2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article introduces the relevant knowledge of "how to implement the API interface in WeChat Mini Programs". The editor walks you through the operation process with an actual case. The method is simple, fast and practical, and I hope this article can help you solve the problem.
1. The necessity of interface security
Our company's Mini Program is about to launch. The Mini Program side is outsourced, and we are responsible for providing the back-end interface, which raises interface security concerns. People with ulterior motives can obtain the back-end interface details by capturing packets or by other means; if the interface performs no permission verification, they can call it at will to tamper with data and attack the server, which can have a serious impact on an enterprise.
Therefore, to prevent malicious calls, protecting the back-end interface and verifying permissions are very important.
Although the Mini Program is protected by HTTPS and by WeChat itself, we still need to strengthen our security awareness and apply protection and permission verification to the back-end interfaces.
2. Mini Program interface protection
Login process of a Mini Program:
1. The Mini Program obtains a code through wx.login() and sends it to the back-end server.
2. The back-end server uses the Mini Program's appid, appsecret and the code to call the WeChat API service in exchange for session_key and openid (openid can be understood as the unique identifier of each user within the Mini Program).
3. The back-end server generates its own 3rd_session and uses it as the key for the openid and session_key; those two are stored as the value on the back-end server, in redis or in mysql, and the 3rd_session is passed to the Mini Program.
4. After receiving the 3rd_session, the Mini Program saves it to the local cache, for example with wx.setStorageSync(KEY, DATA).
5. Subsequent requests from the Mini Program to the back-end server carry the 3rd_session, which can be placed in the request header or in the body.
6. The back-end server uses the 3rd_session as the key and, provided the 3rd_session has not expired, reads out the value (that is, the combined openid and session_key), determines from the openid which user sent the request, compares it with the value sent in the request (if any), and then calls the back-end logic to process it.
7. Business data is returned to the Mini Program.
The session key session_key is used to encrypt and sign user data. To protect the security of its own data, the developer server should not send the session key to the Mini Program, nor provide it to anyone outside.
session_key is mainly used to encrypt and decrypt the data from the wx.getUserInfo API, as shown in the following figure:
SessionId
In WeChat Mini Program development, every request initiated by wx.request() appears to the server as a different session. What does that mean? Unlike a browser, each Mini Program request is effectively sent from a different browser: the sessionId differs between requests (in fact, Mini Program requests do not carry a sessionId cookie at all).
As shown in the following figure:
In fact, wx.request() requests from the Mini Program carry no cookie information, and therefore no sessionId.
But we can add it to the header of each wx.request() ourselves.
Interface protection methods
1. Use HTTPS to hinder packet capture; HTTPS will at least make it harder for an attacker to read the traffic.
2. Sign the interface parameters: compute an MD5 digest over the data together with a timestamp and a random string (salt), then transmit the MD5 digest, the timestamp and the original data to the back end, which defines a validity period. If the timestamp falls within this period and the recomputed digest matches the transmitted one, the request is considered legitimate. Encryption algorithms such as AES/DES can also be used, and local client information can be added as a further basis for judgment.
3. Local encryption obfuscation: do not put the above encryption/decryption data and algorithms directly in the local code, since it is easy to decompile and crack; put them in a separate module instead, and the more obfuscated the function names, the harder the code is to read and the safer it is.
4. User-Agent and Referer restrictions.
5. Login authentication to protect the API, including device authentication and user authentication; whether a user is logged in can be determined by checking the session, etc.
6. Limit the number of API accesses, for example the number of API calls per minute, restricted by session or by IP.
7. Monitor regularly, check logs and detect abnormal interface access.
This concludes the introduction to "how to implement the API interface in WeChat Mini Programs". Thank you for reading. If you want to learn more about the industry, you can follow the industry information channel, where the editor updates different knowledge points for you every day.