签名说明
- 签名对 url + method + 业务参数 进行统一签名,防止重放和篡改
- 客户端js对加密逻辑和appSecret进行混淆加密处理,增加破解难度
- 客户端本地存储appid 和 appSecret 字段名,使用无意义字段,比如:nihao,wohao,dajiahao
- 文件上传接口不进行签名,后期统一处理,签文件md5值。
名词解释:
- appid: 统一分配的唯一标示 ,比如 ximaiwu_h5
- nonce 随机字符串,每次重新生成,位数32位以上,推荐使用随机数+本地唯一值+用户唯一值参与计算
- timestamp: 当前的时间戳 (10位时间戳,单位是秒)
- signature: 最后生成的签名字符串
重要数据
- appSecret: 统一分配的与唯一标示配对的密钥, 比如 E8yUMwLTOJWvdCsDuwIMup7R1dyxIHcE, 加密保存,不能泄露,不能在接口参数中传递
// 加密处理函数 返回处理过的请求数据
var Jia_Mi = function (obj, url, method) {
var Url = url //接口地址
var $method = method; //请求方式
var arr = []
//对象转数组处理
for (let v in obj) {
arr.push({
key: v,
value: obj[v]
})
}
// console.log('arr', JSON.stringify(arr, null, 2));
//首字母排序,生成一个按key首字母排序的升序数组
arr.sort(function (s, t) {
var a = s.key.toLowerCase();
var b = t.key.toLowerCase();
if (a < b) return -1;
if (a > b) return 1;
return 0;
})
console.log(arr, 2222)
//使用 & 符号,将所有 key 和 value 连接起来,
var arrstr = Url + $method
for (var i in arr) { //遍历数组
arrstr += arr[i].key + '=' + arr[i].value + "&"
}
// arr.forEach(function (e) {
// arrstr += e.key + '=' + e.value + "&"
// })
//使用 RFC 3986 编码格式的 urlencode , 将字符串统一编码
arrstr = arrstr.slice(0, -1)
console.log(arrstr, 22223333)
arrstr = rawurlencode(arrstr);
$appSecret = 'E8yUMwLTOJWvdCsDuwIMup7R1dyxIHcE'; //密钥,严格保存,字段名称无意义,混淆使用过程,跟appid 是配对使用的,不要在接口参数中传输
//使用算法
var sha1_result = CryptoJS.HmacSHA1(arrstr, $appSecret).toString(CryptoJS.enc.Base64); //第一个参数为加密字符串,第二个参数为公共秘钥
console.log(sha1_result, 44444, )
var $data = {
"appid": obj.appid,
"nonce": obj.nonce,
"timestamp": obj.timestamp,
"signature": sha1_result
}
return $data;
}
/**
* 加密过程中涉及到的处理方法urlcode编码 rfc 3986 urlencode
* @param {
* RFC 3986 编码格式的 urlencode , 将字符串统一编码}
*/
function rawurlencode(str = "") {
const replaceList = [
{
reg: /!/g,
value: '%21'
},
{
reg: /\*/g,
value: '%2A'
},
{
reg: /\(/g,
value: '%28'
},
{
reg: /\)/g,
value: '%29'
},
{
reg: /'/g,
value: '%21'
},
];
let resStr = encodeURIComponent(str);
replaceList.forEach(({
reg,
value
}) => {
resStr = resStr.replace(reg, value);
});
return resStr;
}
/*
加密过程中涉及到的处理方法 CryptoJS sha1加密,可以直接引用Crypto-js
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
加密算法
*/
var CryptoJS = CryptoJS || function (g, l) {
var e = {},
d = e.lib = {},
m = function () {},
k = d.Base = {
extend: function (a) {
m.prototype = this;
var c = new m;
a && c.mixIn(a);
c.hasOwnProperty("init") || (c.init = function () {
c.$super.init.apply(this, arguments)
});
c.init.prototype = c;
c.$super = this;
return c
},
create: function () {
var a = this.extend();
a.init.apply(a, arguments);
return a
},
init: function () {},
mixIn: function (a) {
for (var c in a) a.hasOwnProperty(c) && (this[c] = a[c]);
a.hasOwnProperty("toString") && (this.toString = a.toString)
},
clone: function () {
return this.init.prototype.extend(this)
}
},
p = d.WordArray = k.extend({
init: function (a, c) {
a = this.words = a || [];
this.sigBytes = c != l ? c : 4 * a.length
},
toString: function (a) {
return (a || n).stringify(this)
},
concat: function (a) {
var c = this.words,
q = a.words,
f = this.sigBytes;
a = a.sigBytes;
this.clamp();
if (f % 4)
for (var b = 0; b < a; b++) c[f + b >>> 2] |= (q[b >>> 2] >>> 24 - 8 * (b % 4) & 255) << 24 - 8 * ((f + b) % 4);
else if (65535 < q.length)
for (b = 0; b < a; b += 4) c[f + b >>> 2] = q[b >>> 2];
else c.push.apply(c, q);
this.sigBytes += a;
return this
},
clamp: function () {
var a = this.words,
c = this.sigBytes;
a[c >>> 2] &= 4294967295 << 32 - 8 * (c % 4);
a.length = g.ceil(c / 4)
},
clone: function () {
var a = k.clone.call(this);
a.words = this.words.slice(0);
return a
},
random: function (a) {
for (var c = [], b = 0; b < a; b += 4) c.push(4294967296 * g.random() | 0);
return new p.init(c, a)
}
}),
b = e.enc = {},
n = b.Hex = {
stringify: function (a) {
var c = a.words;
a = a.sigBytes;
for (var b = [], f = 0; f < a; f++) {
var d = c[f >>> 2] >>> 24 - 8 * (f % 4) & 255;
b.push((d >>> 4).toString(16));
b.push((d & 15).toString(16))
}
return b.join("")
},
parse: function (a) {
for (var c = a.length, b = [], f = 0; f < c; f += 2) b[f >>> 3] |= parseInt(a.substr(f, 2), 16) << 24 - 4 * (f % 8);
return new p.init(b, c / 2)
}
},
j = b.Latin1 = {
stringify: function (a) {
var c = a.words;
a = a.sigBytes;
for (var b = [], f = 0; f < a; f++) b.push(String.fromCharCode(c[f >>> 2] >>> 24 - 8 * (f % 4) & 255));
return b.join("")
},
parse: function (a) {
for (var c = a.length, b = [], f = 0; f < c; f++) b[f >>> 2] |= (a.charCodeAt(f) & 255) << 24 - 8 * (f % 4);
return new p.init(b, c)
}
},
h = b.Utf8 = {
stringify: function (a) {
try {
return decodeURIComponent(escape(j.stringify(a)))
} catch (c) {
throw Error("Malformed UTF-8 data");
}
},
parse: function (a) {
return j.parse(unescape(encodeURIComponent(a)))
}
},
r = d.BufferedBlockAlgorithm = k.extend({
reset: function () {
this._data = new p.init;
this._nDataBytes = 0
},
_append: function (a) {
"string" == typeof a && (a = h.parse(a));
this._data.concat(a);
this._nDataBytes += a.sigBytes
},
_process: function (a) {
var c = this._data,
b = c.words,
f = c.sigBytes,
d = this.blockSize,
e = f / (4 * d),
e = a ? g.ceil(e) : g.max((e | 0) - this._minBufferSize, 0);
a = e * d;
f = g.min(4 * a, f);
if (a) {
for (var k = 0; k < a; k += d) this._doProcessBlock(b, k);
k = b.splice(0, a);
c.sigBytes -= f
}
return new p.init(k, f)
},
clone: function () {
var a = k.clone.call(this);
a._data = this._data.clone();
return a
},
_minBufferSize: 0
});
d.Hasher = r.extend({
cfg: k.extend(),
init: function (a) {
this.cfg = this.cfg.extend(a);
this.reset()
},
reset: function () {
r.reset.call(this);
this._doReset()
},
update: function (a) {
this._append(a);
this._process();
return this
},
finalize: function (a) {
a && this._append(a);
return this._doFinalize()
},
blockSize: 16,
_createHelper: function (a) {
return function (b, d) {
return (new a.init(d)).finalize(b)
}
},
_createHmacHelper: function (a) {
return function (b, d) {
return (new s.HMAC.init(a, d)).finalize(b)
}
}
});
var s = e.algo = {};
return e
}(Math);
(function () {
var g = CryptoJS,
l = g.lib,
e = l.WordArray,
d = l.Hasher,
m = [],
l = g.algo.SHA1 = d.extend({
_doReset: function () {
this._hash = new e.init([1732584193, 4023233417, 2562383102, 271733878, 3285377520])
},
_doProcessBlock: function (d, e) {
for (var b = this._hash.words, n = b[0], j = b[1], h = b[2], g = b[3], l = b[4], a = 0; 80 > a; a++) {
if (16 > a) m[a] = d[e + a] | 0;
else {
var c = m[a - 3] ^ m[a - 8] ^ m[a - 14] ^ m[a - 16];
m[a] = c << 1 | c >>> 31
}
c = (n << 5 | n >>> 27) + l + m[a];
c = 20 > a ? c + ((j & h | ~j & g) + 1518500249) : 40 > a ? c + ((j ^ h ^ g) + 1859775393) : 60 > a ? c + ((j & h | j & g | h & g) - 1894007588) : c + ((j ^ h ^ g) - 899497514);
l = g;
g = h;
h = j << 30 | j >>> 2;
j = n;
n = c
}
b[0] = b[0] + n | 0;
b[1] = b[1] + j | 0;
b[2] = b[2] + h | 0;
b[3] = b[3] + g | 0;
b[4] = b[4] + l | 0
},
_doFinalize: function () {
var d = this._data,
e = d.words,
b = 8 * this._nDataBytes,
g = 8 * d.sigBytes;
e[g >>> 5] |= 128 << 24 - g % 32;
e[(g + 64 >>> 9 << 4) + 14] = Math.floor(b / 4294967296);
e[(g + 64 >>> 9 << 4) + 15] = b;
d.sigBytes = 4 * e.length;
this._process();
return this._hash
},
clone: function () {
var e = d.clone.call(this);
e._hash = this._hash.clone();
return e
}
});
g.SHA1 = d._createHelper(l);
g.HmacSHA1 = d._createHmacHelper(l)
})();
(function () {
var g = CryptoJS,
l = g.enc.Utf8;
g.algo.HMAC = g.lib.Base.extend({
init: function (e, d) {
e = this._hasher = new e.init;
"string" == typeof d && (d = l.parse(d));
var g = e.blockSize,
k = 4 * g;
d.sigBytes > k && (d = e.finalize(d));
d.clamp();
for (var p = this._oKey = d.clone(), b = this._iKey = d.clone(), n = p.words, j = b.words, h = 0; h < g; h++) n[h] ^= 1549556828, j[h] ^= 909522486;
p.sigBytes = b.sigBytes = k;
this.reset()
},
reset: function () {
var e = this._hasher;
e.reset();
e.update(this._iKey)
},
update: function (e) {
this._hasher.update(e);
return this
},
finalize: function (e) {
var d = this._hasher;
e = d.finalize(e);
d.reset();
return d.finalize(this._oKey.clone().concat(e))
}
})
})();
/** * 生成uuid * * UUid: 通用唯一识别码(Universally Unique Identifier)的缩写,是一种软件建构的标准,亦为开放软件 * 基金会组织在分布式计算环境领域的一部分。其目的,是让分布式系统中的所有元素,都能有唯一的辨识信息, * 而不需要通过中央控制端来做辨识信息的指定。如此一来,每个人都可以创建不与其它人冲突的UUID。在这样的情 * 况下,就不需考虑数据库创建时的名称重复问题。目前最广泛应用的UUID,是微软公司的全局唯一标识符(GUID) * ,而其他重要的应用,则有Linux ext2/ext3文件系统、LUKS加密分区、GNOME、KDE、Mac OS X等等。另外我们 * 也可以在e2fsprogs包中的UUID库找到实现。 * UUID是由一组32个16进制数字所构成,因此UUID理论上的总数为:3.4*10^38,也就是说若每纳秒产生1兆个uuid, * 需要花100亿年才能用完所有的uuid,所以它是唯一的,不必担心重复。 * 在JavaScript中生成uuid的代码如下,这个函数会直接给你返回uuid,所以直接调用,然后用变量接收即可! * */ function get_UUID(uid) { var d = uid || new Date().getTime(); // 默认根据时间戳生成, 如果有用户uid可以使用用户uid生成,原则上生成标识码要具有唯一性 console.log(d) if (window.performance && typeof window.performance.now === "function") { d += performance.now(); //use high-precision timer if available } var uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) { var r = (d + Math.random() * 16) % 16 | 0; d = Math.floor(d / 16); return (c == 'x' ? r : (r & 0x3 | 0x8)).toString(16); }); return uuid; }
// 封装请求函数 function _ajax(method, url, param) { var nonce = get_UUID(JSON.parse(window.localStorage.getItem('browser_user_info')).uid) // 获取唯一标识码 console.log(nonce) //请求数据 $buildData = { appid: 'daofengdj_h5', nonce: nonce,//'8fa14cdd754f91cc6554c9e71929cce7', timestamp: 1517564053, }; $buildData = $.extend(true, $buildData, param); //第一个参数设为true表示深复制 需要引入jquery console.log($buildData,99999999999) $buildData = Jia_Mi($buildData, url, method) return new Promise(function (resolve, reject) { $.ajax({ type: method, url: url, data: $buildData || "", dataType: "json", success: function (response) { resolve(response) }, error: function (error) { reject(error); }, }); }); }
//参数
$params = {
area_num: '86',
mobile: '18610642891',
};
// 执行demo 三个参数 method url params(请求参数)
_ajax('GET','/sms/get/',$params).then(function(data){
console.log('resolved成功回调');
console.log('成功回调接受的值:',data);
}).catch(function(reason, data){
console.log('catch到rejected失败回调');
console.log('catch失败执行回调抛出失败原因:',reason);
});