
DataV:Check the validity of digitally signed parameters in a token

Last Updated:Apr 27, 2023

This topic describes how to use the token parameter of a published DataV dashboard to verify the signature of the parameters passed in its URL. This verification method lets you authenticate the parameters that are passed to a project for data presentation, so that the parameters in the URL of a published project cannot be tampered with, which protects project data and user privacy information.

Prerequisites

Before you use this method, make sure that:

  • The data visualization dashboard is published with token authentication enabled. For more information, see Publish a visualized application on a PC.

  • The data visualization dashboard uses GET to pass parameters in the URL (the parameters are appended directly to the URL).

  • You need to ensure that the parameters passed in the URL of the data visualization dashboard cannot be tampered with.

Scenarios

The following example describes the scenario in which this verification method is used.

A user's system embeds a DataV dashboard. The URL of the dashboard is calculated from the token, and the user's job number is passed to the dashboard as a GET parameter so that the dashboard displays the data of that employee. The dashboard is accessed by using a URL such as https://datav.aliyuncs.com/share/xxx?_datav_time=1556022195845&_datav_signature=%2BDZFj3QDIla%2F00fBZLdJMgk2Z1Ocs9MLL1******%3D&workid=123.

The workid (job ID) parameter is passed to the dashboard and may be tampered with. For example, if the employee whose job number is 123 changes the URL to https://datav.aliyuncs.com/share/xxx?_datav_time=1556022195845&_datav_signature=%2BDZFj3QDIla%2F00fBZLdJMgk2Z1Ocs9MLL1******%3D&workid=124, they can see the information of the employee whose job number is 124. To prevent passed parameters from being tampered with, you must enable signature authentication. After you enable signature authentication, if a passed parameter in the URL is changed, the project can no longer be viewed by using the modified URL.

Parameter Rules

The name of the parameter that you want to sign must be a valid parameter name that starts with datav_sign_. The regular expression for this parameter name is /^datav_sign_.*/.

Note

Parameters whose names do not meet the naming convention are not covered by signature authentication, so their values can be changed without invalidating the URL. When the signature is calculated, the signed parameters are sorted in ascending order by name.

Calculate the URL with signature parameters

The following example shows the sample Node.js code:

const crypto = require('crypto');
const querystring = require('querystring'); // Legacy Node.js module; URLSearchParams is the modern alternative.
const signedQueryParamReg = /^datav_sign_.*/; // Parameters whose names match this regular expression are signed.

const token = "93TWnmeBtxxxxxxxxxx3thGyAgzennsS"; // Token of the published dashboard.
const screenID = "b92xxxxxxxxxxxxxxxxxx27b4c538cd4"; // ID of the dashboard.
const time = Date.now(); // Timestamp in milliseconds; becomes the _datav_time parameter.

const customParams = {
  datav_sign_no: 123998, // Matches the naming rule, so it is signed.
  name: 123              // Does not match the naming rule, so it is not signed.
};

// Build "name=value&name=value" from the signed parameters, sorted by name.
// A parameter with an empty (falsy) value is left out of the signature.
let signParamsStr = Object.keys(customParams)
  .filter(paramName => customParams[paramName] && signedQueryParamReg.test(paramName))
  .sort()
  .map(param => `${param}=${customParams[param]}`)
  .join('&');

// The string to sign is "screenID|time" followed by "|signedParams" when any parameter is signed.
let stringToSign = [screenID, time];
signParamsStr && stringToSign.push(signParamsStr);
stringToSign = stringToSign.join('|');

// HMAC-SHA256 keyed with the token, Base64-encoded.
let signature = crypto.createHmac('sha256', token).update(stringToSign).digest().toString('base64');

let queryParams = {
  _datav_time: time,
  _datav_signature: signature
};

// Append all custom parameters, signed and unsigned, to the query string.
Object.keys(customParams).forEach(paramName => {
  queryParams[paramName] = customParams[paramName];
});

// querystring.stringify percent-encodes the "+", "/" and "=" characters of the Base64 signature.
let url = `https://datav.aliyuncs.com/share/${screenID}?${querystring.stringify(queryParams)}`;
console.log(url);

The URL obtained by using the above code is: https://datav.aliyuncs.com/share/b92db8e09358c82efca0727b4c538cd4?_datav_time=1556023246894&_datav_signature=GGSbvxlemUeBoRVco8JgrJVWRcmao7NuRYt2O******%3D&datav_sign_no=123998&name=123. During the validity period of the URL, if the value of the datav_sign_no parameter is modified, the link can no longer be accessed, because datav_sign_no matches the parameter rule and is included in the signature calculation. If the value of the name parameter is modified, the link can still be accessed, because name does not match the signature parameter rule and is not included in the signature calculation.

Procedure

  1. Determine the names of the parameters that must be signed. These parameters cannot be tampered with after they are passed.

  2. After the data visualization dashboard is developed, publish it with token authentication enabled. For more information, see Publish a visualization application on a PC.

  3. Calculate the URL of the data visualization dashboard. For more information, see Calculate the URL with signature parameters.

  4. Use the URL calculated in the previous step to access the data visualization dashboard. During the access, the system automatically verifies the parameter signature.

    If the verification succeeds, the dashboard is displayed. If you then change a signed parameter in the URL, access is denied the next time you open the URL.