0

我正在尝试使用 Gigya 的评论通知功能,并遵循以下指南:http: //developers.gigya.com/010_Developer_Guide/18_Plugins/022_Comments_Version_2/Comment_Notifications

我开发了以下代码:

<?php

    require_once('GSSDK.php');

    $event = $_POST['event'];
    $eventData = $_POST['eventData'];
    $nonce = $_POST['nonce'];
    $timestamp = $_POST['timestamp'];
    $signature = $_POST['signature'];
    $signatureBase = sprintf("%s_%s_%s_%s", $event, $eventData, $nonce, $timestamp);
    $expectedSignature = SigUtils::calcSignature(
        $signatureBase,
        MY_SECRET_KEY);

    if($signature !== $expectedSignature) {
        header('HTTP/1.0 403 Forbidden');
        die();
    }

    //Some other stuff
    exit();

?>

但它永远不会到达“//其他一些东西”部分。预期的签名总是与 Gigya 服务器提供的签名不同。我究竟做错了什么?

4

1 回答 1

0

请尝试以下代码:

<?php

  static function calcSignature($baseString,$key)
  {
    $baseString = utf8_encode($baseString);
    $rawHmac = hash_hmac("sha1", utf8_encode($baseString), base64_decode($key), true);
    $sig = base64_encode($rawHmac); 
    return $sig;
  }

  function checkSignature() 
  {
    $event = $_POST["event"];
    $eventData = $_POST["eventData"];
    $nonce = $_POST["nonce"];
    $timestamp = $_POST["timestamp"];
    $signature = $_POST["signature"];

    $signatureBase = $event . "_" . $eventData . "_" . $nonce . "_" . $timestamp;
    $secret = "[your gigya secret key]";
    $expectedSignature = calcSignature($signatureBase, $secret);        

    // Now compare the expectedSignature value to the signature value returned in the callback
    if ($signature !== $expectedSignature) 
    {
      header('HTTP/1.0 403 Forbidden');
      die();
    }
  }

  checkSignature();
  //Some other stuff
  exit();
?>

此代码删除了对 GigyaSDK 的依赖,只是为了检查签名。提供的方法与 GigyaSDK 使用的方法相同,但这里的优点是内存占用要小得多,因为不需要加载整个 GigyaSDK。

此外,我不确定这是否是故意的,但您的比较有代码:

if(!$signature !== $expectedSignature) {

代替:

if ($signature !== $expectedSignature) {

我不太确定 $signature 上无关的逻辑非运算符的目的是什么,但这似乎会导致意外行为。

于 2015-03-31T19:57:46.287 回答