# Server-side access to open data

Mini Programs can access open data provided by WeChat through various front-end interfaces. Because the developer's server also needs access to this open data, WeChat provides two ways to obtain it:

# Method 1: The developer backend verifies and decrypts open data

WeChat signs and encrypts this open data. After obtaining the open data, developers can verify the signature and decrypt the data to ensure that it has not been tampered with.

Signature verification and data encryption/decryption involve the user's session key, session_key. The developer should complete the wx.login login process to obtain session_key and store it on the server. To keep the data from being tampered with, developers must not pass session_key to any environment outside the server, such as the Mini Program client.

# Data signature verification

To ensure the security of the user data returned by the open interfaces, WeChat signs the plaintext data. Developers can verify the signature of the data packet as their business requires, to ensure the integrity of the data.

  1. Call an interface such as wx.getUserInfo to obtain the data; the interface returns rawData together with signature, where signature = sha1( rawData + session_key ).
  2. The developer sends signature and rawData to the developer server for verification. The server uses the user's corresponding session_key and the same algorithm to compute signature2, and compares signature with signature2 to verify the integrity of the data.

For example, data verification for wx.getUserInfo:

The rawData returned by the interface:

```json
{
  "nickName": "Band",
  "gender": 1,
  "language": "zh_CN",
  "city": "Guangzhou",
  "province": "Guangdong",
  "country": "CN",
  "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}
```

The user's session_key:

```
HyVFkGl5F5OQWJZZaNzBBg==
```

The string used for signing is:

```
{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==
```

The sha1 result is:

```
75e81ceda165f4ffa64f4068af58c64b8f54b88c
```

# Decryption algorithm for encrypted data

If an interface involves sensitive data (such as openId and unionId in wx.getUserInfo), the plaintext content returned by the interface will not contain that sensitive data. Developers who need the sensitive data must symmetrically decrypt the encrypted data (encryptedData) returned by the interface. The decryption algorithm is as follows:

  1. The symmetric decryption algorithm is AES-128-CBC, with the data padded using PKCS#7.
  2. The target ciphertext for symmetric decryption is Base64_Decode(encryptedData).
  3. The symmetric decryption key is aeskey = Base64_Decode(session_key); aeskey is 16 bytes.
  4. The initial vector of the symmetric decryption algorithm is Base64_Decode(iv), where iv is returned by the data interface.

WeChat officially provides sample code in several programming languages (click to download). The interface names are consistent across languages; refer to the sample for how to call them.

In addition, to let the application verify the validity of the data, a watermark is added to the sensitive data.

Watermark parameter description:

| Parameter | Type | Description |
| --- | --- | --- |
| appid | String | The appId the sensitive data belongs to; the developer can check that this parameter matches their own appId |
| timestamp | Int | The timestamp at which the sensitive data was obtained; developers can use it to verify the timeliness of the data |

For example, the sensitive data and watermark of the wx.getUserInfo interface:

```json
{
    "openId": "OPENID",
    "nickName": "NICKNAME",
    "gender": GENDER,
    "city": "CITY",
    "province": "PROVINCE",
    "country": "COUNTRY",
    "avatarUrl": "AVATARURL",
    "unionId": "UNIONID",
    "watermark":
    {
        "appid": "APPID",
        "timestamp": TIMESTAMP
    }
}
```

Note:

  1. The JSON data obtained after decryption may gain new fields as requirements change; existing fields will not be changed or removed. Developers need to reserve enough space for this.

# Validity of the session key session_key

If signature verification or decryption fails because session_key is incorrect, please note the following points about session_key.

  1. When wx.login is called, the user's session_key may be updated, invalidating the old session_key (the refresh mechanism has a minimum period: if the same user calls wx.login several times within a short period, not every call causes session_key to be refreshed). The developer should call wx.login only when it is clear that a fresh login is needed, and should promptly use the code2Session interface to update the session_key stored on the server.
  2. WeChat does not tell the developer the validity period of session_key. WeChat renews session_key based on how the user uses the Mini Program: the more frequently the user uses the Mini Program, the longer session_key remains valid.
  3. When session_key has become invalid, the developer can obtain a valid session_key again. The wx.checkSession interface can check whether session_key is still valid, so that the Mini Program does not need to repeat the login process.
  4. When a developer implements a custom login state, they may consider using the validity period of session_key as the validity period of their own login state, or implement their own timeliness policy.

# Method 2: Direct access to open data

If an interface involves sensitive data (such as wx.getWeRunData), the plaintext content returned by the interface will not contain the sensitive data, but will contain a cloudID field through which the data can be accessed in a cloud function. The full process is as follows:

1. Obtain the cloudID

With base library version 2.7.0 or above, if the Mini Program has enabled cloud development, the cloudID can be read from the cloudID field in the return value of the open data interface (a sibling of encryptedData). A cloudID is valid for five minutes.

2. Call a cloud function

When a cloud function is called, any top-level fields of the data parameter whose values are CloudIDs constructed with wx.cloud.CloudID are replaced, at invocation time, with the open data corresponding to that cloudID. A single call can replace up to 5 CloudIDs.

Example:

After the Mini Program obtains the cloudID, it initiates the call:

```js
wx.cloud.callFunction({
  name: 'myFunction',
  data: {
    weRunData: wx.cloud.CloudID('xxx'), // this CloudID value is replaced on the cloud function side
    obj: {
      shareInfo: wx.cloud.CloudID('yyy'), // a non-top-level CloudID is not replaced and arrives as a string
    }
  }
})
```

Example of the event received in the cloud function:

```js
// event
{
  // weRunData has been replaced with the open data
  "weRunData": {
    "cloudID": "xxx",
    "data": {
      "stepInfoList": [
        {
          "step": 5000,
          "timestamp": 1554814312,
        }
      ],
      "watermark": {
        "appid":  "wx1111111111",
        "timestamp": 1554815786
      }
    }
  },
  "obj": {
    // non-top-level fields remain as they are
    "shareInfo": "yyy",
  }
}
```

If the cloudID is invalid or has expired, the corresponding field in event will instead be an object containing the error code, the error message and the original cloudID. Example of the exchange result for an expired cloudID:

```js
// event
{
  "weRunData": {
    "cloudID": "xxx",
    "errCode": -601006,
    "errMsg": "cloudID expired."
  },
  // ...
}
```
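As an added example that is not part of the WeChat documentation or its cloud SDK, the cloud function below shows how to consume the exchanged field: it distinguishes the success shape (a data object with a watermark) from the error shape (errCode and errMsg) described above, and from a string that was never exchanged because the CloudID was not top-level. The function names readOpenData and totalSteps, the appId 'wx1111111111' taken from the event example, and the two event fixtures are constructed for this illustration.

```javascript
// Added example (not WeChat's own code): reading exchanged open data inside a
// cloud function. The event shapes follow the two examples on this page.

// Returns { ok: true, data } when WeChat replaced the field with open data, or
// { ok: false, errCode, errMsg } when the cloudID was invalid, expired, or the
// field was never a top-level CloudID and therefore was not replaced.
function readOpenData(event, field, expectedAppId) {
  const value = event[field];
  if (value === null || typeof value !== 'object') {
    // A string here means the CloudID was nested and arrived unchanged.
    return { ok: false, errCode: null, errMsg: `field ${field} was not exchanged` };
  }
  if (value.errCode !== undefined) {
    return { ok: false, errCode: value.errCode, errMsg: value.errMsg, cloudID: value.cloudID };
  }
  const data = value.data;
  // The exchanged data carries the same watermark as decrypted encryptedData,
  // so the appid check from Method 1 applies here as well.
  if (!data || !data.watermark || data.watermark.appid !== expectedAppId) {
    return { ok: false, errCode: null, errMsg: 'watermark appid mismatch' };
  }
  return { ok: true, data };
}

// Sums the steps in a wx.getWeRunData payload.
function totalSteps(weRunData) {
  return (weRunData.stepInfoList || []).reduce((sum, entry) => sum + entry.step, 0);
}

// Cloud function entry point (hypothetical 'myFunction' from the call above).
async function main(event) {
  const result = readOpenData(event, 'weRunData', 'wx1111111111');
  if (!result.ok) return { error: result.errCode, message: result.errMsg };
  return { steps: totalSteps(result.data) };
}
if (typeof exports !== 'undefined') exports.main = main;

// Constructed events, modelled on the page's two examples.
const OK_EVENT = {
  weRunData: {
    cloudID: 'xxx',
    data: {
      stepInfoList: [{ step: 5000, timestamp: 1554814312 }],
      watermark: { appid: 'wx1111111111', timestamp: 1554815786 },
    },
  },
  obj: { shareInfo: 'yyy' },
};
const EXPIRED_EVENT = {
  weRunData: { cloudID: 'xxx', errCode: -601006, errMsg: 'cloudID expired.' },
};

main(OK_EVENT).then(console.log);
main(EXPIRED_EVENT).then(console.log);
```

Because a cloudID is only valid for five minutes, the error branch is an expected path rather than an exceptional one: the Mini Program should re-fetch the open data and call again, and the cloud function should never treat an error object as if it were step data.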