On QR_Code login logic in software automated testing
2022-07-18 09:06:00 【Feng Dashao】
QR codes appear in many everyday scenarios, for example payment, system login, app downloads, and train codes. In essence, QR code login is just another form of login authentication. In short, this authentication involves two main steps: "telling the system who I am" and "proving to the system who I am". For example, with account-and-password login, the account tells the system who I am and the password proves it; with mobile verification-code login, the phone number tells the system who I am and the verification code proves it; with QR code login, the mobile app scans the QR code shown on the PC side, and after the mobile side confirms, the account is logged in on the PC side.
A QR code is similar to a bar code, except that it is not limited to storing digits: it can hold any string. You can think of it as just another representation of a string. The system uses a token-based authentication mechanism. The token is a string with a special meaning: the server can use it to look up the corresponding account and device information. After the client obtains the token, it saves it locally and sends the token together with its device information on every call to the system API. The server uses the token to find the account and device information bound to it, then compares the bound device information with the device information the client sent. If they match, verification passes and the API response data is returned; if they differ, verification fails and access is denied. From this process we can see that the client does not, and does not need to, store your password; it stores the token instead.
To learn the status of the QR code in time, once the client has displayed the QR code, the PC side keeps polling the server, for example once per second, asking for the current status of the QR code and related information. The user scans the QR code on the PC side with the phone and obtains the QR code ID from it, then calls the server API to send the mobile side's identity information together with the QR code ID. On receiving them, the server binds the identity information to the QR code ID, generates a temporary token, and returns it to the phone. Because the PC side has been polling the QR code status, it sees the status change and can update the interface to show the QR code as scanned. Why return a temporary token? Like a token, a temporary token is an identity credential; the difference is that it can be used only once and is useless afterwards.
After the mobile side receives the temporary token, it shows the login confirmation screen. When the user taps confirm, the phone calls the server interface with the temporary token to tell the server that the login is confirmed. After receiving the confirmation, the server generates the login token for the user's PC side from the device information and account information bound to the QR code ID. The PC side's polling request now learns that the QR code status has become "confirmed" and obtains the login token from the server. At this point login has succeeded, and the PC side can use the token to access the server's resources.
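The flow described above, as an added server-side sketch that is not code from the original post or from any real site. The class name, method names, state names and device identifiers are hypothetical; it models the QR code ID, the single-use temporary token, and the device check on each API call.

```python
import secrets

class QRLoginServer:
    """In-memory model of the QR login states: new -> scanned -> confirmed."""
    def __init__(self):
        self.qr = {}        # qr_id -> state, PC device, account, login token
        self.temp = {}      # temporary token -> qr_id (single use)
        self.sessions = {}  # login token -> (account, bound device)

    def create_qr(self, pc_device):
        qr_id = secrets.token_urlsafe(16)
        self.qr[qr_id] = {"state": "new", "pc_device": pc_device,
                          "account": None, "token": None}
        return qr_id

    def poll(self, qr_id):
        # What the PC side asks every second: status, plus the token once confirmed.
        entry = self.qr[qr_id]
        return entry["state"], entry["token"]

    def scan(self, qr_id, account):
        # The phone sends its identity with the QR code ID; the server binds them.
        entry = self.qr[qr_id]
        if entry["state"] != "new":
            raise PermissionError("QR code already scanned")
        entry.update(state="scanned", account=account)
        temp_token = secrets.token_urlsafe(16)
        self.temp[temp_token] = qr_id
        return temp_token

    def confirm(self, temp_token):
        # pop() removes the temporary token, so it works exactly once.
        qr_id = self.temp.pop(temp_token, None)
        if qr_id is None:
            raise PermissionError("temporary token unknown or already used")
        entry = self.qr[qr_id]
        entry.update(state="confirmed", token=secrets.token_urlsafe(32))
        self.sessions[entry["token"]] = (entry["account"], entry["pc_device"])

    def api_call(self, token, device):
        # The token must exist and must come from the device it was bound to.
        bound = self.sessions.get(token)
        if bound is None or bound[1] != device:
            raise PermissionError("verification failed")
        return {"account": bound[0]}
```
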
Let's use logging in to the JD official website as an example.
Open the JD login screen: the QR_Code comes with 2 cookies and the main API interface. The t=1657781923616 shown at the end of the interface is the corresponding Unix timestamp (Greenwich seconds).

Repeated observation shows that the value after t changes over time and is always 13 digits long, so in code you can use round(time.time()*1000) to produce a 13-digit number. Printing the cookies directly then gives a dict of key-value pairs for the 2 cookies mentioned above.

Download the QR_Code locally and encode it as base64; the result is b'iVBORxxxxxxx

Remove the extra b' prefix. The main approach is to use split() and take element [1] of the resulting list; or, if you are comfortable with regular expressions, match it directly with findall.
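The timestamp and base64 steps above, as an added example that is not from the original post. The sample bytes are constructed (a PNG signature plus a truncated header) and the function names are hypothetical; splitting on the quote character is an assumption, since the post does not say what split() is called with. The b' prefix is only the printed form of a Python bytes object, so decode() removes it without any string surgery.

```python
import base64
import re
import time

# The 8-byte signature every PNG file starts with; it is why the base64
# text of a PNG always begins with "iVBOR".
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed stand-in for the downloaded QR image (truncated PNG header).
SAMPLE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR"

def timestamp_ms():
    """13-digit Unix timestamp in milliseconds, as in the t= parameter."""
    return round(time.time() * 1000)

def b64_text(image_bytes):
    """Base64 text of a PNG, with no b'...' wrapper to strip."""
    if not image_bytes.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG image")
    return base64.b64encode(image_bytes).decode("ascii")

def b64_via_split(image_bytes):
    # The post's first approach: str() of the bytes object, cut at the quotes.
    return str(base64.b64encode(image_bytes)).split("'")[1]

def b64_via_findall(image_bytes):
    # The post's second approach: capture the text between b' and '.
    return re.findall(r"b'(.*)'", str(base64.b64encode(image_bytes)))[0]
```
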

The principle of QR_Code was introduced at the beginning: the backend automatically updates the status and the API interface. As the figure below shows, the 7 digits after jQuery are randomly generated and follow no pattern. Therefore, it is almost impossible to crack this login.

Try scanning manually with the phone app after logging in, and you get the corresponding token.

Therefore, to achieve QR_Code login, you can only scan manually with the app and then obtain the token, after which you can perform various operations in the background; or combine Selenium and Appium to scan and log in automatically. For the use of Appium in automated testing, see the related articles on my blog; I won't repeat it here.