fix: harden alipay direct pay flow

2026-03-10 11:52:37 +08:00
parent 2492031e13
commit 8b10bc3bd5
30 changed files with 1893 additions and 437 deletions
--- a/src/lib/alipay/provider.ts
+++ b/src/lib/alipay/provider.ts
@@ -11,7 +11,58 @@ import type {
 import { pageExecute, execute } from './client';
 import { verifySign } from './sign';
 import { getEnv } from '@/lib/config';
-import type { AlipayTradeQueryResponse, AlipayTradeRefundResponse, AlipayTradeCloseResponse } from './types';
+import type {
+  AlipayTradeQueryResponse,
+  AlipayTradeRefundResponse,
+  AlipayTradeCloseResponse,
+} from './types';
+import { parseAlipayNotificationParams } from './codec';
+
+export interface BuildAlipayPaymentUrlInput {
+  orderId: string;
+  amount: number;
+  subject: string;
+  notifyUrl?: string;
+  returnUrl?: string | null;
+  isMobile?: boolean;
+}
+
+function isTradeNotExistError(error: unknown): boolean {
+  if (!(error instanceof Error)) return false;
+  return error.message.includes('[ACQ.TRADE_NOT_EXIST]');
+}
+
+function getRequiredParam(params: Record<string, string>, key: string): string {
+  const value = params[key]?.trim();
+  if (!value) {
+    throw new Error(`Alipay notification missing required field: ${key}`);
+  }
+  return value;
+}
+
+export function buildAlipayPaymentUrl(input: BuildAlipayPaymentUrlInput): string {
+  const method = input.isMobile ? 'alipay.trade.wap.pay' : 'alipay.trade.page.pay';
+  const productCode = input.isMobile ? 'QUICK_WAP_WAY' : 'FAST_INSTANT_TRADE_PAY';
+
+  return pageExecute(
+    {
+      out_trade_no: input.orderId,
+      product_code: productCode,
+      total_amount: input.amount.toFixed(2),
+      subject: input.subject,
+    },
+    {
+      notifyUrl: input.notifyUrl,
+      returnUrl: input.returnUrl,
+      method,
+    },
+  );
+}
+
+export function buildAlipayEntryUrl(orderId: string): string {
+  const env = getEnv();
+  return new URL(`/pay/${orderId}`, env.NEXT_PUBLIC_APP_URL).toString();
+}

 export class AlipayProvider implements PaymentProvider {
  readonly name = 'alipay-direct';
@@ -22,42 +73,43 @@ export class AlipayProvider implements PaymentProvider {
  };

  async createPayment(request: CreatePaymentRequest): Promise<CreatePaymentResponse> {
-    const buildPayUrl = (mobile: boolean) => {
-      const method = mobile ? 'alipay.trade.wap.pay' : 'alipay.trade.page.pay';
-      const productCode = mobile ? 'QUICK_WAP_WAY' : 'FAST_INSTANT_TRADE_PAY';
-      return pageExecute(
-        {
-          out_trade_no: request.orderId,
-          product_code: productCode,
-          total_amount: request.amount.toFixed(2),
-          subject: request.subject,
-        },
-        {
-          notifyUrl: request.notifyUrl,
-          returnUrl: request.returnUrl,
-          method,
-        },
-      );
-    };
-
-    let url: string;
-    if (request.isMobile) {
-      try {
-        url = buildPayUrl(true);
-      } catch {
-        url = buildPayUrl(false);
-      }
-    } else {
-      url = buildPayUrl(false);
+    if (!request.isMobile) {
+      const entryUrl = buildAlipayEntryUrl(request.orderId);
+      return {
+        tradeNo: request.orderId,
+        payUrl: entryUrl,
+        qrCode: entryUrl,
+      };
    }

-    return { tradeNo: request.orderId, payUrl: url };
+    const payUrl = buildAlipayPaymentUrl({
+      orderId: request.orderId,
+      amount: request.amount,
+      subject: request.subject,
+      notifyUrl: request.notifyUrl,
+      returnUrl: request.returnUrl,
+      isMobile: true,
+    });
+
+    return { tradeNo: request.orderId, payUrl };
  }

  async queryOrder(tradeNo: string): Promise<QueryOrderResponse> {
-    const result = await execute<AlipayTradeQueryResponse>('alipay.trade.query', {
-      out_trade_no: tradeNo,
-    });
+    let result: AlipayTradeQueryResponse;
+    try {
+      result = await execute<AlipayTradeQueryResponse>('alipay.trade.query', {
+        out_trade_no: tradeNo,
+      });
+    } catch (error) {
+      if (isTradeNotExistError(error)) {
+        return {
+          tradeNo,
+          status: 'pending',
+          amount: 0,
+        };
+      }
+      throw error;
+    }

    let status: 'pending' | 'paid' | 'failed' | 'refunded';
    switch (result.trade_status) {
@@ -80,37 +132,41 @@ export class AlipayProvider implements PaymentProvider {
    };
  }

-  async verifyNotification(rawBody: string | Buffer, _headers: Record<string, string>): Promise<PaymentNotification> {
+  async verifyNotification(rawBody: string | Buffer, headers: Record<string, string>): Promise<PaymentNotification> {
    const env = getEnv();
-    const body = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf-8');
-    const searchParams = new URLSearchParams(body);
+    const params = parseAlipayNotificationParams(rawBody, headers);

-    const params: Record<string, string> = {};
-    for (const [key, value] of searchParams.entries()) {
-      params[key] = value;
-    }
-
-    // sign_type 过滤：仅接受 RSA2
-    if (params.sign_type && params.sign_type !== 'RSA2') {
+    if (params.sign_type && params.sign_type.toUpperCase() !== 'RSA2') {
      throw new Error('Unsupported sign_type, only RSA2 is accepted');
    }

-    const sign = params.sign || '';
+    const sign = getRequiredParam(params, 'sign');
    if (!env.ALIPAY_PUBLIC_KEY || !verifySign(params, env.ALIPAY_PUBLIC_KEY, sign)) {
-      throw new Error('Alipay notification signature verification failed');
+      throw new Error(
+        'Alipay notification signature verification failed (check ALIPAY_PUBLIC_KEY uses Alipay public key, not app public key, and rebuild/redeploy the latest image)',
+      );
    }

-    // app_id 校验
-    if (params.app_id !== env.ALIPAY_APP_ID) {
+    const tradeNo = getRequiredParam(params, 'trade_no');
+    const orderId = getRequiredParam(params, 'out_trade_no');
+    const tradeStatus = getRequiredParam(params, 'trade_status');
+    const appId = getRequiredParam(params, 'app_id');
+
+    if (appId !== env.ALIPAY_APP_ID) {
      throw new Error('Alipay notification app_id mismatch');
    }

+    const amount = Number.parseFloat(getRequiredParam(params, 'total_amount'));
+    if (!Number.isFinite(amount) || amount <= 0) {
+      throw new Error('Alipay notification invalid total_amount');
+    }
+
    return {
-      tradeNo: params.trade_no || '',
-      orderId: params.out_trade_no || '',
-      amount: Math.round(parseFloat(params.total_amount || '0') * 100) / 100,
+      tradeNo,
+      orderId,
+      amount: Math.round(amount * 100) / 100,
      status:
-        params.trade_status === 'TRADE_SUCCESS' || params.trade_status === 'TRADE_FINISHED' ? 'success' : 'failed',
+        tradeStatus === 'TRADE_SUCCESS' || tradeStatus === 'TRADE_FINISHED' ? 'success' : 'failed',
      rawData: params,
    };
  }
@@ -130,8 +186,15 @@ export class AlipayProvider implements PaymentProvider {
  }

  async cancelPayment(tradeNo: string): Promise<void> {
-    await execute<AlipayTradeCloseResponse>('alipay.trade.close', {
-      out_trade_no: tradeNo,
-    });
+    try {
+      await execute<AlipayTradeCloseResponse>('alipay.trade.close', {
+        out_trade_no: tradeNo,
+      });
+    } catch (error) {
+      if (isTradeNotExistError(error)) {
+        return;
+      }
+      throw error;
+    }
  }
 }