import * as fs from 'fs' import * as path from 'path' import * as crypto from 'crypto' import axios from 'axios' import { Injectable, Logger } from '@nestjs/common' const MCHID = process.env.WX_MCHID const API_V3_KEY = process.env.WX_API_V3_KEY const NOTIFY_URL = process.env.WX_NOTIFY_URL const APPID = process.env.WX_APPID const WX_API_BASE = 'https://api.mch.weixin.qq.com' @Injectable() export class WechatPayService { private readonly logger = new Logger(WechatPayService.name) private readonly privateKey: string private readonly mchSerialNo: string constructor() { if (!MCHID || !API_V3_KEY || !APPID) { this.logger.warn('微信支付配置不完整,支付功能不可用') } const certDir = path.resolve(__dirname, '../../certs') if (!fs.existsSync(certDir)) { this.logger.error(`证书目录不存在: ${certDir}`) return } this.privateKey = fs.readFileSync(path.join(certDir, 'apiclient_key.pem'), 'utf8') const cert = fs.readFileSync(path.join(certDir, 'apiclient_cert.pem'), 'utf8') const certObj = new crypto.X509Certificate(cert) this.mchSerialNo = certObj.serialNumber this.logger.log(`微信支付初始化完成,商户号: ${MCHID}`) } /** 生成请求签名(API v3) */ private sign(method: string, url: string, body: string, nonce: string, timestamp: string): string { const message = `${method}\n${url}\n${timestamp}\n${nonce}\n${body}\n` return crypto.createSign('RSA-SHA256').update(message).sign(this.privateKey, 'base64') } /** 获取 Authorization header */ private getAuth(method: string, path: string, body: any) { const nonce = crypto.randomBytes(16).toString('hex') const timestamp = Math.floor(Date.now() / 1000).toString() const bodyStr = body ? JSON.stringify(body) : '' const signature = this.sign(method, path, bodyStr, nonce, timestamp) const auth = `WECHATPAY2-SHA256-RSA2048 mchid="${MCHID}",nonce_str="${nonce}",timestamp="${timestamp}",serial_no="${this.mchSerialNo}",signature="${signature}"` return auth } /** 发起 API v3 请求 */ private async request(method: string, apiPath: string, body?: any) { const url = `${WX_API_BASE}${apiPath}` const bodyStr = body ? JSON.stringify(body) : '' this.logger.log(`[wxpay-request] ${method} ${apiPath} 请求体: ${bodyStr}`) try { const res = await axios({ method, url, headers: { 'Authorization': this.getAuth(method, apiPath, body || ''), 'Content-Type': 'application/json', 'Accept': 'application/json', 'User-Agent': 'zhiyin-backend/1.0', }, data: body, }) this.logger.log(`[wxpay-request] ${method} ${apiPath} 成功: ${JSON.stringify(res.data)}`) return res.data } catch (e: any) { const errDetail = e.response?.data ? JSON.stringify(e.response.data) : e.message const errStatus = e.response?.status || '无状态码' this.logger.error(`[wxpay-request] ${method} ${apiPath} 失败 status=${errStatus}: ${errDetail}`) throw e } } /** Native 支付:获取二维码链接 */ async nativePay(description: string, outTradeNo: string, amount: number, openid?: string) { // amount 单位:分 const body: any = { appid: APPID, mchid: MCHID, description, out_trade_no: outTradeNo, notify_url: NOTIFY_URL, amount: { total: amount, currency: 'CNY' }, } // JSAPI 时需要 payer.openid if (openid) body.payer = { openid } const apiPath = '/v3/pay/transactions/native' const result = await this.request('POST', apiPath, body) return { codeUrl: result.code_url, outTradeNo } } /** JSAPI 支付:获取调起支付的参数 */ async jsapiPay(description: string, outTradeNo: string, amount: number, openid: string) { const body = { appid: APPID, mchid: MCHID, description, out_trade_no: outTradeNo, notify_url: NOTIFY_URL, amount: { total: amount, currency: 'CNY' }, payer: { openid }, } this.logger.log(`[jsapiPay] 下单参数: description=${description}, outTradeNo=${outTradeNo}, amount=${amount}, openid=${openid}`) this.logger.log(`[jsapiPay] 完整请求体: ${JSON.stringify(body)}`) const result = await this.request('POST', '/v3/pay/transactions/jsapi', body) this.logger.log(`[jsapiPay] 微信返回: ${JSON.stringify(result)}`) const prepayId = result.prepay_id if (!prepayId) { this.logger.error(`[jsapiPay] 微信返回缺少prepay_id: ${JSON.stringify(result)}`) throw new Error('微信下单失败: 缺少prepay_id') } // 生成小程序/JSAPI 调起支付参数 const nonce = crypto.randomBytes(16).toString('hex') const timestamp = Math.floor(Date.now() / 1000).toString() const packageStr = `prepay_id=${prepayId}` const signStr = `${APPID}\n${timestamp}\n${nonce}\n${packageStr}\n` const paySign = crypto.createSign('RSA-SHA256').update(signStr).sign(this.privateKey, 'base64') return { prepayId, payParams: { appId: APPID, timeStamp: timestamp, nonceStr: nonce, package: packageStr, signType: 'RSA', paySign, }, } } /** 验证并解密回调通知 */ verifyAndDecrypt(body: any, wechatSignature: string, wechatTimestamp: string, wechatNonce: string, returnRaw?: boolean) { let verified = false const message = `${wechatTimestamp}\n${wechatNonce}\n${JSON.stringify(body)}\n` const certDir = path.resolve(__dirname, '../../certs') const pemPath = path.join(certDir, 'pub_key.pem') if (fs.existsSync(pemPath)) { const platformCert = fs.readFileSync(pemPath, 'utf8') const verify = crypto.createVerify('RSA-SHA256').update(message) verified = verify.verify(platformCert, wechatSignature, 'base64') } else { this.logger.warn('pub_key.pem 不存在,跳过验签') } if (!verified) { this.logger.warn(`微信支付回调验签失败 — 请从商户平台下载最新公钥覆盖 pub_key.pem (https://pay.weixin.qq.com/)`) } // 2. 解密 resource(解密不依赖公钥,即使验签失败也尝试解密) try { const resource = body.resource const ciphertext = Buffer.from(resource.ciphertext, 'base64') const associatedData = resource.associated_data || '' const nonce = resource.nonce const key = API_V3_KEY if (!key) throw new Error('WX_API_V3_KEY 未配置') const authTag = ciphertext.subarray(ciphertext.length - 16) const data = ciphertext.subarray(0, ciphertext.length - 16) const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), nonce) decipher.setAAD(Buffer.from(associatedData)) decipher.setAuthTag(authTag) const decrypted = decipher.update(data) + decipher.final('utf8') const parsed = JSON.parse(decrypted) if (returnRaw) return parsed if (!verified) return null return parsed } catch (e) { this.logger.error(`解密回调 resource 失败: ${e.message}`) return null } } /** 查询订单 */ async queryOrder(outTradeNo: string) { return this.request('GET', `/v3/pay/transactions/out-trade-no/${outTradeNo}?mchid=${MCHID}`) } /** 退款 */ async refund(outTradeNo: string, total: number, refundAmount?: number, reason?: string) { const body: any = { out_trade_no: outTradeNo, out_refund_no: `RF${Date.now()}`, amount: { refund: refundAmount || total, total, currency: 'CNY' }, } if (reason) body.reason = reason return this.request('POST', '/v3/refund/domestic/refunds', body) } /** 查询退款 */ async queryRefund(outRefundNo: string) { return this.request('GET', `/v3/refund/domestic/refunds/${outRefundNo}`) } /** 下载微信平台证书(首次部署/证书过期时调用) */ async downloadPlatformCerts(): Promise { if (!API_V3_KEY) throw new Error('WX_API_V3_KEY 未配置') const certs = await this.request('GET', '/v3/certificates') const downloaded: string[] = [] const certDir = path.resolve(__dirname, '../../certs') if (!fs.existsSync(certDir)) fs.mkdirSync(certDir, { recursive: true }) for (const item of certs.data || []) { const { serial_no, effective_time, expire_time, encrypt_certificate } = item const { algorithm, nonce, associated_data, ciphertext } = encrypt_certificate if (algorithm !== 'AEAD_AES_256_GCM' || !nonce) continue const cipherBuf = Buffer.from(ciphertext, 'base64') const authTag = cipherBuf.subarray(cipherBuf.length - 16) const data = cipherBuf.subarray(0, cipherBuf.length - 16) const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(API_V3_KEY), nonce) decipher.setAAD(Buffer.from(associated_data)) decipher.setAuthTag(authTag) const decrypted = decipher.update(data) + decipher.final('utf8') const pemPath = path.join(certDir, 'pub_key.pem') fs.writeFileSync(pemPath, decrypted) downloaded.push(serial_no) this.logger.log(`微信平台证书已更新: ${serial_no}, 有效期至 ${expire_time}`) } return downloaded } }