# Mini Program encrypted network channel
Supported from base library version 2.17.3.
# I. Introduction
During front-end development and debugging, developers commonly route the requests of the service they are building through proxy software, which makes it easy to switch between development environments and to test.
The proxy software sits between the client and the real server and relays the data exchanged between them.
In that position, the proxy can decrypt and inspect data protected by SSL, then re-encrypt it and forward it to the original destination. The client and the server both still believe they are talking over a secure encrypted connection, when in fact the confidentiality of the data has already been broken.
Beyond passive listening, because the proxy can decrypt the SSL-encrypted traffic, it can also modify data in transit or even inject malicious content. Such a man-in-the-middle proxy can equally be abused by attackers to intercept every request made from their own devices.
They run Mini Programs, web pages or native apps written by other developers on their own devices, use the intermediate proxy to capture and tamper with the request and response packets of normal traffic, and replay the target requests for malicious purposes (farming experience points, altering game results, creating 1-cent orders, and so on).
To defend against such man-in-the-middle attacks, the plaintext of the request and response packets must be encrypted again on top of SSL. This adds a further layer of protection, so the data stays confidential even after the proxy has stripped the SSL layer.
The WeChat team currently offers two solutions for an encrypted network channel:
- API self-implementation scheme: the WeChat platform maintains a trusted per-user key; the developer obtains it through the Mini Program front-end API and through the server interface provided by the WeChat backend, and implements the encryption of the request packet themselves.
- WeChat Gateway scheme: drawing on years of security protection experience, the WeChat team launched the WeChat Gateway, which has systematic, multi-level protection capabilities. Once a developer connects to it, the communication link from the Mini Program to the developer's services is automatically switched from the public internet to a dedicated WeChat line, and the request content is encrypted in two layers end to end, which effectively prevents man-in-the-middle proxy attacks.
Obtaining the encryption key information requires requests to the WeChat platform, which takes time and therefore costs business performance. Developers who want the encryption guarantee while cutting this business-irrelevant overhead can use the WeChat Gateway scheme.
# II. API self-implementation scheme
To prevent data from being intercepted and tampered with while the Mini Program communicates with the developer's backend, the WeChat platform maintains a trusted per-user key used for encrypting and signing the communication between the Mini Program and the backend.
Developers can obtain the user's encryption key through the Mini Program front-end API and through the server interface provided by the WeChat backend.
The WeChat platform only provides the trusted encryption key; developers must implement the encryption method themselves and perform encryption and decryption at the server interface that handles the request data.
In the Mini Program, developers can call UserCryptoManager.getLatestUserKey to obtain the user's most recent encryption key information.
# 2.1 Front-end call example
```javascript
const Somedata = 'xxxxx'
const userCryptoManager = wx.getUserCryptoManager()
// Fetch the user's most recent key; the callback receives the key, iv, version and expiry.
userCryptoManager.getLatestUserKey({
  success({ encryptKey, iv, version, expireTime }) {
    // Encrypt the request body with the developer's own AES implementation.
    const encryptedData = someAESEncryptMethod(encryptKey, iv, Somedata)
    wx.request({
      // url of the developer's server interface goes here
      data: encryptedData,
      success(res) {
        // Decrypt the response body with the same key and iv.
        const decryptedData = someAESDecryptMethod(encryptKey, iv, res.data)
        console.log(decryptedData)
      }
    })
  }
})
```
someAESEncryptMethod and someAESDecryptMethod are the encryption and decryption functions respectively; the developer implements them by bringing in their own encryption and decryption library, since the base library does not provide encryption and decryption capabilities.
Developers can refer to these open-source encryption libraries: https://github.com/flash1293/aes-wasm https://github.com/ricmoo/aes-js
Choose an encryption method appropriate to your business situation:
- Asymmetric encryption: the client and server each hold a public/private key pair. On every interface request the plaintext is encrypted first, and the receiving side decrypts the ciphertext with the corresponding counterpart key. Common asymmetric algorithms are RSA, DSA and ECC; asymmetric encryption is highly secure but slow to encrypt and decrypt, so it is unsuitable when the request or response body is large.
- Symmetric encryption: the client and server share one key, encrypt the plaintext with it on every interface request, and the receiving side decrypts with the same key. Common symmetric algorithms are DES, 3DES, IDEA, RC5, RC6 and Blowfish; symmetric encryption and decryption are fast and suited to large volumes of data, but the security is lower.
- Combined scheme: when making a request, the client encrypts the plaintext with a randomly generated symmetric key, encrypts that symmetric key with asymmetric encryption, and sends the ciphertext together with the encrypted symmetric key. The server decrypts in the reverse order, and the response packet follows the same process.
On the developer's server side, the getUserEncryptKey backend interface returns the user's last three keys. Each key is returned together with its version information, so the developer can compare versions and pick the corresponding key to encrypt and decrypt the data.
# 2.2 Server-side call example
```bash
curl -X POST "https://api.weixin.qq.com/wxa/business/getuserencryptkey?access_token=ACCESS_TOKEN&openid=OPENID&signature=SIGNATURE&sig_method=hmac_sha256"
```
# III. WeChat Gateway scheme
To connect to the WeChat Gateway, refer to the document: Mini Program Access WeChat Gateway