Documentation
¶
Overview ¶
Package dysign reimplements the request signing the Douyin web client adds to its /aweme/v1/web/* calls: the msToken query parameter and the X-Bogus device signature, with the newer a_bogus variant behind the same Signer. Douyin and TikTok are both ByteDance and use the same signing scheme. It depends on nothing outside the standard library and is deterministic under an injected clock and randomness source, so the derivation can be unit tested.
The signing is a faithful reimplementation of the public, logged-out web client behavior. It carries no account secret and reads only public data.
Index ¶
Constants ¶
const DefaultMsTokenLen = 128
DefaultMsTokenLen is the length of a freshly minted token. The real client mints a token of this order and the server rotates it through a Set-Cookie on the first answered call.
Variables ¶
This section is empty.
Functions ¶
func ABogus ¶
ABogus reimplements the newer a_bogus signature, also surfaced as the X-Gnarly header on recent page builds. It signs the same query string plus an optional request body and the User-Agent, and is longer than X-Bogus because it folds in a small browser environment vector. The tool sends X-Bogus by default and carries this path for endpoints that stop accepting X-Bogus.
The derivation reuses the shared primitives: the double MD5 of each input, a fixed environment vector, the timestamp, and the custom alphabet.
func MsToken ¶
MsToken returns an n character token drawn from the client's alphabet. The randomness source is injected so the output is reproducible under test. A logged-out call carries a freshly minted token as a bootstrap; the server accepts a well shaped one to start a session.
func XBogus ¶
XBogus reimplements the web client's X-Bogus derivation. The value is a function of the final sorted query string, the User-Agent, and a one second timestamp. The steps mirror the public algorithm: hash the query with a double MD5, hash the RC4 then base64 of the User-Agent the same way, fold both with the timestamp and the canvas constant into a byte array, checksum it, interleave it, RC4 it under a single byte key, and map the result through the custom alphabet.
nowSeconds is injected so the output is reproducible under test.
Types ¶
type Signed ¶
Signed is the result of signing: the final query string with msToken appended and the headers to send.
type Signer ¶
type Signer struct {
// NowMillis returns the current time in unix milliseconds.
NowMillis func() int64
// Rand returns n random bytes. It backs the msToken.
Rand func(n int) []byte
// MsTokenLen overrides the token length. Zero uses the default.
MsTokenLen int
}
Signer signs a query string. The clock and randomness are injectable so the output is reproducible.