Preface:
How do you protect the data when you write an API interface that is open to the outside world?
When an external user accesses an open API interface, the client sends an HTTP POST or GET request to the server, and the following questions arise:
Is the request legitimate, i.e. does it really come from an authorized caller?
Have the request parameters been tampered with in transit?
Is the request unique, or is it a replay of an earlier request?
To guarantee the security of the data in this communication, we can sign the request parameters and let the server verify the signature; that addresses all three questions.
One, example:
Suppose a client needs to call the platform's open API interface to query data.
The process is simple and easy to understand:
Client query ==> Call API interface to query ==> return query results ==> display in client
This is what an ordinary call without any security authentication looks like:
Client invocation:
http://ip:port/interfaceName?parameter1=value1...
This method is simple, but the security problem is serious.
By calling the link above you get the product list, and there is no verification of any kind: anyone who knows the URL can obtain the product list, so the product information is disclosed.
At the same time the interface is open to abuse: the value of parameter1 can be changed to 1, 2, 3, 4... to enumerate every record, and the interface can be called over and over until the server is "crashed".
Second, use a data signature (with SHA or MD5; other hash algorithms work the same way)
To address these issues, we optimize the open platform's API interface as follows:
1. Assign a key and a secret to each client; these can be understood as a user name and a password.
2. Sign signature: when calling the API, the request parameters must be signed and the server must verify the signature. The signature is computed as follows:
A. Sort all request parameters alphabetically by parameter name (if a parameter is itself a nested structure, sort its members the same way), for example:
$param = array(
    'access_token' => '',
    'app_key'      => '152968d9af768bf084dad750f78d6866',
    'client'       => '{"channel": "Mcontact_md_ahlrj_api_android", "IMEI": "1", "Version": "v3.9.8"}',
    'once'         => '911091697599',
    'phone'        => '13800138000',
    'sdk_from'     => 'java',
    'type'         => 0,
    'version'      => '1.0',
);
B. Then concatenate every parameter name and value, in that order and with no separator, into one argument string, for example:
access_token=app_key=152968d9af768bf084dad750f78d6866client={"channel": "Mcontact_md_ahlrj_api_android", "IMEI": "1", "Version": "v3.9.8"}once=911091697599...
C. After concatenation, append the secret to the end of the string and hash the result (with SHA or MD5) to obtain the signature string sign, for example:
sign=bcc7c71cf93f9cdbdb88671b701d8a35
(The 32-character value above is an MD5 digest. MD5 is collision-broken, so for a new design prefer SHA-256, or better an HMAC-SHA256 keyed with the secret, which is the standard keyed-hash construction for exactly this purpose. The sorting and concatenation steps stay the same.)
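The signing steps A to C above, as an added Python example that is not code from the original page. It uses the page's sample parameters; the secret value is made up, so the resulting digest is not the page's sign. It shows the page's hash(base + secret) scheme (with SHA-256 instead of MD5) next to the HMAC-SHA256 variant recommended above.

```python
import hashlib
import hmac

# Sample request parameters copied from the PHP array above. access_token is
# empty in the page's example; 'once' is the page's name for that field.
PARAMS = {
    "access_token": "",
    "app_key": "152968d9af768bf084dad750f78d6866",
    "client": '{"channel": "Mcontact_md_ahlrj_api_android", "IMEI": "1", "Version": "v3.9.8"}',
    "once": "911091697599",
    "phone": "13800138000",
    "sdk_from": "java",
    "type": 0,
    "version": "1.0",
}

# Hypothetical secret issued with this app_key (not from the page).
SECRET = "example-secret-do-not-reuse"


def build_sign_base(params):
    """Steps A and B: sort by parameter name, then concatenate name=value
    with no separator, which yields the string shown on the page.
    The sign field itself is never part of the base string."""
    return "".join(
        f"{name}={value}"
        for name, value in sorted(params.items())
        if name != "sign"
    )


def sign_with_secret_suffix(params, secret, algo="sha256"):
    """Step C as the page describes it: hash(base + secret).
    SHA-256 is the default here; pass algo="md5" only to reproduce legacy
    signatures, never for a new design."""
    data = (build_sign_base(params) + secret).encode("utf-8")
    return hashlib.new(algo, data).hexdigest()


def sign_with_hmac(params, secret):
    """Preferred variant: HMAC-SHA256 over the same base string, keyed with
    the secret instead of appending it to the data."""
    base = build_sign_base(params).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), base, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(build_sign_base(PARAMS))
    print("sign (sha256 over base+secret):", sign_with_secret_suffix(PARAMS, SECRET))
    print("sign (HMAC-SHA256):            ", sign_with_hmac(PARAMS, SECRET))
```

Because the base string is built from the sorted parameters, the signature does not depend on the order in which the client sent them, which is what lets the server recompute it from the received query.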
Platform API interface code:
public Response interfaceName(HttpRequest request) {
    // 1. Authentication: check that the app_key exists, and look up the
    //    secret that belongs to it; the secret is needed to verify the signature
    // ...
    // 2. Verify sign: apply the same sort-and-concatenate algorithm to the
    //    received parameters, recompute the signature with the secret, and
    //    compare it with the sign parameter sent by the client
    // ...
    // 3. Query the data and process it
    // ...
    return ...; // return the processing result
}
[Figure: Open API interface signature verification]
3. Call
Client invocation:
http://ip:port/interfaceName?app_key=app_key&sign=bcc7c71cf93f9cdbdb88671b701d8a35&parameter1=value1&parameter2=value2...
That is, the parameters and the sign signature are sent together to the API interface.
Note: the secret is used only to compute the signature; it is never sent as a request parameter, so that it stays confidential.
Compared with the unsigned version, the optimized request carries the extra app_key and sign parameters, so a valid key and a correct signature are required to obtain the product data. This solves authentication and parameter tampering: anyone who captures the request parameters still does not have the secret, because the secret is never transmitted, so they cannot forge a new legitimate request with different parameters.
This completes the signed API call.
Remark:
The method above is still not perfect: if someone captures the complete link above, they can resend it with the same key, sign and parameters and still get the data (a replay attack).
Therefore the "uniqueness of the request" must be guaranteed:
To prevent the request parameters from being reused, each request must be unique, so that the same request can be used only once and even a captured complete link is useless. Implementation: add a timestamp parameter (format YYYYMMDDHHMMSS) to the request parameters above. Like the other parameters, the timestamp is included in the sign calculation, so an attacker cannot refresh it without invalidating the signature.
Platform API interface code:
public Response interfaceName(HttpRequest request) {
    // 1. Authentication: check that the app_key exists, and look up the
    //    secret that belongs to it; the secret is needed to verify the signature
    // ...
    // 2. Verify sign: apply the same sort-and-concatenate algorithm to the
    //    received parameters (timestamp included), recompute the signature
    //    with the secret, and compare it with the sign parameter sent by the client
    // ...
    // 3. Verify the validity period: the timestamp must be within the allowed window
    // ...
    // 4. Query the data and process it
    // ...
    return ...; // return the processing result
}
[Figure: Open API interface signature verification]
Client invocation:
http://ip:port/interfaceName?app_key=app_key&sign=BCC7C71CF93F9CDBDB88671B701D8A35&timestamp=201603261407&parameter1=value1&parameter2=value2...
As above, the server uses the timestamp to check whether the request has expired, so a captured complete request link is no longer valid once its timestamp falls outside the allowed window.
Timestamp validation can require an exact match against a single time or accept a validity period (for example a few minutes around the server's clock, to tolerate clock skew between client and server). Note that a validity period on its own only bounds the replay window: a captured link can still be resent until it expires. To make each request truly usable once, also include a random per-request value (a nonce) among the signed parameters and have the server reject any nonce it has already accepted within the window.
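Server-side verification with a validity window and a nonce check, as an added Python example that is not code from the original page. It assumes: the page's signing scheme with SHA-256 in place of MD5; a timestamp parameter in YYYYMMDDHHMMSS; a five-minute acceptance window; a parameter named nonce (the page's 'once' field plays this role); a made-up secret for the page's sample app_key; and an in-memory nonce store standing in for a shared one.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode

# Hypothetical key store (app_key -> secret). The secret is made up; the
# app_key is the value used in the page's example.
SECRETS = {"152968d9af768bf084dad750f78d6866": "example-secret-do-not-reuse"}

# Assumption: accept timestamps within five minutes of the server clock, which
# tolerates modest clock skew while bounding the replay window.
MAX_SKEW = timedelta(minutes=5)

# Constructed server clock matching the page's example timestamp.
SAMPLE_NOW = datetime(2016, 3, 26, 14, 7, 0)


def compute_sign(params, secret):
    """The page's scheme: sort by name, concatenate name=value with no
    separator, append the secret, hash (SHA-256 here instead of MD5).
    The sign parameter itself is excluded from the base string."""
    base = "".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sign")
    return hashlib.sha256((base + secret).encode("utf-8")).hexdigest()


def verify_request(query, now, secrets=SECRETS, seen_nonces=None):
    """Validate one incoming request and return (ok, reason).

    query       -- the raw query string sent by the client
    now         -- the server's clock as a datetime
    seen_nonces -- set of (app_key, nonce) pairs already accepted; a real
                   deployment keeps this in a shared store with a TTL at
                   least as long as MAX_SKEW (e.g. Redis SET NX EX)
    """
    if seen_nonces is None:
        seen_nonces = set()
    params = dict(parse_qsl(query, keep_blank_values=True))
    app_key = params.get("app_key", "")

    # 1. Authentication: the app_key must be one the platform issued.
    secret = secrets.get(app_key)
    if secret is None:
        return False, "unknown app_key"

    # 2. Integrity: recompute the signature over every parameter except sign
    #    and compare in constant time, so timing does not leak the right value.
    expected = compute_sign(params, secret)
    if not hmac.compare_digest(expected, params.get("sign", "")):
        return False, "bad signature"

    # 3. Validity period: timestamp (YYYYMMDDHHMMSS) must lie within MAX_SKEW.
    #    Because the timestamp is signed, an attacker cannot refresh it.
    try:
        ts = datetime.strptime(params.get("timestamp", ""), "%Y%m%d%H%M%S")
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside validity window"

    # 4. Uniqueness: the window alone still allows replay inside it, so the
    #    signed nonce must not have been accepted before for this app_key.
    nonce = params.get("nonce", "")
    if not nonce:
        return False, "missing nonce"
    if (app_key, nonce) in seen_nonces:
        return False, "nonce already used (replay)"

    # Record the nonce only after every check passed, so unauthenticated
    # requests cannot fill the store or burn nonces for legitimate clients.
    seen_nonces.add((app_key, nonce))
    return True, "ok"


def build_signed_query(params, secret):
    """Client side: sign the parameters and encode them as a query string."""
    return urlencode(dict(params, sign=compute_sign(params, secret)))


if __name__ == "__main__":
    seen = set()
    req = build_signed_query(
        {"app_key": "152968d9af768bf084dad750f78d6866", "timestamp": "20160326140700",
         "nonce": "911091697599", "phone": "13800138000"},
        SECRETS["152968d9af768bf084dad750f78d6866"],
    )
    print(verify_request(req, SAMPLE_NOW, seen_nonces=seen))  # first use is accepted
    print(verify_request(req, SAMPLE_NOW, seen_nonces=seen))  # the replay is rejected
```

The checks run cheapest-and-stateless first and only touch the nonce store after the signature has been verified; the nonce store needs to be shared across all API servers and expire entries no sooner than MAX_SKEW, otherwise a replay sent to a different node, or after the entry expired but before the timestamp did, would still be accepted.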