txai-dev/zhiyin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
310176a11b9753d611340fc5ac5093a4deba13ea
zhiyin/backend/src/modules/payment/wechat-pay.service.ts
T

225 lines
9.0 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import * as fs from 'fs'
import * as path from 'path'
import * as crypto from 'crypto'
import axios from 'axios'
import { Injectable, Logger } from '@nestjs/common'
const MCHID = process.env.WX_MCHID
const API_V3_KEY = process.env.WX_API_V3_KEY
const NOTIFY_URL = process.env.WX_NOTIFY_URL
const APPID = process.env.WX_APPID
const WX_API_BASE = 'https://api.mch.weixin.qq.com'
@Injectable()
export class WechatPayService {
private readonly logger = new Logger(WechatPayService.name)
private readonly privateKey: string
private readonly mchSerialNo: string
constructor() {
if (!MCHID || !API_V3_KEY || !APPID) {
this.logger.warn('微信支付配置不完整,支付功能不可用')
}
const certDir = path.resolve(__dirname, '../../certs')
if (!fs.existsSync(certDir)) {
this.logger.error(`证书目录不存在: ${certDir}`)
return
}
this.privateKey = fs.readFileSync(path.join(certDir, 'apiclient_key.pem'), 'utf8')
const cert = fs.readFileSync(path.join(certDir, 'apiclient_cert.pem'), 'utf8')
const certObj = new crypto.X509Certificate(cert)
this.mchSerialNo = certObj.serialNumber
this.logger.log(`微信支付初始化完成,商户号: ${MCHID}`)
}
/** 生成请求签名(API v3 */
private sign(method: string, url: string, body: string, nonce: string, timestamp: string): string {
const message = `${method}\n${url}\n${timestamp}\n${nonce}\n${body}\n`
return crypto.createSign('RSA-SHA256').update(message).sign(this.privateKey, 'base64')
}
/** 获取 Authorization header */
private getAuth(method: string, path: string, body: any) {
const nonce = crypto.randomBytes(16).toString('hex')
const timestamp = Math.floor(Date.now() / 1000).toString()
const bodyStr = body ? JSON.stringify(body) : ''
const signature = this.sign(method, path, bodyStr, nonce, timestamp)
const auth = `WECHATPAY2-SHA256-RSA2048 mchid="${MCHID}",nonce_str="${nonce}",timestamp="${timestamp}",serial_no="${this.mchSerialNo}",signature="${signature}"`
return auth
}
/** 发起 API v3 请求 */
private async request(method: string, apiPath: string, body?: any) {
const url = `${WX_API_BASE}${apiPath}`
const bodyStr = body ? JSON.stringify(body) : ''
this.logger.log(`[wxpay-request] ${method} ${apiPath} 请求体: ${bodyStr}`)
try {
const res = await axios({
method,
url,
headers: {
'Authorization': this.getAuth(method, apiPath, body || ''),
'Content-Type': 'application/json',
'Accept': 'application/json',
'User-Agent': 'zhiyin-backend/1.0',
},
data: body,
})
this.logger.log(`[wxpay-request] ${method} ${apiPath} 成功: ${JSON.stringify(res.data)}`)
return res.data
} catch (e: any) {
const errDetail = e.response?.data ? JSON.stringify(e.response.data) : e.message
const errStatus = e.response?.status || '无状态码'
this.logger.error(`[wxpay-request] ${method} ${apiPath} 失败 status=${errStatus}: ${errDetail}`)
throw e
}
}
/** Native 支付:获取二维码链接 */
async nativePay(description: string, outTradeNo: string, amount: number, openid?: string) {
// amount 单位:分
const body: any = {
appid: APPID,
mchid: MCHID,
description,
out_trade_no: outTradeNo,
notify_url: NOTIFY_URL,
amount: { total: amount, currency: 'CNY' },
}
// JSAPI 时需要 payer.openid
if (openid) body.payer = { openid }
const apiPath = '/v3/pay/transactions/native'
const result = await this.request('POST', apiPath, body)
return { codeUrl: result.code_url, outTradeNo }
}
/** JSAPI 支付:获取调起支付的参数 */
async jsapiPay(description: string, outTradeNo: string, amount: number, openid: string) {
const body = {
appid: APPID,
mchid: MCHID,
description,
out_trade_no: outTradeNo,
notify_url: NOTIFY_URL,
amount: { total: amount, currency: 'CNY' },
payer: { openid },
}
this.logger.log(`[jsapiPay] 下单参数: description=${description}, outTradeNo=${outTradeNo}, amount=${amount}, openid=${openid}`)
this.logger.log(`[jsapiPay] 完整请求体: ${JSON.stringify(body)}`)
const result = await this.request('POST', '/v3/pay/transactions/jsapi', body)
this.logger.log(`[jsapiPay] 微信返回: ${JSON.stringify(result)}`)
const prepayId = result.prepay_id
if (!prepayId) {
this.logger.error(`[jsapiPay] 微信返回缺少prepay_id: ${JSON.stringify(result)}`)
throw new Error('微信下单失败: 缺少prepay_id')
}
// 生成小程序/JSAPI 调起支付参数
const nonce = crypto.randomBytes(16).toString('hex')
const timestamp = Math.floor(Date.now() / 1000).toString()
const packageStr = `prepay_id=${prepayId}`
const signStr = `${APPID}\n${timestamp}\n${nonce}\n${packageStr}\n`
const paySign = crypto.createSign('RSA-SHA256').update(signStr).sign(this.privateKey, 'base64')
return {
prepayId,
payParams: {
appId: APPID,
timeStamp: timestamp,
nonceStr: nonce,
package: packageStr,
signType: 'RSA',
paySign,
},
}
}
/** 验证并解密回调通知 */
verifyAndDecrypt(body: any, wechatSignature: string, wechatTimestamp: string, wechatNonce: string, returnRaw?: boolean) {
let verified = false
const message = `${wechatTimestamp}\n${wechatNonce}\n${JSON.stringify(body)}\n`
const certDir = path.resolve(__dirname, '../../certs')
const pemPath = path.join(certDir, 'pub_key.pem')
if (fs.existsSync(pemPath)) {
const platformCert = fs.readFileSync(pemPath, 'utf8')
const verify = crypto.createVerify('RSA-SHA256').update(message)
verified = verify.verify(platformCert, wechatSignature, 'base64')
} else {
this.logger.warn('pub_key.pem 不存在,跳过验签')
}
if (!verified) {
this.logger.warn(`微信支付回调验签失败 — 请从商户平台下载最新公钥覆盖 pub_key.pem (https://pay.weixin.qq.com/)`)
}
// 2. 解密 resource(解密不依赖公钥,即使验签失败也尝试解密)
try {
const resource = body.resource
const ciphertext = Buffer.from(resource.ciphertext, 'base64')
const associatedData = resource.associated_data || ''
const nonce = resource.nonce
const key = API_V3_KEY
if (!key) throw new Error('WX_API_V3_KEY 未配置')
const authTag = ciphertext.subarray(ciphertext.length - 16)
const data = ciphertext.subarray(0, ciphertext.length - 16)
const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), nonce)
decipher.setAAD(Buffer.from(associatedData))
decipher.setAuthTag(authTag)
const decrypted = decipher.update(data) + decipher.final('utf8')
const parsed = JSON.parse(decrypted)
if (returnRaw) return parsed
if (!verified) return null
return parsed
} catch (e) {
this.logger.error(`解密回调 resource 失败: ${e.message}`)
return null
}
}
/** 查询订单 */
async queryOrder(outTradeNo: string) {
return this.request('GET', `/v3/pay/transactions/out-trade-no/${outTradeNo}?mchid=${MCHID}`)
}
/** 退款 */
async refund(outTradeNo: string, total: number, refundAmount?: number, reason?: string) {
const body: any = {
out_trade_no: outTradeNo,
out_refund_no: `RF${Date.now()}`,
amount: { refund: refundAmount || total, total, currency: 'CNY' },
}
if (reason) body.reason = reason
return this.request('POST', '/v3/refund/domestic/refunds', body)
}
/** 查询退款 */
async queryRefund(outRefundNo: string) {
return this.request('GET', `/v3/refund/domestic/refunds/${outRefundNo}`)
}
/** 下载微信平台证书(首次部署/证书过期时调用) */
async downloadPlatformCerts(): Promise<string[]> {
if (!API_V3_KEY) throw new Error('WX_API_V3_KEY 未配置')
const certs = await this.request('GET', '/v3/certificates')
const downloaded: string[] = []
const certDir = path.resolve(__dirname, '../../certs')
if (!fs.existsSync(certDir)) fs.mkdirSync(certDir, { recursive: true })
for (const item of certs.data || []) {
const { serial_no, effective_time, expire_time, encrypt_certificate } = item
const { algorithm, nonce, associated_data, ciphertext } = encrypt_certificate
if (algorithm !== 'AEAD_AES_256_GCM' || !nonce) continue
const cipherBuf = Buffer.from(ciphertext, 'base64')
const authTag = cipherBuf.subarray(cipherBuf.length - 16)
const data = cipherBuf.subarray(0, cipherBuf.length - 16)
const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(API_V3_KEY), nonce)
decipher.setAAD(Buffer.from(associated_data))
decipher.setAuthTag(authTag)
const decrypted = decipher.update(data) + decipher.final('utf8')
const pemPath = path.join(certDir, 'pub_key.pem')
fs.writeFileSync(pemPath, decrypted)
downloaded.push(serial_no)
this.logger.log(`微信平台证书已更新: ${serial_no}, 有效期至 ${expire_time}`)
}
return downloaded
}
}
Reference in New Issue View Git Blame Copy Permalink