一次接口签名引发的笑话

接口签名规则如下：

1. 1.timestamp+method(请求方式大写)+path用base64编码，sha256加密
2. 2.每次请求之前须签名下，
3. 3.api-expiry设置过期时间

Sample 签名方式：

Java 

import org.apache.commons.codec.binary.Hex;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class ApiSignGenerator {

    public static String generateApiSign(long timestamp, String method, String path, String apiSecret) throws NoSuchAlgorithmException, InvalidKeyException {
        String algorithm = "HmacSHA256";
        String message = timestamp + (method == null ? "" : method.toUpperCase()) + (path == null ? "" : path);
        byte[] encodedSecret = Base64.getEncoder().encode(apiSecret.getBytes());
        SecretKeySpec secretKeySpec = new SecretKeySpec(encodedSecret, algorithm);
        Mac mac = Mac.getInstance(algorithm);
        mac.init(secretKeySpec);
        byte[] bytes = mac.doFinal(message.getBytes());
        return new String(Hex.encodeHex(bytes));
     }

    // If you want sent request to "https://api.xxxx.com/api/accounts", you can generate sign by doing this:
    public static void getAccounts() throws InvalidKeyException, NoSuchAlgorithmException {
        long timestamp = 1553596255786L; // System.currentTimeMillis();
        String method = "GET";
        String path = "/api/accounts";
        String apiSecret = "NCtRU0JwZWZnVFVDZmlMRFduMk1hTFZDM05vS3g1Z3E1c1h6blB0RmxXRT0=";
        String apiSign = generateApiSign(timestamp, method, path, apiSecret);
        System.out.println("apiSign:" + apiSign);
        // The console will print:"apiSign:e4c8f42e18b551dcebd5801bfa254498e98d20e0a5322b30c78a7004aa5a2669"
    }

}

javascript:

<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js"></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/Base64/1.0.1/base64.js"></script>
<script type="text/javascript">
    function generateApiSign(timestamp, method, path, apiSecret) {
        var message = timestamp + method + path;
        var encodedSecret = window.btoa(apiSecret);
        return CryptoJS.HmacSHA256(message, encodedSecret).toString();
    };


    // If you want sent request to "https://api.xxxx.com/api/accounts", you can generate sign by doing this:
    function getAccounts() {
        var timestamp = 1553596255786;//new Data().getMilliseconds();
        var method = "GET";
        var path = "/api/accounts";
        var apiSecret = "NCtRU0JwZWZnVFVDZmlMRFduMk1hTFZDM05vS3g1Z3E1c1h6blB0RmxXRT0=";
        var apiSign = generateApiSign(timestamp, method, path, apiSecret);
        console.info("apiSign:" + apiSign);
        // The console will print:"apiSign:e4c8f42e18b551dcebd5801bfa254498e98d20e0a5322b30c78a7004aa5a2669"
    };

</script>

　

python：

def sign_request(method,path,apiSecret):
    r_time = str(time.time()*1000)[0:13]
    method = method.upper()

    enbase64key = base64.b64encode(apiSecret.encode("utf-8")).decode("utf-8") //关键一步，将str用base64编码
    message = r_time+method+path
    # print(enbase64key,message)
    api_sign = hmac.new(bytes(enbase64key, encoding='utf-8'), bytes(message, encoding='utf-8'),
                         digestmod=hashlib.sha256).digest()
    HEX = api_sign.hex()

    return (HEX,r_time)

def balances():
    api_sign = sign_request("get", "/api/balances", "/UM0EDr+QhnAMR9yhsynXW1bAa1MxpOt8U+yvPJuHUk=")
    header = {
        "API-KEY": "77f485d5039455b9e7b48657dec357df",
        "API-SIGN": api_sign[0],
        "API-TIMESTAMP": api_sign[1],
        "API-PASSCODE": "qwerdf886."
    }
    res = requests.get("http://116.6.110.50:8007/api/balances", headers=header)
    print(res.text)

    return ""

def batch_place_order(price,increasing,account):
    #批量下订单，price 初始价格 increasing 每次递增价格 account 下多少单
    index = 0
    while(index<account):
        # time.sleep(2)
        index+= 1
        price = float(price)
        price+=increasing
        print(index,price,type(price))
        api_sign = sign_request("post", "/api/orders", "/UM0EDr+QhnAMR9yhsynXW1bAa1MxpOt8U+yvPJuHUk=")
        header = {
            "API-KEY": "77f485d5039455b9e7b48657dec357df",
            "API-SIGN": api_sign[0],
            "API-TIMESTAMP": api_sign[1],
            "API-PASSCODE": "qwerdf886."
        }

        date = {
            "instrumentId": "BXBT-ETH",
            "orderType": "LIMIT",
            "postOnly": False,
            "price": str(price)[0:8],
            "selfTradePrevention": "CN",
            "side": "BUY",
            "size": "1134",
            "timeInForce": "GTC"
        }
        res = requests.post("http://116.6.110.50:8007/api/orders",headers = header,data=json.dumps(date))
        print(res.text)
    return  ""

　　

　　postman请求方式：

　　预执行脚本签名，通过大括号取值