fzlee / alipay

Python Alipay(支付宝) SDK with SHA1/SHA256 support

How to get the request return status in 3.0 #151

Closed beimusky closed 1 year ago

beimusky commented 1 year ago

For example, alipay = Alipay(...)

    alipay.client_api(
        "alipay.trade.page.pay",
        biz_content={
            "out_trade_no": "20161112",
            "total_amount": 0.01,
            "subject": "an order"
        },
        return_url="https://example.com",  # this is optional
    )

How do I get the status, so that the backend can confirm whether the frontend's request is correct?

fzlee commented 1 year ago

Both client_api and server_api return a value.

beimusky commented 1 year ago

What I see is that it only returns a long string, with no code. Even if the request parameters are wrong, it still returns normally.

fzlee commented 1 year ago

Do you have an example?

beimusky commented 1 year ago

    data = {
        "make_type": "alipay.trade.page.pay",
        "total_amount": 0.01,
        "subject": "an order",
        "product_code": "FAST_INSTANT_TRADE_PAY"
    }

    message = dc_alipay.client_api(
        make_type,
        biz_content=data,
        return_url="https://www.xxx.com.cn",  # this is optional
    )

Returned parameters: alipay_root_cert_sn=687b59193f3f462dd5336e5abf83c5d8_02941eef3187dddf3d3b83462e1dfcf6&app_cert_sn=db21f9215810f8815836311021f617e5&app_id=2021003183690727&biz_content=%7B%22make_type%22%3A%22alipay.trade.page.pay%22%2C%22total_amount%22%3A0.01%2C%22subject%22%3A%22an+order%22%2C%22product_code%22%3A%22FAST_INSTANT_TRADE_PAY%22%2C%22out_trade_no%22%3A%2220230329_155128_407218_vr7k0NwO%22%7D&charset=utf-8&method=alipay.trade.page.pay&notify_url=https%3A%2F%2F705e2j2074.imdo.co%2Fpay_ali%2Fnotify&return_url=https%3A%2F%2Fwww.hgcm.com.cn&sign_type=RSA2&timestamp=2023-03-29+15%3A51%3A28&version=1.0&sign=Vz5bivXZZZeeu5CUk1sDLvIwdLAsAISoywIbn4HJC6RJzGwSb3t%2FsHpzoeS%2Fex42kY2dgBQ8405MXzY3kiEc2NMPPB892hIJrhPaKmTx93rkPuDhQjzPnZR1RoLUG0hv4Siht43lebe2AgfEu%2Ff3Zj4n%2FLJC7eCy7UExND8NuZ7mqaGzMX54uryVoIR%2FNaSrQWEgyhASkWqO59wulTf28LgFzoD7mzN4Wu677AZzRFE8kTSfjimY3ttTwXqCy24A%2BpwEWYQXUQXVmgasAnZnAEWpbjuUjcQlt8y8kUrUoqP%2Brpq2mmJDEsbKOZEM9m%2B2OfTmkpZxDm18m8wvZwjGdA%3D%3D

fzlee commented 1 year ago

Isn't this usable? Just prepend https://openapi.alipay.com/gateway.do? and open it in a browser.

beimusky commented 1 year ago

Yes, that one is normal and the URL is fine. What I mean is that whatever request parameters I write, it always returns a URL, but there is no way to know whether the URL will work. For example, { "make_type": "alipay.trade.page.pay", "total_amount": 0.000001, "subject": "an order", "product_code":"FAST_INSTANT_TRADE_PAY" } returns: https://openapi.alipay.com/gateway.do?alipay_root_cert_sn=687b59193f3f462dd5336e5abf83c5d8_02941eef3187dddf3d3b83462e1dfcf6&app_cert_sn=db21f9215810f8815836311021f617e5&app_id=2021003183690727&biz_content=%7B%22make_type%22%3A%22alipay.trade.page.pay%22%2C%22total_amount%22%3A1e-06%2C%22subject%22%3A%22an+order%22%2C%22product_code%22%3A%22FAST_INSTANT_TRADE_PAY%22%2C%22out_trade_no%22%3A%2220230329_155805_458613_VocCShxI%22%7D&charset=utf-8&method=alipay.trade.page.pay&notify_url=https%3A%2F%2F705e2j2074.imdo.co%2Fpay_ali%2Fnotify&return_url=https%3A%2F%2Fwww.hgcm.com.cn&sign_type=RSA2&timestamp=2023-03-29+15%3A58%3A05&version=1.0&sign=cFKtjGC0vFRotZ4RR1X6vwokIBpQG635K%2Fg%2FiV%2FuFVkOdGxXK3ASZ0E5C%2Fq1VXBBcpI23KNCD%2FYYqos8ZBeINX3T0ncntOLk1FkVwjJSqJ8tiHE7gYMVegnirnL0rF8u%2F1a7BFe8LpPGxBwBw6N3Fq5ajus7t0E%2FxMpJEFFxMt91aRFh%2BvH7hSo5NKBPF0OymvUHWF0dbImd1VBScajKHpFxbiaTzc%2F8FLGWe0Jad1mINGoTXJMXJKCuKkQpIun6SNoYjV5CeKOzhlBsjCZbs%2BbS43Mi0IiI10y0OQoFqhupJ63DLUgh0ritO8lG5KgIqS%2BXuR6MywJDrTrDoNxy1g%3D%3D

But this URL is wrong.

fzlee commented 1 year ago

This request is generated locally; Alipay does not validate it before it is sent to Alipay. There seems to be no solution at the moment.

beimusky commented 1 year ago

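So it is just blind forwarding, with no way to validate the parameters the frontend sends. The main problem is that, because they cannot be validated, every request has to be stored in the database up front, even junk requests sent in an attack; if a request is not stored, the order cannot be verified later.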

fzlee commented 1 year ago

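In theory, all of an order's request parameters should be assembled by the backend. Even if they do come from the frontend, they need to go through a validity check.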

beimusky commented 1 year ago

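Yes, I do validate once, but the API has too many parameters; if every one of them were validated... that would be N times the work, and sometimes the official docs don't give detailed rules either. For example, for the order amount, the official docs don't say what the maximum amount is. Cases like this with no rules are hard to judge.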
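
An added example, not part of the thread and not code from the python-alipay project: one way a backend can assemble and validate `biz_content` itself before signing, since the signed URL is produced locally without any check by Alipay. The helper names, the accepted client fields, the two-decimal rule and the amount limits are assumptions of this sketch (the ceiling is the merchant's own business limit, not an Alipay rule).

```python
import secrets
from decimal import Decimal, InvalidOperation

# Assumed business rules for this sketch, chosen by the merchant.
MIN_AMOUNT = Decimal("0.01")
MAX_AMOUNT = Decimal("50000.00")
ALLOWED_PRODUCT_CODES = ("FAST_INSTANT_TRADE_PAY",)
CLIENT_FIELDS = {"total_amount", "subject", "product_code"}
MAX_SUBJECT_LEN = 256


class OrderValidationError(ValueError):
    """Raised when client input must not be turned into a signed request."""


def parse_amount(raw):
    """Return the amount as a fixed-point string such as '0.01', or raise."""
    try:
        amount = Decimal(str(raw))          # float 0.000001 arrives as '1e-06'
    except InvalidOperation:
        raise OrderValidationError("total_amount is not a number")
    if not amount.is_finite() or not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        raise OrderValidationError("total_amount out of range")
    cents = amount.quantize(Decimal("0.01"))
    if cents != amount:
        raise OrderValidationError("total_amount has more than two decimals")
    return format(cents, "f")               # never scientific notation


def build_biz_content(client_data):
    """Build biz_content on the server from a small whitelist of client fields."""
    unknown = set(client_data) - CLIENT_FIELDS
    if unknown:                              # e.g. the stray "make_type" key
        raise OrderValidationError("unexpected fields: %s" % sorted(unknown))
    subject = client_data.get("subject")
    if not isinstance(subject, str) or not subject.strip():
        raise OrderValidationError("subject is required")
    if len(subject) > MAX_SUBJECT_LEN:
        raise OrderValidationError("subject too long")
    product_code = client_data.get("product_code", ALLOWED_PRODUCT_CODES[0])
    if product_code not in ALLOWED_PRODUCT_CODES:
        raise OrderValidationError("product_code not allowed")
    return {
        "out_trade_no": secrets.token_hex(16),   # generated by the backend
        "total_amount": parse_amount(client_data.get("total_amount")),
        "subject": subject.strip(),
        "product_code": product_code,
    }
```

The returned dict is what would be passed as `biz_content` to `client_api`; a request that raises `OrderValidationError` is rejected before anything is signed or stored.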