From f2f1d2f49ef2c589e9e90be43a78ab07a9ccecbd Mon Sep 17 00:00:00 2001
From: aozhiwei <aozhiwei@kingsome.cn>
Date: Fri, 4 Aug 2023 13:25:23 +0800
Subject: [PATCH] 1

---
 doc/Shop.py                                 |  2 +-
 webapp/services/callback/OutAppPurchase.php | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/doc/Shop.py b/doc/Shop.py
index 859a207a..8e906c9a 100644
--- a/doc/Shop.py
+++ b/doc/Shop.py
@@ -47,7 +47,7 @@ class Shop(object):
                     ['goods_id', '', '商品唯一id'],
                     ['goods_num', 0, '商品数量'],
                     ['network', '', '渠道那边定义的id'],
-                    ['crypto', '', '链货币目前只有ceg'],
+                    ['crypto', '', '链货币目前只有ceg eth'],
                     ['fiat', '', '货币(目前写死usd)'],
                     ['fiatAmount', '', '价格'],
                     ['payWayCode', '', '支付方式'],
diff --git a/webapp/services/callback/OutAppPurchase.php b/webapp/services/callback/OutAppPurchase.php
index f9d599af..7e24c54b 100644
--- a/webapp/services/callback/OutAppPurchase.php
+++ b/webapp/services/callback/OutAppPurchase.php
@@ -104,6 +104,22 @@ class OutAppPurchase {
     private function verifySign()
     {
         $params = array_merge($_REQUEST, array());
+        ksort($params);
+        $excludeKeys = array(
+            'c' => true,
+            'a' => true,
+            'action' => true,
+            'sign' => true
+        );
+        $arrSign = array();
+        foreach($params as $key => $val){
+            if (!array_key_exists($key, $excludeKeys)) {
+                array_push($arrSign, $key . '=' . $val);
+            }
+        }
+        $signStr = implode('&', $arrSign);
+        $sign = hash_hmac('sha256', $signStr, BUY_SERVER_PKEY);
+        return $sign == getReqVal('sign', '');
     }
 
 }