feat: 集成微信支付直连（Native + H5）及金融级安全修复

- 新增 wxpay provider（wechatpay-node-v3 SDK），支持 Native 扫码和 H5 跳转 - 新增 /api/wxpay/notify 回调路由，AES-256-GCM 解密 + RSA 签名验证 - 修复 confirmPayment count=0 静默成功、充值失败返回 true 等 P0 问题 - 修复 notifyUrl 硬编码 easypay、回调金额覆盖订单金额等 P1 问题 - 手续费计算改用 Prisma.Decimal 精确运算，消除浮点误差 - 支付宝 provider 移除冗余 paramsForVerify，fetch 添加超时 - 补充 .env.example 配置文档和 CLAUDE.md 支付渠道说明
2026-03-06 13:57:52 +08:00
parent e9e164babc
commit 937f54dec2
17 changed files with 728 additions and 28 deletions
--- a/src/lib/alipay/client.ts
+++ b/src/lib/alipay/client.ts
@@ -78,6 +78,7 @@ export async function execute<T extends AlipayResponse>(
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(params).toString(),
+    signal: AbortSignal.timeout(10_000),
  });

  const data = await response.json();
--- a/src/lib/alipay/provider.ts
+++ b/src/lib/alipay/provider.ts
@@ -78,14 +78,7 @@ export class AlipayProvider implements PaymentProvider {
    }

    const sign = params.sign || '';
-    const paramsForVerify: Record<string, string> = {};
-    for (const [key, value] of Object.entries(params)) {
-      if (key !== 'sign' && key !== 'sign_type' && value !== undefined && value !== null) {
-        paramsForVerify[key] = value;
-      }
-    }
-
-    if (!env.ALIPAY_PUBLIC_KEY || !verifySign(paramsForVerify, env.ALIPAY_PUBLIC_KEY, sign)) {
+    if (!env.ALIPAY_PUBLIC_KEY || !verifySign(params, env.ALIPAY_PUBLIC_KEY, sign)) {
      throw new Error('Alipay notification signature verification failed');
    }