一次接口签名引发的笑话
接口签名规则如下:
- 1.timestamp+method(请求方式大写)+path用base64编码,sha256加密
- 2.每次请求之前须签名下,
- 3.api-expiry设置过期时间
Sample 签名方式:
Java
import org.apache.commons.codec.binary.Hex;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
public class ApiSignGenerator {
public static String generateApiSign(long timestamp, String method, String path, String apiSecret) throws NoSuchAlgorithmException, InvalidKeyException {
String algorithm = "HmacSHA256";
String message = timestamp + (method == null ? "" : method.toUpperCase()) + (path == null ? "" : path);
byte[] encodedSecret = Base64.getEncoder().encode(apiSecret.getBytes());
SecretKeySpec secretKeySpec = new SecretKeySpec(encodedSecret, algorithm);
Mac mac = Mac.getInstance(algorithm);
mac.init(secretKeySpec);
byte[] bytes = mac.doFinal(message.getBytes());
return new String(Hex.encodeHex(bytes));
}
// If you want sent request to "https://api.xxxx.com/api/accounts", you can generate sign by doing this:
public static void getAccounts() throws InvalidKeyException, NoSuchAlgorithmException {
long timestamp = 1553596255786L; // System.currentTimeMillis();
String method = "GET";
String path = "/api/accounts";
String apiSecret = "NCtRU0JwZWZnVFVDZmlMRFduMk1hTFZDM05vS3g1Z3E1c1h6blB0RmxXRT0=";
String apiSign = generateApiSign(timestamp, method, path, apiSecret);
System.out.println("apiSign:" + apiSign);
// The console will print:"apiSign:e4c8f42e18b551dcebd5801bfa254498e98d20e0a5322b30c78a7004aa5a2669"
}
}
javascript:
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js"></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/Base64/1.0.1/base64.js"></script>
<script type="text/javascript">
function generateApiSign(timestamp, method, path, apiSecret) {
var message = timestamp + method + path;
var encodedSecret = window.btoa(apiSecret);
return CryptoJS.HmacSHA256(message, encodedSecret).toString();
};
// If you want sent request to "https://api.xxxx.com/api/accounts", you can generate sign by doing this:
function getAccounts() {
var timestamp = 1553596255786;//new Data().getMilliseconds();
var method = "GET";
var path = "/api/accounts";
var apiSecret = "NCtRU0JwZWZnVFVDZmlMRFduMk1hTFZDM05vS3g1Z3E1c1h6blB0RmxXRT0=";
var apiSign = generateApiSign(timestamp, method, path, apiSecret);
console.info("apiSign:" + apiSign);
// The console will print:"apiSign:e4c8f42e18b551dcebd5801bfa254498e98d20e0a5322b30c78a7004aa5a2669"
};
</script>
python:
def sign_request(method,path,apiSecret):
r_time = str(time.time()*1000)[0:13]
method = method.upper()
enbase64key = base64.b64encode(apiSecret.encode("utf-8")).decode("utf-8") //关键一步,将str用base64编码
message = r_time+method+path
# print(enbase64key,message)
api_sign = hmac.new(bytes(enbase64key, encoding='utf-8'), bytes(message, encoding='utf-8'),
digestmod=hashlib.sha256).digest()
HEX = api_sign.hex()
return (HEX,r_time)
def balances():
api_sign = sign_request("get", "/api/balances", "/UM0EDr+QhnAMR9yhsynXW1bAa1MxpOt8U+yvPJuHUk=")
header = {
"API-KEY": "77f485d5039455b9e7b48657dec357df",
"API-SIGN": api_sign[0],
"API-TIMESTAMP": api_sign[1],
"API-PASSCODE": "qwerdf886."
}
res = requests.get("http://116.6.110.50:8007/api/balances", headers=header)
print(res.text)
return ""
def batch_place_order(price,increasing,account):
#批量下订单,price 初始价格 increasing 每次递增价格 account 下多少单
index = 0
while(index<account):
# time.sleep(2)
index+= 1
price = float(price)
price+=increasing
print(index,price,type(price))
api_sign = sign_request("post", "/api/orders", "/UM0EDr+QhnAMR9yhsynXW1bAa1MxpOt8U+yvPJuHUk=")
header = {
"API-KEY": "77f485d5039455b9e7b48657dec357df",
"API-SIGN": api_sign[0],
"API-TIMESTAMP": api_sign[1],
"API-PASSCODE": "qwerdf886."
}
date = {
"instrumentId": "BXBT-ETH",
"orderType": "LIMIT",
"postOnly": False,
"price": str(price)[0:8],
"selfTradePrevention": "CN",
"side": "BUY",
"size": "1134",
"timeInForce": "GTC"
}
res = requests.post("http://116.6.110.50:8007/api/orders",headers = header,data=json.dumps(date))
print(res.text)
return ""
postman请求方式:
预执行脚本签名,通过大括号取值
