目前国内比较流行的第三方支付主要有支付宝和微信支付,博主最近研究了下如何用Python接入支付宝支付,这里我以Tornado作为web框架,接入支付宝构造支付接口。
使用Tornado异步接入支付宝支付流程:
1. 进入蚂蚁金服开放平台填写开发者信息、应用信息
2. 配置RSA256密钥,生成支付宝和应用的密钥
3. 构造订单接口API,生成订单
4. 构造支付接口
1. 进入蚂蚁金服开放平台填写开发者信息、应用信息
这里通过沙箱环境开发测试接口,蚂蚁金服开放平台-->开发者中心-->研发者服务-->沙箱应用,配置沙箱应用信息:
设置授权回调地址,注意:这个地址一定要是外网IP地址(我这里是我的阿里云服务器地址),回调地址是自己支付完回调的api地址,可通过扫码下载沙箱板支付宝钱包进行支付测试:
设置沙箱账号,设置买家和买家的测试账号,支付宝会默认给买家账户99999元,可用来测试支付接口是否成功:
2. 配置RSA256密钥,生成支付宝和应用的密钥
支付宝默认有两种加密算法生成密钥:RSA(SHA1)和RSA2(SHA256),鉴于安全性支付宝推荐使用RSA2(SHA256)密钥。通过查看密钥生成文档https://docs.open.alipay.com/291/105971得知密钥生成方法,按文档提示下载密钥生成工具,解压后打开生成工具,选择密码格式(Python当然就是选择PKCS1了)和密码长度,生成公钥和私钥:
生成后可在RSA密钥文件夹下查看应用的公钥和私钥,并将应用公钥上传到开放平台的开发者环境中:
3. 构造订单接口API,生成订单
查看支付接口文档:https://docs.open.alipay.com/270/alipay.trade.page.pay/可知:
支付接口的必填参数有out_trade_no(订单号)、total_amount(订单金额)、subject(订单标题),所以先构造订单接口,生成订单:
1 class OrderSnHandler(BaseHandler): 2 @authenticated 3 async def post(self, *args, **kwargs): 4 """
5 创建订单信息 6 :param request: 7 :return: 8 """
9 res_data = {} 10 req_data = self.request.body.decode("utf8") 11 req_data = json.loads(req_data) 12 post_script = req_data.get("post_script") 13 order_form = TradeOrderSnForm.from_json(req_data) 14 if order_form.validate(): 15 try: 16 order_mount = order_form.order_mount.data 17 orders_object = await self.application.objects.create( 18 OrderInfo, 19 pay_status=OrderInfo.ORDER_STATUS[4][0], 20 pay_time=datetime.now(), 21 order_sn=OrderInfo.generate_order_sn(), 22 user=self.current_user, 23 order_mount=order_mount, 24 post_script=post_script 25 ) 26 res_data["id"] = orders_object.id 27 except Exception: 28 self.set_status(400) 29 res_data["content"] = "订单创建失败"
30 else: 31 res_data["content"] = order_form.errors 32
33 self.finish(res_data)
4. 构造支付接口
(1) 构造支付接口类
流程:RSA导入公钥和私钥-->构造请求参数biz_content-->构造支付宝公共请求参数-->排序并拼接参数为规范字符串-->生成签名后的字符串-->请求支付宝接口-->对支付宝接口返回的数据进行签名比对
1 class AliPay(object): 2 """
3 支付宝支付接口 4 """
5
6 def __init__(self, appid, app_notify_url, app_private_key_path, 7 alipay_public_key_path, return_url, debug=False): 8 self.appid = appid 9 self.app_notify_url = app_notify_url 10 self.app_private_key_path = app_private_key_path 11 self.app_private_key = None 12 self.return_url = return_url 13 with open(self.app_private_key_path) as fp: 14 self.app_private_key = RSA.importKey(fp.read()) 15
16 self.alipay_public_key_path = alipay_public_key_path 17 with open(self.alipay_public_key_path) as fp: 18 self.alipay_public_key = RSA.import_key(fp.read()) 19
20 if debug is True: 21 self.__gateway = "https://openapi.alipaydev.com/gateway.do"
22 else: 23 self.__gateway = "https://openapi.alipay.com/gateway.do"
24
25 def direct_pay(self, subject, out_trade_no, total_amount, **kwargs): # NOQA
26 """
27 构造请求参数biz_content, 28 并将其放入公共请求参数中, 29 返回签名sign的data 30 :param subject: 31 :param out_trade_no: 32 :param total_amount: 33 :param kwargs: 34 :return: 35 """
36 biz_content = { 37 "subject": subject, 38 "out_trade_no": out_trade_no, 39 "total_amount": total_amount, 40 "product_code": "FAST_INSTANT_TRADE_PAY", 41 } 42
43 biz_content.update(kwargs) 44 data = self.build_body( 45 "alipay.trade.page.pay", 46 biz_content, 47 self.return_url 48 ) 49 return self.sign_data(data) 50
51 def build_body(self, method, biz_content, return_url=None): 52 """
53 构造公共请求参数 54 :param method: 55 :param biz_content: 56 :param return_url: 57 :return: 58 """
59 data = { 60 "app_id": self.appid, 61 "method": method, 62 "charset": "utf-8", 63 "sign_type": "RSA2", 64 "timestamp": datetime.now().strftime("%Y-%m-%d %H:%M:%S"), 65 "version": "1.0", 66 "biz_content": biz_content 67 } 68
69 if return_url: 70 data["notify_url"] = self.app_notify_url 71 data["return_url"] = self.return_url 72
73 return data 74
75 def sign_data(self, data): 76 """
77 拼接排序后的data,以&连接成符合规范的字符串,并对字符串签名, 78 将签名后的字符串通过quote_plus格式化, 79 将请求参数中的url格式化为safe的,获得最终的订单信息字符串 80 :param data: 81 :return: 82 """
83 # 签名中不能有sign字段
84 if "sign" in data: 85 data.pop("sign") 86
87 unsigned_items = self.ordered_data(data) 88 unsigned_string = "&".join("{0}={1}".format(k, v) for k, v in unsigned_items) 89 sign = self.sign_string(unsigned_string.encode("utf-8")) 90 quoted_string = "&".join("{0}={1}".format(k, quote_plus(v)) for k, v in unsigned_items) 91
92 signed_string = quoted_string + "&sign=" + quote_plus(sign) 93 return signed_string 94
95 def ordered_data(self, data): 96 """
97 将请求参数字典排序, 98 支付宝接口要求是拼接的有序参数字符串 99 :param data: 100 :return: 101 """
102 complex_keys = [] 103 for key, value in data.items(): 104 if isinstance(value, dict): 105 complex_keys.append(key) 106
107 for key in complex_keys: 108 data[key] = json.dumps(data[key], separators=(',', ':')) 109
110 return sorted([(k, v) for k, v in data.items()]) 111
112 def sign_string(self, unsigned_string): 113 """
114 生成签名,并进行base64 编码, 115 转换为unicode表示并去掉换行符 116 :param unsigned_string: 117 :return: 118 """
119 key = self.app_private_key 120 signer = PKCS1_v1_5.new(key) 121 signature = signer.sign(SHA256.new(unsigned_string)) 122 sign = encodebytes(signature).decode("utf8").replace("\n", "") 123 return sign 124
125 def _verify(self, raw_content, signature): 126 """
127 对支付宝接口返回的数据进行签名比对, 128 验证是否来源于支付宝 129 :param raw_content: 130 :param signature: 131 :return: 132 """
133 key = self.alipay_public_key 134 signer = PKCS1_v1_5.new(key) 135 digest = SHA256.new() 136 digest.update(raw_content.encode("utf8")) 137 if signer.verify(digest, decodebytes(signature.encode("utf8"))): 138 return True 139 return False 140
141 def verify(self, data, signature): 142 """
143 验证支付宝返回的数据,防止是伪造信息 144 :param data: 145 :param signature: 146 :return: 147 """
148 if "sign_type" in data: 149 data.pop("sign_type") 150 unsigned_items = self.ordered_data(data) 151 message = "&".join(u"{}={}".format(k, v) for k, v in unsigned_items) 152 return self._verify(message, signature)
(2) 构造支付链接接口
通过步骤3创建的订单信息生成支付链接,这里接口我采用协程+异步的方式,authenticated是自定义的JWT验证装饰器,private_key_path和ali_pub_key_path是前面生成的应用私钥和支付宝公钥文件地址
1 class GenPayLinkHandler(BaseHandler): 2 @authenticated 3 async def get(self, *args, **kwargs): 4 """
5 通过订单生成支付链接 6 :param args: 7 :param kwargs: 8 :return: 9 """
10 res_data = {} 11 order_id = get_int_or_none(self.get_argument("id", None)) 12 if not order_id: 13 self.set_status(400) 14 self.write({"content": "缺少order_id参数"}) 15
16 try: 17 order_obj = await self.application.objects.get( 18 OrderInfo, id=order_id, 19 pay_status=OrderInfo.ORDER_STATUS[4][0] 20 ) 21 out_trade_no = order_obj.order_sn 22 order_mount = order_obj.order_mount 23 subject = order_obj.post_script 24 alipay = AliPay( 25 appid=settings["ALI_APPID"], 26 app_notify_url="{}/alipay/return/".format(settings["SITE_URL"]), 27 app_private_key_path=settings["private_key_path"], 28 alipay_public_key_path=settings["ali_pub_key_path"], 29 debug=True, 30 return_url="{}/alipay/return/".format(settings["SITE_URL"]) 31 ) 32 url = alipay.direct_pay( 33 subject=subject, 34 out_trade_no=out_trade_no, 35 total_amount=order_mount, 36 return_url="{}/alipay/return/".format(settings["SITE_URL"]) 37 ) 38 re_url = settings["RETURN_URI"].format(data=url) 39 res_data["re_url"] = re_url 40 except OrderInfo.DoesNotExist: 41 self.set_status(400) 42 res_data["content"] = "订单不存在"
43
44 self.finish(res_data)
返回结果:
打开支付链接可以看到:
(3) 构造支付的回调接口
在支付完成后,支付宝会调用在开发者信息中配置的回调url,通过GET方法回调return_ul,通过POST方法发送notify主动通知商户返回服务器里指定的页面,这里分别实现return_ul和notify_url对应的接口,支付宝返回的notify_url是个异步的所以我这里也以异步的方式实现这个接口:
1 class AlipayHandler(BaseHandler): 2 def get(self, *args, **kwargs): 3 """
4 处理支付宝的return_url返回 5 :param request: 6 :return: 7 """
8 res_data = {} 9 processed_dict = {} 10 req_data = self.request.arguments 11 req_data = format_arguments(req_data) 12 for key, value in req_data.items(): 13 processed_dict[key] = value[0] 14
15 sign = processed_dict.pop("sign", None) 16 alipay = AliPay( 17 appid=settings["ALI_APPID"], 18 app_notify_url="{}/alipay/return/".format(settings["SITE_URL"]), 19 app_private_key_path=settings["private_key_path"], 20 alipay_public_key_path=settings["ali_pub_key_path"], 21 debug=True, 22 return_url="{}/alipay/return/".format(settings["SITE_URL"]) 23 ) 24
25 verify_re = alipay.verify(processed_dict, sign) 26
27 if verify_re is True: 28 res_data["content"] = "success"
29 else: 30 res_data["content"] = "Failed"
31
32 self.finish(res_data) 33
34 async def post(self, *args, **kwargs): 35 """
36 处理支付宝的notify_url 37 :param request: 38 :return: 39 """
40 processed_dict = {} 41 req_data = self.request.body_arguments 42 req_data = format_arguments(req_data) 43 for key, value in req_data.items(): 44 processed_dict[key] = value[0] 45
46 sign = processed_dict.pop("sign", None) 47 alipay = AliPay( 48 appid=settings["ALI_APPID"], 49 app_notify_url="{}/alipay/return/".format(settings["SITE_URL"]), 50 app_private_key_path=settings["private_key_path"], 51 alipay_public_key_path=settings["ali_pub_key_path"], 52 debug=True, 53 return_url="{}/alipay/return/".format(settings["SITE_URL"]) 54 ) 55
56 verify_re = alipay.verify(processed_dict, sign) 57
58 if verify_re is True: 59 order_sn = processed_dict.get('out_trade_no') 60 trade_no = processed_dict.get('trade_no') 61 trade_status = processed_dict.get('trade_status') 62
63 orders_query = OrderInfo.update( 64 pay_status=trade_status, 65 trade_no=trade_no, 66 pay_time=datetime.now() 67 ).where( 68 OrderInfo.order_sn == order_sn 69 ) 70 await self.application.objects.execute( 71 orders_query 72 ) 73
74 self.finish("success")
测试支付结果:
