From 512c56abe046c831a71db7c8a790a7e0df34adf4 Mon Sep 17 00:00:00 2001
From: handongxun
Date: Thu, 8 Sep 2022 17:05:40 +0800
Subject: [PATCH] =?UTF-8?q?secret-net:=20=E5=A2=9E=E5=8A=A0=E4=BA=91?= =?UTF-8?q?=E7=AB=AF=E5=AE=89=E5=85=A8=E9=AA=8C=E8=AF=81=E8=AF=B4=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docs/uniCloud/secret-net.md | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/docs/uniCloud/secret-net.md b/docs/uniCloud/secret-net.md
index 7d5e4878b..f02db50f4 100644
--- a/docs/uniCloud/secret-net.md
+++ b/docs/uniCloud/secret-net.md
@@ -90,7 +90,6 @@ uniCloud.callFunction({
 })
 ```
-
 - 云对象
 客户端通过importObject调用云对象时,加入secret和secretMethods参数。
@@ -102,6 +101,40 @@ uniCloud.importObject('object-name', {
 })
 ```
+## 服务器端
+
+为了避免客户端伪造参数获取服务器敏感数据,应以服务器端为准,如果客户端携带的 `secretType` 不符合要求应拒绝响应数据
+
+- callFunction
+
+```js
+exports.main = async (event, context) => {
+ const secretType = context.secretType
+ // secretType 是客户端调用 uniCloud.callFunction 传递的参数 secretType
+
+ if (secretType !== 'both' || secretType !== 'response') {
+ return null
+ }
+}
+```
+
+- 云对象
+
+```js
+module.exports = {
+ async _before() {
+ const methodName = this.getMethodName()
+ const clientInfo = this.getClientInfo()
+ const secretType = clientInfo.secretType
+ // secretType 是客户端调用 uniCloud.importObject 传递的参数 secretMethods
+
+ if (methodName === 'login' && (secretType !== 'both' || secretType !== 'response')) {
+ throw new Error('secretType invalid')
+ }
+ }
+}
+```
+
 **secretType 属性说明**@secretType
@@ -117,6 +150,8 @@ uniCloud.importObject('object-name', {
 `secretMethods` 是云对象中指定需要加密的方法名。可对每个方法配置,例如: `secretMethods: {'login':'both'}`,指定 `login` 方法的 `secretType` 为 both
+
+
 ## 小贴士
 1. 安全是相对的,没有绝对的安全。
--
GitLab
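Review bot: The guard `secretType !== 'both' || secretType !== 'response'` in the added callFunction sample is true for every value, since no string equals both literals at once, so `exports.main` returns null for every call, including correctly encrypted ones. The cloud-object `_before` sample in the same hunk repeats the expression, which makes every `login` call throw. Both should join the comparisons with `&&`, for example `if (secretType !== 'both' && secretType !== 'response') {`, or use the allow-list form `if (!['both', 'response'].includes(secretType)) {`, which is harder to invert by accident. Readers will copy these samples as their server-side enforcement, and a guard that rejects everything tends to get deleted rather than fixed, leaving no check at all. The comment in the second sample also says the value comes from `secretMethods`, while the code reads `clientInfo.secretType`; it should state which of the two the server actually sees.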