APP payment interface: alipay.trade.app.pay
Server-side usage framework: TP5
Log on to the Ant Financial Open Platform -> Create application -> Add the App payment function. See the official documents for details.
Download the official SDK (PHP version). Current SDK version: 106; generation time: 2017-07-25 11:46:10.
Put the SDK source code in an Alipay folder under the TP5 vendor directory (adjust this to suit the framework actually in use).
Payment interface calling principle
1. APP payment system architecture
APP payment system architecture diagram
2. Principles of data verification
Data checking principle
Application public key (RSA public key of the merchant itself): Alipay uses this public key to verify that the transaction is initiated by the merchant.
Alipay public key (RSA public key of Alipay): The merchant uses this public key to verify that the result is returned by Alipay.
3. System interaction process
System interaction flow chart
4. The specific implementation process of the payment scenario (the most detailed explanation)
When integrating App payment, it is recommended to implement the following payment process: create an order and pay, determine the payment status from the returned results, and handle the corresponding exceptions. The process is shown in the figure below.
The specific implementation process of payment scenario
The merchant APP creates an order and calls the Alipay APP to pay, as shown in the figure above. Based on the payment results returned in steps 2.2 and 3, determine the payment status and handle exceptions accordingly (closing the order if necessary).
Code implementation
Step 1: the merchant APP side requests the merchant server interface and submits the order data.
Step 2: The merchant server receives the data, signs it, and returns the request parameters to the merchant APP.
Official interface file: /204/ 105465/
-The code is as follows:
// vendor() is a TP5 framework helper used to import third-party class libraries.
vendor('Alipay.aop.AopClient');
vendor('Alipay.aop.request.AlipayTradeAppPayRequest');
// Instantiate the payment client
$aop = new \AopClient();
$aop->gatewayUrl = "/gateway.do"; // Alipay gateway
$aop->appId = "application Id, fill in your AppId";
$aop->rsaPrivateKey = "merchant private key, your original RSA private key";
$aop->alipayrsaPublicKey = "Alipay public key";
$aop->apiVersion = '1.0';
$aop->signType = "signature method, such as RSA2";
$aop->postCharset = 'UTF-8';
$aop->format = "json";
// Instantiate the request class for the specific API; the class name corresponds to the interface name. The interface called here is alipay.trade.app.pay
$appRequest = new \AlipayTradeAppPayRequest();
// The SDK has already encapsulated the public parameters; only business parameters need to be passed in here.
$bizcontent = json_encode([
    'body' => 'Balance Recharge', // Order description
    'subject' => 'Top-up', // Order title
    'timeout_express' => '30m',
    'out_trade_no' => '20170125test01', // Unique order number on the merchant website
    'total_amount' => '0.01', // Total order amount
    'product_code' => 'QUICK_MSECURITY_PAY', // Fixed value
]);
$appRequest->setNotifyUrl($url); // Set the asynchronous notification address
$appRequest->setBizContent($bizcontent);
// Unlike ordinary interface calls, sdkExecute is used here.
$response = $aop->sdkExecute($appRequest);
// htmlspecialchars prevents the browser from HTML-escaping the key parameters when the result is output to a page; when actually printing to the log and
/payment_notify&sign_type=RSA2&timestamp=2016-08-25 20:26:31&version=1.0
2) Then sign the original string.
app_id=2015052600090779&biz_content={"timeout_express":"30m","product_code":"QUICK_MSECURITY_PAY","total_amount":"0.01","subject":"1","body":。charset=utf-8&format=json&method=alipay.trade.app.pay?ify_url=/payment_notify。sign_type=RSA2&timestamp=2016-08-25 20:26:31&version=1.0&sign=cymuunki5qdbsosozaebmxvmmrwjsuuj+y48a2dvwavvbukibj13cfhu2vzqvmofkje0yqcuqe04QM9XG3tix8tpeigiftsiyp/m45w1zsdidubbdugfro1xrsvayvav2hcrbllrdi5VI7uzz77lo5j0ppuuwwyqgt04cj8g=
3) Finally, URL-encode every first-level value of the request string (biz_content counts as a single value). The encoding follows the charset given in the request string; if no character set is passed, UTF-8 is assumed. This gives the final request string:
app_id=2015052600090779&biz_content=%7B%22timeout_express%22%3A%2230m%22%2C%22product_code%22%3A%22QUICK_MSECURITY_PAY%22%2C%22total_amount%22%3A%220.01%22%2C%22subject%22%3A%221%22%2C%22body%22%3A%22%E6%charset=utf-8&format=json&method=alipay.trade.app.pay?ify_url=%payment_notify&sign_type=RSA2&timestamp=2016-08-25%2020%3A26%3A31&version=1.0&sign=cymuunki5qdbsosozaebmxvmmrwjsuuj%2by48a2dvwavvbuykibj13cfhu2vzqvmofkje0yqcuqe04QM9XG3tix8tpeigiftsiyp%2fm45w1zsdidubbdugfro1xrsvayVAV2hcrbllrdi5VI7uzz7l05j0ppuuwwyqgt0M4gj8g%3D
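The sign-then-encode order described in steps 2) and 3), as an added example that is not part of the original article or the Alipay SDK. It assumes the usual construction of the original string (parameters sorted by key and joined as key=value pairs); the function names, the throwaway key pair and the parameter values are constructed for illustration.

```php
<?php
// Added example, not SDK code. The key pair and parameter values are constructed.

// Original string: drop "sign" and empty values, sort by key, join k=v with "&".
function buildSignContent(array $params): string
{
    unset($params['sign']);
    ksort($params);
    $pairs = [];
    foreach ($params as $k => $v) {
        if ($v !== '' && $v !== null) {
            $pairs[] = $k . '=' . $v;
        }
    }
    return implode('&', $pairs);
}

// RSA2 = SHA256withRSA over the unencoded original string, base64-encoded.
// Only after signing is each first-level value URL-encoded.
function buildOrderString(array $params, $privateKey): string
{
    if (!openssl_sign(buildSignContent($params), $raw, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('openssl_sign failed');
    }
    $params['sign'] = base64_encode($raw);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Receiving side: decode, rebuild the original string, verify with the public key.
function verifyOrderString(string $orderString, string $publicPem): bool
{
    parse_str($orderString, $p);
    $sig = base64_decode($p['sign'] ?? '', true);
    return $sig !== false
        && openssl_verify(buildSignContent($p), $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$orderString = buildOrderString([
    'app_id' => '2015052600090779', 'method' => 'alipay.trade.app.pay',
    'charset' => 'utf-8', 'sign_type' => 'RSA2', 'version' => '1.0',
    'timestamp' => '2016-08-25 20:26:31',
    'biz_content' => json_encode(['out_trade_no' => '20170125test01', 'total_amount' => '0.01']),
], $key);

var_dump(verifyOrderString($orderString, $publicPem));                              // as signed
var_dump(verifyOrderString(str_replace('0.01', '9.99', $orderString), $publicPem)); // amount altered
```

Because the signature covers biz_content, an amount changed after the merchant server has signed the string no longer verifies against the application public key.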
Step 3: The merchant APP receives the request parameters returned by the merchant server and then invokes the Alipay payment panel.
If the user pays successfully, Alipay will synchronously return a payment result to the merchant APP. Correspondingly, Alipay will also return a payment result to the merchant server through asynchronous notification.
Note: Both the synchronous and the asynchronous notification can serve as proof that payment is complete, and the asynchronous notification is always sent by Alipay to the merchant server. To simplify integration, the merchant can therefore treat the synchronous result only as a notice that the payment flow has ended (skipping its verification), and let the server's asynchronous notification alone decide whether the payment actually succeeded.
Step 4: Asynchronous notification handling on the server (Alipay actively initiates the notification, which invokes this method).
Official interface file: /204/ 10530 1/
Note:
1) You must ensure that the server's asynchronous notification page (notify_url) outputs no other characters, such as spaces, HTML tags, or exception messages thrown by the development system.
2) Alipay sends the notification via POST, so parameters on this page are read from $_POST, for example: $_POST['out_trade_no'];
3) After the program finishes, it must print "success" (without quotation marks). If what the merchant returns to Alipay is not the seven characters success, the Alipay server keeps resending the notice until it exceeds 24 hours and 22 minutes. Generally, eight notifications are completed within 25 hours (notification frequency is generally 4m, 10m, 10m, 1h, 2h, 6h, 15h);
4) Once the merchant has received the server's asynchronous notification and printed success, the notify_id parameter of that notification becomes invalid.
-The code is as follows:
$aop = new \AopClient();
$aop->alipayrsaPublicKey = 'Please fill in Alipay public key, a string';
$flag = $aop->rsaCheckV1($_POST, NULL, "RSA2"); // Verify the signature
if ($flag) {
    // Check the correctness of the notification data
    $out_trade_no = $_POST['out_trade_no']; // Merchant order number
    $trade_no = $_POST['trade_no']; // Alipay transaction number
    $trade_status = $_POST['trade_status']; // Transaction status
    $total_amount = $_POST['total_amount']; // Actual amount of the order
    $app_id = $_POST['app_id'];
    if ($app_id != $this->config['app_id']) exit('fail'); // Verify that the app_id is the merchant's own.
    // Alipay considers the buyer's payment successful only when the notification status is TRADE_SUCCESS or TRADE_FINISHED.
    if ($trade_status != 'TRADE_FINISHED' && $trade_status != 'TRADE_SUCCESS')
        exit('fail');
    // Verify the correctness of the order.
    if (!empty($out_trade_no)) {
        // 1. Verify that out_trade_no in the notification is an order number created in the merchant system;
        // 2. Check that total_amount is the actual amount of the order (that is, the amount when the merchant order was created);
        // 3. Check that the seller_id (or seller_email) in the notification is the operator for the out_trade_no document (a merchant may have more than one seller_id/seller_email).
        // If any of checks 1, 2 and 3 fails, the notification is abnormal and must be ignored. Once they pass, the merchant must handle each type of Alipay business notification correctly and filter out duplicate notifications.
        // If verification succeeds, respond with success; if it fails, respond with fail.
    }
    exit('fail');
}
echo "fail"; // Signature verification failed.
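One way to fill in checks 1 to 3 and the duplicate filtering that the comments above leave open, as an added example that is not from the original article or the SDK. It assumes the signature has already passed rsaCheckV1; the function names, the in-memory $orders array standing in for the order table, and all identifiers and amounts are constructed.

```php
<?php
// Added example, not SDK code. Runs after rsaCheckV1() has accepted the signature.
// $orders stands in for the merchant order table; all values are constructed.

// Parse "12.30" into integer cents so amounts are never compared as floats.
function toCents(string $amount): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $amount, $m)) {
        return null;
    }
    return (int) $m[1] * 100 + (int) str_pad($m[2] ?? '', 2, '0');
}

// Returns the body to print back to Alipay: "success" or "fail".
function handleNotification(array $n, array &$orders, string $ownAppId): string
{
    foreach (['app_id', 'out_trade_no', 'trade_status', 'total_amount', 'seller_id'] as $f) {
        if (!isset($n[$f]) || !is_string($n[$f])) {
            return 'fail';
        }
    }
    if ($n['app_id'] !== $ownAppId) return 'fail';
    if (!in_array($n['trade_status'], ['TRADE_SUCCESS', 'TRADE_FINISHED'], true)) return 'fail';
    $order = $orders[$n['out_trade_no']] ?? null;
    if ($order === null) return 'fail';                                  // check 1
    if (toCents($n['total_amount']) !== $order['cents']) return 'fail';  // check 2
    if ($n['seller_id'] !== $order['seller_id']) return 'fail';          // check 3
    if (!$order['paid']) {
        // First valid notification: mark paid. A real system must do this atomically.
        $orders[$n['out_trade_no']]['paid'] = true;
    }
    return 'success'; // a duplicate is acknowledged without crediting the order twice
}

$orders = ['20170125test01' => ['cents' => 1, 'seller_id' => '2088000000000001', 'paid' => false]];
$good = ['app_id' => '2015052600090779', 'out_trade_no' => '20170125test01',
         'trade_status' => 'TRADE_SUCCESS', 'total_amount' => '0.01',
         'seller_id' => '2088000000000001'];

foreach ([
    'valid'         => $good,
    'duplicate'     => $good,
    'wrong amount'  => ['total_amount' => '0.10'] + $good,
    'other app'     => ['app_id' => '2015000000000000'] + $good,
    'unknown order' => ['out_trade_no' => 'nope'] + $good,
] as $label => $n) {
    echo $label, ': ', handleNotification($n, $orders, '2015052600090779'), PHP_EOL;
}
```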
Step 5: When the merchant APP receives Alipay's synchronous return result as success, the merchant APP requests the merchant server API to judge the final payment result of the order again and make a final response.