From 5dc2fbd0e7d4e89b90aa9edbea86ee578fac7ddd Mon Sep 17 00:00:00 2001
From: 24024 <240241002@qq.com>
Date: Wed, 14 Jan 2026 19:57:43 +0800
Subject: [PATCH] =?UTF-8?q?fix(payment):=20=E4=BC=98=E5=8C=96=E6=94=AF?=
 =?UTF-8?q?=E4=BB=98=E5=9B=9E=E8=B0=83=E7=AD=BE=E5=90=8D=E9=AA=8C=E8=AF=81?=
 =?UTF-8?q?=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 取消支付回调中签名前日志冗余输出，简化验证流程
- verify_notify方法中合并签名和数据为空的校验，减少日志行
- 调整sign和sign_type参数移除逻辑，兼容不同通知类型的签名校验
- 增加验证失败时的详细日志，帮助定位公钥配置问题
- 提示可能公钥使用错误，改善错误排查体验
---
 __pycache__/config.cpython-312.pyc            | Bin 4123 -> 4123 bytes
 .../__pycache__/payment.cpython-312.pyc       | Bin 8105 -> 7522 bytes
 blueprints/payment.py                         |  13 +-----
 config.py                                     |   2 +-
 .../alipay_service.cpython-312.pyc            | Bin 4369 -> 4178 bytes
 services/alipay_service.py                    |  39 ++++++++----------
 6 files changed, 21 insertions(+), 33 deletions(-)

diff --git a/__pycache__/config.cpython-312.pyc b/__pycache__/config.cpython-312.pyc
index 6d38c547f397c9c2d778a92ebc1f9668e3564faa..63b4247c9958f281a01db61b5754f960970fd9f9 100644
GIT binary patch
delta 369
zcmWN;J92_R007X;q;ujO(r+P3fT85Kd<6kTp!2gX8v*&O1ZZq>3vZAvlVjurX>*d~
zz5Db1dGbA-P9FY!ynjx9C%0VfU+kktJzoP<uK8EPwjnBmU4RyNFPAxz&j4`vOhnVa
z_R)}T^tDC$mYx<^bD*(p^j%q%Z-tI=+}1h>3NCdlFE8M7er94MnQBLPx|%ghkg71e
z&i6|>p=+)iadb-+p%~51t3=$cXVtYnvO6~|@{Twv6YyT*GGhm0z}1qPMuH@cL;_{J
zf}znMITMCtR*RP^i&7UE`s$LL)yU)k2pTv)NRI6t31u*GxvsAed&tC*)p!6?%sONR
z=5erP>5{1ashWj()be{bb2hZdO|B6@L7`%+8%3*1pAALCm?qzhLlg&tt-w~O373pR
YmK7dLE$f0rl522q$5Y^c$xlCze_~X76951J

delta 369
zcmWN;K~{o5007W>?R<5I_ADYCD3>bAC?gpP1MC<WWd=}Sz!4X9kWSI-7@eSPC#nBG
z?mzAa-*<O|tAE#TpM&4Q``KWD&D@Fz9V1u}W0xLVN_WahD6i*pTS^mYi>1tFOXX$N
z<g&2)6daCW%q+9l!lZ|GoDo0-bdPJ~&uVm{oj=b77i_+TTIpq->}r!fJOpwEGAQ<)
zgNBFjN!v%pd(9=;>*d&QpqtnpGlC7;tU-m->BUqF8UbrOvgIQd?Q{c#HA$LF57(J{
zYEyq6xw^+4<d0*=fQyxrVRbtRE}(g2S+Mc}>8Ue3s0V`@4V|E%(KK!Ml<09$T3u5c
zW-zKyEyty(F?q%0#M&1gxkaH6Ud7sIxyT)+@L9D^!^+~`kgD6_ImWro+b}529=EAf
YRX0x<^jwgwx@m;<dcoz_<o4(04=1;M(*OVf

diff --git a/blueprints/__pycache__/payment.cpython-312.pyc b/blueprints/__pycache__/payment.cpython-312.pyc
index cdc6df46f87a50c23e29def7cf4320f9f2c46296..78f27388d350d9ee69259edc669859b4004d5273 100644
GIT binary patch
delta 692
zcmZ2!|Hz8(G%qg~0}$l4q-TB>-N>iK#k7lQvW&3$<V3DBjDnL@cr=7+7-|?-Gl5hw
zFw`>FFl6ygz925cQp-{zGWia(%w#iB5xyFhHEgRHA!@RuC-38uW@W8mE>fH9z$LHD
zUc)k*VJ;I)o{^zM7NU}YA%!D_vxapI*W@Z*O;v7mb(K8I3?*_fwJHonwzX`NxaE_1
zOB7*(HE?S|R-|yQ;e$Dqks*a2r#gW&revl_h7`eCwmP<8C|%B2&QQS|$xzOyDKy!O
zZwYIWGSHgI0sQZn{WJw9I|!Iet`~4JV86wZl30>>i?cX0Juk7Ov?#U65~!}o0Yrdw
z6q$nv3m{R<4kRZ37myY52QutIB67e`YGC-lCOuhCFj)MFq}pux4!#FM3fG17E(+<b
zDA^EsS;&5}jL>#<7ZHYo7EVk+>aev0kUS#7=_<v1MApbvl=&z>BanSml+{&g^Dm)D
zHm+M7B}IuTsquOFlOrVE8SN)8kPKpUnEY9Cw!b6LT0c$MB4;37<N_jCK!gT}a0d~Z
zAi@Jg@PY_W5Wx*1yg-CEi0}asDj*_s@?EJgDPIuN4@97OJ#@0Kv^i@GP$qtJr}Q@_
zM(4>5a*A3Y?-zkYS2BDCk_<)GK;jpNO>TZlX-=wLQ3j9;N<PI`C!dyE$}h`k^_iK0
UN%jL1koCcCa)Z1oOFB>*06}?`00000

delta 1130
zcmZ{kT}TvB6vyv;?(B{`v+l0$YMPq+;TrT1K_=*~yJaP0UlQ7jZI0PmtTK+7G~35R
zR8Ux*B0&U|B29CRf});!$%lGaaj95(h|tKF5Q^xrds`<hXkdQlf6xEiJNH~J^Qn3w
zD805?EeJnP&UeJX^+>9;&^av3+58Z-yn#B)dXCdkrxkJ?4w;{%NGU=?XqcX)VASd7
zOoj_5?Ph+BVKxl6<?m_PB`BoBBPI`07BhUzWg#LuB!yPQN!susB<43LIcrl|Ue-it
zaz!K<o#}KL+104iI%O=CV2!Or{&bMwG`CURS!k%$*jc=)4W)BaR@`-*EhM|<c%4;!
z5VDk%OFEZrJX=X2t<0FC$cjzpr*fepC*ZaJTi5R>N7@FX)`QfVgz2VO(&p5>Mp8Ge
zJw3%Xm1nd?AtnF6b*^J{8{L8wF=0AuI=B-1s6KR>X+eEdzzsih?jG&U#h+PvaP>>_
z!k6i>#cQ`02cA}!s^vJ_>%{ncE4lDuaB+Hg;rZRqgYetU2$~vI+FRpYz0#kOrAs%K
z#)k1!A5Jx9%ssJ=c&pam-43JHuXMlxH>E9NhHdNW?$0pYUET0X3j2f%t3<VEwmPcy
zs_hx^RJ$5G*569<>NdQV8iq32!3tPHX@LtGWs|)L4}$pZ8N=7{JX+>G&><f@_nk*(
zc|g1(rt<ycY*LsIX4cPFgi`*xlrx+bA|C`P>sF3$Nmfl%%{0t!45lhWDQ8_;2(P%;
z<0DP?n@5|+<MZB{l&3c345o$9GLKyA?!<1y;KXI|z2F#-ugHV^2%8qX#z-t0X-W%~
z3kANRlFQP2d+9s-raAkj@iWhM&)e%^PJZgIuR$-Xwr|AYmB&q3W8TFuv;5|rwajc4
zMRYB<i+P;1weXxuIt06GCshZBT?eQzJai51jo@Tspjh33qgqeE5>ycECI}ET5LgNJ
z5Qqeg1bYeg5qJoKaL0Y9a6gd;2(kxG6uAM|HWh5;j$nEGairh}P3?f{qB5Qwzj_3s
nMTM4=Sdw2t&s(@ybkF9as=qOaE?%awTHZ&&wqh@P0{g!JPWTWR

diff --git a/blueprints/payment.py b/blueprints/payment.py
index aaffe82..86676a0 100644
--- a/blueprints/payment.py
+++ b/blueprints/payment.py
@@ -73,18 +73,9 @@ def payment_return():
             logger.error("同步回调缺少签名参数")
             return "参数错误：缺少签名", 400
         
-        # 验证签名前，先记录关键信息
-        logger.info(f"验证订单号: {data.get('out_trade_no')}")
-        logger.info(f"支付宝交易号: {data.get('trade_no')}")
-        logger.info(f"支付金额: {data.get('total_amount')}")
-        
-        # 从数据中移除sign参数以进行验证
-        verify_data = data.copy()
-        verify_data.pop('sign', None)
-        verify_data.pop('sign_type', None)  # 也要移除sign_type
-        
         alipay_service = AlipayService()
-        success = alipay_service.verify_notify(verify_data, signature)
+        # 直接传递原始字典，由 verify_notify 处理
+        success = alipay_service.verify_notify(data, signature)
         
         out_trade_no = data.get('out_trade_no')
         order = Order.query.filter_by(out_trade_no=out_trade_no).first()
diff --git a/config.py b/config.py
index 4215064..76d86d2 100644
--- a/config.py
+++ b/config.py
@@ -50,7 +50,7 @@ class Config:
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCJSgmesQisfxNdz5dUhdv3Anh6aOGyQ03t69cqnenFumyEiLFk1N9FBDRR6onUsW9ZUGf7+P1sn/TMHdoOQZzZsxYVCCj85820ORP/DHTyP0ONHfBj0GqnKig5o3OGosC9ieJT6QLBzycOmiv/3YcHSJQPQ3zlyUloPScD1UsslgpCFWF3c3UDstzhYy/i1LbNy63w+Hr/xj01f1JCzivJoir9erLpTbbjPcPbQXd9xpycwIyGufXbFh1kOE6q+WOZq6NAXCe0/leUwh+q5v0pTnWnY07iB9nQtL2qvXQIBZWGI6HV4NDnO6rblDf1oOwNWYKcjCtL045xcHfUWKlrAgMBAAECggEAO4qfp3JyJ5WpSYtJv3+aiYNJyxUHpW9pMeGR3MrF41pZzBUYknl8J4uOQWStyE/30c18e5xeFKk+2vOraXltVEFGN3Lli+HgpeQHVxsI8TMc0ewFINT4HG29KlpINUEKxGkzfl7VMkbsUnns0Tg7Yp5IkGIdne7xZkL3U8NCqh/0oHAczMTwV1gqOFetyENNhdqzZJgwjR5c2OIIsNAuq+s0CcIqIw6hSwKzYN3H2i+4UKXmgU9kB2pGIzyxOH41FbEZp/UAcv9m2ikK2oYSXIHozaEsYyUXZbvHn4vmz1+grwnMJy2UQZQUCOLjvkul7tGKcNXTFSCvtgudBMSQ2QKBgQDxKvs97C3CRqgM/GkajI3DVmCY9NZGj5fd75JVg0yIeYQ4tmUmVIepTfq/8YxmgUD284FAFeyfbcFMbZnP4MXQ5Ddun0je70P3snLhfCw52PG1ypxBHl/jzZPdecy5kPKSQIWK9dfaXzwvhRC+YFV2x2V+tcubfeGgZkJ4+79KPQKBgQCRu483SbkjIbKTlJVL1m8a8RtljEg0AxnGIOQQvpkNHWRRHEqE3ozkj3PUHicDh9MumyZSRm9ifSmbD+cYSnjpQYafD9pZQ4lFWE72rCrz2vTTiZKyd/VuuQl2wTcj57ffX7cCaXQ635O1w+tz4VXnZzFnN0Lx3KDQ76bpPEEExwKBgHpRqoyFtc/LtoCfpU9p6p0gum3aALRZMFXIpRfqOG8f8wgwuqzuQsCEZKHmCagT9rdKWkv+0r0qFdiF3nWpM6v3lIXvFC6+fGKth8cGDAhrGG10DjyZA1mvc0fp9wRHmEDFqPYKKyj/FK+ldhCZG7/a8oeJ/XMoLcAFHcHvLd6hAoGAFQnDmhKthHHX6tA3YVRag8Qs1VMUFVYhQWX8JqKtS6RjmAYCh/3szw4ahZO4xBy2kvLY7GW4rLou6HC6RtpxbBMGkS3jsqE6TuV5uMiQBtYkI+mnYNZKeyqBQECSaj+IXtndfJ6mpd0i4Mmg0wDDuv09t43Vvz6/hIokSWVmaX8CgYEApzBH2M3R3j/jz2Hb3cevI+3MaeSIZMCedj2oTI2VB+6cOfuCW+65uuj7VuZkjEWzHMt3jVWPBtjyp002D3unYfIiaFaXUK4hSeoOCVj9ma8xhqR278Llkhxgf6KDx2E43YeTtrg9jStHmuD+Wr4UV96MOuIyaKqOFQHs4P/sQqY=
 -----END RSA PRIVATE KEY-----"""  # 应用私钥
     ALIPAY_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6iXKiRpbs5WLHlb6fdoteef+vs+QxxtmwDL2IJwhEJ+OMrkwlKyd4noYaiGDy2YcyHKahb4bsHRoPLVEqLveuVFksjsiFTH2mUhuwuqDe//XwE4hHsguNL3nY72gZ6qjwbg5mAVrHRcKUi6XSLSP4pWdCzD0leZ4GA9Kw1WstCS4sGBcrzyHPhRvtdVFZR5UjNLVAaN6HIMNhW0TBXz4r1ihXMV4byeN3n0n6e6reBLXr222f7c5almGurq6D9pLqwAmsqWbQWbvitOjZRll+bjpa29JIkNi+jEpPdYpGjU3e0Tl8aWkKjtYXmDyWtdw00RkciHUR4hMuCZW5qIjwIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDx4KdOtOQE+tBq6jHKKFenRaRe2gbBnleBk++5gki9IQuxVyZUGTJixstf2gELFHWrGanpnwmGggXsqG+Rm5ZLJOlmFM1k0XeAIDvi6tP/rM+ZDFSu1bMBYtT5vzgVZC7mzIvOp9gsT/puqd3aNZmlviLD0R6OYN0zvFX+5qADZV7A9ziA+nXPFSHreBh7yY/q9ophVZNeHGPoYkDVI5++RrF1cALKOdit0giN5vxpe3ch9z3E6+FZg3LiP+1RW3tMiDQfp/SlVs6bNhLUtmlI5r7+mtFCKDUCEpnQ3S9e0II6rzyVXRyKCFs7qi5YzyhhmO3tJJoe9ilEFyNzfRQIDAQAB
 -----END PUBLIC KEY-----"""  # 支付宝公钥
     ALIPAY_RETURN_URL = "http://331002.xyz:2010/payment/return"  # 支付成功跳转地址
     ALIPAY_NOTIFY_URL = "http://331002.xyz:2010/payment/notify"  # 支付异步通知地址
diff --git a/services/__pycache__/alipay_service.cpython-312.pyc b/services/__pycache__/alipay_service.cpython-312.pyc
index 697c3d5f481aabc17aaace1f924d9c7ac02d02df..e89946c097597324bd3d0a6fd49971d591d6e0ae 100644
GIT binary patch
delta 1067
zcmZ8eTTByC5WTzIE^OPSTen--(xw%NrfDQ#d?3CB8jXMt;s=R@7^?)-niMOdRjScg
z4MgfiTY(BBVDP~!F;VgLp(Z5$6m6msKG1Zx^h-3F`1tWIYq4=Y&d$u4IWx02kn_fx
z@tUSp09nKNy85m3ScaK0hHwCafC66JjeD_1!!e1UH`q(+VL7HEG0==C*hlFhrJ}Jk
zxLCvL6i(tUYLyHFUeG|nT9pM;!%2e8R(SCwcUtLHHg^6edKg#1pDG%<D192~Rdj(c
z4!@|l`8dssr^d>3q^*%A?joF&5p)5kDy+DRrA*F{{Zw=>mby|ivhU{pZPK8VRI}A7
zTFNSr!m|>OY2bIY9rlrIi<3T<nUwUB$u?<OXU08k@?Z>911E8sJVQ3)^0x_V0w)yJ
zpb4`vo<&F@ai?{5<ZQy%8Sfd04?Ppw+dLdf%dY6ZE?yfI+lFHg$K$uh9aBVOeVwb)
zvk2;F1Fb`K!m|sq0vyxuEj-G^o<5Iv48}Xp3m5Jst_}#7+Ey0Cp0*WR6Uz~MQjwpZ
z?>UY<@k)EVfBf^4PT|%$@n-kmfvsobkB4MMp?_@l{=nxaXuk*XzTw&7e(UD)Z96wt
z*Y4c2rF>gS?e?;2s~8&j<m(nYMq-acLh*1|9{R}_p7pgR!Z#5ojCY`Y7V`5)%fsX`
zqQ70Z+yk5GV)%&8W2K{}(wg?UUG=WIDWcwW@F*1Ni!E04%04hh<WT$v*3?%z%@~53
zfF@#I5oK1s&os@EAluSoyJ73H`?t@f13K%<j!Qd2j^5I!#x}$8?>PG;XMf8r^E(i0
zFa>J@HN9&`skdCQ-|>;<7xW6F%<^PlDHzQjr6cAI(H3Uo-(=|2;F>{u#JnoXtX`-q
zdZ>SHd1RSjCvqZdDk4Rd6Z<3P-BG3rt)<U;$L79aa|ekL?H%p3-WaS5RL%jAw-^5g
z09S*fee_0u#Wy9;Wd_v&b;MK<WeR6l-e2(}rp@{aaEgZm+NDc!(Z4yzm$IO{#Deg}
zIs?L&ELBD+UYc^t2*oQxSw_L%+9GTtT*0iu^57w6y=@a}b4!o!CM775z$if$f?w(D
ajvRG*4j<Uy-U=s~LahVC_^&|1`JzA2I90a*

delta 1119
zcmZXSO-vI(6vt<}{b1W|yDj~KQmGmwwNM43QN#}rTa_pWPipXD)lfe$l?E}3RE@EI
z5Wta8C4`!Y7DZYT6A7YXj9$E~x{1Vikc2JtBpNSza;8fabr1j9_j~_0@6GJKb9OJ&
zz0qpb06*j5BaN-hsLnyFyc7VvfJOysCj~i(Hmgf5GEUY9`ehFw@d5w=Cp%?nM$cg}
z4MD4%gCwe#73WA%K!p;tT|seFfJV2~xdx?Q^+5K!HcNB<q9CBbRfSNC-pX?g6er78
zv?(}6(25-DLY7`MfnpD6MyucwM*Rn70Mww3YCBpFO$vqs0UepZqVj9=K_Bqz`l)~H
zRy{Vc(r}9vA3Tq2VrOyQxHu!dlM6vUjhlGd4b9f9gHvW35QpD5oSQue1bcyB)uueF
zY?VuE3v2<WslA{Dx=bO`BYpqcT;g0hd~0@KaQ5Ldv8yAr0%LI^EZ(~+B~v#NGf$%8
zNWYZ-GI1@{)1FLqj8r;98tj#@7@oi}^E;jy8=oB-_hv|{hu9_ZQGTlN$cf#-rP!I7
zKq_Bo73mVM4E%@1JEL=t217brvf%S&cEk+{6E6;@uMeg#cFaD-Go{NhIzxFpo-;Ys
zCr>(e)MA?nvs5%8cHNyzUYJYtq~f>5iOxzV`oUBx<c%i|H=%NE5ly~I(2NBIw3piV
z;lD2o=H*3n-Y3S`S$DaP&)+g>npE;OpTKNiU{QChF}9z#l?hDwS0ykxKCzZwrkjZ#
z5ZIC_Yr%A`^&c{?1opxK*G*TSJ5q-Ot*x{Ea(&brs}&g66l2Xqb@6tSz<55J^FEl}
zZ_V!a=F*6F%53j#=x&H@NYd}kl@af>-c0t^bZhv6)dE{KZv>|N$gb~tV6c)Ict@GQ
zmS@|ajUSCS@Qw`vTlEL|6HP-+V+Y5Ayr+gQ-8xypJA4AWeTKD^WKMB9E>CENG_f|`
zu|{CmE)?>G70KGiJ4bgWt9Zv2fvrZ<x;3jx@XejCR&84eUZ|}^msNZ4^3qUa!^^9c
zwAV?!s#xx|Q?Km`uM<`2*TGFFq+bh*(Xf7_Ycsii^7(>FA~i(viP*6G%&9uw<PRM?
Uv?=IAMz&191H!y-fM~|_3s6X05&!@I

diff --git a/services/alipay_service.py b/services/alipay_service.py
index 5da5710..1bf5e91 100644
--- a/services/alipay_service.py
+++ b/services/alipay_service.py
@@ -42,37 +42,34 @@ class AlipayService:
     def verify_notify(self, data, signature):
         """验证通知签名"""
         try:
-            logger.info(f"开始验证支付宝签名，数据: {data}")
-            logger.info(f"签名值: {signature}")
-            
-            # 验证必要参数
-            if not signature:
-                logger.error("签名为空")
+            if not signature or not data:
+                logger.error("签名或数据为空")
                 return False
             
-            if not data:
-                logger.error("数据为空")
-                return False
-            
-            # 创建数据副本，避免修改原数据
+            # 创建数据副本
             verify_data = data.copy()
             
-            # 移除sign和sign_type，这两个字段不参与验证
+            # python-alipay-sdk 的 verify 方法会自动处理 sign 的移除
+            # 但为了保险，我们手动移除它，保留其他所有字段
             verify_data.pop('sign', None)
-            verify_data.pop('sign_type', None)
             
             alipay = self.get_alipay_client()
+            # 对于同步回调，sign_type 实际上是参与签名的（某些版本/接口）
+            # 对于异步通知，sign_type 通常不参与签名
+            # alipay.verify 会根据情况处理 sign_type
             result = alipay.verify(verify_data, signature)
             
-            if result:
-                logger.info("签名验证成功")
-            else:
+            if not result:
                 logger.error("签名验证失败")
-                logger.error(f"验证数据: {verify_data}")
-                logger.error(f"公钥配置: {self.public_key[:50]}...")
-                # 额外调试信息
-                logger.error(f"App ID: {self.app_id}")
-                logger.error(f"是否调试模式: {self.debug}")
+                logger.error(f"待验证数据: {verify_data}")
+                logger.error(f"签名值: {signature}")
+                logger.error(f"使用的公钥前50位: {self.public_key[:50]}...")
+                
+                # 检查公钥是否可能是应用公钥而非支付宝公钥
+                if self.private_key and self.public_key:
+                    logger.warning("提示：如果签名持续验证失败，请确认 ALIPAY_PUBLIC_KEY 是“支付宝公钥”而非“应用公钥”")
+            else:
+                logger.info("签名验证成功")
             
             return result