给接口api做签名验证 · 梧桐树tp6备忘录

## 一，创建middelware和controller ~~~ liuhongdi@lhdpc:/data/php/admapi$ php think make:middleware CheckSign Middleware:app\middleware\CheckSign created successfully. ~~~ ~~~ liuhongdi@lhdpc:/data/php/admapi$ php think make:controller Pay Controller:app\controller\Pay created successfully. ~~~ ## 二，编写php代码: 1,middleware/CheckSign.php ~~~ <?php declare (strict_types = 1); namespace app\middleware; use app\result\Result; use app\lib\util\sign; class CheckSign { //第三方对接口的访问不需要检查 private $notCheck = ["/pay/alipayreturn","/pay/alipayrotify"]; /** * 处理请求 * * @param \think\Request $request * @param \Closure $next * @return Response */ public function handle($request, \Closure $next) { $uri = $request->server("REQUEST_URI"); //如果是不需检查的uri if (in_array($uri ,$this->notCheck)) { return $next($request); } else { $sign = new sign(); $param = $request->request(); unset($param['s']); //检查参数的sign $res = $sign->verifySign($param); if ($res['code'] == 0){ return $next($request); } else { return Result::Error(1,$res['msg']); } } } } ~~~ 2,lib/util/sign.php ~~~ <?php namespace app\lib\util; class sign { private $appId = "lc20220118"; private $appKey = "u665698fzur5e2t85tyu142"; //创建sign public function makeSign($data) { ksort($data); $string = $this->toUrlParams($data); $string = $string . "&key=" . $this->appKey; $string = md5($string); $result = strtolower($string); return $result; } //检验sign是否正确 public function verifySign($data) { //check sign if (!isset($data['sign']) || !$data['sign']) { return ['code'=>1,'msg'=>'发送的数据签名不存在']; } //check sign if (!isset($data['appid']) || !$data['appid']) { return ['code'=>1,'msg'=>'发送的应用参数1不存在']; } if ($data['appid'] != $this->appId) { return ['code'=>1,'msg'=>'发送的应用参数1错误']; } //check sign if (!isset($data['nonce']) || !$data['nonce']) { return ['code'=>1,'msg'=>'发送的应用参数2不存在']; } //check timestamp if (!isset($data['timestamp']) || !$data['timestamp']) { return ['code'=>1,'msg'=>'发送的数据参数不合法']; } // 验证请求， 10分钟失效 if (time() - $data['timestamp'] > 600) { return ['code'=>1,'msg'=>'验证超时，请重新发送请求']; } $clientSign = $data['sign']; unset($data['sign']); $serverSign = $this->makeSign($data); if ($clientSign == $serverSign) { return ['code'=>0,'msg'=>'验证通过']; } else { return ['code'=>1,'msg'=>'请求不合法']; } } //生成url字符串 private function toUrlParams($values){ $buff = ""; foreach ($values as $k => $v) { //&& $v != "" if($k != "sign" && !is_array($v)){ $buff .= $k . "=" . $v . "&"; } } $buff = trim($buff, "&"); return $buff; } } ~~~ 3,controller/Pay.php ~~~ <?php declare (strict_types = 1); namespace app\controller; use think\Request; class Pay { /** * return * * @return \think\Response */ public function alipayReturn() { echo "alipayReturn"; exit; } /** * notify * * @return \think\Response */ public function alipayNotify() { echo "alipayNotify"; exit; } } ~~~ ## 三，编写vue代码: 说明：vue代码仅供演示，因为js中无法安全保存appkey, 所以web/wap等不需要做验证: ~~~ <template> <div style="text-align: left;"> id:{{article.id}}<br/> title:{{article.title}}<br/> content:{{article.content}}<br/> </div> </template> <script> import {apiArticleOne} from "../api/api"; import {ElMessage} from "element-plus"; import {ref} from "vue"; import md5 from 'js-md5'; export default { name: "Article", setup() { const article = ref([]); //得到sign const getSign = (param,key) => { let str = ""; for(var idx in param) { let one = idx+"="+param[idx]; if (str == "") { str = one; } else { str = str+"&"+one; } } str = str+"&key="+key; //console.log("before md5:"+str); let md5str = md5(str); return md5str; } //得到参数对象 const getParam = (id) => { let appid = "lc20220118"; let appkey = "u665698fzur5e2t85tyu1421"; let timestamp = parseInt((new Date()).getTime()/1000); let nonce = Math.floor(Math.random()*8999)+1000; let param = { appid:appid, id:id, nonce:nonce, timestamp:timestamp, } let sign = getSign(param,appkey); param.sign = sign; return param; } //查询得到一篇文章的内容: const getArticle = () => { var param = getParam(1); apiArticleOne(param).then(res => { //成功 if (res.code == 0) { article.value = res.data; } else { ElMessage.error("获取表单令牌失败:"+res.msg); } }).catch((error) => { console.log(error) }) } getArticle(); return { article, } } } </script> <style scoped> </style> ~~~ ## 四，测试效果: 1,成功返回数据时: ![](https://img.kancloud.cn/55/69/5569b1113b0ef981c6e593d3be37e977_1198x472.png) 2,appkey不正确时: ![](https://img.kancloud.cn/81/cf/81cf1920f5250d29e9a199ecf2b05f85_988x312.png) 3,直接访问接口时报错： ![](https://img.kancloud.cn/8c/ef/8cef16ebb2d5969d3fe7a9043acea3a1_1014x274.png) 4,访问不做check的接口: ![](https://img.kancloud.cn/ed/73/ed7358f0229e0af814b0af3cfe09b11c_902x162.png) ## 五，查看php和thinkphp的版本: