Wechat verification developer server interface
- In the public platform's basic configuration, the developer fills in the URL of the endpoint on their own server that handles token verification, together with a self-chosen Token (the blogger used a test account applied for on the platform, with natapp for intranet tunnelling).
- Objective: to let the WeChat server and the developer server confirm each other's identity. The developer server checks that a request carries a signature derived from the shared Token before acting on it; the WeChat server checks that the developer server echoes back the `echostr` it sent, so requests that do not come from WeChat are simply ignored.
The flow chart is as follows (I did not know how to display a Markdown flow chart on Blog Park, but my brother told me how). It is taken from the WeChat public platform technical documentation:
```flow
st=>start: Open service
ipop1=>inputoutput: Received data [not sure who sent it]
op1=>operation: Try to extract the signature, timestamp, nonce and echostr fields
cd1=>condition: Are all fields extracted successfully?
op2=>operation: Assign token from the value in basic configuration
op3=>operation: Sort token, timestamp and nonce to obtain a string list
op4=>operation: Hash the concatenated list (SHA-1) to obtain hashcode
cd2=>condition: hashcode == signature?
op5=>operation: Confirm that the data source is the WeChat backend
ipop2=>inputoutput: Return echostr to the WeChat backend to pass Token verification
ed=>end: Continue other services
op6=>operation: Conclude that the data source is not the WeChat backend
ipop3=>inputoutput: Do not handle

st->ipop1->op1->cd1->op2->op3->op4->cd2->op5->ipop2->ed
cd1(yes)->op2
cd1(no)->op6->ipop3->ed
cd2(yes)->op5
cd2(no)->op6
```
The Java implementation (a Spring MVC controller method) is as follows:
```java
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Verification endpoint. WeChat issues a GET carrying signature, timestamp, nonce and echostr;
// TokenDTO is the request binding for those four query parameters (getters not shown here).
@GetMapping("/getToken")
@ResponseBody
public String getToken(TokenDTO tokenDTO, HttpServletResponse response) {
    // Step 1: reject the request outright if any of the four fields is missing or empty.
    if (StringUtils.isBlank(tokenDTO.getSignature())
            || StringUtils.isBlank(tokenDTO.getTimestamp())
            || StringUtils.isBlank(tokenDTO.getNonce())
            || StringUtils.isBlank(tokenDTO.getEchostr())) {
        return "";
    }
    // Step 2: token is the value entered in the public platform's basic configuration.
    // The original listing lost the array initializer; it is reconstructed from the flow chart
    // (token, timestamp, nonce), with the token assumed to live in the same Constant class
    // that already supplies the charset.
    String[] arr = new String[]{Constant.token, tokenDTO.getTimestamp(), tokenDTO.getNonce()};
    Arrays.sort(arr); // dictionary order, as the WeChat documentation requires
    StringBuilder sb = new StringBuilder();
    sb.append(arr[0]).append(arr[1]).append(arr[2]);
    // Step 3: SHA-1 of the concatenation, rendered as lowercase hex (Hex.encodeHex default).
    String hash = null;
    try {
        hash = new String(Hex.encodeHex(
                MessageDigest.getInstance("SHA-1").digest(sb.toString().getBytes(Constant.charset))));
    } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    // Step 4: compare in constant time (MessageDigest.isEqual) rather than String.equals, so the
    // comparison's timing does not reveal how many leading bytes of a forged signature matched.
    // Return echostr only when the request really came from the WeChat server.
    boolean fromWechat = StringUtils.isNoneBlank(hash)
            && MessageDigest.isEqual(
                    hash.getBytes(StandardCharsets.US_ASCII),
                    tokenDTO.getSignature().toLowerCase().getBytes(StandardCharsets.US_ASCII));
    return fromWechat ? tokenDTO.getEchostr() : "";
}
```
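To make the flow chart and the Java handler above concrete, here is an added, self-contained example (not code from the original post or from WeChat) that plays both sides of the exchange in Python: the WeChat side builds the verification GET's query string from a token, timestamp and nonce, and the developer side parses it, recomputes the SHA-1 signature and returns `echostr` only on a match. The token and request values are constructed for the demo; `hmac.compare_digest` is used in place of a plain string comparison for the same reason as the constant-time compare in the Java version.

```python
import hashlib
import hmac
from typing import Mapping
from urllib.parse import parse_qsl, urlencode

# Constructed sample token: the value the developer typed into "basic configuration".
# It is an assumption for this demo, not the blogger's real token.
TOKEN = "myWeChatToken"


def wechat_signature(token: str, timestamp: str, nonce: str) -> str:
    """Signature as the WeChat server computes it: sort token, timestamp and nonce
    in dictionary order, concatenate, SHA-1, lowercase hex."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def build_verification_query(token: str, timestamp: str, nonce: str, echostr: str) -> str:
    """WeChat side: the query string of the GET sent to the developer's configured URL."""
    sig = wechat_signature(token, timestamp, nonce)
    return urlencode({"signature": sig, "timestamp": timestamp,
                      "nonce": nonce, "echostr": echostr})


def handle_verification(query: str, token: str = TOKEN) -> str:
    """Developer side: return echostr only when the request carries a valid signature.
    Returns "" for a malformed or forged request, matching the Java handler's behaviour."""
    params: Mapping[str, str] = dict(parse_qsl(query, keep_blank_values=True))
    for field in ("signature", "timestamp", "nonce", "echostr"):
        if not params.get(field):           # missing or empty field: not from WeChat
            return ""
    expected = wechat_signature(token, params["timestamp"], params["nonce"])
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, params["signature"].lower()):
        return ""
    return params["echostr"]


if __name__ == "__main__":
    # Constructed request values for the walkthrough.
    query = build_verification_query(TOKEN, "1712345678", "a1b2c3d4", "9876543210123456789")
    print("valid request   ->", repr(handle_verification(query)))
    forged = build_verification_query("guessedToken", "1712345678", "a1b2c3d4", "9876543210123456789")
    print("wrong token     ->", repr(handle_verification(forged)))
    print("missing echostr ->", repr(handle_verification("signature=abc&timestamp=1&nonce=2")))
```

Two things worth noting when reusing this check. The signature proves only that the sender knows the shared Token; as specified, it does not cover `echostr` and the handler does not reject stale timestamps, so a captured valid request stays valid until the Token is changed. That is fine for the one-off URL verification, but if the same check guards message delivery, also reject timestamps outside a short window.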