最新消息:20210816 当前crifan.com域名已被污染,为防止失联,请关注(页面右下角的)公众号
    你的位置:在路上 > timestamp > 【未解决】分析mp.codeup.cn中核心参数_timestamp、_nonce、_sign逻辑

    【未解决】分析mp.codeup.cn中核心参数_timestamp、_nonce、_sign逻辑

    timestamp crifan 1448浏览
    折腾:
    【未解决】模拟mp.codeup.cn中调用queryAllPageByEbookId.do返回json数据
    期间,需要去分析,感觉是此处能请求成功的核心参数:
    • _timestamp
    • _nonce
    • _sign
    结果:
    _timestamp的:
    1583157835
    _nonce的:
     491fd5fc-b046-4bd7-870b-ccae94ccc23b
    _sign的
    47CBFDFACD3E0A0746E2391C7F78AD00
    都搜不到。。。
    看来是js内部生成的
    搜:
    queryAllPageByEbookId.do
    http://mp.codeup.cn/book/index.js?id=2020218

function fetch(params) {
    var url ='/ebookpageservices/queryAllPageByEbookId.do';
    if(params.data.bookId!=null){
        url='/ebookpageservices/queryAllPageByBookId.do'
    }
  crossDomainPost(PROJECT_NAME_BIZ,url,
    params.data,
    function (json) {
      params.success(json);
    });
}
    去搜:PROJECT_NAME_BIZ
    能找到:
    http://mp.codeup.cn/book/js/ytrequest.js

var PROJECT_NAME_BIZ='biz';
    去找:
    fetch(
    结果一直在搜索,没法结束。
    关闭页面,重新调试。
    重新调试:
    http://mp.codeup.cn/book/sample2.htm?id=52365&shelfId=4824&share_=6765370&sh=sh&vt_=1583111113754&_logined=1
    http://mp.codeup.cn/book/index.js?id=2020218
    完全下载下载到本地,去看看代码
    function fetch(params) {
    var url ='/ebookpageservices/queryAllPageByEbookId.do';
    if(params.data.bookId!=null){
        url='/ebookpageservices/queryAllPageByBookId.do'
    }
  crossDomainPost(PROJECT_NAME_BIZ,url,
    params.data,
    function (json) {
      params.success(json);
    });
}
    找到当前文件中被调用的地方:
    
function initData(id,bookId) {
  queryAllPages(id,bookId);
}


function queryAllPages(id,bookId) {
  fetch({
    data: { 'bookId':bookId,'ebookId': id,'edit':editor},
    success: function (res) {
      var pageList = res.data.data;
      var onlineStatus = res.data.onlineStatus;
      ebookConf = res.data.ebookConf;
      allPages = res.data.data;
      window.title=res.data.bookName;
        if(editor!=1 && onlineStatus == 0){
            $('.unauthorized-warp').css('display', 'flex');
            $('.unauthorized-tip1').html('电子样书暂时下架,请上架后再来哦');
            $('.unauthorized-tip1+a').attr('href', HOST.replace('mp','www'));
            $('.ebook-spin').css({"display":"none"});
            return;
        }
      if(ebookConf.formId){
        $('.userFeedback').show();
        queryFormModules(ebookConf.formId);
      }
      if(pageList.length) {
        initFilpbook(pageList, ebookConf || {})
        ;
        setShareData(ebookConf.ebookId ,bookId, res.data.thumbnails);
      } else {
        $('.unauthorized-warp').css('display', 'flex');
        $('.unauthorized-tip1+a').attr('href', HOST.replace('mp','www'));
          $('.ebook-spin').css({"display":"none"});
      }
        $('.opts .preview .preview-hover-wrap img').attr('src', HOST+'/qrService/genCommonQr.do?v=2&size=256&qrText='+HOST+'/book/sample2.htm?id='+ebookConf.ebookId);
    }
  })
}

var flipBookW, flipBookH;
window.onload = function () {
  var Request=new Object();
  Request=GetRequest();
  var bookId=Request['bookId'];
  editor=Request['edit'];
  var id=Request['id'];
  var bookshelfId=Request['shelfId'];
  var bookMallId=Request['mallId'];


  initData(id,bookId);
  // getLoginQr();
。。。
    所以是:
    window的onload -> initData -> queryAllPages -> fetch
    然后发现
    Request=GetRequest();
    也是当前文件,且是从输入中分析要的值:
    function GetRequest(){
  var url = location.search;//获取url中?后的字串
  var theRequest = new Object();
  if(url.indexOf("?") != -1){
    var str = url.substr(1),//抽取从 start 下标开始的指定数目的字符
        strs = str.split("&");
      for(var i = 0; i < strs.length; i++){
        theRequest[strs[i].split("=")[0]] = unescape(strs[i].split("=")[1]);
      }
  }
  return theRequest;
}
    此处先去自己从url
    http://mp.codeup.cn/book/sample2.htm?id=52365&shelfId=4824&share_=6765370&sh=sh&vt_=1583111113754&_logined=1
    分出:
    id = 52365
shelfId = 4824
share_ = 6765370
sh = sh
vt_ = 1583111113754
_logined = 1
    ->
    id = 52365
    此处没有bookId
    发现不影响,核心是id,即bookId
    然后主要是:
    分析crossDomainPost,搞清楚sign等参数的逻辑
    此处没有crossDomainPost的定义。
    去找:
    下载下来
    http://mp.codeup.cn/book/js/ytrequest.js
    拷贝出代码:
    function crossDomainPost(projectName,api,data,callback) {
    $.ajax({
        type: "post",
        url: genRequestUrl(HOST,projectName,api),
        data: requestSign(data),
        dataType: "json",
        crossDomain: true,
        //jquery.js
        xhrFields: {
            withCredentials: true
        },
        //zepto.js
        beforeSend: function (xhr, settings) {
           xhr.withCredentials=true;
        },
        success: function (result, status, xhr) {
            if ($.isFunction(callback)) callback(result);
        },
        error: function (xhr, errorType, error) {


        },
        complete: function (xhr, status) {


        }
    })
}
    以及:
    // ajax封装,请求接口加密
function requestSign(options) {
        // 加入时间戳和uuid参数
        options['_timestamp'] = Date.parse(new Date())/1000;
        options['_nonce'] = requestUuidV4();
        // 生成加密参数
        var hash ='';
        var newKeys = Object.keys(options).sort();
        for (var i = 0; i < newKeys.length; i++) {
            var key=newKeys[i];
            var val=options[key];
            hash+=( val=== null || val=== undefined)? '' : (val + '')+key+ '';
        }
        options['_sign'] =hex_md5(hash).toUpperCase();
    return options;
}
// 生成uuid
function requestUuidV4() {
    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
        var r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);
        return v.toString(16);
    });
}
    TODO:
    看来是都有源码,剩下就是:
    有空,需要时,再去转换成python代码
    暂时不需要。

    转载请注明:在路上 » 【未解决】分析mp.codeup.cn中核心参数_timestamp、_nonce、_sign逻辑

    Post Views: 1,901
    继续浏览有关 的文章

    与本文相关的文章

    83 queries in 0.240 seconds, using 19.05MB memory