diff --git a/webapp/controller/MarketController.class.php b/webapp/controller/MarketController.class.php
index 8e111c4d..92952f87 100644
--- a/webapp/controller/MarketController.class.php
+++ b/webapp/controller/MarketController.class.php
@@ -27,6 +27,8 @@ const PRESALE_PREPARE = 1;
 const PRESALE_STARTED = 2;
 const PRESALE_SOLD_OUT = 3;
 
+const TOKEN_SALT = 'B8E6BD4F-FD7B-E2B8-6688-80A2D8632064';
+
 class MarketController extends BaseController {
 
 private function isTestMode()
@@ -191,6 +193,7 @@ class MarketController extends BaseController {
 
 public function buyBox()
 {
+ $token = getReqVal('token', '');
 $type = getReqVal('type', '');
 $buyerAddress = getReqVal('buyer_address', '');
 $price = getReqVal('price', '');
@@ -199,6 +202,10 @@ class MarketController extends BaseController {
 $signature = getReqVal('signature', '');
 $gameId = 2006;
 $funcId = 1;
+ if (!$this->isValidToken($buyerAddress, $token)) {
+ myself()->_rspErr(100, 'invalid token');
+ return;
+ }
 $this->buyBoxVerifySignature(
 $buyerAddress,
 $type,
@@ -322,7 +329,14 @@ class MarketController extends BaseController {
 
 public function queryOrder()
 {
+ $token = getReqVal('token', '');
+ $account = getReqVal('account', '');
 $orderId = getReqVal('order_id', '');
+ if (!$this->isValidToken($account, $token)) {
+ myself()->_rspErr(100, 'invalid token');
+ return;
+ }
+
 $orderDb = BoxOrder::findByOrderId($orderId);
 if ($orderDb) {
 if (!$orderDb['done']) {
@@ -350,6 +364,11 @@ class MarketController extends BaseController {
 public function getNftList()
 {
 $account = getReqVal('account', '');
+ $token = getReqVal('token', '');
+ if (!$this->isValidToken($account, $token)) {
+ myself()->_rspErr(100, 'invalid token');
+ return;
+ }
 $nftDbList = Nft::getNftList($account);
 $nftList = array();
 foreach ($nftDbList as $nftDb) {
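Review bot: `TOKEN_SALT` on the added line is a long-lived signing secret hard-coded in the controller source, so anyone with read access to the repository or its history can mint tokens that `isValidToken` accepts. Load the value from configuration at runtime (environment or a config file kept out of version control) and treat the committed value as already exposed — rotate it before this ships, since deleting the line later does not remove it from history. It is also used as a prefix to `md5(...)` rather than as a key; `hash_hmac('sha256', $payload, $key)` is the construction meant for this and avoids the known weaknesses of prefix-salted md5.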
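Review bot: The four-line `isValidToken` guard added to `buyBox` here is copy-pasted verbatim into `queryOrder`, `getNftList` and `getNftDetail` in the following hunks, each reading `token` from the request and replying with the same `_rspErr(100, 'invalid token')`. A single private helper, e.g. `private function requireToken($account) { $ok = $this->isValidToken($account, getReqVal('token', '')); if (!$ok) { myself()->_rspErr(100, 'invalid token'); } return $ok; }`, called as `if (!$this->requireToken($buyerAddress)) { return; }`, keeps the error code and message in one place when the check later gains an expiry or a distinct error for expired versus malformed tokens. `buyBox`'s body continues outside the hunk.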
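Review bot: In `queryOrder` the new `isValidToken($account, $token)` check establishes that the caller holds a token for `$account`, but nothing in the hunk relates `$account` to the order returned by `BoxOrder::findByOrderId($orderId)`, so a valid token for any account appears sufficient to read any order id. If the rest of the method (outside the hunk) does not compare the order's owner with `$account`, add that check directly after the lookup, e.g. `if ($orderDb && !phpcommon\isSameAccount($orderDb[/* placeholder: owner column */], $account)) { myself()->_rspErr(1, 'order not found'); return; }`, and respond the same way for "not yours" and "does not exist" so order ids cannot be enumerated. The same applies to `getNftDetail` in the next hunk, where `Nft::getNft($tokenId)` is looked up without reference to `$account`.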
@@ -364,7 +383,13 @@ class MarketController extends BaseController {
 public function getNftDetail()
 {
 $account = getReqVal('account', '');
+ $token = getReqVal('token', '');
 $tokenId = getReqVal('token_id', '');
+ if (!$this->isValidToken($account, $token)) {
+ myself()->_rspErr(100, 'invalid token');
+ return;
+ }
+
 $nftDb = Nft::getNft($tokenId);
 if (!$nftDb) {
 myself()->_rspErr(1, 'nft not exists');
@@ -507,7 +532,7 @@ class MarketController extends BaseController {
 return;
 } else {
 myself()->_rspData(array(
- 'token' => ''
+ 'token' => $this->genToken($account, $nonce)
 ));
 }
 }
@@ -527,4 +552,33 @@ class MarketController extends BaseController {
 return $web3ServiceCluster[rand() % count($web3ServiceCluster)];
 }
 
+ private function genToken($account, $nonce)
+ {
+ $data = array(
+ 'account' => $account,
+ 'rand' => uniqid(),
+ 'nonce' => $nonce,
+ 'createtime' => myself()->_getNowTime(),
+ );
+ $data['sign'] = md5(TOKEN_SALT . $data['account'] . $data['rand'] . $data['nonce'] . $data['createtime']);
+ return base64_encode(json_encode($data));
+ }
+
+ private function isValidToken($account, $token)
+ {
+ $deToken = base64_decode($token);
+ if (empty($data)) {
+ return false;
+ }
+ if (empty($account)) {
+ return false;
+ }
+ $data = json_decode($deToken);
+ $sign = md5(TOKEN_SALT . $data['account'] . $data['rand'] . $data['nonce'] . $data['createtime']);
+ if ($sign == $data['sign']) {
+ return phpcommon\isSameAccount($sign['account'], $account);
+ }
+ return false;
+ }
+
 }
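Review bot: `isValidToken` tests `empty($data)` before `$data` is assigned, so the undefined variable is always empty and the function returns false for every request, locking out all four token-guarded actions; the intended check is on `$deToken`. Even with that fixed, `json_decode($deToken)` without the assoc flag returns a `stdClass`, so `$data['account']` fails, and `$sign['account']` indexes the hex digest string rather than the decoded payload (a warning plus the first character, or a `TypeError`, depending on PHP version). The `==` between two md5 hex strings is a loose comparison that treats numeric-looking digests as equal — use `hash_equals` — and `createtime` is never compared with the current time, so a token never expires. Because the fields are concatenated with no delimiter, different `(account, rand)` splits of the same characters yield the same md5 input, so the signature should cover the encoded payload as a whole, and `hash_hmac('sha256', …)` with the key from configuration should replace the salt-prefixed md5 in both `genToken` and here. `uniqid()` is time-based rather than random; `bin2hex(random_bytes(16))` is the appropriate source.
```php
private function genToken($account, $nonce)
{
    $payload = json_encode(array(
        'account' => $account,
        'rand' => bin2hex(random_bytes(16)),
        'nonce' => $nonce,
        'createtime' => myself()->_getNowTime(),
    ));
    // Sign the encoded payload as one string so field boundaries are unambiguous.
    $sign = hash_hmac('sha256', $payload, TOKEN_SALT);
    return base64_encode(json_encode(array('payload' => $payload, 'sign' => $sign)));
}

private function isValidToken($account, $token)
{
    if (empty($account) || empty($token)) {
        return false;
    }
    $decoded = base64_decode($token, true);
    $outer = $decoded === false ? null : json_decode($decoded, true);
    if (!is_array($outer) || !isset($outer['payload'], $outer['sign'])
        || !is_string($outer['payload']) || !is_string($outer['sign'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $outer['payload'], TOKEN_SALT);
    if (!hash_equals($expected, $outer['sign'])) {
        return false;
    }
    $data = json_decode($outer['payload'], true);
    if (!is_array($data) || !isset($data['account'], $data['createtime'])) {
        return false;
    }
    // TOKEN_TTL_SECONDS is a placeholder: define the token lifetime in configuration.
    if (myself()->_getNowTime() - (int) $data['createtime'] > TOKEN_TTL_SECONDS) {
        return false;
    }
    return phpcommon\isSameAccount($data['account'], $account);
}
```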