Tighten WeChat payment resume flow

2026-05-05 13:40:44 +08:00 · 2026-04-21 00:33:23 +08:00
parent 1521d50399
commit 55e8dd550a
15 changed files with 514 additions and 98 deletions
--- a/frontend/src/views/auth/WechatPaymentCallbackView.vue
+++ b/frontend/src/views/auth/WechatPaymentCallbackView.vue
@@ -114,23 +114,17 @@ onMounted(async () => {
    return
  }

-  const openid = readParam('openid')
-  const state = readParam('state')
-  const scope = readParam('scope')
-  const paymentType = readParam('payment_type')
-  const amount = readParam('amount')
-  const orderType = readParam('order_type')
-  const planId = readParam('plan_id')
+  const resumeToken = readParam('wechat_resume_token')
  const redirectURL = new URL(
    normalizeRedirectPath(readParam('redirect')),
    window.location.origin,
  )

-  if (!openid) {
+  if (!resumeToken) {
    errorMessage.value = textWithFallback(
-      'auth.wechatPayment.callbackMissingOpenId',
-      '微信支付回调缺少 openid。',
-      'The WeChat payment callback is missing the openid.',
+      'auth.wechatPayment.callbackMissingResumeToken',
+      '微信支付回调缺少恢复令牌。',
+      'The WeChat payment callback is missing the resume token.',
    )
    return
  }
@@ -138,14 +132,8 @@ onMounted(async () => {
  const query: Record<string, string> = {
    ...Object.fromEntries(redirectURL.searchParams.entries()),
    wechat_resume: '1',
-    openid,
+    wechat_resume_token: resumeToken,
  }
-  if (state) query.state = state
-  if (scope) query.scope = scope
-  if (paymentType) query.payment_type = paymentType
-  if (amount) query.amount = amount
-  if (orderType) query.order_type = orderType
-  if (planId) query.plan_id = planId

  await router.replace({
    path: redirectURL.pathname,
--- a/frontend/src/views/auth/tests/WechatPaymentCallbackView.spec.ts
+++ b/frontend/src/views/auth/tests/WechatPaymentCallbackView.spec.ts
@@ -49,8 +49,8 @@ describe('WechatPaymentCallbackView', () => {
    })
  })

-  it('redirects back to purchase with openid and payment context from hash fragment', async () => {
-    locationState.current.hash = '#openid=openid-123&payment_type=wxpay&amount=12.5&order_type=balance&redirect=%2Fpurchase%3Ffrom%3Dwechat'
+  it('redirects back to purchase with an opaque resume token from hash fragment', async () => {
+    locationState.current.hash = '#wechat_resume_token=resume-token-123&redirect=%2Fpurchase%3Ffrom%3Dwechat'

    mount(WechatPaymentCallbackView)
    await flushPromises()
@@ -60,21 +60,18 @@ describe('WechatPaymentCallbackView', () => {
      query: {
        from: 'wechat',
        wechat_resume: '1',
-        openid: 'openid-123',
-        payment_type: 'wxpay',
-        amount: '12.5',
-        order_type: 'balance',
+        wechat_resume_token: 'resume-token-123',
      },
    })
  })

-  it('shows an error when the callback payload is missing openid', async () => {
+  it('shows an error when the callback payload is missing the resume token', async () => {
    locationState.current.hash = '#payment_type=wxpay'

    const wrapper = mount(WechatPaymentCallbackView)
    await flushPromises()

    expect(replaceMock).not.toHaveBeenCalled()
-    expect(wrapper.text()).toContain('微信支付回调缺少 openid。')
+    expect(wrapper.text()).toContain('微信支付回调缺少恢复令牌。')
  })
 })