提交 bfdc9abf 编写于 作者: C chenruilong

feat(uni-id-co): 新增 URL化请求时鉴权签名验证

上级 84bfee97
...@@ -36,7 +36,8 @@ const ERROR = { ...@@ -36,7 +36,8 @@ const ERROR = {
UNBIND_UNIQUE_LOGIN: 'uni-id-unbind-unique-login', UNBIND_UNIQUE_LOGIN: 'uni-id-unbind-unique-login',
UNBIND_PASSWORD_NOT_EXISTS: 'uni-id-unbind-password-not-exists', UNBIND_PASSWORD_NOT_EXISTS: 'uni-id-unbind-password-not-exists',
UNBIND_MOBILE_NOT_EXISTS: 'uni-id-unbind-mobile-not-exists', UNBIND_MOBILE_NOT_EXISTS: 'uni-id-unbind-mobile-not-exists',
UNSUPPORTED_REQUEST: 'uni-id-unsupported-request' UNSUPPORTED_REQUEST: 'uni-id-unsupported-request',
ILLEGAL_REQUEST: 'uni-id-illegal-request'
} }
function isUniIdError (errCode) { function isUniIdError (errCode) {
......
...@@ -41,7 +41,8 @@ const sentence = { ...@@ -41,7 +41,8 @@ const sentence = {
'uni-id-unbind-not-supported': 'Unbinding is not supported', 'uni-id-unbind-not-supported': 'Unbinding is not supported',
'uni-id-unbind-mobile-not-exists': 'This is the only way to login at the moment, please bind your phone number and then try to unbind', 'uni-id-unbind-mobile-not-exists': 'This is the only way to login at the moment, please bind your phone number and then try to unbind',
'uni-id-unbind-password-not-exists': 'Please set a password first', 'uni-id-unbind-password-not-exists': 'Please set a password first',
'uni-id-unsupported-request': 'Unsupported request' 'uni-id-unsupported-request': 'Unsupported request',
'uni-id-illegal-request': 'Illegal request'
} }
module.exports = { module.exports = {
......
...@@ -41,7 +41,8 @@ const sentence = { ...@@ -41,7 +41,8 @@ const sentence = {
'uni-id-unbind-not-supported': '不支持解绑', 'uni-id-unbind-not-supported': '不支持解绑',
'uni-id-unbind-mobile-not-exists': '这是当前唯一登录方式,请绑定手机号后再尝试解绑', 'uni-id-unbind-mobile-not-exists': '这是当前唯一登录方式,请绑定手机号后再尝试解绑',
'uni-id-unbind-password-not-exists': '请先设置密码在尝试解绑', 'uni-id-unbind-password-not-exists': '请先设置密码在尝试解绑',
'uni-id-unsupported-request': '不支持的请求方式' 'uni-id-unsupported-request': '不支持的请求方式',
'uni-id-illegal-request': '非法请求'
} }
module.exports = { module.exports = {
......
...@@ -3,5 +3,6 @@ module.exports = { ...@@ -3,5 +3,6 @@ module.exports = {
uniIdLog: require('./uni-id-log'), uniIdLog: require('./uni-id-log'),
validate: require('./validate'), validate: require('./validate'),
accessControl: require('./access-control'), accessControl: require('./access-control'),
verifyRequestSign: require('./verify-request-sign'),
...require('./rbac') ...require('./rbac')
} }
const crypto = require('crypto')
const { ERROR } = require('../common/error')
const needSignFunctions = new Set([
'externalRegister',
'externalLogin'
])
module.exports = function () {
const methodName = this.getMethodName()
const { source } = this.getClientInfo()
// 非 HTTP 方式请求不需要鉴权
if (source !== 'http') return
// 指定接口需要鉴权
if (!needSignFunctions.has(methodName)) return
const timeout = 20 * 1000 // 请求超过20秒不能再请求,防止重放攻击
const { headers, body: _body } = this.getHttpInfo()
const { 'uni-id-nonce': nonce, 'uni-id-timestamp': timestamp, 'uni-id-signature': signature } = headers
const body = JSON.parse(_body).params || {}
const bodyStr = Object.keys(body)
.sort()
.filter(item => typeof body[item] !== 'object')
.map(item => `${item}=${body[item]}`)
.join('&')
if (isNaN(Number(timestamp)) || (Number(timestamp) + timeout) < Date.now()) {
throw {
errCode: ERROR.ILLEGAL_REQUEST
}
}
const reSignature = crypto.createHmac('sha256', `${this.config.requestAuthSecret + nonce}`).update(`${timestamp}${bodyStr}`).digest('hex')
if (signature !== reSignature.toUpperCase()) {
throw {
errCode: ERROR.ILLEGAL_REQUEST
}
}
}
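Review bot: The verifier fails open on missing inputs: if `this.config.requestAuthSecret` is not configured, the HMAC key becomes the string `undefined` followed by the caller-supplied nonce, and a missing `uni-id-nonce` header is folded in the same way, so the secret, nonce and signature should be checked for presence before the HMAC is computed. The final `signature !== reSignature.toUpperCase()` is not a constant-time comparison; `crypto.timingSafeEqual` on equal-length buffers is the usual replacement. The timestamp test only rejects values older than 20 seconds, so a timestamp ahead of the server clock stays acceptable for longer than the intended window, and because the nonce is never recorded a captured request can presumably be replayed inside that window. The `typeof body[item] !== 'object'` filter also leaves object and array parameters outside the signed string, which is worth documenting or replacing with a canonical serialization if `externalRegister`/`externalLogin` accept nested values (not visible here). The fence below sketches the first three changes.

```javascript
  // … unchanged: source / needSignFunctions guards, header destructuring, bodyStr …
  const secret = this.config.requestAuthSecret
  // fail closed when the secret is not configured or a signing header is absent
  if (typeof secret !== 'string' || !secret || !nonce || typeof signature !== 'string') {
    throw {
      errCode: ERROR.ILLEGAL_REQUEST
    }
  }
  const ts = Number(timestamp)
  // bound the timestamp on both sides of the server clock
  if (!Number.isFinite(ts) || Math.abs(Date.now() - ts) > timeout) {
    throw {
      errCode: ERROR.ILLEGAL_REQUEST
    }
  }
  const expected = crypto.createHmac('sha256', `${secret}${nonce}`).update(`${timestamp}${bodyStr}`).digest()
  const given = Buffer.from(signature, 'hex')
  // timingSafeEqual throws on length mismatch, so compare lengths first
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw {
      errCode: ERROR.ILLEGAL_REQUEST
    }
  }
```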