auth.go 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
  1. package middleware
  2. import (
  3. "crypto/md5"
  4. "errors"
  5. "eta_gn/eta_bridge/controller/resp"
  6. "eta_gn/eta_bridge/global"
  7. "eta_gn/eta_bridge/models/crm"
  8. "eta_gn/eta_bridge/utils"
  9. "fmt"
  10. "github.com/gin-gonic/gin"
  11. "math"
  12. "sort"
  13. "strconv"
  14. "strings"
  15. "time"
  16. )
  17. func BaseAuthCheck() gin.HandlerFunc {
  18. return func(c *gin.Context) {
  19. method := c.Request.Method
  20. if method != "POST" {
  21. resp.TokenError(nil, "请求异常", "不支持非POST请求", c)
  22. c.Abort()
  23. return
  24. }
  25. pass, e := signCheck(c)
  26. if e != nil {
  27. resp.TokenError(nil, "签名错误", "签名校验失败, Err: "+e.Error(), c)
  28. c.Abort()
  29. return
  30. }
  31. if !pass {
  32. resp.TokenError(nil, "签名错误", "签名错误", c)
  33. c.Abort()
  34. return
  35. }
  36. }
  37. }
  38. func signCheck(c *gin.Context) (ok bool, err error) {
  39. params := make(map[string][]string)
  40. err = c.ShouldBind(params)
  41. if err != nil {
  42. return
  43. }
  44. signData := convertParam(params)
  45. // 签名校验
  46. ip := c.ClientIP()
  47. err = checkSignData(signData, ip)
  48. if err != nil {
  49. return
  50. }
  51. ok = true
  52. return
  53. }
  54. // convertParam 将请求传入的数据格式转换成签名需要的格式
  55. func convertParam(params map[string][]string) (signData map[string]string) {
  56. signData = make(map[string]string)
  57. for key := range params {
  58. signData[key] = params[key][0]
  59. }
  60. return signData
  61. }
  62. // checkSignData 请求参数签名校验
  63. func checkSignData(postData map[string]string, ip string) (err error) {
  64. isSandbox := postData["is_sandbox"]
  65. // 如果是测试环境, 且是沙箱环境的话, 那么绕过测试
  66. if global.CONFIG.Serve.RunMode == "debug" && isSandbox != "" {
  67. return
  68. }
  69. appid := postData["appid"]
  70. if appid == "" {
  71. err = errors.New("参数异常,缺少appid")
  72. return
  73. }
  74. openApiOB := new(crm.OpenApiUser)
  75. apiUser, e := openApiOB.GetItemByAppid(appid)
  76. if e != nil {
  77. if e != utils.ErrNoRow {
  78. err = errors.New("系统异常,请联系管理员")
  79. return
  80. }
  81. err = errors.New("appid异常,请联系管理员")
  82. return
  83. }
  84. if apiUser == nil {
  85. err = errors.New("系统异常,请联系管理员")
  86. return
  87. }
  88. // 如果有ip限制, 则校验IP
  89. if apiUser.Ip != "" {
  90. if !strings.Contains(apiUser.Ip, ip) {
  91. err = errors.New(fmt.Sprintf("无权限访问该接口,ip:%v,请联系管理员", ip))
  92. return
  93. }
  94. }
  95. // 接口提交的签名字符串
  96. ownSign := postData["sign"]
  97. if ownSign == "" {
  98. err = errors.New("参数异常,缺少签名字符串")
  99. return
  100. }
  101. if postData["nonce_str"] == "" {
  102. err = errors.New("参数异常,缺少随机字符串")
  103. return
  104. }
  105. if postData["timestamp"] == "" {
  106. err = errors.New("参数异常,缺少时间戳")
  107. return
  108. } else {
  109. timeUnix := time.Now().Unix() // 当前格林威治时间,int64类型
  110. // 将接口传入的时间做转换
  111. timestamp, timeErr := strconv.ParseInt(postData["timestamp"], 10, 64)
  112. if timeErr != nil {
  113. err = errors.New("参数异常,时间戳格式异常")
  114. return
  115. }
  116. if math.Abs(float64(timeUnix-timestamp)) > 300 {
  117. err = errors.New("当前时间异常,请调整设备时间与北京时间一致")
  118. return
  119. }
  120. }
  121. // 先取出除sign外的所有的提交的参数key
  122. var keys []string
  123. for k := range postData {
  124. if k != "sign" {
  125. keys = append(keys, k)
  126. }
  127. }
  128. //1,根据参数名称的ASCII码表的顺序排序
  129. sort.Strings(keys)
  130. //2 根据排序后的参数名称,取出对应的值,并拼接字符串
  131. var signStr string
  132. for _, v := range keys {
  133. signStr += v + "=" + postData[v] + "&"
  134. }
  135. //3,全转小写(md5(拼装的字符串后+分配给你的app_secret))
  136. //sign := strings.ToLower(fmt.Sprintf("%x", md5.Sum([]byte(strings.Trim(signStr, "&")+key))))
  137. //md5.Sum([]byte(signStr+"key="+key)) 这是md5加密出来后的每个字符的AscII码,需要再转换成对应的字符
  138. //3,全转大写(md5(拼装的字符串后+分配给你的app_secret))
  139. sign := strings.ToUpper(fmt.Sprintf("%x", md5.Sum([]byte(signStr+"secret="+apiUser.Secret))))
  140. if sign != ownSign {
  141. global.LOG.Info(fmt.Sprintf("签名校验异常,签名字符串:%v;服务端签名值:%v", signStr, sign))
  142. return errors.New("签名校验异常,请核实签名")
  143. }
  144. return nil
  145. }