Tighten WeChat payment resume flow

2026-04-21 00:33:23 +08:00
parent 1521d50399
commit 55e8dd550a
15 changed files with 514 additions and 98 deletions
--- a/frontend/src/views/user/tests/PaymentResultView.spec.ts
+++ b/frontend/src/views/user/tests/PaymentResultView.spec.ts
@ -157,6 +157,25 @@ describe('PaymentResultView', () => {
    expect(wrapper.text()).toContain('payment.result.success')
  })

+  it('does not use public out_trade_no verification for bare order numbers without legacy return markers', async () => {
+    routeState.query = {
+      out_trade_no: 'legacy-bare',
+    }
+
+    mount(PaymentResultView, {
+      global: {
+        stubs: {
+          OrderStatusBadge: true,
+        },
+      },
+    })
+
+    await flushPromises()
+
+    expect(verifyOrderPublic).not.toHaveBeenCalled()
+    expect(verifyOrder).not.toHaveBeenCalled()
+  })
+
  it('resolves order by resume token when local recovery snapshot is missing', async () => {
    routeState.query = {
      resume_token: 'resume-77',
--- a/frontend/src/views/user/tests/paymentWechatResume.spec.ts
+++ b/frontend/src/views/user/tests/paymentWechatResume.spec.ts
@ -0,0 +1,56 @@
+import { describe, expect, it } from 'vitest'
+import { parseWechatResumeRoute, stripWechatResumeQuery } from '../paymentWechatResume'
+
+describe('parseWechatResumeRoute', () => {
+  it('prefers the opaque resume token over legacy openid query params', () => {
+    expect(parseWechatResumeRoute({
+      wechat_resume: '1',
+      wechat_resume_token: 'resume-token-123',
+      openid: 'openid-123',
+      payment_type: 'wxpay',
+      amount: '12.5',
+      order_type: 'subscription',
+      plan_id: '7',
+    }, [], 88)).toEqual({
+      wechatResumeToken: 'resume-token-123',
+      paymentType: 'wxpay',
+      orderType: 'balance',
+      orderAmount: 0,
+    })
+  })
+
+  it('falls back to legacy openid-based resume when opaque token is absent', () => {
+    expect(parseWechatResumeRoute({
+      wechat_resume: '1',
+      openid: 'openid-123',
+      payment_type: 'wxpay',
+      amount: '12.5',
+      order_type: 'balance',
+    }, [], 88)).toEqual({
+      openid: 'openid-123',
+      paymentType: 'wxpay',
+      orderType: 'balance',
+      orderAmount: 12.5,
+      planId: undefined,
+    })
+  })
+})
+
+describe('stripWechatResumeQuery', () => {
+  it('removes both opaque-token and legacy resume params from the route query', () => {
+    expect(stripWechatResumeQuery({
+      foo: 'bar',
+      wechat_resume: '1',
+      wechat_resume_token: 'resume-token-123',
+      openid: 'openid-123',
+      payment_type: 'wxpay',
+      amount: '12.5',
+      order_type: 'subscription',
+      plan_id: '7',
+      state: 'state-123',
+      scope: 'snsapi_base',
+    })).toEqual({
+      foo: 'bar',
+    })
+  })
+})