From 5941efd090dcdeb23a81fd9d68174e86ceea41e3 Mon Sep 17 00:00:00 2001
From: krabyu
Date: Fri, 15 Mar 2024 17:38:57 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90TRTC=5FFlutter=E3=80=91=E5=B0=86secret?= =?UTF-8?q?Key=E4=BF=AE=E6=94=B9=E4=B8=BASDKSecretKey?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 TRTC-API-Example/README.md | 6 +++---
 TRTC-API-Example/README_zh-CN.md | 6 +++---
 TRTC-API-Example/lib/Debug/GenerateTestUserSig.dart | 6 +++---
 TRTC-Simple-Demo/README-zh_CN.md | 4 ++--
 TRTC-Simple-Demo/README.md | 4 ++--
 TRTC-Simple-Demo/lib/debug/GenerateTestUserSig.dart | 8 ++++----
 TRTC-Simple-Demo/lib/debug/JsGenerateTestUserSig.dart | 2 +-
 TRTC-Simple-Demo/lib/ui/login.dart | 2 +-
 8 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/TRTC-API-Example/README.md b/TRTC-API-Example/README.md
index 72f1277..649ce23 100644
--- a/TRTC-API-Example/README.md
+++ b/TRTC-API-Example/README.md
@@ -45,7 +45,7 @@ This demo covers the following features (click to view the details of a feature)
 You have [signed up](https://www.tencentcloud.com/) for a Tencent Cloud account and completed identity verification.
-### Obtaining `SDKAPPID` and `SECRETKEY`
+### Obtaining `SDKAPPID` and `SDKSECRETKEY`
 1. Log in to the TRTC console and select **Application Management** > **[Create application](https://console.tencentcloud.com/trtc/app/create)**.
 2. Click **Create Application** and enter the application name such as `APIExample`. If you have already created an application, click **Select Existing Application**.
@@ -58,13 +58,13 @@ You have [signed up](https://www.tencentcloud.com/) for a Tencent Cloud account
 2. Set parameters in `GenerateTestUserSig.dart` as follows.
 > - SDKAPPID: a placeholder by default. Set it to the actual `SDKAppID`.
-> - SECRETKEY: a placeholder by default. Set it to the actual key.
+> - SDKSECRETKEY: a placeholder by default. Set it to the actual key.
 > ![#900px](https://imgcache.qq.com/operation/dianshi/other/flutter_sig.237b3ce20dde2fa6cac972f49169e7e539d691fd.png)
 3. Click **Next** to complete the creation.
 4. After compilation, click **Return to Overview Page**.
-> !The method for generating `UserSig` described in this document involves configuring `SECRETKEY` in client code. In this method, `SECRETKEY` may be easily decompiled and reversed, and if your key is disclosed, attackers can steal your Tencent Cloud traffic. Therefore, **this method is suitable only for the local execution and debugging of the demo**.
+> !The method for generating `UserSig` described in this document involves configuring `SDKSECRETKEY` in client code. In this method, `SDKSECRETKEY` may be easily decompiled and reversed, and if your key is disclosed, attackers can steal your Tencent Cloud traffic. Therefore, **this method is suitable only for the local execution and debugging of the demo**.
 > The correct `UserSig` distribution method is to integrate the calculation code of `UserSig` into your server and provide an application-oriented API. When `UserSig` is needed, your application can make a request to the business server for dynamic `UserSig`. For more information, please see [How to Calculate UserSig](https://intl.cloud.tencent.com/document/product/647/35166).
diff --git a/TRTC-API-Example/README_zh-CN.md b/TRTC-API-Example/README_zh-CN.md
index 77347a0..05da30e 100644
--- a/TRTC-API-Example/README_zh-CN.md
+++ b/TRTC-API-Example/README_zh-CN.md
@@ -47,7 +47,7 @@
 您已 [注册腾讯云](https://cloud.tencent.com/document/product/378/17985) 账号,并完成 [实名认证](https://cloud.tencent.com/document/product/378/3629)。
-### 申请 SDKAPPID 和 SECRETKEY
+### 申请 SDKAPPID 和 SDKSECRETKEY
 1. 登录实时音视频控制台,选择【开发辅助】>【[快速跑通 Demo](https://console.cloud.tencent.com/trtc/quickstart)】。
 2. 输入应用名称,例如`APIExample`;若您已创建过应用,可以勾选【选择已有应用】,然后单击【创建】。
@@ -60,13 +60,13 @@
 2. 设置`GenerateTestUserSig.dart`文件中的相关参数:
 > - SDKAPPID:默认为 PLACEHOLDER ,请设置为实际的 SDKAppID。
-> - SECRETKEY:默认为 PLACEHOLDER ,请设置为实际的密钥信息。
+> - SDKSECRETKEY:默认为 PLACEHOLDER ,请设置为实际的密钥信息。
 > ![#900px](https://qcloudimg.tencent-cloud.cn/raw/c8a787f11cb3f52a49ffd04ad0197d4b.png)
 3. 返回实时音视频控制台,单击【已复制粘贴,下一步】。
 4. 单击【关闭指引,进入控制台管理应用】。
-> !本文提到的生成 UserSig 的方案是在客户端代码中配置 SECRETKEY,该方法中 SECRETKEY 很容易被反编译逆向破解,一旦您的密钥泄露,攻击者就可以盗用您的腾讯云流量,因此**该方法仅适合本地跑通 Demo 和功能调试**。
+> !本文提到的生成 UserSig 的方案是在客户端代码中配置 SDKSECRETKEY,该方法中 SDKSECRETKEY 很容易被反编译逆向破解,一旦您的密钥泄露,攻击者就可以盗用您的腾讯云流量,因此**该方法仅适合本地跑通 Demo 和功能调试**。
 > 正确的 UserSig 签发方式是将 UserSig 的计算代码集成到您的服务端,并提供面向 App 的接口,在需要 UserSig 时由您的 App 向业务服务器发起请求获取动态 UserSig。更多详情请参见 [服务端生成 UserSig](https://cloud.tencent.com/document/product/647/17275#Server)。
diff --git a/TRTC-API-Example/lib/Debug/GenerateTestUserSig.dart b/TRTC-API-Example/lib/Debug/GenerateTestUserSig.dart
index c51ee54..ef590e1 100644
--- a/TRTC-API-Example/lib/Debug/GenerateTestUserSig.dart
+++ b/TRTC-API-Example/lib/Debug/GenerateTestUserSig.dart
@@ -6,7 +6,7 @@
 /// Attention: do not use the code below in your commercial app. This is because:
 ///
 /// The code may be able to calculate UserSig correctly, but it is only for quick testing of the SDK’s basic features, not for commercial apps.
-/// `SECRETKEY` in client code can be easily decompiled and reversed, especially on web.
+/// `SDKSECRETKEY` in client code can be easily decompiled and reversed, especially on web.
 /// Once your key is disclosed, attackers will be able to steal your Tencent Cloud traffic.
 ///
 /// The correct method is to deploy the `UserSig` calculation code and encryption key on your project server so that your app can request from your server a `UserSig` that is calculated whenever one is needed.
@@ -47,7 +47,7 @@ class GenerateTestUserSig {
 * Note: this method is for testing only. Before commercial launch, please migrate the UserSig calculation code and key to your backend server to prevent key disclosure and traffic stealing.
 * Reference: https://cloud.tencent.com/document/product/647/17275#Server
 */
- static String secretKey = '';
+ static String sdkSecretKey = '';
 /**
 * CDN发布功能 混流appId
@@ -102,7 +102,7 @@ class GenerateTestUserSig {
 int sdkappid = sdkAppId;
 String contentToBeSigned = "TLS.identifier:$identifier\nTLS.sdkappid:$sdkappid\nTLS.time:$currTime\nTLS.expire:$expire\n";
- Hmac hmacSha256 = new Hmac(sha256, utf8.encode(secretKey));
+ Hmac hmacSha256 = new Hmac(sha256, utf8.encode(sdkSecretKey));
 Digest hmacSha256Digest = hmacSha256.convert(utf8.encode(contentToBeSigned));
 return base64.encode(hmacSha256Digest.bytes);
diff --git a/TRTC-Simple-Demo/README-zh_CN.md b/TRTC-Simple-Demo/README-zh_CN.md
index 1b2a7dc..f6ad172 100644
--- a/TRTC-Simple-Demo/README-zh_CN.md
+++ b/TRTC-Simple-Demo/README-zh_CN.md
@@ -47,13 +47,13 @@
 3. 设置`GenerateTestUserSig.dart`文件中的相关参数:
 > - SDKAPPID:默认为 PLACEHOLDER ,请设置为实际的 SDKAppID。
-> - SECRETKEY:默认为 PLACEHOLDER ,请设置为实际的密钥信息。
+> - SDKSECRETKEY:默认为 PLACEHOLDER ,请设置为实际的密钥信息。
 > ![#900px](https://qcloudimg.tencent-cloud.cn/raw/c8a787f11cb3f52a49ffd04ad0197d4b.png)
 4. 返回实时音视频控制台,单击【已复制粘贴,下一步】。
 5. 单击【关闭指引,进入控制台管理应用】。
-> 本文提到的生成 UserSig 的方案是在客户端代码中配置 SECRETKEY,该方法中 SECRETKEY 很容易被反编译逆向破解,一旦您的密钥泄露,攻击者就可以盗用您的腾讯云流量,因此**该方法仅适合本地跑通 Demo 和功能调试**。
+> 本文提到的生成 UserSig 的方案是在客户端代码中配置 SDKSECRETKEY,该方法中 SDKSECRETKEY 很容易被反编译逆向破解,一旦您的密钥泄露,攻击者就可以盗用您的腾讯云流量,因此**该方法仅适合本地跑通 Demo 和功能调试**。
 > 正确的 UserSig 签发方式是将 UserSig 的计算代码集成到您的服务端,并提供面向 App 的接口,在需要 UserSig 时由您的 App 向业务服务器发起请求获取动态 UserSig。更多详情请参见[服务端生成 UserSig](https://cloud.tencent.com/document/product/647/17275#Server)。
diff --git a/TRTC-Simple-Demo/README.md b/TRTC-Simple-Demo/README.md
index 198112e..87e7dc6 100644
--- a/TRTC-Simple-Demo/README.md
+++ b/TRTC-Simple-Demo/README.md
@@ -54,13 +54,13 @@ You have [signed up](https://www.tencentcloud.com/) for a Tencent Cloud account
 3. Set parameters in `GenerateTestUserSig.dart` as follows.
 > - SDKAPPID: a placeholder by default. Set it to the actual `SDKAppID`.
-> - SECRETKEY: a placeholder by default. Set it to the actual key.
+> - SDKSECRETKEY: a placeholder by default. Set it to the actual key.
 > ![#900px](https://imgcache.qq.com/operation/dianshi/other/flutter_sig.237b3ce20dde2fa6cac972f49169e7e539d691fd.png)
 4. Click **Next** to complete the creation.
 5. After compilation, click **Return to Overview Page**.
-> The method for generating `UserSig` described in this document involves configuring `SECRETKEY` in client code. In this method, `SECRETKEY` may be easily decompiled and reversed, and if your key is leaked, attackers can steal your Tencent Cloud traffic. Therefore, **this method is only suitable for the local execution and debugging of the demo**.
+> The method for generating `UserSig` described in this document involves configuring `SDKSECRETKEY` in client code. In this method, `SDKSECRETKEY` may be easily decompiled and reversed, and if your key is leaked, attackers can steal your Tencent Cloud traffic. Therefore, **this method is only suitable for the local execution and debugging of the demo**.
 > The correct `UserSig` distribution method is to integrate the calculation code of `UserSig` into your server and provide an application-oriented API. When `UserSig` is needed, your application can send a request to the business server for a dynamic `UserSig`. For more information, please see [How do I calculate UserSig on the server?](https://intl.cloud.tencent.com/document/product/647/35166).
diff --git a/TRTC-Simple-Demo/lib/debug/GenerateTestUserSig.dart b/TRTC-Simple-Demo/lib/debug/GenerateTestUserSig.dart
index db0d090..a308263 100644
--- a/TRTC-Simple-Demo/lib/debug/GenerateTestUserSig.dart
+++ b/TRTC-Simple-Demo/lib/debug/GenerateTestUserSig.dart
@@ -7,7 +7,7 @@
 * Attention: do not use the code below in your commercial app. This is because:
 *
 * The code may be able to calculate UserSig correctly, but it is only for quick testing of the SDK’s basic features, not for commercial apps.
- * `SECRETKEY` in client code can be easily decompiled and reversed, especially on web.
+ * `SDKSECRETKEY` in client code can be easily decompiled and reversed, especially on web.
 * Once your key is disclosed, attackers will be able to steal your Tencent Cloud traffic.
 *
 * The correct method is to deploy the `UserSig` calculation code and encryption key on your project server so that your app can request from your server a `UserSig` that is calculated whenever one is needed.
@@ -49,12 +49,12 @@ class GenerateTestUserSig {
 * Note: this method is for testing only. Before commercial launch, please migrate the UserSig calculation code and key to your backend server to prevent key disclosure and traffic stealing.
 * Reference: https://cloud.tencent.com/document/product/647/17275#Server
 */
- static String secretKey = '';
+ static String sdkSecretKey = '';
 static genTestSig(String userId) {
 if (kIsWeb) {
 return JsGenerateTestUserSig()
- .jsGenTestUserSig(sdkAppId, secretKey, userId, expireTime);
+ .jsGenTestUserSig(sdkAppId, sdkSecretKey, userId, expireTime);
 }
 int currTime = _getCurrentTime();
 String sig = '';
@@ -90,7 +90,7 @@ class GenerateTestUserSig {
 int sdkappid = sdkAppId;
 String contentToBeSigned = "TLS.identifier:$identifier\nTLS.sdkappid:$sdkappid\nTLS.time:$currTime\nTLS.expire:$expire\n";
- Hmac hmacSha256 = new Hmac(sha256, utf8.encode(secretKey));
+ Hmac hmacSha256 = new Hmac(sha256, utf8.encode(sdkSecretKey));
 Digest hmacSha256Digest = hmacSha256.convert(utf8.encode(contentToBeSigned));
 return base64.encode(hmacSha256Digest.bytes);
diff --git a/TRTC-Simple-Demo/lib/debug/JsGenerateTestUserSig.dart b/TRTC-Simple-Demo/lib/debug/JsGenerateTestUserSig.dart
index 5fa584b..6bd5d55 100644
--- a/TRTC-Simple-Demo/lib/debug/JsGenerateTestUserSig.dart
+++ b/TRTC-Simple-Demo/lib/debug/JsGenerateTestUserSig.dart
@@ -8,5 +8,5 @@ class JsGenerateTestUserSig {
 external JsGenerateTestUserSig();
 external constructor();
 // ignore: non_constant_identifier_names
- external String jsGenTestUserSig(SDKAPPID, SECRETKEY, userID, expireTime);
+ external String jsGenTestUserSig(SDKAPPID, SDKSECRETKEY, userID, expireTime);
 }
diff --git a/TRTC-Simple-Demo/lib/ui/login.dart b/TRTC-Simple-Demo/lib/ui/login.dart
index 416ebe2..f6fd7ef 100644
--- a/TRTC-Simple-Demo/lib/ui/login.dart
+++ b/TRTC-Simple-Demo/lib/ui/login.dart
@@ -69,7 +69,7 @@ class LoginPageState extends State {
 MeetingTool.toast('Please fill in Sdkappid', context);
 return;
 }
- if (GenerateTestUserSig.secretKey == '') {
+ if (GenerateTestUserSig.sdkSecretKey == '') {
 MeetingTool.toast('Please fill in the key', context);
 return;
 }