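package middleware

import (
	"crypto/md5"
	"crypto/subtle"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"

	"github.com/gin-gonic/gin"

	"eta/eta_bridge/controller/resp"
	"eta/eta_bridge/global"
	"eta/eta_bridge/models/crm"
	"eta/eta_bridge/utils"
)

// timestampSkew is the largest accepted distance, in seconds, between the
// request's timestamp parameter and the server clock, in either direction.
const timestampSkew int64 = 300

// BaseAuthCheck returns a middleware that rejects non-POST requests and
// requests whose parameters fail the signature check in checkSignData.
// Every rejection is written through resp.TokenError and aborts the chain;
// a request that passes falls through to the next handler untouched.
func BaseAuthCheck() gin.HandlerFunc {
	return func(c *gin.Context) {
		if c.Request.Method != "POST" {
			resp.TokenError(nil, "请求异常", "不支持非POST请求", c)
			c.Abort()
			return
		}

		pass, err := signCheck(c)
		if err != nil {
			resp.TokenError(nil, "签名错误", "签名校验失败, Err: "+err.Error(), c)
			c.Abort()
			return
		}
		if !pass {
			resp.TokenError(nil, "签名错误", "签名错误", c)
			c.Abort()
			return
		}
	}
}

// signCheck binds the request parameters and runs checkSignData against the
// caller's client IP. ok is true exactly when err is nil; a binding error or
// a rejected signature is returned as err with ok == false.
func signCheck(c *gin.Context) (ok bool, err error) {
	params := make(map[string][]string)
	// ShouldBind fills the map according to the request Content-Type; its
	// error is passed up unchanged so the caller can report it.
	if err = c.ShouldBind(params); err != nil {
		return false, err
	}

	// NOTE(review): ClientIP() honours forwarded-for headers only from
	// proxies gin is configured to trust — confirm the trusted-proxy setting
	// matches the deployment, or the IP allowlist below can be spoofed.
	if err = checkSignData(convertParam(params), c.ClientIP()); err != nil {
		return false, err
	}
	return true, nil
}

// convertParam flattens bound multi-valued form parameters into the
// single-valued map the signature algorithm works on, keeping the first
// value of each key. A key bound with an empty value slice is skipped
// instead of being indexed out of range.
func convertParam(params map[string][]string) (signData map[string]string) {
	signData = make(map[string]string, len(params))
	for key, values := range params {
		if len(values) == 0 {
			continue
		}
		signData[key] = values[0]
	}
	return signData
}

// checkSignData validates the signature carried in postData["sign"].
//
// Checks run in this order: sandbox bypass (debug run mode with a non-empty
// is_sandbox), appid lookup, optional client-IP allowlist, presence of
// sign / nonce_str / timestamp, timestamp freshness (±timestampSkew
// seconds), and finally the MD5-over-sorted-parameters signature against the
// app secret. Each rejection is returned as an error whose text is the
// message shown to the caller; nil means the request is accepted.
//
// NOTE(review): nonce_str is only tested for presence — nothing here records
// nonces that have already been seen, so a captured request stays valid for
// the whole timestamp window. Replay protection would need server-side state.
func checkSignData(postData map[string]string, ip string) (err error) {
	// In debug run mode any caller that sets is_sandbox skips every check
	// below, including the appid lookup; this must never be the run mode of
	// a production deployment.
	if global.CONFIG.Serve.RunMode == "debug" && postData["is_sandbox"] != "" {
		return nil
	}

	appid := postData["appid"]
	if appid == "" {
		return errors.New("参数异常,缺少appid")
	}

	apiUser, e := new(crm.OpenApiUser).GetItemByAppid(appid)
	if e != nil {
		// An unknown appid and a storage failure are reported differently to
		// the caller; both stop the check here.
		if !errors.Is(e, utils.ErrNoRow) {
			return errors.New("系统异常,请联系管理员")
		}
		return errors.New("appid异常,请联系管理员")
	}
	if apiUser == nil {
		return errors.New("系统异常,请联系管理员")
	}

	// An empty stored allowlist means the appid has no IP restriction.
	if apiUser.Ip != "" && !ipAllowed(apiUser.Ip, ip) {
		return fmt.Errorf("无权限访问该接口,ip:%v,请联系管理员", ip)
	}

	ownSign := postData["sign"]
	if ownSign == "" {
		return errors.New("参数异常,缺少签名字符串")
	}
	if postData["nonce_str"] == "" {
		return errors.New("参数异常,缺少随机字符串")
	}
	if err = checkTimestamp(postData["timestamp"]); err != nil {
		return err
	}

	signStr, sign := computeSign(postData, apiUser.Secret)
	// Constant-time comparison so the check does not leak how many leading
	// characters of the submitted sign were correct.
	if subtle.ConstantTimeCompare([]byte(sign), []byte(ownSign)) != 1 {
		// signStr is the full canonical parameter string, so this log line
		// contains every submitted parameter except sign.
		global.LOG.Info(fmt.Sprintf("签名校验异常,签名字符串:%v;服务端签名值:%v", signStr, sign))
		return errors.New("签名校验异常,请核实签名")
	}
	return nil
}

// ipAllowed reports whether ip exactly equals one entry of the stored
// allowlist. Entries are separated by any character that cannot occur in an
// IP literal, so comma-, semicolon-, newline- or space-separated lists all
// work. Exact comparison replaces the earlier substring test, under which
// "10.0.0.1" was accepted by an allowlist holding "10.0.0.10" or "110.0.0.1"
// and an empty client IP was accepted by every allowlist.
func ipAllowed(allowlist, ip string) bool {
	isIPChar := func(r rune) bool {
		switch {
		case r >= '0' && r <= '9', r >= 'a' && r <= 'f', r >= 'A' && r <= 'F', r == '.', r == ':':
			return true
		}
		return false
	}
	for _, entry := range strings.FieldsFunc(allowlist, func(r rune) bool { return !isIPChar(r) }) {
		if entry == ip {
			return true
		}
	}
	return false
}

// checkTimestamp parses raw as Unix seconds and rejects it when it is empty,
// not an integer, or more than timestampSkew seconds away from the server
// clock in either direction.
func checkTimestamp(raw string) error {
	if raw == "" {
		return errors.New("参数异常,缺少时间戳")
	}
	ts, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return errors.New("参数异常,时间戳格式异常")
	}
	delta := time.Now().Unix() - ts
	if delta > timestampSkew || delta < -timestampSkew {
		return errors.New("当前时间异常,请调整设备时间与北京时间一致")
	}
	return nil
}

// computeSign builds the canonical string "k1=v1&k2=v2&...&" from every
// parameter except sign, with keys sorted by byte order, appends
// "secret=<secret>" and returns the upper-case hex MD5 of the result
// together with the canonical string (which the caller logs on mismatch).
// The algorithm is the one existing callers already implement; changing it
// would invalidate every client.
func computeSign(postData map[string]string, secret string) (signStr, sign string) {
	keys := make([]string, 0, len(postData))
	for k := range postData {
		if k != "sign" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)

	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteString("=")
		b.WriteString(postData[k])
		b.WriteString("&")
	}
	signStr = b.String()

	sum := md5.Sum([]byte(signStr + "secret=" + secret))
	sign = strings.ToUpper(fmt.Sprintf("%x", sum))
	return signStr, sign
}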