feat(uni-id-co): 新增 URL化请求时鉴权签名验证

bfdc9abf · chenruilong · 84bfee97 · bfdc9abf · bfdc9abf · bfdc9abf
5 changed file
--- a/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/common/error.js
+++ b/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/common/error.js
@@ -36,7 +36,8 @@ const ERROR = {
  UNBIND_UNIQUE_LOGIN: 'uni-id-unbind-unique-login',
  UNBIND_PASSWORD_NOT_EXISTS: 'uni-id-unbind-password-not-exists',
  UNBIND_MOBILE_NOT_EXISTS: 'uni-id-unbind-mobile-not-exists',
-  UNSUPPORTED_REQUEST: 'uni-id-unsupported-request'
+  UNSUPPORTED_REQUEST: 'uni-id-unsupported-request',
+  ILLEGAL_REQUEST: 'uni-id-illegal-request'
 }

 function isUniIdError (errCode) {

--- a/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lang/en.js
+++ b/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lang/en.js
@@ -41,7 +41,8 @@ const sentence = {
  'uni-id-unbind-not-supported': 'Unbinding is not supported',
  'uni-id-unbind-mobile-not-exists': 'This is the only way to login at the moment, please bind your phone number and then try to unbind',
  'uni-id-unbind-password-not-exists': 'Please set a password first',
-  'uni-id-unsupported-request': 'Unsupported request'
+  'uni-id-unsupported-request': 'Unsupported request',
+  'uni-id-illegal-request': 'Illegal request'
 }

 module.exports = {

--- a/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lang/zh-hans.js
+++ b/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lang/zh-hans.js
@@ -41,7 +41,8 @@ const sentence = {
  'uni-id-unbind-not-supported': '不支持解绑',
  'uni-id-unbind-mobile-not-exists': '这是当前唯一登录方式，请绑定手机号后再尝试解绑',
  'uni-id-unbind-password-not-exists': '请先设置密码在尝试解绑',
-  'uni-id-unsupported-request': '不支持的请求方式'
+  'uni-id-unsupported-request': '不支持的请求方式',
+  'uni-id-illegal-request': '非法请求'
 }

 module.exports = {

--- a/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/middleware/index.js
+++ b/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/middleware/index.js
@@ -3,5 +3,6 @@ module.exports = {
  uniIdLog: require('./uni-id-log'),
  validate: require('./validate'),
  accessControl: require('./access-control'),
+  verifyRequestSign: require('./verify-request-sign'),
  ...require('./rbac')
 }
--- a/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/middleware/verify-request-sign.js
+++ b/uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/middleware/verify-request-sign.js
+const crypto = require('crypto')
+const { ERROR } = require('../common/error')
+const needSignFunctions = new Set([
+  'externalRegister',
+  'externalLogin'
+])
+
+module.exports = function () {
+  const methodName = this.getMethodName()
+  const { source } = this.getClientInfo()
+  // 非 HTTP 方式请求不需要鉴权
+  if (source !== 'http') return
+  // 指定接口需要鉴权
+  if (!needSignFunctions.has(methodName)) return
+
+  const timeout = 20 * 1000 // 请求超过20秒不能再请求，防止重放攻击
+  const { headers, body: _body } = this.getHttpInfo()
+  const { 'uni-id-nonce': nonce, 'uni-id-timestamp': timestamp, 'uni-id-signature': signature } = headers
+  const body = JSON.parse(_body).params || {}
+  const bodyStr = Object.keys(body)
+    .sort()
+    .filter(item => typeof body[item] !== 'object')
+    .map(item => `${item}=${body[item]}`)
+    .join('&')
+
+  if (isNaN(Number(timestamp)) || (Number(timestamp) + timeout) < Date.now()) {
+    throw {
+      errCode: ERROR.ILLEGAL_REQUEST
+    }
+  }
+
+  const reSignature = crypto.createHmac('sha256', `${this.config.requestAuthSecret + nonce}`).update(`${timestamp}${bodyStr}`).digest('hex')
+
+  if (signature !== reSignature.toUpperCase()) {
+    throw {
+      errCode: ERROR.ILLEGAL_REQUEST
+    }
+  }
+}