更新

js/core/verifyServer.js

@@ -0,0 +1,116 @@
+// TODO: 替换为自己的盐
+// 服务器接收来自 app 的请求的盐
+const saltApp2End = "123321";
+// 服务器发送数据到 app 的盐
+const saltEnd2App = "123321";
+
+addEventListener("fetch", (event) => {
+  event.respondWith(handleRequest(event.request));
+});
+
+async function handleRequest(request) {
+  let params;
+
+  try {
+    params = await request.json();
+  } catch (error) {
+    return new Response();
+  }
+
+  if (!params || Object.keys(params).length === 0) {
+    return new Response();
+  }
+
+  if (!(await _verifySignFromApp(params))) {
+    return new Response();
+  }
+
+  if (!_verifyTimestamp(params.date)) {
+    return new Response();
+  }
+
+  let responseData = {};
+  let sid = params.sid;
+  //TODO: 判断 sid 是否是允许的用户
+  // 如果使用 cloudflare worker，可以使用 KV 存储 key: sid  value：与用户定义的其它标识 例如邮箱
+  if (sid) {
+    responseData.pass = true;
+  } else {
+    responseData.pass = false;
+  }
+
+  const signedResponse = await _signResponse2App(
+    responseData,
+    params.sessionId
+  );
+
+  return new Response(JSON.stringify(signedResponse), {
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+async function _verifySignFromApp(params) {
+  const { sign, ...otherParams } = params;
+  if (
+    !sign ||
+    !otherParams.random ||
+    !otherParams.date ||
+    !otherParams.sessionId ||
+    !otherParams.sid
+  )
+    return false;
+
+  const sortedParams = Object.entries(otherParams)
+    .sort((a, b) => b[0].localeCompare(a[0]))
+    .map(([key, value]) => `${key}=${value}`)
+    .join("&");
+
+  const salt =
+    saltApp2End + otherParams.random.slice(-4) + otherParams.date.slice(-4);
+  const signStr = salt + sortedParams;
+  const calculatedSign = await _keyToSha256(signStr);
+
+  return calculatedSign === sign;
+}
+
+async function _signResponse2App(data, sessionId) {
+  const signMap = { ...data };
+  // 64位随机数
+  const random = crypto.randomUUID().slice(-64);
+  const date = Date.now().toString();
+
+  signMap.random = random;
+  signMap.date = date;
+  signMap.sessionId = sessionId;
+
+  const sortedParams = Object.entries(signMap)
+    .sort((a, b) => b[0].localeCompare(a[0]))
+    .map(([key, value]) => `${key}=${value}`)
+    .join("&");
+
+  const salt = saltEnd2App + random.slice(-4) + date.slice(-4);
+  const signStr = salt + sortedParams;
+  signMap.sign = await _keyToSha256(signStr);
+
+  return signMap;
+}
+
+async function _keyToSha256(input) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(input);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hashBuffer))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+// 验证时间戳
+function _verifyTimestamp(timestamp) {
+  // 时间为了保证任意时区都一致 所以使用格林威治时间
+  const currentTimeString = new Date().toISOString();
+  const currentTime = new Date(currentTimeString).getTime();
+  const requestTime = parseInt(timestamp);
+  const timeDifference = Math.abs(currentTime - requestTime);
+  // 检查时间差是否小于2分钟（120000毫秒）
+  return timeDifference < 120000;
+}