Merge branch 'master' into 'hotfix/api'

Master See merge request !19

Merge branch 'master' into 'hotfix/api'
Master See merge request !19
陈峰
Commit 7747146b62d4cc81eb83912233339c6f97c1d255 2 parents fcaf4829 388846fd
Showing 5 changed files with 80 additions and 2 deletions
apps/common/create-api-client.js
apps/common/utils.js
apps/utils/sign.js
config/api-map.js
doraemon/middleware/ssr-api.js
--- a/apps/common/create-api-client.js
View file @7747146
+++ b/apps/common/create-api-client.js
View file @7747146
 import axios from 'axios';
 import config from 'config';
+ import {sign} from './utils';
 
 axios.defaults.baseURL = config.axiosBaseUrl;
 axios.defaults.responseType = config.axiosResponseType;
@@ -15,6 +16,8 @@ const errHandle = (error) => {
   });
 };
 const request = (options, store) => {
+   sign(options);
+ 
   return axios(options).then((res) => {
     if (res.data.code === 401) {
       store && store.commit('needLogin', {needLogin: true});
--- a/apps/common/utils.js
View file @7747146
+++ b/apps/common/utils.js
View file @7747146
+ import md5 from 'yoho-md5';
+ import * as signUtils from 'utils/sign.js';
+ 
 export const getImgUrl = function(src, width = 300, height = 300, mode = 2) {
   return src ? src.replace(/(\{width}|\{height}|\{mode})/g, function($0) {
     const dict = {
@@ -45,3 +48,13 @@ export const throttle = (delay, action) => { // 函数节流器，定义函数
     }
   };
 };
+ 
+ export const sign = (op) => {
+   const p = signUtils.getParams(op);
+ 
+   signUtils.setTime(p);
+ 
+   const str = `${signUtils.joinParams(p, signUtils.sortParams(p))}`;
+ 
+   signUtils.setSign(p, md5(`${str}_${str.length}`));
+ };
--- a/apps/utils/sign.js 0 → 100644
View file @7747146
+++ b/apps/utils/sign.js 0 → 100644
View file @7747146
+ const ps = ['p', 'a', 'r', 'a', 'm', 's'];
+ const ts = ['t', 's'];
+ 
+ export const getParams = (op) => {
+   const p = ps.join('');
+ 
+   if (!op[p]) {
+     op[p] = {};
+   }
+   return op[p];
+ };
+ export const setTime = (p) => {
+   p[ts.join('')] = Date.now();
+ };
+ export const setSign = (p, sign) => {
+   p.s = sign;
+ };
+ export const sortParams = (p) => {
+   return Object.keys(p).sort();
+ };
+ export const joinParams = (p, sks) => {
+   return sks.map(key => {
+     return `${key}:${encodeURIComponent(p[key])}`;
+   }).join('_');
+ };
--- a/config/api-map.js
View file @7747146
+++ b/config/api-map.js
View file @7747146
@@ -33,6 +33,7 @@ module.exports = {
     params: {}
   },
   '/api/ufo/seller/entryGoodsSizeList': {
+     checkSign: true,
     ufo: true,
     api: 'ufo.seller.entryGoodsSizeList',
     params: {
@@ -42,6 +43,7 @@ module.exports = {
     }
   },
   '/api/ufo/sellerOrder/computeAdjustPrice': {
+     checkSign: true,
     ufo: true,
     api: 'ufo.sellerOrder.computeAdjustPrice',
     params: {
@@ -53,6 +55,7 @@ module.exports = {
     }
   },
   '/api/ufo/sellerOrder/batchAdjustPrice': {
+     checkSign: true,
     ufo: true,
     api: 'ufo.sellerOrder.batchAdjustPrice',
     params: {
@@ -64,6 +67,7 @@ module.exports = {
     }
   },
   '/api/ufo/sellerOrder/batchDownShelf': {
+     checkSign: true,
     ufo: true,
     api: 'ufo.sellerOrder.batchDownShelf',
     params: {
--- a/doraemon/middleware/ssr-api.js
View file @7747146
+++ b/doraemon/middleware/ssr-api.js
View file @7747146
 const serviceApi = global.yoho.ServiceAPI;
 const ufoAPI = global.yoho.UfoAPI;
 const logger = global.yoho.logger;
+ const _ = require('lodash');
+ const md5 = require('yoho-md5');
 const checkParams = require('../../utils/check-params');
 const apiMaps = require('../../config/api-map');
 
+ function checkSign(params, sign) {
+   delete params.s;
+   const sortKeys = Object.keys(params).sort();
+   const str = sortKeys.map(key => {
+     return `${key}:${encodeURIComponent(params[key])}`;
+   }).join('_');
+ 
+   const signDiff = md5(`${str}_${str.length}`);
+ 
+   if (sign === signDiff) {
+     return true;
+   }
+   logger.error(`验签不匹配： 提交sign: ${sign}, 服务端sign: ${signDiff}, params: ${JSON.stringify(params)}`);
+   return false;
+ }
+ 
 module.exports = async(req, res, next) => {
   const apiInfo = apiMaps[req.path];
 
@@ -11,12 +29,27 @@ module.exports = async(req, res, next) => {
     return next();
   }
   let baseParams;
+   let reqParams = Object.assign({}, req.query, req.body);
 
   res.set({
     'Cache-Control': 'no-cache',
     Pragma: 'no-cache',
     Expires: (new Date(1900, 0, 1, 0, 0, 0, 0)).toUTCString()
   });
+ 
+   if (apiInfo.checkSign) {
+     if (!checkSign(Object.assign({}, reqParams), reqParams.s)) {
+       logger.error(`验签失败！uid: ${_.get(req, 'user.uid', '').toString()}, params: ${JSON.stringify(reqParams)}, ip: ${req.yoho.clientIp}`);
+       return res.json({
+         code: 400,
+         message: '验签失败'
+       });
+     }
+   }
+ 
+   delete reqParams.s;
+   delete reqParams.ts;
+ 
   if (!apiInfo.service) {
     baseParams = {
       uid: (req.user && req.user.uid) ? {
@@ -31,8 +64,8 @@ module.exports = async(req, res, next) => {
   }
 
   try {
-     const reqParams = Object.assign({}, req.query, req.body, baseParams);
-     const params = checkParams.getParams(reqParams, apiInfo);
+     const mergeParams = Object.assign(reqParams, baseParams);
+     const params = checkParams.getParams(mergeParams, apiInfo);
     const cache = req.method.toLowerCase() !== 'get' ? false : apiInfo.cache;
     let method = req.method.toLowerCase() === 'post' ? 'post' : 'get';