''
 let xeapiSessionKey = ''
 // chooseUserAgent函数
 const chooseUserAgent = (crypto, uaType = 'pc') => {
  return (userAgentMap[crypto] && userAgentMap[crypto][uaType]) || ''
@ -216,6 +235,52 @@ const createRequest = (uri, data, options) => {
        url = (options.domain || DOMAIN) + '/api/linux/forward'
        break
      case 'xeapi':
        const xeapiPublicKey = loadXeapiPublicKey()
        if (!xeapiPublicKey) {
          throw new Error('xeapi public key is missing')
        }
        const xeapiOs = cookie.os === 'android' ? cookie.os : 'android'
        const xeapiAppver =
          cookie.os === 'android' && cookie.appver ? cookie.appver : '9.1.65'
        const xeapiOsver =
          cookie.os === 'android' && cookie.osver ? cookie.osver : '16'
        const xeapiBuildver = cookie.buildver || now().toString().substr(0, 10)
        headers['User-Agent'] = options.ua || chooseUserAgent('api', 'android')
        headers['X-Client-Enc-State'] = 'ENCRYPTED'
        headers['x-aeapi'] = true
        headers['content-type'] =
          'application/x-www-form-urlencoded;charset=utf-8'
        headers['x-deviceid'] = cookie.deviceId
        headers['x-os'] = xeapiOs
        headers['x-osver'] = xeapiOsver
        headers['x-appver'] = xeapiAppver
        headers['x-sdeviceid'] = cookie.sDeviceId || cookie.deviceId
        headers['x-buildver'] = xeapiBuildver
        if (cookie.MUSIC_U) headers['x-music-u'] = cookie.MUSIC_U
        const xeapiCookie = {
          ...cookie,
          os: xeapiOs,
          osver: xeapiOsver,
          appver: xeapiAppver,
          buildver: xeapiBuildver,
          deviceId: cookie.deviceId,
          sDeviceId: cookie.sDeviceId || cookie.deviceId,
        }
        headers['Cookie'] = cookieObjToString(xeapiCookie)
        url = (options.domain || XEAPI_DOMAIN) + '/xeapi/' + uri.substr(5)
        encryptData = encrypt.xeapi(uri, data, {
          ...options,
          publicKeyState: xeapiPublicKey,
          sessionId: xeapiSessionId,
          sessionKey: xeapiSessionKey,
          appver: xeapiAppver,
          deviceId: cookie.deviceId,
          os: xeapiOs,
          uid: cookie.uid || cookie.userId || '',
        })
        break
      case 'eapi':
      case 'api':
        // header创建
@ -259,7 +324,7 @@ const createRequest = (uri, data, options) => {
        console.log('[ERR]', 'Unknown Crypto:', crypto)
        break
    }
-    // console.log(url);
+    logger.debug(`[${crypto}]`, uri)
    // settings创建
    let settings = {
      method: 'POST',
@ -272,7 +337,8 @@ const createRequest = (uri, data, options) => {
    // 使用返回值加密
    const use_e_r = (crypto === 'eapi' || crypto === 'weapi') && data.e_r
-    if (use_e_r) {
+    const use_xeapi = crypto === 'xeapi'
    if (use_e_r || use_xeapi) {
      settings.encoding = null
      settings.responseType = 'arraybuffer'
    }
@ -320,7 +386,13 @@ const createRequest = (uri, data, options) => {
        )
        try {
-          if (use_e_r) {
+          if (use_xeapi) {
            if (res.headers['x-encr-ssid'] && res.headers['x-encr-sskey']) {
              xeapiSessionId = res.headers['x-encr-ssid']
              xeapiSessionKey = res.headers['x-encr-sskey']
            }
            answer.body = encrypt.xeapiResDecrypt(Buffer.from(body))
          } else if (use_e_r) {
            answer.body = encrypt.eapiResDecrypt(
              body.toString('hex').toUpperCase(),
              headers['x-aeapi'],
--- a/util/xeapiKey.js
+++ b/util/xeapiKey.js
@ -0,0 +1,68 @@
 const { default: axios } = require('axios')
 const encrypt = require('./crypto')
 const { APP_CONF } = require('./config.json')
 const generateNonce = () => {
  let nonce = ''
  for (let i = 0; i < 16; i++) {
    nonce += Math.floor(Math.random() * 10).toString()
  }
  return nonce
 }
 const getXeapiPublicKey = async (currentPublicKey = {}, deviceId = '') => {
  const nonce = generateNonce()
  const timestamp = String(Date.now())
  const data = {
    appVersion: '9.1.65',
    currentKeyVersion: currentPublicKey.version || '',
    deviceId,
    nonce,
    os: 'android',
    requestType: 'active',
    signature: encrypt.xeapiSign(timestamp, nonce),
    t1: '',
    t2: '',
    timestamp,
    uid: '',
  }
  const res = await axios({
    method: 'POST',
    url: APP_CONF.apiDomain + '/api/gorilla/anti/crawler/security/key/get',
    headers: {
      'User-Agent':
        'NeteaseMusic/9.1.65.240927161425(9001065);Dalvik/2.1.0 (Linux; U; Android 14; 23013RK75C Build/UKQ1.230804.001)',
      Cookie: deviceId ? `deviceId=${encodeURIComponent(deviceId)}` : '',
    },
    data: new URLSearchParams(data).toString(),
    proxy: false,
  })
  if (
    !res.data ||
    res.data.code !== 200 ||
    !res.data.data ||
    !res.data.data.encryptedData
  ) {
    throw new Error('xeapi public key request failed')
  }
  if (
    !res.data.data.signature ||
    encrypt.xeapiSign(res.data.data.timestamp, nonce) !==
      res.data.data.signature
  ) {
    throw new Error('xeapi public key response signature mismatch')
  }
  const publicKey = encrypt.xeapiDecryptPublicKey(res.data.data.encryptedData)
  if (!publicKey.sk && currentPublicKey.sk) {
    publicKey.sk = currentPublicKey.sk
  }
  if (!publicKey.sk) {
    throw new Error('xeapi public key response missing sk')
  }
  return publicKey
 }
 module.exports = {
  getXeapiPublicKey,
 }
Author	SHA1	Message	Date
MoEFusion	d0d71bb4f9	Merge pull request #183 from 1254qwer/feat/xeapi-crypto feat: 新增 xeapi 算法支持	2026-05-29 22:49:37 +08:00
MoeFurina	ec7eff1697	Merge branch 'pr/183'	2026-05-29 22:46:26 +08:00
MoeFurina	1882c3c31e	fix workflows	2026-05-29 22:17:16 +08:00
1254qwer	f21f5677e8	feat: Add xeapi crypto support	2026-05-29 21:56:27 +08:00
MoeFurina	fc5a76d5e2	Merge branch 'main' into main	2026-05-29 21:54:27 +08:00
MoeFurina	fbc34a1846	Merge branch 'pr/178'	2026-05-29 21:53:29 +08:00
MoeFurina	3ef5ea341b	Merge branch 'pr/179'	2026-05-29 21:53:11 +08:00
MoeFurina	4195c41171	bump 4.33.1	2026-05-29 21:49:21 +08:00
MoeFurina	232cc3d916	Squashed commit of the following: commit 01d391ac91b14a5c3ed0e75e7b32c3d2dd5fe740 Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Mon May 25 13:05:14 2026 +0800 Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> commit 85d70ba9ddbf6fdef54a5bd67f32003d11611604 Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Mon May 25 12:56:34 2026 +0800 Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> commit 3cfecbcc1f53e6d261b329b9d1f1d82fe826404a Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Mon May 25 12:51:29 2026 +0800 Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> commit c6e9746ed6d22d8d7ee08126985303101d0369f8 Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Mon May 25 01:47:53 2026 +0000 fix: 修正为原始逻辑，简化代码 commit d6961ecb4ddea872f25b46065aa7d6ae78953809 Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Sun May 24 18:11:35 2026 +0000 feat: 当ENABLE_RANDOM_CN_IP为true时，除非请求参数randomCNIP显式为false，默认开启randomCNIP	2026-05-29 17:20:07 +08:00
MoeFurina	1b4af30a49	Squashed commit of the following: commit 02242eecf6ceadf8be32466502d4ab531e7dfc65 Author: Sunset Mikoto <26019675+SunsetMkt@users.noreply.github.com> Date: Sun May 24 18:00:36 2026 +0000 fix: randomCNIP 不工作	2026-05-29 17:19:41 +08:00
Sunset Mikoto	01d391ac91	Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>	2026-05-25 13:05:14 +08:00
Sunset Mikoto	85d70ba9dd	Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>	2026-05-25 12:56:34 +08:00
Sunset Mikoto	3cfecbcc1f	Update util/option.js Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>	2026-05-25 12:51:29 +08:00
Sunset Mikoto	c6e9746ed6	fix: 修正为原始逻辑，简化代码	2026-05-25 01:47:53 +00:00
Sunset Mikoto	d6961ecb4d	feat: 当ENABLE_RANDOM_CN_IP为true时，除非请求参数randomCNIP显式为false，默认开启randomCNIP	2026-05-24 18:11:35 +00:00
Sunset Mikoto	02242eecf6	fix: randomCNIP 不工作	2026-05-24 18:00:36 +00:00