WeChat official account development (1) WeChat verifies the developer server interface

Wechat verification developer server interface

  • As shown in the figure, in the basic configuration page the developer enters the URL of the endpoint on their own server that will validate the Token, together with a self-chosen Token that both sides will share (the blogger used a test account and exposed the local server through natapp, an intranet penetration tunnel).
  • Objective: let the developer server confirm that a request really comes from the WeChat backend (only the two sides know the Token), and let WeChat confirm that the configured URL is under the developer's control (it must echo echostr back), so that spoofed requests are rejected.
  • The flow chart is as follows (I don't know how to display a markdown flow chart on Blog Park, but I have been told how by a more experienced developer); it follows the WeChat Official Accounts Platform technical documentation:


    st=>start: Service started
    ipop1=>inputoutput: Request received (sender not yet known)
    op1=>operation: Try to extract the signature, timestamp, nonce and echostr fields
    cd1=>condition: All four fields present?
    op2=>operation: token = Token entered in the basic configuration
    op3=>operation: Sort token, timestamp, nonce lexicographically and concatenate into one string
    op4=>operation: SHA-1 hash of that string gives hashcode
    cd2=>condition: hashcode == signature?
    op5=>operation: Request confirmed to come from the WeChat backend
    ipop2=>inputoutput: Return echostr unchanged so WeChat can validate the Token
    ed=>end: Continue with other services
    op6=>operation: Request is not from the WeChat backend
    ipop3=>inputoutput: Do not handle
    st->ipop1->op1->cd1->op2->op3->op4->cd2->op5->ipop2->ed
    cd1(yes)->op2
    cd1(no)->op6->ipop3->ed
    cd2(yes)->op5
    cd2(no)->op6


  • The java code is implemented as follows:

    import java.io.UnsupportedEncodingException;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Arrays;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.codec.binary.Hex;
    import org.apache.commons.lang3.StringUtils;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.ResponseBody;

    // TokenDTO binds the signature/timestamp/nonce/echostr query parameters,
    // WeixinConstant.token is the Token from the basic configuration page and
    // Constant.charset is the project's charset name (e.g. "UTF-8"); all three are project classes.
    @GetMapping("/getToken")
    @ResponseBody
    public String getToken(TokenDTO tokenDTO, HttpServletResponse response) {
        // 1. All four fields must be present; otherwise do not treat the request as WeChat's
        if (StringUtils.isBlank(tokenDTO.getSignature()) || StringUtils.isBlank(tokenDTO.getTimestamp())
                || StringUtils.isBlank(tokenDTO.getNonce()) || StringUtils.isBlank(tokenDTO.getEchostr())) {
            return "";
        }
        // 2. Lexicographic sort of token, timestamp, nonce, then concatenate
        String[] arr = new String[]{tokenDTO.getTimestamp(), WeixinConstant.token, tokenDTO.getNonce()};
        Arrays.sort(arr);
        String joined = arr[0] + arr[1] + arr[2];
        // 3. SHA-1 of the concatenation as lower-case hex, the way WeChat computes the signature
        String hash;
        try {
            hash = Hex.encodeHexString(MessageDigest.getInstance("SHA-1")
                    .digest(joined.getBytes(Constant.charset)));
        } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
            return "";   // cannot verify, so do not echo anything back
        }
        // 4. Constant-time compare; return echostr only when the signature matches
        boolean match = MessageDigest.isEqual(hash.getBytes(StandardCharsets.US_ASCII),
                tokenDTO.getSignature().getBytes(StandardCharsets.US_ASCII));
        return match ? tokenDTO.getEchostr() : "";
    }
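To see both sides of the exchange in one place, here is an added stand-alone Python example (not the blogger's code and not from the WeChat platform): it simulates the WeChat backend building the verification request from a shared Token, and the developer server running the same four steps as the Java handler above. The Token value, the `build_verification_request` and `handle_verification` names and the sample timestamps are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed Token for the demo; in practice it is the Token the developer
# entered in the "basic configuration" page (assumption for this example).
TOKEN = "blogger_test_token_2020"


def wechat_signature(token: str, timestamp: str, nonce: str) -> str:
    """Signature as the WeChat platform defines it: sort token, timestamp and
    nonce lexicographically (as strings, not as numbers), concatenate,
    SHA-1, lower-case hex. Because of the sort, argument order is irrelevant."""
    parts = sorted([token, timestamp, nonce])
    return hashlib.sha1("".join(parts).encode("utf-8")).hexdigest()


def build_verification_request(token: str, timestamp: str = "",
                               nonce: str = "", echostr: str = "") -> dict:
    """Simulates the WeChat backend: the GET query parameters it sends to the
    configured URL when the developer saves the configuration."""
    timestamp = timestamp or str(int(time.time()))
    nonce = nonce or str(secrets.randbelow(10 ** 10))
    echostr = echostr or str(secrets.randbelow(10 ** 19))
    return {
        "signature": wechat_signature(token, timestamp, nonce),
        "timestamp": timestamp,
        "nonce": nonce,
        "echostr": echostr,
    }


def handle_verification(params: dict, token: str) -> str:
    """Developer server side (what the /getToken handler does): returns echostr
    when the request proves knowledge of the shared Token, otherwise ''."""
    required = ("signature", "timestamp", "nonce", "echostr")
    # Step 1: every field must be present and non-empty
    if any(not params.get(name) for name in required):
        return ""
    # Steps 2 and 3: recompute the signature from our own copy of the Token
    expected = wechat_signature(token, params["timestamp"], params["nonce"])
    # Step 4: constant-time comparison, so a forger learns nothing from timing
    if not hmac.compare_digest(expected.encode("ascii"),
                               params["signature"].encode("utf-8")):
        return ""
    return params["echostr"]


if __name__ == "__main__":
    good = build_verification_request(TOKEN)
    print("genuine request ->", handle_verification(good, TOKEN) == good["echostr"])
    forged = dict(good, nonce=good["nonce"] + "1")   # nonce changed, signature not
    print("tampered nonce  ->", handle_verification(forged, TOKEN) == "")
    print("wrong token     ->", handle_verification(good, "attacker_guess") == "")
```

Note what the check does and does not prove: a matching signature shows the sender knows the Token, but nothing in the scheme checks that the timestamp is recent, so a captured request can be replayed verbatim; for the one-off configuration check that is harmless, because the response is only the echostr the sender already supplied.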

Tags: Java

Posted on Tue, 05 May 2020 18:56:35 -0400 by apollyon