增加七牛回调配置与签名验签能力
This commit is contained in:
hello-dd-code
@@ -9,6 +9,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"path"
|
||||
"regexp"
|
||||
"strings"
|
||||
@@ -18,7 +19,9 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
ErrQiniuNotConfigured = errors.New("qiniu is not configured")
|
||||
ErrQiniuNotConfigured = errors.New("qiniu is not configured")
|
||||
ErrQiniuCallbackUnauthorized = errors.New("qiniu callback unauthorized")
|
||||
ErrQiniuCallbackInvalidHeader = errors.New("qiniu callback authorization header is invalid")
|
||||
)
|
||||
|
||||
type QiniuService struct {
|
||||
@@ -79,6 +82,19 @@ func (s *QiniuService) CreateUploadToken(miniProgramID uint, userID uint, filena
|
||||
// 上传完成后返回给前端的 JSON(七牛会做变量替换)
|
||||
"returnBody": `{"key":"$(key)","hash":"$(etag)","fsize":$(fsize),"mimeType":"$(mimeType)"}`,
|
||||
}
|
||||
if callbackURL := strings.TrimSpace(s.cfg.CallbackURL); callbackURL != "" {
|
||||
putPolicy["callbackUrl"] = callbackURL
|
||||
callbackBody := strings.TrimSpace(s.cfg.CallbackBody)
|
||||
if callbackBody == "" {
|
||||
callbackBody = "key=$(key)&hash=$(etag)&fsize=$(fsize)&mimeType=$(mimeType)"
|
||||
}
|
||||
callbackBodyType := strings.TrimSpace(s.cfg.CallbackBodyType)
|
||||
if callbackBodyType == "" {
|
||||
callbackBodyType = "application/x-www-form-urlencoded"
|
||||
}
|
||||
putPolicy["callbackBody"] = callbackBody
|
||||
putPolicy["callbackBodyType"] = callbackBodyType
|
||||
}
|
||||
|
||||
policyJSON, err := json.Marshal(putPolicy)
|
||||
if err != nil {
|
||||
@@ -100,6 +116,54 @@ func (s *QiniuService) CreateUploadToken(miniProgramID uint, userID uint, filena
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (s *QiniuService) VerifyCallbackSignature(req *http.Request, rawBody []byte) error {
|
||||
if s.cfg.AccessKey == "" || s.cfg.SecretKey == "" {
|
||||
return ErrQiniuNotConfigured
|
||||
}
|
||||
|
||||
authHeader := strings.TrimSpace(req.Header.Get("Authorization"))
|
||||
if authHeader == "" {
|
||||
return ErrQiniuCallbackInvalidHeader
|
||||
}
|
||||
|
||||
parts := strings.SplitN(authHeader, " ", 2)
|
||||
if len(parts) != 2 {
|
||||
return ErrQiniuCallbackInvalidHeader
|
||||
}
|
||||
scheme := strings.TrimSpace(parts[0])
|
||||
if !strings.EqualFold(scheme, "QBox") {
|
||||
// 七牛上传回调使用 QBox;其它 scheme 视为非法。
|
||||
return ErrQiniuCallbackInvalidHeader
|
||||
}
|
||||
|
||||
token := strings.TrimSpace(parts[1])
|
||||
tokenParts := strings.SplitN(token, ":", 2)
|
||||
if len(tokenParts) != 2 {
|
||||
return ErrQiniuCallbackInvalidHeader
|
||||
}
|
||||
accessKey := strings.TrimSpace(tokenParts[0])
|
||||
providedSign := strings.TrimSpace(tokenParts[1])
|
||||
if accessKey == "" || providedSign == "" {
|
||||
return ErrQiniuCallbackInvalidHeader
|
||||
}
|
||||
if accessKey != s.cfg.AccessKey {
|
||||
return ErrQiniuCallbackUnauthorized
|
||||
}
|
||||
|
||||
signing := req.URL.Path
|
||||
if req.URL.RawQuery != "" {
|
||||
signing += "?" + req.URL.RawQuery
|
||||
}
|
||||
signing += "\n"
|
||||
signing += string(rawBody)
|
||||
|
||||
expected := urlSafeBase64NoPad(hmacSHA1([]byte(s.cfg.SecretKey), []byte(signing)))
|
||||
if !hmac.Equal([]byte(providedSign), []byte(expected)) {
|
||||
return ErrQiniuCallbackUnauthorized
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func hmacSHA1(secret []byte, data []byte) []byte {
|
||||
mac := hmac.New(sha1.New, secret)
|
||||
mac.Write(data)
|
||||
|
||||
Reference in New Issue
Block a user