初始化：职引项目 v1.0

backend/src/modules/payment/wechat-pay.service.ts

@@ -0,0 +1,152 @@
+import * as fs from 'fs'
+import * as path from 'path'
+import * as crypto from 'crypto'
+import axios from 'axios'
+import { Injectable, Logger } from '@nestjs/common'
+
+const MCHID = process.env.WX_MCHID
+const API_V3_KEY = process.env.WX_API_V3_KEY
+const NOTIFY_URL = process.env.WX_NOTIFY_URL
+const APPID = process.env.WX_APPID
+const WX_API_BASE = 'https://api.mch.weixin.qq.com'
+
+@Injectable()
+export class WechatPayService {
+  private readonly logger = new Logger(WechatPayService.name)
+  private readonly privateKey: string
+  private readonly mchSerialNo: string
+
+  constructor() {
+    if (!MCHID || !API_V3_KEY || !APPID) {
+      this.logger.warn('微信支付配置不完整，支付功能不可用')
+    }
+    const certDir = path.resolve(__dirname, '../../certs')
+    this.privateKey = fs.readFileSync(path.join(certDir, 'apiclient_key.pem'), 'utf8')
+    // 从证书中提取序列号
+    const cert = fs.readFileSync(path.join(certDir, 'apiclient_cert.pem'), 'utf8')
+    const certObj = new crypto.X509Certificate(cert)
+    this.mchSerialNo = certObj.serialNumber
+    this.logger.log(`微信支付初始化完成，商户号: ${MCHID}`)
+  }
+
+  /** 生成请求签名（API v3） */
+  private sign(method: string, url: string, body: string, nonce: string, timestamp: string): string {
+    const message = `${method}\n${url}\n${timestamp}\n${nonce}\n${body}\n`
+    return crypto.createSign('RSA-SHA256').update(message).sign(this.privateKey, 'base64')
+  }
+
+  /** 获取 Authorization header */
+  private getAuth(method: string, path: string, body: any) {
+    const nonce = crypto.randomBytes(16).toString('hex')
+    const timestamp = Math.floor(Date.now() / 1000).toString()
+    const bodyStr = body ? JSON.stringify(body) : ''
+    const signature = this.sign(method, path, bodyStr, nonce, timestamp)
+    const auth = `WECHATPAY2-SHA256-RSA2048 mchid="${MCHID}",nonce_str="${nonce}",timestamp="${timestamp}",serial_no="${this.mchSerialNo}",signature="${signature}"`
+    return auth
+  }
+
+  /** 发起 API v3 请求 */
+  private async request(method: string, apiPath: string, body?: any) {
+    const url = `${WX_API_BASE}${apiPath}`
+    try {
+      const res = await axios({
+        method,
+        url,
+        headers: {
+          'Authorization': this.getAuth(method, apiPath, body || ''),
+          'Content-Type': 'application/json',
+          'Accept': 'application/json',
+          'User-Agent': 'zhiyin-backend/1.0',
+        },
+        data: body,
+      })
+      return res.data
+    } catch (e: any) {
+      this.logger.error(`微信支付请求失败: ${method} ${apiPath}`, e.response?.data || e.message)
+      throw e
+    }
+  }
+
+  /** Native 支付：获取二维码链接 */
+  async nativePay(description: string, outTradeNo: string, amount: number, openid?: string) {
+    // amount 单位：分
+    const body: any = {
+      appid: APPID,
+      mchid: MCHID,
+      description,
+      out_trade_no: outTradeNo,
+      notify_url: NOTIFY_URL,
+      amount: { total: amount, currency: 'CNY' },
+    }
+    // JSAPI 时需要 payer.openid
+    if (openid) body.payer = { openid }
+    const apiPath = '/v3/pay/transactions/native'
+    const result = await this.request('POST', apiPath, body)
+    return { codeUrl: result.code_url, outTradeNo }
+  }
+
+  /** JSAPI 支付：获取调起支付的参数 */
+  async jsapiPay(description: string, outTradeNo: string, amount: number, openid: string) {
+    const body = {
+      appid: APPID,
+      mchid: MCHID,
+      description,
+      out_trade_no: outTradeNo,
+      notify_url: NOTIFY_URL,
+      amount: { total: amount, currency: 'CNY' },
+      payer: { openid },
+    }
+    const result = await this.request('POST', '/v3/pay/transactions/jsapi', body)
+    const prepayId = result.prepay_id
+    // 生成小程序/JSAPI 调起支付参数
+    const nonce = crypto.randomBytes(16).toString('hex')
+    const timestamp = Math.floor(Date.now() / 1000).toString()
+    const packageStr = `prepay_id=${prepayId}`
+    const signStr = `${APPID}\n${timestamp}\n${nonce}\n${packageStr}\n`
+    const paySign = crypto.createSign('RSA-SHA256').update(signStr).sign(this.privateKey, 'base64')
+    return {
+      prepayId,
+      payParams: {
+        appId: APPID,
+        timeStamp: timestamp,
+        nonceStr: nonce,
+        package: packageStr,
+        signType: 'RSA',
+        paySign,
+      },
+    }
+  }
+
+  /** 验证并解密回调通知 */
+  verifyAndDecrypt(body: any, wechatSignature: string, wechatTimestamp: string, wechatNonce: string) {
+    // 1. 验签
+    const message = `${wechatTimestamp}\n${wechatNonce}\n${JSON.stringify(body)}\n`
+    const certDir = path.resolve(__dirname, '../../certs')
+    const platformCert = fs.readFileSync(path.join(certDir, 'pub_key.pem'), 'utf8')
+    const verify = crypto.createVerify('RSA-SHA256').update(message)
+    const isValid = verify.verify(platformCert, wechatSignature, 'base64')
+    if (!isValid) {
+      this.logger.warn('微信支付回调验签失败')
+      return null
+    }
+    // 2. 解密 resource
+    const resource = body.resource
+    const ciphertext = Buffer.from(resource.ciphertext, 'base64')
+    const associatedData = resource.associated_data || ''
+    const nonce = resource.nonce
+    const key = API_V3_KEY
+    // AES-256-GCM 解密
+    const authTag = ciphertext.subarray(ciphertext.length - 16)
+    const data = ciphertext.subarray(0, ciphertext.length - 16)
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce)
+    decipher.setAAD(Buffer.from(associatedData))
+    decipher.setAuthTag(authTag)
+    const decrypted = decipher.update(data) + decipher.final('utf8')
+    return JSON.parse(decrypted)
+  }
+
+  /** 查询订单 */
+  async queryOrder(outTradeNo: string) {
+    return this.request('GET', `/v3/pay/transactions/out-trade-no/${outTradeNo}?mchid=${MCHID}`)
+  }
+}