docs(docs): 更新README

苏青安 · 苏青安 · commit 2cfd377e1446 · 2025-08-28T15:45:20.000+08:00
diff --git a/README.md b/README.md
@@ -5,21 +5,22 @@
   <hr width="50%"/>
 </div>
 
-A PHP package for request encryption, designed for quickly implementing secure communication between frontend and backend.
+A PHP toolkit for handling encrypted requests, enabling fast and secure front-end to back-end communication.
 
-In real-world development, there are often scenarios where requests need extra security: data must be encrypted to prevent sniffing, and requests should be protected against tampering or replay attacks. Coordinating encryption methods and signature rules with frontend teams each time can be cumbersome. To simplify this workflow, I created this PHP package and a companion npm package, allowing frontend developers to generate encrypted request parameters with a single function call, making it easy to implement secure API communication.
+In real-world development, you often encounter scenarios where requests need to be secure: data must be encrypted to prevent sniffing, and requests must be protected from tampering or replay attacks. Coordinating encryption methods and signature rules with the front-end can be cumbersome. This PHP package simplifies the process. Paired with a dedicated npm package, the front-end can generate encrypted request parameters with a single call, enabling secure and fast data transmission.
 
-Frontend companion npm package: [npm-encrypted-request](https://github.com/zxc7563598/npm-encrypted-request)
+Front-end companion npm package: [npm-encrypted-request](https://github.com/zxc7563598/npm-encrypted-request)
 
-**This project has been parsed by Zread. If you need a quick overview of the project, you can click here to view it：[Understand this project](https://zread.ai/zxc7563598/php-encrypted-request)**
+**This project has been parsed by Zread. To quickly understand it, you can click here:** **[Learn More](https://zread.ai/zxc7563598/php-encrypted-request)**
 
 ## Features
 
-- 🔐 AES-128-CBC decryption of frontend-encrypted data to prevent leaks
-- ✍️ Dynamic MD5 signature verification to prevent forged signatures
-- ⏰ Timestamp validation (in seconds) with configurable tolerance, to prevent request hijacking
-- ⚙️ Configurable via `.env` file or array
-- 🧩 Extensible with custom decryptors
+- ♾️ **Hybrid encryption**: AES key is randomly generated, no need for front-end to store a fixed key, improving security
+- 🔐 **AES-128-CBC decryption**: Securely decrypt front-end encrypted data, back-end only needs to configure the RSA private key
+- ✍️ **Dynamic MD5 signature verification**: Prevents forged requests
+- ⏰ **Second-level timestamp validation**: Customizable tolerance to prevent request hijacking
+- ⚙️ **Flexible configuration**: Use `.env` or pass an array directly
+- 🧠 **Minimal code changes required**: Front-end can securely send data without worrying about the underlying logic
 
 ## Installation
 
@@ -29,25 +30,19 @@ composer require hejunjie/encrypted-request
 
 ## Configuration Example
 
-You can configure via `.env` file:
+You can configure via `.env`:
 
 ```dotenv
-APP_KEY=your-app-key
+RSA_PRIVATE_KEY=your-private-key
 DEFAULT_TIMESTAMP_DIFF=60
-
-# Optional when using a custom decryptor
-AES_KEY=your-aes-key
-AES_IV=your-aes-iv
 ```
 
-Or pass configuration as an array:
+Or pass an array directly:
 
 ```php
 $config = [
-    'APP_KEY' => 'your-app-key', // Required: key used for signature verification (32 alphanumeric characters)
-    'DEFAULT_TIMESTAMP_DIFF' => 60, // Required: maximum allowed timestamp difference in seconds
-    'AES_KEY' => 'your-aes-key', // Optional: AES encryption key (16 characters); not needed for custom decryptor
-    'AES_IV' => 'your-aes-iv' // Optional: AES initialization vector (16 characters); not needed for custom decryptor
+    'RSA_PRIVATE_KEY' => 'your-private-key', // Private key string (including -----BEGIN PRIVATE KEY-----)
+    'DEFAULT_TIMESTAMP_DIFF' => 60, // Optional, used to validate request expiry in seconds, default is 60
 ];
 ```
 
@@ -58,14 +53,17 @@ $config = [
 ```php
 use Hejunjie\EncryptedRequest\EncryptedRequestHandler;
 
-$param = $_POST; // Fetch frontend request parameters
+$params = $_POST; // Obtain front-end request parameters
+
+$config = ['RSA_PRIVATE_KEY' => 'your-private-key']; // Not needed if using .env
 
-$handler = new EncryptedRequestHandler();
+$handler = new EncryptedRequestHandler($config);
 try {
     $data = $handler->handle(
-        $param['en_data'] ?? '',
-        $param['timestamp'] ?? '',
-        $param['sign'] ?? ''
+        $params['en_data'] ?? '',
+        $params['enc_payload'] ?? '',
+        $params['timestamp'] ?? '',
+        $params['sign'] ?? ''
     );
     // $data contains the decrypted array
 } catch (\Hejunjie\EncryptedRequest\Exceptions\SignatureException $e) {
@@ -77,67 +75,28 @@ try {
 }
 ```
 
-### Custom Decryptor
-
-> In most cases, if your `AES_KEY`, `AES_IV`, and `APP_KEY` remain confidential, the default AES-128-CBC decryption is sufficient for secure API communication.
-
-> Custom decryptors are mainly for special scenarios, such as using a completely different encryption algorithm or requiring higher security standards.
+## Front-end Integration
 
-> If your project demands extremely high confidentiality, it is recommended to design your own encryption rules rather than relying solely on the default AES implementation.
-
-```php
-class MyCustomDecryptor implements \Hejunjie\EncryptedRequest\Contracts\DecryptorInterface
-{
-    /**
-     * Decrypt method
-     *
-     * @param string $data Encrypted data
-     *
-     * @return array Decrypted array
-     * @throws \Hejunjie\EncryptedRequest\Exceptions\DecryptionException
-     */
-    public function decrypt(string $data): array
-    {
-        // Custom decryption logic
-    }
-}
-
-$customDecryptor = new MyCustomDecryptor();
-$handler = new EncryptedRequestHandler($customDecryptor);
-```
-
-## Frontend Integration
-
-Frontend can use the [hejunjie-encrypted-request](https://github.com/zxc7563598/npm-encrypted-request) npm package to generate encrypted data and send it to the PHP backend:
+The front-end uses the [hejunjie-encrypted-request](https://github.com/zxc7563598/npm-encrypted-request) npm package to generate encrypted data and send it to the PHP back-end:
 
 ```typescript
 import { encryptRequest } from "hejunjie-encrypted-request";
 
 const encrypted = encryptRequest(
   { message: "Hello" },
   {
-    appKey: "your-app-key",
-    aesKey: "your-aes-key",
-    aesIv: "your-aes-iv",
-    token: "your-token",
+    rsaPubKey: "your-public-key",
   }
 );
 ```
 
-The PHP backend can directly use `EncryptedRequestHandler` to decrypt.
-
-## Notes
-
-1. AES key and IV must be 16 characters.
-2. Timestamp is in seconds; `DEFAULT_TIMESTAMP_DIFF` is the maximum allowed difference. Be mindful of time zones.
-3. Frontend `appKey`, `aesKey`, and `aesIv` must match backend, otherwise signature verification will fail.
-4. ​`token` is optional and will be passed together with encrypted data.
+The PHP back-end can directly decrypt using `EncryptedRequestHandler`.
 
 ## Compatibility
 
 - PHP \>\= 8.1
-- Compatible with any PSR-4 autoloading framework or plain PHP project
+- Works with any PSR-4 autoloading framework or plain PHP project
 
 ## Development & Contribution
 
-Feel free to submit issues or pull requests, contribute new decryptors, optimize functionality, or add examples.
+Contributions are welcome! Submit issues or pull requests to add new decoders, optimize features, or provide examples.
diff --git a/README.zh-CN.md b/README.zh-CN.md
@@ -15,11 +15,12 @@ PHP 请求加密处理工具包，用于快速实现安全的前后端通信。
 
 ## 功能特性
 
-- 🔐 AES-128-CBC 解密前端加密数据，防止数据泄露
+- ♾️ 混合加密，AES 密钥随机生成，前端不需要存储固定密钥，提高安全性
+- 🔐 AES-128-CBC 解密前端加密数据，防止数据泄露，后端只需配置 RSA 私钥即可
 - ✍️ 动态 MD5 签名校验，防止伪造签名
 - ⏰ 秒级时间戳验证，可自定义误差范围，防止劫持请求
 - ⚙️ 支持通过 `.env` 或数组传入配置
-- 🧩 可扩展自定义解密器
+- 🧠 对代码改动极小，配套 npm 无需关注原理即可安全传输数据
 
 ## 安装
 
@@ -32,22 +33,16 @@ composer require hejunjie/encrypted-request
 可以通过 `.env` 文件配置：
 
 ```dotenv
-APP_KEY=your-app-key
+RSA_PRIVATE_KEY=your-private-key
 DEFAULT_TIMESTAMP_DIFF=60
-
-# 自定义解密器时可不传
-AES_KEY=your-aes-key
-AES_IV=your-aes-iv
 ```
 
 也可以通过数组直接传入：
 
 ```php
 $config = [
-    'APP_KEY' => 'your-app-key', // 必传，签名密钥，用于接口签名校验（32位字母或数字）
-    'DEFAULT_TIMESTAMP_DIFF' => 60, // 必传，用于验证请求是否过期，秒级
-    'AES_KEY' => 'your-aes-key', // 非必传，AES 加密的密钥（16位），自定义解密器时可不传
-    'AES_IV' => 'your-aes-iv' // 非必传，AES 加密的初始化向量（16位），自定义解密器时可不传
+    'RSA_PRIVATE_KEY' => 'your-private-key', // 私钥字符串（包含 -----BEGIN PRIVATE KEY-----）
+    'DEFAULT_TIMESTAMP_DIFF' => 60, // 非必传，用于验证请求是否过期，秒级，默认60
 ];
 ```
 
@@ -60,10 +55,13 @@ use Hejunjie\EncryptedRequest\EncryptedRequestHandler;
 
 $param = $_POST; // 自行获取前端请求的参数
 
-$handler = new EncryptedRequestHandler();
+$config = ['RSA_PRIVATE_KEY' => 'your-private-key']; // 如果通过.env配置则无需在此处传递
+
+$handler = new EncryptedRequestHandler($config);
 try {
     $data = $handler->handle(
         $param['en_data'] ?? '',
+        $param['enc_payload'] ?? '',
         $param['timestamp'] ?? '',
         $param['sign'] ?? ''
     );
@@ -77,35 +75,6 @@ try {
 }
 ```
 
-### 自定义解密器
-
-> 实际上，对于绝大多数场景，如果你的 AES_KEY、AES_IV 和 APP_KEY 保密，默认的 AES-128-CBC 解密已经足够满足接口数据加密的需求。
-
-> 自定义解密器主要适用于特殊场景，比如需要使用完全不同的加密算法或对加密规则有更高安全要求。
-
-> 如果你的项目对保密性有极高要求，建议自行设计和实现接口数据的加密规则，而不是使用公开方案。
-
-```php
-class MyCustomDecryptor implements \Hejunjie\EncryptedRequest\Contracts\DecryptorInterface
-{
-    /**
-     * 解密方法
-     *
-     * @param string $data 加密数据
-     *
-     * @return array 解密后的数组
-     * @throws \Hejunjie\EncryptedRequest\Exceptions\DecryptionException
-     */
-    public function decrypt(string $data): array
-    {
-        // 自定义解密逻辑
-    }
-}
-
-$customDecryptor = new MyCustomDecryptor();
-$handler = new EncryptedRequestHandler($customDecryptor);
-```
-
 ## 前端配合
 
 前端使用 [hejunjie-encrypted-request](https://github.com/zxc7563598/npm-encrypted-request) npm 包生成加密数据，并发送给 PHP 后端：
@@ -116,23 +85,13 @@ import { encryptRequest } from "hejunjie-encrypted-request";
 const encrypted = encryptRequest(
   { message: "Hello" },
   {
-    appKey: "your-app-key",
-    aesKey: "your-aes-key",
-    aesIv: "your-aes-iv",
-    token: "your-token",
+    rsaPubKey: "your-public-key",
   }
 );
 ```
 
 PHP 后端直接使用 `EncryptedRequestHandler` 解密即可。
 
-## 注意事项
-
-1. AES 密钥和向量必须为 16 位。
-2. 时间戳单位为秒，`DEFAULT_TIMESTAMP_DIFF` 为允许的最大时间差；需要注意时区问题。
-3. 前端 `appKey` / `aesKey` / `aesIv` 与后端保持一致，否则签名验证失败。
-4. ​`token` 可选，会与密文一起传给 PHP 后端
-
 ## 兼容性
 
 - PHP \>\= 8.1
