Mini Program Development to Implement Unified Management of Access_Token

TOKEN Timer Refresher

1. Background

For developers who have used the API functions of the public platform, access_token will definitely be familiar to them. It is like a key to open the door of your home. As long as you have it, you can use most of the API functions of the public platform. Therefore, for developers, how to use access_token becomes particularly important. In the daily operation of API interfaces, we often encounter various questions: Why is my access_token suddenly illegal? Why did the access_token I just got expire after 10 minutes? In response to these questions, we provide a design solution for access_token to help developers understand how to use access_token.

For obtaining access_token, please refer to the official documentation of the public platform: auth.getAccessToken, Get Access token

2. Internal design of access_token

2.1 Timeliness of access_token

As we all know, access_token is generated from appid and appsecret. The steps of the internal design are as follows:

(1) The developer uses https to request: GET https://API.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=APPSECRET, passing in the appid and appsecret parameters.

(2) The public platform backend verifies whether the appid and hash (appsecret) match the stored values. If they match, a new access_token is generated based on the current timestamp.

(3) When a new access_token is generated, the expiration timestamp of the old access_token will be updated to the current timestamp.

(4) Return the new access_token to the developer.

Here is a diagram to illustrate the process of switching between old and new tokens:

A few points to note from the above diagram:

(1) The public platform storage layer only stores the new and old access_tokens, which means that if the developer calls the interface three times, the earliest access_token will become invalid immediately.

(2) Although the expiration time of the old access_token will be updated to the current time after requesting a new access_token, it will not become invalid immediately. For the principle, please refer to [2.2 Gradual expiration of access_token]

(3) For information security reasons, the public platform does not store appsecret in plain text, but only stores appid and the hash value of appsecret. Therefore, developers must keep appsecret properly. When the appsecret is suspected to be leaked, you need to log in to mp.weixin.qq.com in time to reset the appsecret.

2.2 Gradual expiration of access_token

From [Timeliness of access_token], we know that when a developer requests a new access_token, the expiration time of the old access_token is updated to the current time. It does not become invalid immediately, however, because the public platform provides [5 minutes of buffer time for the alternation between the new and old access_tokens]; this is why it is called the gradual expiration of access_token.

The implementation principle is:

  • Since the expiration timestamp of the old access_token has been refreshed, when an API interface request arrives and the access_token has been decoded, 5 minutes are added to the expiration timestamp and the result is compared with the current device time. If the current device time is later than that value, the token is considered invalid.
  • The devices on the public platform will keep the clocks synchronized, but there may still be a time difference of 1-2 minutes between devices, so [5 minutes] is not an absolute time value. When developers obtain a new access_token, they should switch to the new access_token as soon as possible.

A few points to note from the above diagram:

(1) Due to differences in device time synchronization, developers may encounter situations where some requests to the API interface using the old access_token are successful while others fail. It is recommended that developers use the new access_token as soon as possible after obtaining it.

(2) As the two diagrams show, the access_token interface is critical for developers and should not be called arbitrarily. It is recommended that developers manage access_token in a unified manner to avoid multiple requests that may cause the access_token to become invalid.
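
The rotation and grace-period rules from sections 2.1 and 2.2, as a small runnable model. This is an added example, not code from the public platform or the original article; TokenStore, simulate, the token strings and the 2-hour lifetime are assumptions made for illustration.

```javascript
// Constructed model of the rules in sections 2.1 and 2.2 (not WeChat's code).
const MIN = 60 * 1000;
const GRACE_MS = 5 * MIN;      // buffer between old and new token (section 2.2)
const LIFETIME_MS = 120 * MIN; // assumed lifetime; the page does not state one

class TokenStore {
  constructor() {
    this.current = null;  // { token, expiresAt }
    this.previous = null; // only the new and the old token are stored
    this.issued = 0;
  }
  // Section 2.1 steps (2)-(4): issue a new token and set the old one's expiry to "now".
  refresh(now) {
    this.previous = this.current ? { token: this.current.token, expiresAt: now } : null;
    this.issued += 1;
    this.current = { token: `tok-${this.issued}`, expiresAt: now + LIFETIME_MS };
    return this.current.token;
  }
  // Section 2.2: the old token's expiry gets 5 minutes added before the comparison
  // with the clock of the device handling the request (skewMs models clock drift).
  isValid(token, now, skewMs = 0) {
    const deviceNow = now + skewMs;
    if (this.current && token === this.current.token) return deviceNow < this.current.expiresAt;
    if (this.previous && token === this.previous.token) return deviceNow < this.previous.expiresAt + GRACE_MS;
    return false; // anything older than the previous token is no longer stored
  }
}

function simulate() {
  const store = new TokenStore();
  const a = store.refresh(0);
  const b = store.refresh(10 * MIN);                      // second refresh, 10 minutes later
  const out = {
    oldInGrace: store.isValid(a, 14 * MIN),               // 14 < 10 + 5
    oldOnFastDevice: store.isValid(a, 14 * MIN, 2 * MIN), // device clock 2 minutes ahead
    oldAfterGrace: store.isValid(a, 16 * MIN),
  };
  const c = store.refresh(14 * MIN);                      // third, uncoordinated refresh
  out.earliestAfterThird = store.isValid(a, 14 * MIN);    // dropped at once, no grace
  out.previousAfterThird = store.isValid(b, 14 * MIN);
  out.newest = store.isValid(c, 14 * MIN);
  return out;
}

console.log(simulate());
```

The same old token is accepted by one device and rejected by another inside the buffer window, and a third refresh removes the earliest token without any buffer, which is why a single refresher should own the token.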

3. Unified management of access_token

Hand the refreshing of access_token over to a timer trigger. Interface calls that use access_token should not take the access_token as a parameter; the backend reads it from the database instead.

The following example shows code for the unified management of access_token on the mini program cloud function side.

index.js requests and updates access_token

When running on other terminals, you need to pass in APPID

const cloud = require('wx-server-sdk')
cloud.init({
  env: cloud.DYNAMIC_CURRENT_ENV
})
const timeutil = require('./timeutil');
// Configuration item that needs to be modified
const APPSECRET = ''
const axios = require('axios');
const db = cloud.database();
// Collection that holds the regularly refreshed configuration
const CONFIG = 'cloud-token';
// Endpoint for getting the token
const URL = 'https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={APPID}&secret={APPSECRET}'
function getAccessToken(APPID,APPSECRET){
  let url = URL;
  url = url.replace('{APPID}',encodeURIComponent(APPID))
  url = url.replace('{APPSECRET}',encodeURIComponent(APPSECRET))
  return new Promise(function(resolve,reject){
    axios.get(url).then(function (response) {
      // Do not log the whole response: it contains the access_token and the request URL with APPSECRET
      console.log('token request status:', response.status);
      resolve(response)
    })
    .catch(function (error) {
      // error.config holds the request URL including APPSECRET, so log only the message
      console.log(error.message);
      reject(error)
    });
  })
}
// Cloud function entry function
exports.main = async (event, context) => {
  const wxContext = cloud.getWXContext()
  // Automatically obtain the current application APPID
  var APPID = wxContext.APPID;
  const res = await getAccessToken(APPID,APPSECRET)
  let access_token = res.data.access_token;
  // On failure the API returns errcode/errmsg and no access_token; keep the stored token untouched
  if (!access_token) {
    throw new Error('getAccessToken failed: ' + res.data.errcode + ' ' + res.data.errmsg)
  }
  let ans = await db.collection(CONFIG).doc('access_token').set({
    data:{
      value:access_token,
      _updateTime:timeutil.TimeCode()
    }
  })
  return ans
}

config.json Timer trigger

Triggered every hour

{
  "triggers": [
    {
      "name": "myTrigger",
      "type": "timer",
      "config": "0 0 * * * * *"
    }
  ]
}

timeutil.js time tool class

function TimeCode() {
  var date = new Date();
  var year = date.getFullYear()
  var month = date.getMonth() + 1
  var day = date.getDate()

  var hour = date.getHours()
  var minute = date.getMinutes()
  var second = date.getSeconds()

  return [year, month, day].map(formatNumber).join('-') + ' ' + [hour, minute, second].map(formatNumber).join(':')
}
// Get the date
function _formatTime(time) {
  // getMonth() is zero-based, so add 1
  var date = time.getFullYear() + 'year' + (time.getMonth() + 1) + 'month' + time.getDate() + 'day'
  var ftime = time.getHours() + 'hours' + time.getMinutes() + 'minutes' + time.getSeconds() + 'seconds'
  return date + ftime;
}
function TimeCodeYmd(){
  var date = new Date();
  var year = date.getFullYear()
  var month = date.getMonth() + 1
  var day = date.getDate()

  return [year, month, day].map(formatNumber).join('-');
}
function formatNumber(n) {
  n = n.toString()
  return n[1] ? n : '0' + n
}
module.exports={
  TimeCode,
  TimeCodeYmd
}

Where access_token is used in other cloud functions, it is obtained by querying the database, and the two are logically coupled through the database.

Access_token query usage

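const cloud = require('wx-server-sdk')
cloud.init({
  env: cloud.DYNAMIC_CURRENT_ENV
})
const db = cloud.database();
const TOKEN = 'cloud-token';
exports.main = async (event, context) => {
  // Get access_token from the database (the token itself is not logged)
  let access_token;
  try {
    let tres = await db.collection(TOKEN).doc('access_token').get();
    access_token = tres.data.value;
  } catch (error) {
    console.log('--No token record--')
    return {
      errCode:-1,
      errMsg:'There is no TOKEN information in the database'
    }
  }
  // ... call the server API with access_token here
}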

Reference Documentation

【1】Internal design of access_token for the public platform/Mini Program server API | WeChat Open Community (qq.com)

【2】auth.getAccessToken | WeChat Open Documentation (qq.com)

【3】Summary of WeChat Mini Program Development Skills (Part 3) - Cloud Development Time-Effective Data Refresh and Storage (access_token, etc.) - Kindear - cnblogs.com
