diff --git a/__pycache__/config.cpython-312.pyc b/__pycache__/config.cpython-312.pyc index 6d38c54..63b4247 100644 Binary files a/__pycache__/config.cpython-312.pyc and b/__pycache__/config.cpython-312.pyc differ diff --git a/blueprints/__pycache__/payment.cpython-312.pyc b/blueprints/__pycache__/payment.cpython-312.pyc index cdc6df4..78f2738 100644 Binary files a/blueprints/__pycache__/payment.cpython-312.pyc and b/blueprints/__pycache__/payment.cpython-312.pyc differ diff --git a/blueprints/payment.py b/blueprints/payment.py index aaffe82..86676a0 100644 --- a/blueprints/payment.py +++ b/blueprints/payment.py @@ -73,18 +73,9 @@ def payment_return(): logger.error("同步回调缺少签名参数") return "参数错误:缺少签名", 400 - # 验证签名前,先记录关键信息 - logger.info(f"验证订单号: {data.get('out_trade_no')}") - logger.info(f"支付宝交易号: {data.get('trade_no')}") - logger.info(f"支付金额: {data.get('total_amount')}") - - # 从数据中移除sign参数以进行验证 - verify_data = data.copy() - verify_data.pop('sign', None) - verify_data.pop('sign_type', None) # 也要移除sign_type - alipay_service = AlipayService() - success = alipay_service.verify_notify(verify_data, signature) + # 直接传递原始字典,由 verify_notify 处理 + success = alipay_service.verify_notify(data, signature) out_trade_no = data.get('out_trade_no') order = Order.query.filter_by(out_trade_no=out_trade_no).first() diff --git a/config.py b/config.py index 4215064..76d86d2 100644 --- a/config.py +++ b/config.py @@ -50,7 +50,7 @@ class Config: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCJSgmesQisfxNdz5dUhdv3Anh6aOGyQ03t69cqnenFumyEiLFk1N9FBDRR6onUsW9ZUGf7+P1sn/TMHdoOQZzZsxYVCCj85820ORP/DHTyP0ONHfBj0GqnKig5o3OGosC9ieJT6QLBzycOmiv/3YcHSJQPQ3zlyUloPScD1UsslgpCFWF3c3UDstzhYy/i1LbNy63w+Hr/xj01f1JCzivJoir9erLpTbbjPcPbQXd9xpycwIyGufXbFh1kOE6q+WOZq6NAXCe0/leUwh+q5v0pTnWnY07iB9nQtL2qvXQIBZWGI6HV4NDnO6rblDf1oOwNWYKcjCtL045xcHfUWKlrAgMBAAECggEAO4qfp3JyJ5WpSYtJv3+aiYNJyxUHpW9pMeGR3MrF41pZzBUYknl8J4uOQWStyE/30c18e5xeFKk+2vOraXltVEFGN3Lli+HgpeQHVxsI8TMc0ewFINT4HG29KlpINUEKxGkzfl7VMkbsUnns0Tg7Yp5IkGIdne7xZkL3U8NCqh/0oHAczMTwV1gqOFetyENNhdqzZJgwjR5c2OIIsNAuq+s0CcIqIw6hSwKzYN3H2i+4UKXmgU9kB2pGIzyxOH41FbEZp/UAcv9m2ikK2oYSXIHozaEsYyUXZbvHn4vmz1+grwnMJy2UQZQUCOLjvkul7tGKcNXTFSCvtgudBMSQ2QKBgQDxKvs97C3CRqgM/GkajI3DVmCY9NZGj5fd75JVg0yIeYQ4tmUmVIepTfq/8YxmgUD284FAFeyfbcFMbZnP4MXQ5Ddun0je70P3snLhfCw52PG1ypxBHl/jzZPdecy5kPKSQIWK9dfaXzwvhRC+YFV2x2V+tcubfeGgZkJ4+79KPQKBgQCRu483SbkjIbKTlJVL1m8a8RtljEg0AxnGIOQQvpkNHWRRHEqE3ozkj3PUHicDh9MumyZSRm9ifSmbD+cYSnjpQYafD9pZQ4lFWE72rCrz2vTTiZKyd/VuuQl2wTcj57ffX7cCaXQ635O1w+tz4VXnZzFnN0Lx3KDQ76bpPEEExwKBgHpRqoyFtc/LtoCfpU9p6p0gum3aALRZMFXIpRfqOG8f8wgwuqzuQsCEZKHmCagT9rdKWkv+0r0qFdiF3nWpM6v3lIXvFC6+fGKth8cGDAhrGG10DjyZA1mvc0fp9wRHmEDFqPYKKyj/FK+ldhCZG7/a8oeJ/XMoLcAFHcHvLd6hAoGAFQnDmhKthHHX6tA3YVRag8Qs1VMUFVYhQWX8JqKtS6RjmAYCh/3szw4ahZO4xBy2kvLY7GW4rLou6HC6RtpxbBMGkS3jsqE6TuV5uMiQBtYkI+mnYNZKeyqBQECSaj+IXtndfJ6mpd0i4Mmg0wDDuv09t43Vvz6/hIokSWVmaX8CgYEApzBH2M3R3j/jz2Hb3cevI+3MaeSIZMCedj2oTI2VB+6cOfuCW+65uuj7VuZkjEWzHMt3jVWPBtjyp002D3unYfIiaFaXUK4hSeoOCVj9ma8xhqR278Llkhxgf6KDx2E43YeTtrg9jStHmuD+Wr4UV96MOuIyaKqOFQHs4P/sQqY= -----END RSA PRIVATE KEY-----""" # 应用私钥 ALIPAY_PUBLIC_KEY = """-----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6iXKiRpbs5WLHlb6fdoteef+vs+QxxtmwDL2IJwhEJ+OMrkwlKyd4noYaiGDy2YcyHKahb4bsHRoPLVEqLveuVFksjsiFTH2mUhuwuqDe//XwE4hHsguNL3nY72gZ6qjwbg5mAVrHRcKUi6XSLSP4pWdCzD0leZ4GA9Kw1WstCS4sGBcrzyHPhRvtdVFZR5UjNLVAaN6HIMNhW0TBXz4r1ihXMV4byeN3n0n6e6reBLXr222f7c5almGurq6D9pLqwAmsqWbQWbvitOjZRll+bjpa29JIkNi+jEpPdYpGjU3e0Tl8aWkKjtYXmDyWtdw00RkciHUR4hMuCZW5qIjwIDAQAB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDx4KdOtOQE+tBq6jHKKFenRaRe2gbBnleBk++5gki9IQuxVyZUGTJixstf2gELFHWrGanpnwmGggXsqG+Rm5ZLJOlmFM1k0XeAIDvi6tP/rM+ZDFSu1bMBYtT5vzgVZC7mzIvOp9gsT/puqd3aNZmlviLD0R6OYN0zvFX+5qADZV7A9ziA+nXPFSHreBh7yY/q9ophVZNeHGPoYkDVI5++RrF1cALKOdit0giN5vxpe3ch9z3E6+FZg3LiP+1RW3tMiDQfp/SlVs6bNhLUtmlI5r7+mtFCKDUCEpnQ3S9e0II6rzyVXRyKCFs7qi5YzyhhmO3tJJoe9ilEFyNzfRQIDAQAB -----END PUBLIC KEY-----""" # 支付宝公钥 ALIPAY_RETURN_URL = "http://331002.xyz:2010/payment/return" # 支付成功跳转地址 ALIPAY_NOTIFY_URL = "http://331002.xyz:2010/payment/notify" # 支付异步通知地址 diff --git a/services/__pycache__/alipay_service.cpython-312.pyc b/services/__pycache__/alipay_service.cpython-312.pyc index 697c3d5..e89946c 100644 Binary files a/services/__pycache__/alipay_service.cpython-312.pyc and b/services/__pycache__/alipay_service.cpython-312.pyc differ diff --git a/services/alipay_service.py b/services/alipay_service.py index 5da5710..1bf5e91 100644 --- a/services/alipay_service.py +++ b/services/alipay_service.py @@ -42,37 +42,34 @@ class AlipayService: def verify_notify(self, data, signature): """验证通知签名""" try: - logger.info(f"开始验证支付宝签名,数据: {data}") - logger.info(f"签名值: {signature}") - - # 验证必要参数 - if not signature: - logger.error("签名为空") + if not signature or not data: + logger.error("签名或数据为空") return False - if not data: - logger.error("数据为空") - return False - - # 创建数据副本,避免修改原数据 + # 创建数据副本 verify_data = data.copy() - # 移除sign和sign_type,这两个字段不参与验证 + # python-alipay-sdk 的 verify 方法会自动处理 sign 的移除 + # 但为了保险,我们手动移除它,保留其他所有字段 verify_data.pop('sign', None) - verify_data.pop('sign_type', None) alipay = self.get_alipay_client() + # 对于同步回调,sign_type 实际上是参与签名的(某些版本/接口) + # 对于异步通知,sign_type 通常不参与签名 + # alipay.verify 会根据情况处理 sign_type result = alipay.verify(verify_data, signature) - if result: - logger.info("签名验证成功") - else: + if not result: logger.error("签名验证失败") - logger.error(f"验证数据: {verify_data}") - logger.error(f"公钥配置: {self.public_key[:50]}...") - # 额外调试信息 - logger.error(f"App ID: {self.app_id}") - logger.error(f"是否调试模式: {self.debug}") + logger.error(f"待验证数据: {verify_data}") + logger.error(f"签名值: {signature}") + logger.error(f"使用的公钥前50位: {self.public_key[:50]}...") + + # 检查公钥是否可能是应用公钥而非支付宝公钥 + if self.private_key and self.public_key: + logger.warning("提示:如果签名持续验证失败,请确认 ALIPAY_PUBLIC_KEY 是“支付宝公钥”而非“应用公钥”") + else: + logger.info("签名验证成功") return result