1

webapp/controller/MarketController.class.php

@@ -27,6 +27,8 @@ const PRESALE_PREPARE = 1;
 const PRESALE_STARTED = 2;
 const PRESALE_SOLD_OUT = 3;
 
+const TOKEN_SALT = 'B8E6BD4F-FD7B-E2B8-6688-80A2D8632064';
+
 class MarketController extends BaseController {
 
     private function isTestMode()
@@ -191,6 +193,7 @@ class MarketController extends BaseController {
 
     public function buyBox()
     {
+        $token = getReqVal('token', '');
         $type = getReqVal('type', '');
         $buyerAddress = getReqVal('buyer_address', '');
         $price = getReqVal('price', '');
@@ -199,6 +202,10 @@ class MarketController extends BaseController {
         $signature = getReqVal('signature', '');
         $gameId = 2006;
         $funcId = 1;
+        if (!$this->isValidToken($buyerAddress, $token)) {
+            myself()->_rspErr(100, 'invalid token');
+            return;
+        }
         $this->buyBoxVerifySignature(
             $buyerAddress,
             $type,
@@ -322,7 +329,14 @@ class MarketController extends BaseController {
 
     public function queryOrder()
     {
+        $token = getReqVal('token', '');
+        $account = getReqVal('account', '');
         $orderId = getReqVal('order_id', '');
+        if (!$this->isValidToken($account, $token)) {
+            myself()->_rspErr(100, 'invalid token');
+            return;
+        }
+
         $orderDb = BoxOrder::findByOrderId($orderId);
         if ($orderDb) {
             if (!$orderDb['done']) {
@@ -350,6 +364,11 @@ class MarketController extends BaseController {
     public function getNftList()
     {
         $account = getReqVal('account', '');
+        $token = getReqVal('token', '');
+        if (!$this->isValidToken($account, $token)) {
+            myself()->_rspErr(100, 'invalid token');
+            return;
+        }
         $nftDbList = Nft::getNftList($account);
         $nftList = array();
         foreach ($nftDbList as $nftDb) {
@@ -364,7 +383,13 @@ class MarketController extends BaseController {
     public function getNftDetail()
     {
         $account = getReqVal('account', '');
+        $token = getReqVal('token', '');
         $tokenId = getReqVal('token_id', '');
+        if (!$this->isValidToken($account, $token)) {
+            myself()->_rspErr(100, 'invalid token');
+            return;
+        }
+
         $nftDb = Nft::getNft($tokenId);
         if (!$nftDb) {
             myself()->_rspErr(1, 'nft not exists');
@@ -507,7 +532,7 @@ class MarketController extends BaseController {
                 return;
             } else {
                 myself()->_rspData(array(
-                    'token' => ''
+                    'token' => $this->genToken($account, $nonce)
                 ));
             }
         }
@@ -527,4 +552,33 @@ class MarketController extends BaseController {
         return $web3ServiceCluster[rand() % count($web3ServiceCluster)];
     }
 
+    private function genToken($account, $nonce)
+    {
+        $data = array(
+            'account' => $account,
+            'rand' => uniqid(),
+            'nonce' => $nonce,
+            'createtime' => myself()->_getNowTime(),
+        );
+        $data['sign'] = md5(TOKEN_SALT . $data['account'] . $data['rand'] . $data['nonce'] . $data['createtime']);
+        return base64_encode(json_encode($data));
+    }
+
+    private function isValidToken($account, $token)
+    {
+        $deToken = base64_decode($token);
+        if (empty($data)) {
+            return false;
+        }
+        if (empty($account)) {
+            return false;
+        }
+        $data = json_decode($deToken);
+        $sign = md5(TOKEN_SALT . $data['account'] . $data['rand'] . $data['nonce'] . $data['createtime']);
+        if ($sign == $data['sign']) {
+            return phpcommon\isSameAccount($sign['account'], $account);
+        }
+        return false;
+    }
+
 }