In Yii 2, secure URL signature and authentication based on sam-it/yii2-urlsigner
1. The web application authorization of the micro-connection of Weibo (the user who guides the user to enter the authorization page to log in to the authorization page to agree to the web application of the micro-connection of Weibo), the rap document, as shown in Figure 1
Figure 1
2. Since the channel publishing interface is the underlying service, all interfaces are allowed to visit by tourists, which leads to the user. Implement secure URL signatures and validation to prevent this from happening
3. Environment variable configuration in Rancher
CHANNEL_PUB_API_CFG_NGINX_API_SERVER_NAME=wjdev2.chinamcloud.com # Nginx 服务器名称(接口域名、建议入方向仅支持内网)
CHANNEL_PUB_API_CFG_NGINX_API_LISTEN=80 # Nginx 服务器监听端口(接口域名、建议入方向仅支持内网)
CHANNEL_PUB_API_CFG_NGINX_API_SCHEME=https # Nginx 服务器 URI 方案的协议(接口域名、建议入方向仅支持内网、范围:[http, https, 空字符串])
CHANNEL_PUB_API_CFG_NGINX_AUTH_SERVER_NAME=wjdev2.chinamcloud.com # Nginx 服务器名称(授权域名、建议入方向可支持外网)
CHANNEL_PUB_API_CFG_NGINX_AUTH_LISTEN=81 # Nginx 服务器监听端口(授权域名、建议入方向可支持外网)
CHANNEL_PUB_API_CFG_NGINX_AUTH_SCHEME=https # Nginx 服务器 URI 方案的协议(授权域名、建议入方向可支持外网、范围:[http, https, 空字符串])
CHANNEL_PUB_API_CFG_AUTH_HOST_INFO=https://wjdev2.chinamcloud.com:8662 // 渠道发布接口授权的 HOME URL
CHANNEL_PUB_API_CFG_AUTH_BASE_URL= // 渠道发布接口授权的 BASE URL
4. Install sam-it/yii2-urlsigner based on composer, the URL:https://github.com/SAM-IT/yii2-urlsigner, execute the command
PS E:\wwwroot\channel-pub-api> composer require --prefer-dist SAM-IT/yii2-urlsigner
Using version ^2.0 for sam-it/yii2-urlsigner
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 2 installs, 0 updates, 0 removals
- Installing sam-it/yii2-urlsigner (v2.0.0): Downloading (100%)
- Installing intervention/image (2.4.2): Downloading (100%)
intervention/image suggests installing intervention/imagecache (Caching extension for the Intervention Image library)
Writing lock file
Generating autoload files
5. Realize the interface: Obtain the link to the web application authorization of the micro-connection of Weibo (the user who guides the user to the authorization page to log in to the authorization page to agree to the authorization, and create the micro-connected web application of Weibo), edit it \weibo\rests\oauth2\authorizeaction.php
<?php
/**
* @link http://www.yiiframework.com/
* @copyright Copyright (c) 2008 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
namespace weibo\rests\oauth2;
use Yii;
use weibo\models\Channel;
use weibo\models\ChannelType;
use weibo\models\WeiboWeiboConnectWebAppUserCreateParam;
use weibo\services\ChannelService;
use weibo\services\ChannelTypeService;
use weibo\services\WeiboWeiboConnectWebAppService;
use SamIT\Yii2\UrlSigner\UrlSigner;
use yii\base\Model;
use yii\helpers\Url;
use yii\web\NotFoundHttpException;
use yii\web\UnprocessableEntityHttpException;
/**
* 获取微博的微连接的网页应用授权(引导用户进入授权页面登录同意授权、创建微博的微连接的网页应用的用户)的链接
*
* 1、请求参数列表
* (1)source:必填,来源,xContent:内容库;vms:视频管理系统;scms:内容管理系统;spider:自媒体;channel-pub-api:渠道发布接口
* (2)source_uuid:必填,来源ID(UUID)
* (3)user_name:必填,用户名称
* (4)permission:必填,权限,1:同步;2:发布;3:同步与发布
* (5)status:可选,状态,0:禁用;1:启用,默认:1
* (6)redirect_uri:可选,微博的微连接的网页应用授权后重定向的回调链接,其值需要 Base64 编码,默认:渠道发布接口授权成功提示页面的网址
*
* 2、输入数据验证规则
* (1)存在性:基于代码,weibo:微博查询资源(渠道),如果不存在,则返回失败
* (2)比对(status !== 1):判断状态(渠道),如果未启用,则返回失败
* (3)存在性:基于代码,weibo_weibo_connect_web:微博的微连接的网页应用查询资源(渠道的类型),如果不存在,则返回失败
* (4)比对(status !== 1):判断状态(渠道的类型),如果未启用,则返回失败
* (5)存在性:基于 App ID 查询资源(微博的微连接的网页应用),如果不存在,则返回失败
* (6)比对(status !== 1):判断状态(微博的微连接的网页应用),如果未启用,则返回失败
* (7)必填:source、source_uuid、user_name、permission
* (8)默认值(1):status
* (9)默认值(渠道发布接口授权成功提示页面的网址):redirect_uri
* (10)网址(Base64 解码):redirect_uri
*
* 3、操作数据
* (1)URL 签名
* (2)基于渠道发布接口授权配置,返回授权链接
*
* For more details and usage information on AuthorizeAction, see the [guide article on rest controllers](guide:rest-controllers).
*
* @author Qiang Wang <shuijingwanwq@163.com>
* @since 1.0
*/
class AuthorizeAction extends Action
{
/**
* @var string the scenario to be assigned to the new model before it is validated and saved.
*/
public $scenario = Model::SCENARIO_DEFAULT;
/**
* @var string the name of the view action. This property is need to create the URL when the model is successfully created.
*/
public $viewAction = 'view';
/**
* Authorizes a new model.
* @throws NotFoundHttpException 如果未找到数据模型,将抛出 404 HTTP 异常
* @throws UnprocessableEntityHttpException 如果找到数据模型,状态未启用,将抛出 422 HTTP 异常
* @throws \Throwable
*/
public function run()
{
if ($this->checkAccess) {
call_user_func($this->checkAccess, $this->id);
}
// 基于代码查找状态为启用的数据模型(渠道)
$channelEnabledItem = ChannelService::findModelEnabledByCode(Channel::CODE_WEIBO);
// 基于代码查找状态为启用的数据模型(渠道的类型)
$channelTypeEnabledItem = ChannelTypeService::findModelEnabledByCode(ChannelType::CODE_WEIBO_WEIBO_CONNECT_WEB);
// 基于 App ID 查找状态为启用的数据模型(微博的微连接的网页应用)
$weiboWeiboConnectWebAppEnabledItem = WeiboWeiboConnectWebAppService::findModelEnabledByAppId(Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appId']);
$request = Yii::$app->request;
$get = $request->get();
$base64DecodeRedirectUri = base64_decode($request->get('redirect_uri', base64_encode(Yii::$app->params['auth']['hostInfo'] . Yii::$app->params['auth']['baseUrl'])), true);
// Base64 解码失败
if ($base64DecodeRedirectUri === false) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 244006)));
}
$get['redirect_uri'] = $base64DecodeRedirectUri;
/* 微博的微连接的网页应用授权(引导用户进入授权页面登录同意授权)参数 */
$weiboWeiboConnectWebAppUserCreateParam = new WeiboWeiboConnectWebAppUserCreateParam();
// 把请求数据填充到模型中
if (!$weiboWeiboConnectWebAppUserCreateParam->load($get, '')) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 244003)));
}
// 验证模型
if (!$weiboWeiboConnectWebAppUserCreateParam->validate()) {
$weiboWeiboConnectWebAppUserCreateParamResult = self::handleValidateError($weiboWeiboConnectWebAppUserCreateParam);
if ($weiboWeiboConnectWebAppUserCreateParamResult['status'] === false) {
throw new UnprocessableEntityHttpException($weiboWeiboConnectWebAppUserCreateParamResult['message']);
}
}
$pathInfo = '/weibo-oauth2/authorize';
$base64EncodeRedirectUri = base64_encode($base64DecodeRedirectUri);
// URL 签名
$urlSigner = new UrlSigner([
'secret' => Yii::$app->params['urlSigner']['secret']
]);
$route = [
$pathInfo,
'group_id' => $get['group_id'],
'source' => $get['source'],
'source_uuid' => $get['source_uuid'],
'user_name' => $get['user_name'],
'permission' => $get['permission'],
'status' => $weiboWeiboConnectWebAppUserCreateParam->status,
'redirect_uri' => $base64EncodeRedirectUri,
];
// 是否允许添加额外参数:否,将到期时间设置为 1 分钟
$urlSigner->signParams($route, false, (new \DateTime())->add(new \DateInterval('PT' . Yii::$app->params['urlSigner']['timeOut'] . 'M')));
// 包含 host info 的整个 URL
$scheme = empty(Yii::$app->params['nginxAuthScheme']) ? true : Yii::$app->params['nginxAuthScheme'];
$route[0] = Yii::$app->params['auth']['hostInfo'] . Yii::$app->params['auth']['baseUrl'] . $pathInfo;
$data['url'] = Url::to($route, $scheme);
return ['code' => 10000, 'message' => Yii::t('success', '144008'), 'data' => $data];
}
}
6. The interface response is as follows:
{
"code": 10000,
"message": "获取微博的微连接的网页应用授权(引导用户进入授权页面登录同意授权、创建微博的微连接的网页应用的用户)的链接成功",
"data": {
"url": "http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A"
}
}
7. Edit \frontend\controllers\weibooauth2controller.php, that is Weibo’s micro-connected web application authorization
<?php
/**
* Created by PhpStorm.
* User: Qiang Wang
* Date: 2018/12/20
* Time: 15:57
*/
namespace frontend\controllers;
use Yii;
use frontend\models\Channel;
use frontend\models\ChannelType;
use frontend\models\ChannelAppSource;
use frontend\models\WeiboWeiboConnectWebAppUserCreateParam;
use frontend\models\WeiboWeiboConnectWebAppUser;
use frontend\models\redis\WeiboWeiboConnectWebAppUserAccessToken as RedisWeiboWeiboConnectWebAppUserAccessToken;
use frontend\services\ChannelService;
use frontend\services\ChannelTypeService;
use frontend\services\WeiboWeiboConnectWebAppService;
use frontend\services\ChannelAppSourceService;
use frontend\services\WeiboWeiboConnectWebAppUserService;
use frontend\services\WeiboWeiboConnectWebAppAccessTokenService;
use SamIT\Yii2\UrlSigner\UrlSigner;
use SamIT\Yii2\UrlSigner\HmacFilter;
use yii\base\DynamicModel;
use yii\base\Model;
use yii\web\Controller;
use yii\web\Response;
use yii\helpers\ArrayHelper;
use yii\helpers\Url;
use yii\web\ServerErrorHttpException;
use yii\web\NotFoundHttpException;
use yii\web\UnprocessableEntityHttpException;
/**
* Class WeiboOauth2Controller
* @package frontend\controllers
*
* 微博的微连接的网页应用授权 {auth_url}/weibo-oauth2
*
* @author Qiang Wang <shuijingwanwq@163.com>
* @since 1.0
*/
class WeiboOauth2Controller extends Controller
{
/**
* {@inheritdoc}
*/
public function actions()
{
return [
'error' => [
'class' => 'yii\web\ErrorAction',
],
];
}
public function behaviors()
{
return [
'hmacFilter' => [
'class' => HmacFilter::class,
'signer' => new UrlSigner([
'secret' => Yii::$app->params['urlSigner']['secret']
]),
],
];
}
/**
* 处理模型错误
* @param object $model 模型
* @return array
* 格式如下:
*
* [
* 'status' => false, // 失败
* 'code' => 214003, // 返回码
* 'message' => '数据验证失败:权限不能为空。', // 说明
* ]
*
* @throws ServerErrorHttpException
*/
public static function handleValidateError($model)
{
if ($model->hasErrors()) {
$response = Yii::$app->getResponse();
$response->setStatusCode(422, 'Data Validation Failed.');
$firstError = '';
foreach ($model->getFirstErrors() as $message) {
$firstError = $message;
break;
}
return ['status' => false, 'code' => 214003, 'message' => Yii::t('error', Yii::t('error', Yii::t('error', '214003'), ['first_error' => $firstError]))];
} elseif (!$model->hasErrors()) {
throw new ServerErrorHttpException('Failed to create the object for unknown reason.');
}
}
/**
* 处理模型填充与验证
* @param object $model 模型
* @param array $requestParams 请求参数
* @return array
* 格式如下:
*
* [
* 'status' => true, // 成功
* ]
*
* [
* 'status' => false, // 失败
* 'code' => 214002, // 返回码
* 'message' => '数据验证失败:权限不能为空。', // 说明
* ]
*
* @throws ServerErrorHttpException
*/
public static function handleLoadAndValidate($model, $requestParams)
{
// 把请求数据填充到模型中
if (!$model->load($requestParams)) {
return ['status' => false, 'code' => 214002, 'message' => Yii::t('error', '214002')];
}
// 验证模型
if (!$model->validate()) {
return self::handleValidateError($model);
}
return ['status' => true];
}
/**
* 引导用户进入授权页面登录同意授权(302 跳转至平台的请求授权页面)
*
* 1、请求参数列表
* (1)source:必填,来源,xContent:内容库;vms:视频管理系统;scms:内容管理系统;spider:自媒体;channel-pub-api:渠道发布接口
* (2)source_uuid:必填,来源ID(UUID)
* (3)user_name:必填,用户名称
* (4)permission:必填,权限,1:同步;2:发布;3:同步与发布
* (5)status:可选,状态,0:禁用;1:启用,默认:1
* (6)redirect_uri:必填,微博的微连接的网页应用授权后重定向的回调链接,其值需要 Base64 编码
*
* 2、输入数据验证规则
* (1)存在性:基于代码,weibo:微博查询资源(渠道),如果不存在,则返回失败
* (2)比对(status !== 1):判断状态(渠道),如果未启用,则返回失败
* (3)存在性:基于代码,weibo_weibo_connect_web:微博的微连接的网页应用查询资源(渠道的类型),如果不存在,则返回失败
* (4)比对(status !== 1):判断状态(渠道的类型),如果未启用,则返回失败
* (5)存在性:基于 App ID 查询资源(微博的微连接的网页应用),如果不存在,则返回失败
* (6)比对(status !== 1):判断状态(微博的微连接的网页应用),如果未启用,则返回失败
* (7)必填:source、source_uuid、user_name、permission、redirect_uri
* (8)默认值(1):status
* (9)网址(Base64 解码):redirect_uri
* (10)Base64 编码:user_name
*
* 3、操作数据
* (1)URL 签名
* (2)302 跳转至 https://api.weibo.com/oauth2/authorize?response_type=code&client_id=3815687113&redirect_uri=http%3A%2F%2Fwww.channel-pub-api-localhost.chinamcloud.com%2Fweibo-oauth2%2Faccess-token%3Fgroup_id%3Dspider%26source%3Dspider%26source_uuid%3D825e6d5e36468cc4bf536799ce3565cf%26user_name%3D%E5%8D%8E%E6%A0%96%E4%BA%91%26permission%3D3%26status%3D1%26redirect_uri%3DaHR0cDovL3d3dy56bXQuY29t
*
* @throws NotFoundHttpException 如果未找到数据模型,将抛出 404 HTTP 异常
* @throws UnprocessableEntityHttpException 如果找到数据模型,状态未启用,将抛出 422 HTTP 异常
* @throws \Throwable
*/
public function actionAuthorize()
{
// 基于代码查找状态为启用的数据模型(渠道)
$channelEnabledItem = ChannelService::findModelEnabledByCode(Channel::CODE_WEIBO);
// 基于代码查找状态为启用的数据模型(渠道的类型)
$channelTypeEnabledItem = ChannelTypeService::findModelEnabledByCode(ChannelType::CODE_WEIBO_WEIBO_CONNECT_WEB);
// 基于 App ID 查找状态为启用的数据模型(微博的微连接的网页应用)
$weiboWeiboConnectWebAppEnabledItem = WeiboWeiboConnectWebAppService::findModelEnabledByAppId(Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appId']);
$request = Yii::$app->request;
$get = $request->get();
$base64DecodeRedirectUri = base64_decode($request->get('redirect_uri'), true);
/* 判断请求参数中租户ID是否存在 */
if (empty($get['group_id'])) {
throw new UnprocessableEntityHttpException(Yii::t('error', '214004'), 214004);
}
// Base64 解码失败
if ($base64DecodeRedirectUri === false) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 214001)));
}
$get['redirect_uri'] = $base64DecodeRedirectUri;
/* 微博的微连接的网页应用授权(引导用户进入授权页面登录同意授权)参数 */
$weiboWeiboConnectWebAppUserCreateParam = new WeiboWeiboConnectWebAppUserCreateParam();
// 把请求数据填充到模型中
if (!$weiboWeiboConnectWebAppUserCreateParam->load($get, '')) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 214002)));
}
// 验证模型
if (!$weiboWeiboConnectWebAppUserCreateParam->validate()) {
$weiboWeiboConnectWebAppUserCreateParamResult = self::handleValidateError($weiboWeiboConnectWebAppUserCreateParam);
if ($weiboWeiboConnectWebAppUserCreateParamResult['status'] === false) {
throw new UnprocessableEntityHttpException($weiboWeiboConnectWebAppUserCreateParamResult['message']);
}
}
$pathInfo = '/weibo-oauth2/access-token';
$base64EncodeRedirectUri = base64_encode($base64DecodeRedirectUri);
$base64EncodeUserName = base64_encode($get['user_name']);
// URL 签名
$urlSigner = new UrlSigner([
'secret' => Yii::$app->params['urlSigner']['secret']
]);
$route = [
$pathInfo,
'group_id' => $get['group_id'],
'source' => $get['source'],
'source_uuid' => $get['source_uuid'],
'user_name' => $base64EncodeUserName,
'permission' => $get['permission'],
'status' => $weiboWeiboConnectWebAppUserCreateParam->status,
'redirect_uri' => $base64EncodeRedirectUri,
];
// 是否允许添加额外参数:是,将到期时间设置为 1 分钟
$urlSigner->signParams($route, true, (new \DateTime())->add(new \DateInterval('PT' . Yii::$app->params['urlSigner']['timeOut'] . 'M')));
// 包含 host info 的整个 URL,编码 URL 字符串
$scheme = empty(Yii::$app->params['nginxAuthScheme']) ? true : Yii::$app->params['nginxAuthScheme'];
$route[0] = Yii::$app->params['auth']['hostInfo'] . Yii::$app->params['auth']['baseUrl'] . $pathInfo;
$redirectUri = urlencode(Url::to($route, $scheme));
/* 浏览器 302 跳转:引导用户进入授权页面登录同意授权,获取 code */
Yii::$app->response->redirect(Yii::$app->params['weiboAuth']['hostInfo'] . Yii::$app->params['weiboAuth']['baseUrl'] . '/authorize?response_type=code&client_id=' . Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appId'] . '&redirect_uri=' . $redirectUri);
}
/**
* 通过 Code 换取第三方授权 Access Token,相应数据操作、创建微博的微连接的网页应用的用户
*
* 1、请求参数列表
* (1)source:必填,来源,xContent:内容库;vms:视频管理系统;scms:内容管理系统;spider:自媒体;channel-pub-api:渠道发布接口
* (2)source_uuid:必填,来源ID(UUID)
* (3)user_name:必填,用户名称
* (4)permission:必填,权限,1:同步;2:发布;3:同步与发布
* (5)status:可选,状态,0:禁用;1:启用,默认:1
* (6)redirect_uri:必填,微博的微连接的网页应用授权后重定向的回调链接,其值需要 Base64 编码
* (7)code:必填,用户进入授权页面登录同意授权后所获取到的 Auth Code
*
* 2、输入数据验证规则
* (1)存在性:基于代码,weibo:微博查询资源(渠道),如果不存在,则返回失败
* (2)比对(status !== 1):判断状态(渠道),如果未启用,则返回失败
* (3)存在性:基于代码,weibo_weibo_connect_web:微博的微连接的网页应用查询资源(渠道的类型),如果不存在,则返回失败
* (4)比对(status !== 1):判断状态(渠道的类型),如果未启用,则返回失败
* (5)存在性:基于 App ID 查询资源(微博的微连接的网页应用),如果不存在,则返回失败
* (6)比对(status !== 1):判断状态(微博的微连接的网页应用),如果未启用,则返回失败
* (7)必填:source、source_uuid、user_name、permission、redirect_uri、code
* (8)默认值(1):status
* (9)网址(Base64 解码):redirect_uri
* (10)整数:permission、status
* (11)字符串(最大长度:32):source、user_name
* (12)字符串(最大长度:64):source_uuid
* (13)范围([1, 2, 3]):permission
* (14)范围([0, 1]):status
* (15)Base64 解码:user_name
*
* 3、操作数据
* (1)HTTP 请求,通过 Code 换取第三方授权 Access Token
* (2)基于 授权第三方用户的用户唯一标识 查询微博的微连接的网页应用的用户是否存在,如果已存在,则返回失败
* (3)创建 MySQL 模型(渠道的应用的来源)
* (4)创建 MySQL 模型(微博的微连接的网页应用的用户)
* (5)基于 Access Token 插入/更新数据至微博的微连接的网页应用的用户的访问令牌(Redis)
* (6)浏览器 302 跳转:微博的微连接的网页应用授权后重定向的回调链接 http://www.zmt.com/?group_id=spider&code=10000&message=微博的微连接的网页应用授权成功&channel_app_source_uuid=c0ec27fe080c11e997a954ee75d2ebc1
*
* @throws NotFoundHttpException 如果未找到数据模型,将抛出 404 HTTP 异常
* @throws UnprocessableEntityHttpException 如果找到数据模型,状态未启用,将抛出 422 HTTP 异常
* @throws \Throwable
*/
public function actionAccessToken()
{
// 基于代码查找状态为启用的数据模型(渠道)
$channelEnabledItem = ChannelService::findModelEnabledByCode(Channel::CODE_WEIBO);
// 基于代码查找状态为启用的数据模型(渠道的类型)
$channelTypeEnabledItem = ChannelTypeService::findModelEnabledByCode(ChannelType::CODE_WEIBO_WEIBO_CONNECT_WEB);
// 基于 App ID 查找状态为启用的数据模型(微博的微连接的网页应用)
$weiboWeiboConnectWebAppEnabledItem = WeiboWeiboConnectWebAppService::findModelEnabledByAppId(Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appId']);
$request = Yii::$app->request;
$get = $request->get();
$code = $request->get('code');
$base64DecodeRedirectUri = base64_decode($request->get('redirect_uri'), true);
$base64DecodeUserName = base64_decode($request->get('user_name'), true);
/* 判断请求参数中租户ID是否存在 */
if (empty($get['group_id'])) {
throw new UnprocessableEntityHttpException(Yii::t('error', '214004'), 214004);
}
// Base64 解码失败
if ($base64DecodeRedirectUri === false) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 214001)));
}
// Base64 解码失败
if ($base64DecodeUserName === false) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 214005)));
}
$get['redirect_uri'] = $base64DecodeRedirectUri;
$get['user_name'] = $base64DecodeUserName;
/* 通过 Code 换取第三方授权 Access Token,相应数据操作参数 */
$weiboWeiboConnectWebAppUserCreateParam = new WeiboWeiboConnectWebAppUserCreateParam();
// 把请求数据填充到模型中
if (!$weiboWeiboConnectWebAppUserCreateParam->load($get, '')) {
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', 214002)));
}
// 验证模型
if (!$weiboWeiboConnectWebAppUserCreateParam->validate()) {
$weiboWeiboConnectWebAppUserCreateParamResult = self::handleValidateError($weiboWeiboConnectWebAppUserCreateParam);
if ($weiboWeiboConnectWebAppUserCreateParamResult['status'] === false) {
throw new UnprocessableEntityHttpException($weiboWeiboConnectWebAppUserCreateParamResult['message']);
}
}
// Code 参数不存在
if (!isset($code)) {
$errorCode = $request->get('error_code');
$errorMsg = $request->get('error_description');
if (!isset($errorCode)) {
$errorCode = 0;
}
if (!isset($errorMsg)) {
$errorMsg = '';
}
throw new UnprocessableEntityHttpException(Yii::t('error', Yii::t('error', Yii::t('error', '214006'), ['error_code' => $errorCode, 'error_msg' => $errorMsg])));
}
/* 通过 Code 换取第三方授权 Access Token,相应数据操作 */
$weiboWeiboConnectWebAppAccessTokenService = new WeiboWeiboConnectWebAppAccessTokenService();
/* HTTP 请求,通过 Code 换取第三方授权 Access Token */
$httpAccessTokenData = [
'grantType' => RedisWeiboWeiboConnectWebAppUserAccessToken::GRANT_TYPE_AUTHORIZATION_CODE,
'clientId' => Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appId'],
'clientSecret' => Yii::$app->params['weiboAuth']['weiboConnectWebApp']['appSecret'],
'redirectUri' => Yii::$app->params['weiboAuth']['weiboConnectWebApp']['authCallbackUrl'],
'code' => $code,
];
$accessToken = $weiboWeiboConnectWebAppAccessTokenService->httpAccessToken($httpAccessTokenData);
/*
$accessToken = [
'access_token' => '2.00OaBgKGXWOOKE92b7df5350ZJoY9D',
'remind_in' => '157679999',
'expires_in' => 157679999,
'uid' => '5654576218',
'isRealName' => 'false',
];
*/
/* 实例化多个模型 */
// 渠道的应用的来源
$channelAppSource = new ChannelAppSource([
'scenario' => ChannelAppSource::SCENARIO_CREATE,
]);
// 转换创建微博的微连接的网页应用的用户参数,多模型的填充、验证的实现
$get[$channelAppSource->formName()]['source'] = $weiboWeiboConnectWebAppUserCreateParam->source;
$get[$channelAppSource->formName()]['source_uuid'] = $weiboWeiboConnectWebAppUserCreateParam->source_uuid;
$get[$channelAppSource->formName()]['status'] = $weiboWeiboConnectWebAppUserCreateParam->status;
$channelAppSourceResult = self::handleLoadAndValidate($channelAppSource, $get);
if ($channelAppSourceResult['status'] === false) {
throw new UnprocessableEntityHttpException($channelAppSourceResult['message']);
}
// 微博的微连接的网页应用的用户
/* @var $model \yii\db\ActiveRecord */
$model = new WeiboWeiboConnectWebAppUser([
'scenario' => WeiboWeiboConnectWebAppUser::SCENARIO_CREATE,
]);
// 转换创建微博的微连接的网页应用的用户参数,多模型的填充、验证的实现
$get[$model->formName()] = [
'weibo_weibo_connect_web_app_id' => $weiboWeiboConnectWebAppEnabledItem->id,
'user_id' => $accessToken['uid'],
'user_name' => $weiboWeiboConnectWebAppUserCreateParam->user_name,
'permission' => $weiboWeiboConnectWebAppUserCreateParam->permission,
'status' => $weiboWeiboConnectWebAppUserCreateParam->status,
];
$modelResult = self::handleLoadAndValidate($model, $get);
if ($modelResult['status'] === false) {
throw new UnprocessableEntityHttpException($modelResult['message']);
}
/* 操作数据(事务) */
$weiboWeiboConnectWebAppService = new WeiboWeiboConnectWebAppService();
$weiboWeiboConnectWebAppServiceUserUpdateResult = $weiboWeiboConnectWebAppService->userCreate($channelEnabledItem, $channelTypeEnabledItem, $channelAppSource, $model);
if ($weiboWeiboConnectWebAppServiceUserUpdateResult['status'] === false) {
throw new ServerErrorHttpException($weiboWeiboConnectWebAppServiceUserUpdateResult['message'], $weiboWeiboConnectWebAppServiceUserUpdateResult['code']);
}
// 基于 Access Token 插入/更新数据至微博的微连接的网页应用的用户的访问令牌(Redis)
$data = [
'weiboWeiboConnectWebAppId' => $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['weibo_weibo_connect_web_app_id'],
'channelAppSourceId' => $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['channel_app_source_id'],
'channelAppSourceUuid' => $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['channel_app_source_uuid'],
'weiboWeiboConnectWebAppUserId' => $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['id'],
'weiboWeiboConnectWebAppUserUuid' => $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['uuid'],
'grantType' => RedisWeiboWeiboConnectWebAppUserAccessToken::GRANT_TYPE_AUTHORIZATION_CODE,
];
$result = $weiboWeiboConnectWebAppAccessTokenService->saveModel(ArrayHelper::merge($data, $accessToken));
if ($result['status'] === false) {
throw new ServerErrorHttpException($result['message'], $result['code']);
}
/* 浏览器 302 跳转:微博的微连接的网页应用授权后重定向的回调链接 */
$pos = strpos($get['redirect_uri'], '?');
if ($pos === false) {
$redirectUri = $get['redirect_uri'] . '?group_id=' . $get['group_id'] . '&code=10000&message=' . Yii::t('success', '114001') . '&channel_app_source_uuid=' . $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['channel_app_source_uuid'];
} else {
$redirectUri = $get['redirect_uri'] . '&group_id=' . $get['group_id'] . '&code=10000&message=' . Yii::t('success', '114001') . '&channel_app_source_uuid=' . $weiboWeiboConnectWebAppServiceUserUpdateResult['data']['channel_app_source_uuid'];
}
Yii::$app->response->redirect($redirectUri);
}
}
8. Test URL verification, modify/delete/add parameters, in line with expectations, as shown in Figure 2
Figure 2
Get the link:
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Modify parameters: permission=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=1&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Forbidden (#403)
This security code in this URL invalid
Modify parameters: expires=1547801680
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=1&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801680&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Forbidden (#403)
This security code in this URL invalid
Modification parameters: HMAC=17H9ZhiXADLRWMinhoz-SYH9X-X7VCJ9ENOTVRJBE_0
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_0
Forbidden (#403)
This security code in this URL invalid
Delete parameter: status=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Forbidden (#403)
This security code in this URL invalid
Delete parameter: expires=1547801689
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Forbidden (#403)
This security code in this URL invalid
Add parameter: P=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A&p=1
Forbidden (#403)
This security code in this URL invalid
9. Test URL verification and delete URLs Signature: Expires=1547801689&hmac=17h9ZhixAdlrwminhoz-SYH9X-X7VCJ9EnTVRJBE_A, in line with expectations, as shown in Figure 3
Figure 3
Delete parameters: expires=1547801689&hmac=17h9ZhixAdlrwminhoz-syh9x-x7vcj9eNOTVRJBE_A
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t
Forbidden (#403)
This security code for this URL is missing
10. Test URL verification, after 1 minute of timeout, as expected, as shown in Figure 4
Figure 4
After 1 minute of timeout:
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547801689&hmac=17h9ZhIxaDLRWmINHOZ-Syh9X-x7VCj9enotVRjbE_A
Forbidden (#403)
This URL has expired
11. Test the URL verification, whether to jump back from Weibo, whether to add additional parameters: Yes, code=7c104c4d67fa8b246ca8081248486be1, as expected, as shown in Figure 5
Figure 5
Get the link:
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547802531&hmac=6S7d_3MtbrpT3KOlwJl_6gkg1HItB0nhy1kH4h7uiyY
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/access-token?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=5Y2O5qCW5LqRMTY1ODM5Nzk2Mg%3D%3D&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547802545¶ms=group_id%2Csource%2Csource_uuid%2Cuser_name%2Cpermission%2Cstatus%2Credirect_uri%2Cexpires&hmac=R_DEzUDJTpQDkwquF_-pKT_4oJdOxnw3PE_eUaW70jY&code=7c104c4d67fa8b246ca8081248486be1
Modify parameters: permission=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/access-token?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=5Y2O5qCW5LqRMTY1ODM5Nzk2Mg%3D%3D&permission=1&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547802545¶ms=group_id%2Csource%2Csource_uuid%2Cuser_name%2Cpermission%2Cstatus%2Credirect_uri%2Cexpires&hmac=R_DEzUDJTpQDkwquF_-pKT_4oJdOxnw3PE_eUaW70jY&code=7c104c4d67fa8b246ca8081248486be1
Forbidden (#403)
This security code in this URL invalid
Delete parameter: status=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/access-token?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=5Y2O5qCW5LqRMTY1ODM5Nzk2Mg%3D%3D&permission=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1547802545¶ms=group_id%2Csource%2Csource_uuid%2Cuser_name%2Cpermission%2Cstatus%2Credirect_uri%2Cexpires&hmac=R_DEzUDJTpQDkwquF_-pKT_4oJdOxnw3PE_eUaW70jY&code=7c104c4d67fa8b246ca8081248486be1
Forbidden (#403)
This security code in this URL invalid
12. The URL signature and verification have been implemented. The problem at this stage is the URL after the same signature, which can be opened multiple times within 1 minute, and there are still security problems. It is necessary to ensure that 1 signature is only used once, and it will expire after use. After $urlsigner->signparams(), store the HMAC in Redis, the expiration time is 60 seconds, as shown in Figure 6
Figure 6
// 是否允许添加额外参数:否,将到期时间设置为 1 分钟
$urlSigner->signParams($route, false, (new \DateTime())->add(new \DateInterval('PT' . Yii::$app->params['urlSigner']['timeOut'] . 'M')));
// 获取 redis 组件
$redis = Yii::$app->redis;
// 将字符串值 $route['hmac'] . '_' . $route['expires'] 关联到 md5($route['hmac']),过期时间为 60 秒
$redis->set(Yii::$app->params['redisCommand']['keyPrefix'] . md5($route['hmac']), $route['hmac'] . '_' . $route['expires'], 'ex', Yii::$app->params['urlSigner']['timeOut'] * 60);
// 是否允许添加额外参数:是,将到期时间设置为 1 分钟
$urlSigner->signParams($route, true, (new \DateTime())->add(new \DateInterval('PT' . Yii::$app->params['urlSigner']['timeOut'] . 'M')));
// 获取 redis 组件
$redis = Yii::$app->redis;
// 将字符串值 $route['hmac'] . '_' . $route['expires'] 关联到 md5($route['hmac']),过期时间为 60 秒
$redis->set(Yii::$app->params['redisCommand']['keyPrefix'] . md5($route['hmac']), $route['hmac'] . '_' . $route['expires'], 'ex', Yii::$app->params['urlSigner']['timeOut'] * 60);
13. Create the filter common\filters\hmacFilter, inherit to samit\yii2\urlsigner\hmacFilter, and execute after the hmacfilter filter, if redis hmac If there is, the Redis HMAC will be deleted, and the response is true, and if the Redis HMAC does not exist, the response is FALSE. Create new \common\filters\hmacfilter.php
<?php
namespace common\filters;
use Yii;
use SamIT\Yii2\UrlSigner\InvalidHmacException;
/**
* 检查 URL 中的有效 HMAC,是否已经被请求过 1 次
* @package common\fixtures
*
* @author Qiang Wang <shuijingwanwq@163.com>
* @since 1.0
*/
class HmacFilter extends \SamIT\Yii2\UrlSigner\HmacFilter
{
/**
* @param \yii\base\Action $action
* @throws \Exception
* @return bool
*/
public function beforeAction($action)
{
$result = parent::beforeAction($action);
if ($result === true) {
// 获取 redis 组件
$redis = Yii::$app->redis;
$request = $action->controller->module->get('request');
$hmac = Yii::$app->params['redisCommand']['keyPrefix'] . md5($request->get('hmac'));
if ($redis->get($hmac)) {
$redis->del($hmac);
return $result;
} else {
throw new InvalidHmacException();
}
}
}
}
14. Edit \frontend\controllers\weibooauth2controller.php, i.e. Weibo’s micro-connected web application authorization
use common\filters\HmacFilter;
15. Test URL verification, modify parameters, in line with expectations
The obtained link, the first verification passed, the second verification failed:
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=2&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1548050429&hmac=jU4Vo4n2Pe04ymy0UHnqB-_hSjZquOHzkKyU0SCcUPU
第 2 次验证失败
Forbidden (#403)
This security code in this URL invalid
Modify parameters: permission=1
http://www.channel-pub-api-localhost.chinamcloud.com/weibo-oauth2/authorize?group_id=spider&source=spider&source_uuid=825e6d5e36468cc4bf536799ce3565cf&user_name=%E5%8D%8E%E6%A0%96%E4%BA%911658397962&permission=1&status=1&redirect_uri=aHR0cDovL3d3dy56bXQuY29t&expires=1548050429&hmac=jU4Vo4n2Pe04ymy0UHnqB-_hSjZquOHzkKyU0SCcUPU
Forbidden (#403)
This security code in this URL invalid
