
Summary of the situation

  1. The mini program calls wx.login to obtain a code, and the back end then exchanges the code for a session_key;
  2. The mini program calls wx.getUserInfo to get the user information.

In the first implementation of login, the front end obtained the code through wx.login, then called wx.getUserInfo, and passed both results to the back end. The back end performed the sha1 verification, but every time I logged in, the first verification failed, so the login was unsuccessful and I had to log in a second time.

The interface itself was designed to use the code to obtain session_key and unionid. If the user already exists in the database, the current user is logged in directly. If not, the back end verifies the information with sha1; once that succeeds, it decrypts the user data to authenticate the user, and the user is automatically registered and then logged in.

Problem analysis

I looked at the mini program documentation carefully, but I didn't find anything stating the order in which these two interfaces should be called. After many unsuccessful tests, I found out:

  1. When the mini program calls wx.login, a session_key is not generated on the WeChat mini program's own server;
  2. session_key has an expiration time. Regarding the specific expiration time, the mini program documentation explains that the more frequently the mini program is used, the longer the expiration time will be;
  3. code has an expiration time of 5 minutes;
  4. The code obtained by wx.login is different each time, but if the session_key has not expired, the session_key the back end obtains through the interface is the same as the session_key obtained with the previous code;
  5. For the information obtained through wx.getUserInfo, the related signature is computed with the session_key that goes with wx.login.

The above is the mechanism of the mini program. From this point of view, it seems reasonable to call wx.login, then call the wx.getUserInfo interface to obtain the user data, pass everything to the back end, and have the back end request the session_key and then verify the user data for automatic registration. It should be feasible, but in fact the pitfall is the first point.

In other words, when the mini program calls wx.getUserInfo to obtain user information, it uses the session_key generated by the last server request. The data is then sent to the back end together with the code, and the back end obtains the session_key through the code. If the previous session_key has expired by that time, a new session_key is returned, and the verification fails.

Therefore, overall, the front end should first send the code obtained through wx.login to the back end, which exchanges it for session_key and unionid. If the unionid shows that the current user does not exist, the back end caches session_key and unionid and then tells the front end to call wx.getUserInfo and send the result to the back end's registration and binding interface.
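
The order recommended above, as an added example that is not the author's code: the back end caches the session_key at the moment it exchanges the code, then checks the wx.getUserInfo signature against that cached key. The sha1(rawData + session_key) rule follows WeChat's documentation; `LoginBackend`, the one-time token, `fake_code2session` and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real WeChat data.
OLD_KEY, NEW_KEY = "old-session-key", "new-session-key"
RAW_DATA = '{"nickName":"demo","gender":0}'

def sign(raw_data, session_key):
    """WeChat's documented rule: signature = sha1(rawData + session_key)."""
    return hashlib.sha1((raw_data + session_key).encode("utf-8")).hexdigest()

def verify_signature(raw_data, signature, session_key):
    # Constant-time comparison of the expected and supplied hex digests.
    expected = sign(raw_data, session_key).encode()
    return hmac.compare_digest(expected, signature.lower().encode())

def fake_code2session(code):
    """Stand-in (assumption) for the back end's code-for-session_key exchange."""
    return NEW_KEY, "unionid-demo"

class LoginBackend:
    """Hypothetical back end that caches session_key when the code is exchanged."""
    def __init__(self, code2session):
        self._code2session = code2session
        self._pending = {}   # one-time token -> (session_key, unionid)
        self.users = set()   # registered unionids

    def login(self, code):
        session_key, unionid = self._code2session(code)
        if unionid in self.users:
            return {"status": "logged_in"}
        token = secrets.token_urlsafe(16)
        self._pending[token] = (session_key, unionid)
        return {"status": "need_user_info", "token": token}

    def register(self, token, raw_data, signature):
        entry = self._pending.pop(token, None)  # token is single-use
        if entry is None:
            return False
        session_key, unionid = entry
        if not verify_signature(raw_data, signature, session_key):
            return False
        self.users.add(unionid)
        return True

if __name__ == "__main__":
    stale = sign(RAW_DATA, OLD_KEY)  # signed before the key rotated
    print("stale signature vs new key:", verify_signature(RAW_DATA, stale, NEW_KEY))
```

In a real deployment the pending entries also need an expiry, and the token should be tied to the client that received it.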


kumfo