"Go" Open API Interface Signature Verification

Do not worry, source code sharing at the bottom, first ask you a question, you write an open API interface is how to ensure the security of the data? Let's take a look at the security issues in the Open API interface, we are faced with many security issues when we request the server via HTTP POST or GET, for example:

• 1. Is the request source (identity) legal?
• 2. Is the request parameter tampered with?
• 3. Uniqueness of the request (non-reproducible)

In order to ensure the security of data in communication, we can use the method of parameter signature to verify the correlation.

Case analysis

We analyze the case of a [mobile app] writing [background interface (API)]:

Client: The following abbreviation app

Background interface: The following abbreviation API
We use the app to query the product list for this operation to analyze:

Click the Query button in the app = = "Call API to query = =" Return query results ==> displayed in the app

On the code,-_-!.

I. Ways of not verifying

API Query Interface:

App call: http://api.test.com/getproducts? parameter 1=value1 ....

As above, this method is simple and rough, by calling the GetProducts method to obtain the product list information, but this way there is a serious security problem, no validation, we can get to the product list, resulting in product information disclosure.
So how do you verify the identity of the caller? How do you prevent parameters from being tampered with?
Second, the way of MD5 parameter signature

We optimized the API query product interface:

1. Assign the corresponding key and secret to the app

2. Sign signature, call the API when you need to sign the request parameters to verify, the signature method is as follows:

A. Follow the request parameter name to sort all the request parameters in alphabetical order: Keyvaluekeyvalue...keyvalue string such as: Arong=1,mrong=2,crong=3 sorted as: arong=1, crong=3, Mrong=2 then concatenation the parameter name and the parameter value to get the argument string: Arong1crong3mrong2.

B. Secret is added to the header of the parameter string and MD5 encrypted, and the encrypted string is capitalized. That is to get signed sign
New API Interface Code:

App Call: Http://api.test.com/getproducts? key=app_key&sign =bcc7c71cf93f9cdbdb88671b701d8a35& parameter 1=value1& parameter 2=value2 ....

Note: Secret is used only for encryption purposes and is not used in request parameters in order to ensure data security.

As above, the optimized request is more than the key and sign parameters, so the request requires a valid key and the correct signature to obtain product data. This solves the problem of authentication and preventing parameter tampering, and if the request parameters are taken away, it's OK that they will never get secret, because secret is not delivered. No longer can forge legitimate requests.
But... Is that enough for you? The attentive classmate may find that if I get your complete link, always use your key and sign and the same parameters will not be able to get the data normally ...-_-! yes, just the above optimization is not enough
Uniqueness of the request:

To prevent others from reusing request parameter issues, we need to ensure that the request is unique, that the corresponding request can only be used once, so that even if someone else takes the complete link to the request is not valid.
Uniqueness implementation: In the request parameter as above, we add timestamp: Timestamp (YYYYMMDDHHMMSS), similarly, timestamp as one of the request parameters, also added to the sign algorithm for encryption.
New API Interface:

App Call:
Http://api.test.com/getproducts? key=app_key&sign =bcc7c71cf93f9cdbdb88671b701d8a35&timestamp=201603261407 & parameter 1=value1& parameter 2=value2 ....
As above, we use the timestamp timestamp to verify that the request is out of date. This is not valid even if the full request link is taken.

Sign Signature security Analysis:

Through the above case, we can see that the key to security is to participate in the signature of the secret, the whole process of secret is not involved in communication, so long as the guarantee secret not disclosed, the request will not be forged.

Summarize

The above sign signature way can prevent the information to be tampered with to a certain extent, guarantee the security of the communication, here is using MD5 to encrypt, of course, we can make the custom signature algorithm according to the actual demand, for example: Rsa,sha and so on.

Related methods source code sharing:

Source has been managed to the code cloud: Https://git.oschina.net/daimali/Daimali.ISV

Source: http://www.daimali.com/index.php/2016/04/27/241/

"Go" Open API Interface Signature Verification