ttsign

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package ttsign reimplements the request signing the TikTok web client adds to its /api/* calls: the msToken query parameter and the X-Bogus device signature, with the newer a_bogus variant behind the same Signer. It depends on nothing outside the standard library and is deterministic under an injected clock and randomness source, so the derivation can be unit tested.

The signing is a faithful reimplementation of the public, logged-out web client behavior. It carries no account secret and reads only public data.

Index

Constants

View Source
const DefaultMsTokenLen = 128

DefaultMsTokenLen is the length of a freshly minted token. The real client mints a token of this order and the server rotates it through a Set-Cookie on the first answered call.

Variables

This section is empty.

Functions

func ABogus

func ABogus(query, body, userAgent string, nowSeconds int64) string

ABogus reimplements the newer a_bogus signature, also surfaced as the X-Gnarly header on recent page builds. It signs the same query string plus an optional request body and the User-Agent, and is longer than X-Bogus because it folds in a small browser environment vector. The tool sends X-Bogus by default and carries this path for endpoints that stop accepting X-Bogus.

The derivation reuses the shared primitives: the double MD5 of each input, a fixed environment vector, the timestamp, and the custom alphabet.

func MsToken

func MsToken(n int, rand func(int) []byte) string

MsToken returns an n character token drawn from the client's alphabet. The randomness source is injected so the output is reproducible under test. A logged-out call carries a freshly minted token as a bootstrap; the server accepts a well shaped one to start a session.

func XBogus

func XBogus(query, userAgent string, nowSeconds int64) string

XBogus reimplements the web client's X-Bogus derivation. The value is a function of the final sorted query string, the User-Agent, and a one second timestamp. The steps mirror the public algorithm: hash the query with a double MD5, hash the RC4 then base64 of the User-Agent the same way, fold both with the timestamp and the canvas constant into a byte array, checksum it, interleave it, RC4 it under a single byte key, and map the result through the custom alphabet.

nowSeconds is injected so the output is reproducible under test.

Types

type Signed

type Signed struct {
	Query   string
	Headers map[string]string
}

Signed is the result of signing: the final query string with msToken appended and the headers to send.

type Signer

type Signer struct {
	// NowMillis returns the current time in unix milliseconds.
	NowMillis func() int64
	// Rand returns n random bytes. It backs the msToken.
	Rand func(n int) []byte
	// MsTokenLen overrides the token length. Zero uses the default.
	MsTokenLen int
}

Signer signs a query string. The clock and randomness are injectable so the output is reproducible.

func (*Signer) Sign

func (s *Signer) Sign(rawQuery, userAgent string) Signed

Sign appends a fresh msToken to rawQuery, computes X-Bogus over the result and the User-Agent, and returns the final query plus the headers to set. The caller adds Referer and Origin.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL