soul/lib/wechat-transfer.ts

/**
 * 微信支付 V3 - 商家转账到零钱
 * 文档: 开发文档/提现功能完整技术文档.md
 */

import crypto from 'crypto'
import fs from 'fs'
import path from 'path'

const BASE_URL = 'https://api.mch.weixin.qq.com'

export interface WechatTransferConfig {
  mchId: string
  appId: string
  apiV3Key: string
  privateKeyPath?: string
  privateKeyContent?: string
  certSerialNo: string
}

function getConfig(): WechatTransferConfig {
  const mchId = process.env.WECHAT_MCH_ID || process.env.WECHAT_MCHID || ''
  const appId = process.env.WECHAT_APP_ID || process.env.WECHAT_APPID || 'wxb8bbb2b10dec74aa'
  const apiV3Key = process.env.WECHAT_API_V3_KEY || process.env.WECHAT_MCH_KEY || ''
  const keyPath = process.env.WECHAT_KEY_PATH || process.env.WECHAT_MCH_PRIVATE_KEY_PATH || ''
  const keyContent = process.env.WECHAT_MCH_PRIVATE_KEY || ''
  const certSerialNo = process.env.WECHAT_MCH_CERT_SERIAL_NO || ''
  return {
    mchId,
    appId,
    apiV3Key,
    privateKeyPath: keyPath,
    privateKeyContent: keyContent,
    certSerialNo,
  }
}

function getPrivateKey(): string {
  const cfg = getConfig()
  if (cfg.privateKeyContent) {
    const key = cfg.privateKeyContent.replace(/\\n/g, '\n')
    if (!key.includes('BEGIN')) {
      return `-----BEGIN PRIVATE KEY-----\n${key}\n-----END PRIVATE KEY-----`
    }
    return key
  }
  if (cfg.privateKeyPath) {
    const p = path.isAbsolute(cfg.privateKeyPath) ? cfg.privateKeyPath : path.join(process.cwd(), cfg.privateKeyPath)
    return fs.readFileSync(p, 'utf8')
  }
  throw new Error('微信商户私钥未配置: WECHAT_MCH_PRIVATE_KEY 或 WECHAT_KEY_PATH')
}

function generateNonce(length = 32): string {
  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
  let s = ''
  for (let i = 0; i < length; i++) {
    s += chars.charAt(Math.floor(Math.random() * chars.length))
  }
  return s
}

/** 生成请求签名 */
function buildSignature(method: string, urlPath: string, timestamp: string, nonce: string, body: string): string {
  const message = `${method}\n${urlPath}\n${timestamp}\n${nonce}\n${body}\n`
  const key = getPrivateKey()
  const sign = crypto.createSign('RSA-SHA256')
  sign.update(message)
  return sign.sign(key, 'base64')
}

/** 构建 Authorization 头 */
function buildAuthorization(timestamp: string, nonce: string, signature: string): string {
  const cfg = getConfig()
  return `WECHATPAY2-SHA256-RSA2048 mchid="${cfg.mchId}",nonce_str="${nonce}",signature="${signature}",timestamp="${timestamp}",serial_no="${cfg.certSerialNo}"`
}

export interface CreateTransferParams {
  openid: string
  amountFen: number
  outDetailNo: string
  outBatchNo?: string
  transferRemark?: string
}

export interface CreateTransferResult {
  success: boolean
  outBatchNo?: string
  batchId?: string
  createTime?: string
  batchStatus?: string
  errorCode?: string
  errorMessage?: string
}

/**
 * 发起商家转账到零钱
 */
export async function createTransfer(params: CreateTransferParams): Promise<CreateTransferResult> {
  const cfg = getConfig()
  if (!cfg.mchId || !cfg.appId || !cfg.apiV3Key || !cfg.certSerialNo) {
    return { success: false, errorCode: 'CONFIG_ERROR', errorMessage: '微信转账配置不完整' }
  }

  const urlPath = '/v3/transfer/batches'
  const outBatchNo = params.outBatchNo || `B${Date.now()}${Math.random().toString(36).slice(2, 8)}`
  const body = {
    appid: cfg.appId,
    out_batch_no: outBatchNo,
    batch_name: '提现',
    batch_remark: params.transferRemark || '用户提现',
    total_amount: params.amountFen,
    total_num: 1,
    transfer_detail_list: [
      {
        out_detail_no: params.outDetailNo,
        transfer_amount: params.amountFen,
        transfer_remark: params.transferRemark || '提现',
        openid: params.openid,
      },
    ],
    transfer_scene_id: '1005',
    transfer_scene_report_infos: [
      { info_type: '岗位类型', info_content: '兼职人员' },
      { info_type: '报酬说明', info_content: '当日兼职费' },
    ],
  }
  const bodyStr = JSON.stringify(body)
  const timestamp = Math.floor(Date.now() / 1000).toString()
  const nonce = generateNonce()
  const signature = buildSignature('POST', urlPath, timestamp, nonce, bodyStr)
  const authorization = buildAuthorization(timestamp, nonce, signature)

  const res = await fetch(`${BASE_URL}${urlPath}`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Accept: 'application/json',
      Authorization: authorization,
      'User-Agent': 'Soul-Withdraw/1.0',
    },
    body: bodyStr,
  })
  const data = (await res.json()) as Record<string, unknown>
  if (res.ok && res.status >= 200 && res.status < 300) {
    return {
      success: true,
      outBatchNo: data.out_batch_no as string,
      batchId: data.batch_id as string,
      createTime: data.create_time as string,
      batchStatus: data.batch_status as string,
    }
  }
  return {
    success: false,
    errorCode: (data.code as string) || 'UNKNOWN',
    errorMessage: (data.message as string) || (data.error as string) as string || '请求失败',
  }
}

/**
 * 解密回调 resource（AEAD_AES_256_GCM）
 */
export function decryptResource(
  ciphertext: string,
  nonce: string,
  associatedData: string,
  apiV3Key: string
): Record<string, unknown> {
  if (apiV3Key.length !== 32) {
    throw new Error('APIv3密钥必须为32字节')
  }
  const key = Buffer.from(apiV3Key, 'utf8')
  const ct = Buffer.from(ciphertext, 'base64')
  const authTag = ct.subarray(ct.length - 16)
  const data = ct.subarray(0, ct.length - 16)
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(nonce, 'utf8'))
  decipher.setAuthTag(authTag)
  decipher.setAAD(Buffer.from(associatedData, 'utf8'))
  const dec = decipher.update(data) as Buffer
  const final = decipher.final() as Buffer
  const json = Buffer.concat([dec, final]).toString('utf8')
  return JSON.parse(json) as Record<string, unknown>
}

/**
 * 验证回调签名（需平台公钥，可选）
 */
export function verifyCallbackSignature(
  timestamp: string,
  nonce: string,
  body: string,
  signature: string,
  publicKeyPem: string
): boolean {
  const message = `${timestamp}\n${nonce}\n${body}\n`
  const sigBuf = Buffer.from(signature, 'base64')
  const verify = crypto.createVerify('RSA-SHA256')
  verify.update(message)
  return verify.verify(publicKeyPem, sigBuf)
}

export interface TransferNotifyDecrypted {
  mch_id: string
  out_bill_no: string
  transfer_bill_no?: string
  transfer_amount?: number
  state: string
  openid?: string
  create_time?: string
  update_time?: string
}