Design and Implementation of Token and Sign Signatures for App Open Interface API Security

Foreword

When designing an app's open interface API, security cannot be avoided: most interfaces touch the user's personal information and sensitive data, so they must authenticate the caller. That requires the user to supply some credentials, such as a user name and password, but for safety the number of times the plaintext password is exposed should be kept as small as possible. In a web project we usually save a session on the server and keep a cookie on the client to maintain the user's logged-in state. For an app's open interface, how does the back-end server verify a user after login and keep that login valid? The design below is a reference solution; its principle is the same as that of most secure open-interface authentication schemes, such as token validation in the Taobao open interface or the WeChat developer platform.

Signature Design

Use the HTTPS protocol for sensitive API interfaces

HTTPS is HTTP with an added SSL layer; the communication between the two ends is encrypted, which requires a certificate.
The HTTPS protocol needs a CA-issued certificate, which generally has to be paid for.

How it works: the user logs in by sending authentication information (such as account and password) to the server; after verifying it, the server returns a Token to the client. When the user next requests information, the request carries this token, and if the token is correct the data is returned. Once the Token has been obtained, every request URL for a user interface must carry the following parameters:

  • timestamp: the request timestamp
  • token: the token

All parameters of the user's request (including timestamp and token) are then sorted alphabetically, concatenated, hashed with MD5 (a salt may be added) and upper-cased to produce the signature sign; this is the URL signature algorithm. After login, every call the user makes carries the sign, timestamp and token parameters.

For example, the original request is https://www.andy.cn/api/user/update/info.shtml?city=北京 (POST and GET are treated the same: all parameters are sorted and signed).

After adding the timestamp and token:

https://www.andy.cn/api/user/update/info.shtml?city=北京&timestamp=12445323134&token=wefkfjdskfjewfjkjfdfnc

Then sign is generated from all URL parameters, giving the final URL https://www.andy.cn/api/user/update/info.shtml?city=北京&timestamp=12445323134&token=wefkfjdskfjewfjkjfdfnc&sign=FDK2434JKJFD334FDF2

The principle is to reduce the number of times plaintext credentials are exposed and to ensure that data is accessed securely.

The specific implementation is as follows:

1. The API client sends the user's authentication information (user name and password) to the server; the server intercepts the request and verifies that the user information is correct.
If it is correct, a unique, non-repeating string is returned (usually a UUID) and the Token-Uid relationship is stored in Redis (or any cache server) so that the token can be checked on the other API calls. If it is wrong, an error code is returned.

2. The server designs a set of URL request interception rules:

  • (1) Check whether the request contains the timestamp, token and sign parameters; if not, return an error code.
  • (2) Check whether the time at which the server receives the request and the timestamp parameter differ by too long (for example half an hour, as configured); if so, the URL has expired. (If the URL is stolen and the thief changes the timestamp, the sign signature no longer matches.)
  • (3) Check whether the token is valid: look up the uid in the Redis cache by the received token; if nothing is found, the token has expired.
  • (4) From the URL parameters of the user's request, the server generates the signature sign by the same rules and compares it with the received signature; if they are equal, the request is released. (Naturally URL signing cannot guarantee 100% security. The data and URL could also be encrypted, for example with a public key or AES, but if the key is leaked that cannot be guaranteed either, so the signature is relied on to ensure security to a large extent.)
  • (5) Only the URL used to obtain the authentication token (such as the login URL) is released from this interception; all other URLs are subject to it.
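The URL signature algorithm described above and the server-side interception rules (1) to (4), as an added example in Python that is not part of the original post. SALT, MAX_SKEW_SECONDS, TOKEN_STORE (a dict standing in for the Redis token-to-uid mapping) and the error codes are assumptions; MD5 is kept to match the post, though a keyed HMAC-SHA256 would be the usual choice today.

```python
import hashlib
import hmac
import time

# Assumed server-side salt appended to the canonical string (the "salt" the post mentions).
SALT = "example-salt-not-a-real-secret"
MAX_SKEW_SECONDS = 30 * 60            # the post's suggested half-hour window

# Stand-in for the Redis token -> uid mapping; constructed sample entry.
TOKEN_STORE = {"wefkfjdskfjewfjkjfdfnc": "uid-1001"}


def create_sign(params, salt=SALT):
    """Sort every parameter except 'sign' by name, join as k=v&k=v,
    append the salt, MD5 the result and upper-case the hex digest."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hashlib.md5((canonical + salt).encode("utf-8")).hexdigest().upper()


def sign_request(params, token, now=None):
    """Client side: attach timestamp and token, then sign all parameters."""
    ts = int(now if now is not None else time.time())
    signed = dict(params, timestamp=str(ts), token=token)
    signed["sign"] = create_sign(signed)
    return signed


def verify_request(params, now=None):
    """Server side, rules (1)-(4): returns (uid, None) when the request is
    released, or (None, error_code) when it is rejected."""
    now = now if now is not None else time.time()
    for required in ("timestamp", "token", "sign"):      # rule (1)
        if required not in params:
            return None, "MISSING_PARAM"
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return None, "BAD_TIMESTAMP"
    if abs(now - ts) > MAX_SKEW_SECONDS:                  # rule (2)
        return None, "URL_EXPIRED"
    uid = TOKEN_STORE.get(params["token"])                # rule (3)
    if uid is None:
        return None, "TOKEN_EXPIRED"
    expected = create_sign(params)                        # rule (4)
    # Constant-time comparison so the check does not leak how much of the sign matched.
    if not hmac.compare_digest(expected.encode(), str(params["sign"]).encode()):
        return None, "BAD_SIGN"
    return uid, None
```

A replay after the window fails on the timestamp, and a replay with the timestamp edited forward fails on the sign, which is exactly the property rule (2) relies on.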

3. Maintaining the Token-Uid relationship

When the user logs in we create a token-uid relationship, and when the user logs out the token-uid relationship must be deleted.

Signature Algorithm

Get all request parameters

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

// Inside the interception filter: collect every parameter except "sign" itself,
// so that the received signature is never part of its own input.
String sign = request.getParameter("sign");
Enumeration<?> pNames = request.getParameterNames();
Map<String, String> params = new HashMap<String, String>();   // String values, as createSign expects
while (pNames.hasMoreElements()) {
    String pName = (String) pNames.nextElement();
    if ("sign".equals(pName)) continue;
    String pValue = request.getParameter(pName);
    params.put(pName, pValue);
}
// createSign(params, ...) is then compared with sign (rule (4) above).

Generating the signature

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;

/**
 * Builds "k1=v1&k2=v2..." from the parameters sorted by name and returns the
 * upper-cased MD5 hex digest. MD5Utils.getMD5 is the project's own MD5 helper
 * (assumed to return a hex string); a salt would be appended to temp before hashing.
 */
public static String createSign(Map<String, String> params, boolean encode)
        throws UnsupportedEncodingException {
    Set<String> keysSet = params.keySet();
    Object[] keys = keysSet.toArray();
    Arrays.sort(keys);                          // alphabetical order of parameter names
    StringBuilder temp = new StringBuilder();
    boolean first = true;
    for (Object key : keys) {
        if (first) {
            first = false;
        } else {
            temp.append("&");
        }
        temp.append(key).append("=");
        Object value = params.get(key);
        String valueString = "";
        if (null != value) {
            valueString = String.valueOf(value);
        }
        if (encode) {
            temp.append(URLEncoder.encode(valueString, "UTF-8"));   // percent-encode values when requested
        } else {
            temp.append(valueString);
        }
    }

    return MD5Utils.getMD5(temp.toString()).toUpperCase();
}

Source: www.cnblogs.com/lgx5/p/10926850.html