Paying with Alipay from inside WeChat requires jumping to the system browser: a solution to the lost user login state
1. The existing implementation has an interface that obtains the Alipay payment link inside WeChat (requires login), a callback interface (requires a signature), and a query interface (requires login). Because online payment can now only be completed in the system browser, the query interface has to be made accessible to visitors (users who are not logged in). To keep it secure, it was decided to protect it with signature authentication.
2. The interface that obtains the payment link is implemented as follows:
<?php
namespace API\Helpers;
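class AlipayQuerySignerHelper
{
    /**
     * Compute the HMAC-SHA256 signature of a flat key/value payload.
     *
     * The payload is sorted by key and serialised as key=value&key2=value2
     * (RFC 3986 encoding), so the same fields always give the same signature
     * regardless of the order they arrive in. Only top-level keys are sorted,
     * and http_build_query() skips null values, so callers should sign flat,
     * non-null scalar fields.
     *
     * @param array  $data   Data to be signed (key-value pairs)
     * @param string $secret Signing key
     * @return string Lower-case hexadecimal HMAC-SHA256 signature
     */
    public static function sign(array $data, string $secret): string
    {
        // Canonical order: sender and verifier must serialise identically.
        ksort($data);

        // Serialise as key=value&key2=value2.
        $queryString = http_build_query($data, '', '&', PHP_QUERY_RFC3986);

        return hash_hmac('sha256', $queryString, $secret);
    }

    /**
     * Verify a signed payload produced with sign().
     *
     * Every field in $data except query_sign is covered by the signature, so
     * the caller must pass exactly the fields that were signed.
     *
     * The signature is not single-use: it stays valid for the whole tolerance
     * window, so anyone holding the signed parameters can repeat the query
     * until it expires.
     *
     * NOTE(review): the default window is 6000 seconds (100 minutes). The
     * original docblock said 600 seconds and the inline comment said
     * "±5 minutes" - confirm which value is intended and pass it explicitly.
     *
     * @param array  $data    Data to verify (must contain query_sign and query_timestamp)
     * @param string $secret  Signing key
     * @param int    $timeout Allowed clock difference in seconds, in either direction
     * @return bool True only when the timestamp is inside the window and the signature matches
     */
    public static function verify(array $data, string $secret, int $timeout = 6000): bool
    {
        if (!isset($data['query_sign'], $data['query_timestamp'])) {
            return false;
        }

        // Request parameters are attacker-controlled and may be arrays
        // (e.g. query_sign[]=x). Reject anything that is not the expected
        // scalar shape instead of letting arithmetic or hash_equals() throw.
        $providedSign = $data['query_sign'];
        if (!is_string($providedSign)) {
            return false;
        }

        $timestamp = $data['query_timestamp'];
        if (is_string($timestamp) && ctype_digit($timestamp)) {
            $timestamp = (int) $timestamp;
        }
        if (!is_int($timestamp)) {
            return false;
        }

        // Reject timestamps outside the tolerance window (past or future).
        if (abs(time() - $timestamp) > $timeout) {
            return false;
        }

        // The signature itself is never part of the signed data.
        unset($data['query_sign']);
        $expectedSign = self::sign($data, $secret);

        // Constant-time comparison, known value first.
        return hash_equals($expectedSign, $providedSign);
    }
}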
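// In the "get payment link" endpoint: sign the fields that the visitor-accessible
// query endpoint will later rely on in place of the login session.
// (String quoting and identifier casing were restored from a machine-translated listing.)
$payload = [
    'query_order_id' => $order->id,
    'query_user_id' => $order->user_id,
    'query_timestamp' => time(),
];
$secret = Yii::$app->params['alipayQuerySignatureKey'];
$sign = AlipayQuerySignerHelper::sign($payload, $secret);
$query = array_merge($payload, ['query_sign' => $sign]);
$queryString = http_build_query($query);

// convention_id, ticket_id and _version are appended outside the signature.
// verify() signs every field it is given, so the page must send back only the
// query_* fields, and the server must not trust the unsigned ones.
// NOTE(review): the page uses both $order and $TicketOrder - confirm they refer
// to the same order, otherwise the signed ids and the URL ids can disagree.
$returnURL = Yii::$app->params['frontendDomainHttps']
    . '/convention/#/pages/ticket_payment_result/ticket_payment_result?convention_id=' . $TicketOrder->convention_id
    . '&ticket_id=' . $TicketOrder->id
    . '&_version=2&' . $queryString;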
3. The query interface is implemented as follows; the interface response is shown in Figure 1.
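// In the query endpoint (now reachable without login): the signature is the only
// proof that the caller was handed these parameters by the payment-link endpoint.
// (String quoting and key casing were restored from a machine-translated listing.)
$params = Yii::$app->request->post();
$secret = Yii::$app->params['alipayQuerySignatureKey'];
if (!AlipayQuerySignerHelper::verify($params, $secret)) {
    return [
        'code' => 10010,
        'message' => 'Signature verification failed',
    ];
}

// NOTE(review): after verify() succeeds, the order should be looked up from the
// signed $params['query_order_id'] and its user_id compared with the signed
// $params['query_user_id']; any order id taken from an unsigned parameter would
// bypass the check. The lookup is not shown on this page - confirm.

// Session-based ownership check, disabled because the visitor has no login state
// in the system browser:
// if (strcmp($order->user_id, Yii::$app->user->id) != 0) {
//     return [
//         'code' => 10008,
//         'message' => 'you do not have permission to do this',
//     ];
// }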
