123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159 |
- package middleware
- import (
- "crypto/md5"
- "errors"
- "eta/eta_bridge/controller/resp"
- "eta/eta_bridge/global"
- "eta/eta_bridge/models/crm"
- "eta/eta_bridge/utils"
- "fmt"
- "github.com/gin-gonic/gin"
- "math"
- "sort"
- "strconv"
- "strings"
- "time"
- )
- func BaseAuthCheck() gin.HandlerFunc {
- return func(c *gin.Context) {
- method := c.Request.Method
- if method != "POST" {
- resp.TokenError(nil, "请求异常", "不支持非POST请求", c)
- c.Abort()
- return
- }
- pass, e := signCheck(c)
- if e != nil {
- resp.TokenError(nil, "签名错误", "签名校验失败, Err: "+e.Error(), c)
- c.Abort()
- return
- }
- if !pass {
- resp.TokenError(nil, "签名错误", "签名错误", c)
- c.Abort()
- return
- }
- }
- }
- func signCheck(c *gin.Context) (ok bool, err error) {
- params := make(map[string][]string)
- err = c.ShouldBind(params)
- if err != nil {
- return
- }
- signData := convertParam(params)
- // 签名校验
- ip := c.ClientIP()
- err = checkSignData(signData, ip)
- if err != nil {
- return
- }
- ok = true
- return
- }
- // convertParam 将请求传入的数据格式转换成签名需要的格式
- func convertParam(params map[string][]string) (signData map[string]string) {
- signData = make(map[string]string)
- for key := range params {
- signData[key] = params[key][0]
- }
- return signData
- }
- // checkSignData 请求参数签名校验
- func checkSignData(postData map[string]string, ip string) (err error) {
- isSandbox := postData["is_sandbox"]
- // 如果是测试环境, 且是沙箱环境的话, 那么绕过测试
- if global.CONFIG.Serve.RunMode == "debug" && isSandbox != "" {
- return
- }
- appid := postData["appid"]
- if appid == "" {
- err = errors.New("参数异常,缺少appid")
- return
- }
- openApiOB := new(crm.OpenApiUser)
- apiUser, e := openApiOB.GetItemByAppid(appid)
- if e != nil {
- if e != utils.ErrNoRow {
- err = errors.New("系统异常,请联系管理员")
- return
- }
- err = errors.New("appid异常,请联系管理员")
- return
- }
- if apiUser == nil {
- err = errors.New("系统异常,请联系管理员")
- return
- }
- // 如果有ip限制, 则校验IP
- if apiUser.Ip != "" {
- if !strings.Contains(apiUser.Ip, ip) {
- err = errors.New(fmt.Sprintf("无权限访问该接口,ip:%v,请联系管理员", ip))
- return
- }
- }
- // 接口提交的签名字符串
- ownSign := postData["sign"]
- if ownSign == "" {
- err = errors.New("参数异常,缺少签名字符串")
- return
- }
- if postData["nonce_str"] == "" {
- err = errors.New("参数异常,缺少随机字符串")
- return
- }
- if postData["timestamp"] == "" {
- err = errors.New("参数异常,缺少时间戳")
- return
- } else {
- timeUnix := time.Now().Unix() // 当前格林威治时间,int64类型
- // 将接口传入的时间做转换
- timestamp, timeErr := strconv.ParseInt(postData["timestamp"], 10, 64)
- if timeErr != nil {
- err = errors.New("参数异常,时间戳格式异常")
- return
- }
- if math.Abs(float64(timeUnix-timestamp)) > 300 {
- err = errors.New("当前时间异常,请调整设备时间与北京时间一致")
- return
- }
- }
- // 先取出除sign外的所有的提交的参数key
- var keys []string
- for k := range postData {
- if k != "sign" {
- keys = append(keys, k)
- }
- }
- //1,根据参数名称的ASCII码表的顺序排序
- sort.Strings(keys)
- //2 根据排序后的参数名称,取出对应的值,并拼接字符串
- var signStr string
- for _, v := range keys {
- signStr += v + "=" + postData[v] + "&"
- }
- //3,全转小写(md5(拼装的字符串后+分配给你的app_secret))
- //sign := strings.ToLower(fmt.Sprintf("%x", md5.Sum([]byte(strings.Trim(signStr, "&")+key))))
- //md5.Sum([]byte(signStr+"key="+key)) 这是md5加密出来后的每个字符的AscII码,需要再转换成对应的字符
- //3,全转大写(md5(拼装的字符串后+分配给你的app_secret))
- sign := strings.ToUpper(fmt.Sprintf("%x", md5.Sum([]byte(signStr+"secret="+apiUser.Secret))))
- if sign != ownSign {
- global.LOG.Info(fmt.Sprintf("签名校验异常,签名字符串:%v;服务端签名值:%v", signStr, sign))
- return errors.New("签名校验异常,请核实签名")
- }
- return nil
- }
|