May 18, 2021 WeChat Mini Program Development Document
Mini Programs can obtain the open data provided by WeChat through various front-end interfaces. Since the developer server also needs access to this open data, WeChat offers two ways to get it:
WeChat signs and encrypts this open data. When the developer server receives open data, it can verify the signature and decrypt the data to ensure that it has not been tampered with.
Signature verification and data decryption both involve the user's session key, session_key. Developers should obtain the session_key in advance through the wx.login login process and store it on the server. So that the data cannot be tampered with, developers must not send the session_key to any environment outside the server, such as the Mini Program client.
To secure the user data returned by open interfaces, WeChat signs the plaintext data. Developers can verify this signature as their business requires to confirm the integrity of the data.
For example, data verification for wx.getUserInfo:
The rawData returned by the interface:
{
"nickName": "Band",
"gender": 1,
"language": "zh_CN",
"city": "Guangzhou",
"province": "Guangdong",
"country": "CN",
"avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}
The user's session_key:
HyVFkGl5F5OQWJZZaNzBBg==
The string to be signed (rawData followed by session_key) is:
{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==
The SHA1 of that string is:
75e81ceda165f4ffa64f4068af58c64b8f54b88c
If an interface involves sensitive data (such as openId and unionId in wx.getUserInfo), the plaintext returned by the interface will not contain that sensitive data. To obtain it, the developer must symmetrically decrypt the encryptedData returned by the interface. The decryption algorithm is as follows:
WeChat officially provides sample code in several programming languages (click to download). The interface names are the same across languages; refer to the sample for how to call them.
In addition, so that applications can verify the validity of the data, a watermark is added to the sensitive data.
Watermark parameter description:
Parameter | Type | Description
---|---|---
appid | String | The appId that the sensitive data belongs to; developers can check that it matches their own appId
timestamp | Int | The timestamp at which the sensitive data was obtained; developers can use it to check the data's freshness
For example, the watermark in the sensitive data of wx.getUserInfo:
{
"openId": "OPENID",
"nickName": "NICKNAME",
"gender": GENDER,
"city": "CITY",
"province": "PROVINCE",
"country": "COUNTRY",
"avatarUrl": "AVATARURL",
"unionId": "UNIONID",
"watermark":
{
"appid":"APPID",
"timestamp":TIMESTAMP
}
}
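An added example (not WeChat's sample code) of the two watermark checks the table above describes, run on the decrypted plaintext on the server: the appid must be the developer's own, and the timestamp must be recent. The appId, the age limit, the skew tolerance and the sample plaintext are constructed assumptions.

```javascript
// Added example, not WeChat's sample code: validate the watermark in
// decrypted sensitive data. Assumes encryptedData was already decrypted
// server-side with the session_key.
const MY_APPID = 'wxAPPIDPLACEHOLDER'; // assumption: the developer's own appId
const MAX_AGE_SECONDS = 5 * 60;        // assumption: how old the data may be
const CLOCK_SKEW_SECONDS = 60;         // assumption: tolerated future skew

// Returns { ok: true } or { ok: false, reason } so the caller can log why a
// payload was rejected. nowSeconds is passed in to keep the check testable.
function checkWatermark(plain, expectedAppId, nowSeconds,
                        maxAge = MAX_AGE_SECONDS, skew = CLOCK_SKEW_SECONDS) {
  const wm = plain && plain.watermark;
  if (!wm || typeof wm !== 'object') return { ok: false, reason: 'missing watermark' };
  // appid: the data must have been issued for this app, not another one.
  if (typeof wm.appid !== 'string' || wm.appid !== expectedAppId) {
    return { ok: false, reason: 'appid mismatch' };
  }
  // timestamp: reject replays of old payloads and nonsensical future values.
  if (!Number.isInteger(wm.timestamp)) return { ok: false, reason: 'bad timestamp' };
  if (wm.timestamp > nowSeconds + skew) return { ok: false, reason: 'timestamp in the future' };
  if (nowSeconds - wm.timestamp > maxAge) return { ok: false, reason: 'data too old' };
  return { ok: true };
}

// Constructed plaintext shaped like the document's wx.getUserInfo listing.
const SAMPLE_PLAINTEXT = {
  openId: 'OPENID_SAMPLE', nickName: 'Band', gender: 1, city: 'Guangzhou',
  province: 'Guangdong', country: 'CN', avatarUrl: 'http://example.invalid/a',
  unionId: 'UNIONID_SAMPLE',
  watermark: { appid: MY_APPID, timestamp: 1554815786 },
};
```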
Note:
If signature verification or decryption fails because the session_key is incorrect, note the following points concerning the session_key.
If an interface involves sensitive data, such as wx.getWeRunData, the plaintext returned by the interface will not contain the sensitive data; instead the return value contains a cloudID field corresponding to that sensitive data, and the data can be obtained through a cloud function. The complete process is as follows:
1. Get the cloudID
With base library 2.7.0 or later, if the Mini Program has cloud development enabled, the return value of the open data interface contains a cloudID field (at the same level as encryptedData); the cloudID is valid for five minutes.
2. Call the cloud function
When calling the cloud function, if the value of any top-level field of the data parameter is a CloudID constructed with wx.cloud.CloudID, that value is replaced with the open data corresponding to that cloudID when the cloud function is invoked. At most 5 CloudIDs can be replaced in one call.
Example:
The Mini Program makes the call after obtaining the cloudID:
wx.cloud.callFunction({
name: 'myFunction',
data: {
weRunData: wx.cloud.CloudID('xxx'), // this CloudID value is replaced on the cloud function side
obj: {
shareInfo: wx.cloud.CloudID('yyy'), // a CloudID in a non-top-level field is not replaced; it arrives as the original string
}
}
})
Example of the event received in the cloud function:
// event
{
// the value of weRunData has been replaced with the open data
"weRunData": {
"cloudID": "xxx",
"data": {
"stepInfoList": [
{
"step": 5000,
"timestamp": 1554814312,
}
],
"watermark": {
"appid": "wx1111111111",
"timestamp": 1554815786
}
}
},
"obj": {
// non-top-level fields are left unchanged
"shareInfo": "yyy",
}
}
If the cloudID is invalid or expired, the value received in event is an object containing an error code, an error message, and the original cloudID. Example of the result of exchanging an expired cloudID:
// event
{
"weRunData": {
"cloudID": "xxx",
"errCode": -601006,
"errMsg": "cloudID expired."
},
// ...
}
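The cloud-function side of the exchange above, as an added example (not WeChat's sample code): it tells replaced open data apart from an exchange error or an untouched string, checks the watermark appid, and only then uses the step counts. MY_APPID, the function names and the constructed events are assumptions for this example.

```javascript
// Added example, not WeChat's sample code: handle the event shapes listed
// above inside the cloud function. MY_APPID is an assumption taken from the
// document's sample watermark.
const MY_APPID = 'wx1111111111';

// Classify one top-level event field: replaced open data, an exchange error
// (illegal or expired cloudID), or a value that was never replaced.
function resolveOpenData(field) {
  if (field === null || typeof field !== 'object') {
    return { status: 'unreplaced', value: field };
  }
  if ('errCode' in field) {
    return { status: 'error', cloudID: field.cloudID,
             errCode: field.errCode, errMsg: field.errMsg };
  }
  if (field.data && typeof field.data === 'object') {
    return { status: 'ok', cloudID: field.cloudID, data: field.data };
  }
  return { status: 'unreplaced', value: field };
}

// Use wx.getWeRunData steps only when the exchange succeeded and the
// watermark belongs to this app; otherwise report why the data was rejected.
function totalSteps(event) {
  const r = resolveOpenData(event && event.weRunData);
  if (r.status !== 'ok') {
    return { ok: false, reason: r.status, errCode: r.errCode };
  }
  const wm = r.data.watermark;
  if (!wm || wm.appid !== MY_APPID) return { ok: false, reason: 'appid mismatch' };
  const list = Array.isArray(r.data.stepInfoList) ? r.data.stepInfoList : [];
  const steps = list.reduce(
    (sum, item) => sum + (Number.isInteger(item.step) ? item.step : 0), 0);
  return { ok: true, steps };
}

// Cloud-function entry point in the shape WeChat's Node runtime expects;
// guarded so the file also runs outside a CommonJS module.
if (typeof exports !== 'undefined') exports.main = async (event) => totalSteps(event);

// Constructed events mirroring the two listings above.
const OK_EVENT = {
  weRunData: { cloudID: 'xxx', data: {
    stepInfoList: [{ step: 5000, timestamp: 1554814312 }],
    watermark: { appid: 'wx1111111111', timestamp: 1554815786 } } },
  obj: { shareInfo: 'yyy' },
};
const EXPIRED_EVENT = { weRunData: { cloudID: 'xxx', errCode: -601006, errMsg: 'cloudID expired.' } };
```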