hide form_api_secret

upyun · Oct 11, 2014 · cbba986 · cbba986
1 parent 10efc99
commit cbba986
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -14,7 +14,14 @@ eg:
 ```js
 document.getElementById('submit').onclick = function() {
     var ext = '.' + document.getElementById('file').files[0].name.split('.').pop();
-    var instance = new Sand('demonstration', '1+JY2ZqD5UVfw6hQ8EesYQO50Wo=', parseInt((new Date().getTime() + 3600000) / 1000));
+
+    var config = {
+        bucket: 'demonstration',
+        expiration: parseInt((new Date().getTime() + 3600000) / 1000),
+        signature: 'something'
+    };
+
+    var instance = new Sand(config);
     var options = {
         'notify_url': 'http://upyun.com'
     };
@@ -29,14 +36,23 @@ document.getElementById('submit').onclick = function() {
 
 ### 构建实例
 ```js
-new Sand(bucket, form_api_secret, expiration);
+new Sand(config);
 ```
 
 __参数说明__
 
-* `bucket`: 空间名称
-* `form_api_secret`: 表单 API 密钥
-* `expiration`: 上传请求过期时间（单位为：`秒`）
+* `config` 必要参数
+    * `bucket`: 空间名称
+    * `expiration`: 上传请求过期时间（单位为：`秒`）
+    * `signature`: 初始化上传所需的签名
+    * `form_api_secret`: 表单 API （慎用）
+
+__注意__
+
+其中 `signature` 和 `form_api_secret` 为互斥项，为了避免表单 API 泄露造成安全隐患，请尽可能根据[所需参数](https://github.com/upyun/js-multipart-upload/wiki/%E5%88%86%E5%9D%97%E4%B8%8A%E4%BC%A0%E8%AF%B4%E6%98%8E#%E5%85%83%E4%BF%A1%E6%81%AF)自行传入初始化上传所需的 `signature` 参数
+
+计算签名算法，请参考[文档](https://github.com/upyun/js-multipart-upload/wiki/%E5%88%86%E5%9D%97%E4%B8%8A%E4%BC%A0%E8%AF%B4%E6%98%8E#signature-%E5%92%8C-policy-%E7%AE%97%E6%B3%95)
+
 
 ### 设置额外上传参数
 

diff --git a/bower.json b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "upyun-multipart-upload",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "authors": [
     "Leigh Zhu <[email protected]>"
   ],

diff --git a/demo.html b/demo.html
@@ -66,7 +66,16 @@
 <script>
 	document.getElementById('submit').onclick = function() {
 		var ext = '.' + document.getElementById('file').files[0].name.split('.').pop();
-		var instance = new Sand('demonstration', '1+JY2ZqD5UVfw6hQ8EesYQO50Wo=', parseInt((new Date().getTime() + 3600000) / 1000));
+
+		var config = {
+			bucket: 'demonstration',
+			expiration: parseInt((new Date().getTime() + 3600000) / 1000),
+
+			// 尽量不要使用直接传表单 API 的方式，以防泄露造成安全隐患
+			form_api_secret: '1+JY2ZqD5UVfw6hQ8EesYQO50Wo='
+		};
+
+		var instance = new Sand(config);
 		var options = {
 			'notify_url': 'http://upyun.com'
 		};

diff --git a/lib/upyun-mu.js b/lib/upyun-mu.js
@@ -118,8 +118,11 @@
                     'file_size': chunkInfo.file_size,
                     'file_hash': chunkInfo.entire
                 };
-                //console.log(JSON.stringify(options));
-                var signature = calcSign(options, _config.form_api_secret);
+                if (self._signature) {
+                    var signature = self._signature;
+                } else {
+                    var signature = calcSign(options, _config.form_api_secret);
+                }
                 var policy = btoa(JSON.stringify(options));
                 var paramsData = {
                     policy: policy,
@@ -226,10 +229,12 @@
         });
     }
 
-    function Sand(bucket, form_api_secret, expiration) {
-        _config.bucket = bucket;
-        _config.form_api_secret = form_api_secret;
-        _config.expiration = expiration;
+    function Sand(config) {
+        _extend(_config, config);
+
+        if(config.signature) {
+            this._signature = config.signature;
+        }
 
         this.setOptions = function(options) {
             this.options = options;