调整开放平台加签方式

2 years ago · 334386073a
parent 443addb63c
commit 334386073a
7 changed files with 132 additions and 47 deletions
--- a/app/functions.php
+++ b/app/functions.php
@ -35,3 +35,32 @@ function decrypt($data, $key)
    list($encrypted_data, $iv) = explode('::', base64_decode($data), 2);
    return openssl_decrypt($encrypted_data, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
 }
+
+// 生成签名
+function generateSign($params, $secretKey): string
+{
+    // 将参数按照键名进行字典排序
+    ksort($params);
+    // 拼接参数和对应的值
+    $signStr = '';
+    foreach ($params as $key => $value) {
+        $signStr .= $key . '=' . $value . '&';
+    }
+    // 拼接密钥
+    $signStr .= 'key=' . $secretKey;
+    // 使用哈希函数计算签名，这里使用 MD5 作为示例
+    return strtoupper(md5($signStr));
+}
+
+// 验证签名
+function verifySign($params, $secretKey, $sign): bool
+{
+    // 生成待验证的签名
+    $generatedSign = generateSign($params, $secretKey);
+    // 验证签名是否一致
+    if ($generatedSign === $sign) {
+        return true;
+    } else {
+        return false;
+    }
+}
--- a/app/wechat/controller/IndexController.php
+++ b/app/wechat/controller/IndexController.php
@ -5,7 +5,6 @@ namespace app\wechat\controller;
 use app\admin\model\Platform;
 use app\common\model\Authorizers;
 use app\common\service\Forward;
-use app\common\service\wechat\MiniProgram;
 use app\common\service\wechat\OpenPlatform;
 use support\Request;
 use Tinywan\ExceptionHandler\Exception\BadRequestHttpException;
@ -52,47 +51,12 @@ class IndexController
    /**
     * 获取授权链接
     * @param Request $request
-     * @param $url
+     * @param string $url
     * @return string
     */
-    public function authorizer(Request $request, $url = ''): string
+    public function authorizer(Request $request, string $url = ''): string
    {
        $url = urldecode($url);
        return "<a href='$url' target='_blank'>点击授权</a>";
    }
-
-    /**
-     * 获取token给第三方平台使用
-     * @param Request $request
-     * @return int
-     * @throws BadRequestHttpException
-     */
-    public function getToken(Request $request)
-    {
-        // 开放平台应用ID
-        $platformAppId = $request->input('platform_appid');
-        // 被授权的应用ID
-        $appid = $request->input('appid');
-        // 校验参数
-        if (empty($platformAppId) || empty($appid)) return '参数错误';
-
-        $platformSetting = Platform::where('app_id', $platformAppId)->find();
-        $app = new MiniProgram($platformSetting->id);
-
-        if (empty($platformSetting->third_secret)) return '请先在wechat-mp开放平台配置外部平台解密secret';
-
-        // 获取 component_access_token
-        $component_access_token = $app->app->access_token->getToken()['component_access_token'];
-
-        // 获取 authorizer_access_token
-        $authorizer_access_token = $app->getToken($appid)['authorizer_access_token'];
-
-        $result = [
-            'platform_id' => $platformAppId,
-            'app_id' => $appid,
-            'component_access_token' => $component_access_token,
-            'authorizer_access_token' => $authorizer_access_token
-        ];
-        return encrypt(json_encode($result), $platformSetting->third_secret);
-    }
 }
--- a/app/wechat/controller/OpenApiController.php
+++ b/app/wechat/controller/OpenApiController.php
@ -0,0 +1,46 @@
+<?php
+
+namespace app\wechat\controller;
+
+use app\admin\model\Platform;
+use app\common\service\wechat\MiniProgram;
+use support\Request;
+use Tinywan\ExceptionHandler\Exception\BadRequestHttpException;
+
+class OpenApiController
+{
+    /**
+     * 获取token给第三方平台使用
+     * @param Request $request
+     * @return int
+     * @throws BadRequestHttpException
+     */
+    public function getToken(Request $request)
+    {
+        // 开放平台应用ID
+        $platformAppId = $request->input('platform_appid');
+        // 被授权的应用ID
+        $appid = $request->input('appid');
+        // 校验参数
+        if (empty($platformAppId) || empty($appid)) return '参数错误';
+
+        $platformSetting = Platform::where('app_id', $platformAppId)->find();
+        $app = new MiniProgram($platformSetting->id);
+
+        if (empty($platformSetting->third_secret)) return '请先在wechat-mp开放平台配置外部平台解密secret';
+
+        // 获取 component_access_token
+        $component_access_token = $app->app->access_token->getToken()['component_access_token'];
+
+        // 获取 authorizer_access_token
+        $authorizer_access_token = $app->getToken($appid)['authorizer_access_token'];
+
+        $result = [
+            'platform_id' => $platformAppId,
+            'app_id' => $appid,
+            'component_access_token' => $component_access_token,
+            'authorizer_access_token' => $authorizer_access_token
+        ];
+        return encrypt(json_encode($result), $platformSetting->third_secret);
+    }
+}
--- a/app/wechat/middleware/OpenApiMiddleware.php
+++ b/app/wechat/middleware/OpenApiMiddleware.php
@ -0,0 +1,42 @@
+<?php
+
+namespace app\wechat\middleware;
+
+use app\admin\model\Platform;
+use Webman\MiddlewareInterface;
+
+class OpenApiMiddleware implements MiddlewareInterface
+{
+    public function process($request, $handler): \Webman\Http\Response
+    {
+        // 开放平台应用ID
+        $platformAppId = $request->get('platform_appid');
+        $sign = $request->get('sign');
+        $time = $request->get('time');
+
+        // 校验参数
+        if (empty($platformAppId) || empty($sign) || empty($time)) {
+            return error('参数不完整，请检查 platform_appid, time, sign 参数是否齐全');
+        }
+
+        // 验证签名有效期
+        if ($time < time() - 3000 || $time > time() + 3000) {
+            return error('签名已过期');
+        }
+
+        $platformSetting = Platform::where('app_id', $platformAppId)->find();
+        if (empty($platformSetting->third_secret)) {
+            return error('请先在开放平台处配置外部平台解密secret');
+        }
+
+        // 验证签名
+        $data = $request->get();
+        unset($data['sign']);
+        $secret = $platformSetting->third_secret;
+        if (!verifySign($data, $secret, $sign)) {
+            return error('签名验证失败');
+        }
+
+        return $handler($request);
+    }
+}
--- a/composer.lock
+++ b/composer.lock
@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "dad11a64820c7df0160bac4d2bb6934a",
+    "content-hash": "bdcea27b1db52d1e355aecf5ace2fc22",
    "packages": [
        {
            "name": "easywechat-composer/easywechat-composer",
@ -2668,8 +2668,10 @@
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": {
-        "php": ">=7.2",
-        "ext-simplexml": "*"
+        "php": ">=7.4",
+        "ext-simplexml": "*",
+        "ext-json": "*",
+        "ext-curl": "*"
    },
    "platform-dev": [],
    "plugin-api-version": "2.6.0"
--- a/config/route.php
+++ b/config/route.php
@ -14,12 +14,14 @@

 use Webman\Route;

-Route::any('/wechat/getToken', [app\wechat\controller\IndexController::class, 'getToken']);
 // 发起微信授权
 Route::any('/wechat/authorizer/{url}', [app\wechat\controller\IndexController::class, 'authorizer'])->name('wechat.authorizer');
 // 微信授权事件、消息与事件通知回调
 Route::any('/wechat[/{appid}]', [app\wechat\controller\IndexController::class, 'index']);

-
-
-
+// openapi
+Route::group('/openapi', function () {
+    Route::get('/getToken', [app\wechat\controller\OpenApiController::class, 'getToken']);
+})->middleware(
+    app\wechat\middleware\OpenApiMiddleware::class
+);
--- a/front/src/views/authorizer/authorizerList.vue
+++ b/front/src/views/authorizer/authorizerList.vue
@ -302,7 +302,7 @@ export default {
    },

    getTokenLink(appid) {
-      const url = window.location.origin + '/wechat/getToken?platform_appid=' + this.currentPlatform['app_id'] + '&appid=' + appid
+      const url = window.location.origin + '/openapi/getToken?platform_appid=' + this.currentPlatform['app_id'] + '&appid=' + appid
      navigator.clipboard.writeText(url)
        .then(() => {
          Message.success('复制成功')