实现支付系统的商业闭环。

app.py

@@ -8,6 +8,7 @@ from huggingface_hub import hf_hub_download, HfApi
 import hashlib
 import urllib.parse
 import urllib.request
+import urllib.error  # 【新增】：用于捕获 HTTPError 以判断私有库状态
 import os
 import 数据库连接 as db
 
@@ -16,7 +17,7 @@ from router_items import router as items_router
 from router_comments import router as comments_router
 from router_messages import router as messages_router
 from router_wallet import router as wallet_router
-from router_proxy import router as proxy_router # 【新增】：导入新的代理路由
+from router_proxy import router as proxy_router # 导入代理路由
 
 from database_sql import init_sql_db, get_db
 from models_sql import Ownership
@@ -41,7 +42,7 @@ app.include_router(items_router)
 app.include_router(comments_router)
 app.include_router(messages_router)
 app.include_router(wallet_router)
-app.include_router(proxy_router) # 【新增】：挂载私有库 ZIP 下载路由
+app.include_router(proxy_router) 
 
 @app.get("/")
 def read_root(): 
@@ -92,8 +93,35 @@ async def validate_resource(req: ValidateRequest):
     itype = item.get("type", "")
     
     if itype.startswith("tool"):
+        headers = {'User-Agent': 'Mozilla/5.0'}
+        # 【核心升级】：提取该资源绑定的私有库密匙，如果没有则用全局兜底
+        github_token = item.get("github_token") or os.environ.get("GITHUB_PAT")
+        
+        if github_token and link.startswith("https://github.com/"):
+            # 针对私有库：调用 GitHub API 带着 Token 进行身份核验探测
+            repo_parts = link.rstrip("/").split("/")
+            if len(repo_parts) >= 2:
+                owner, repo = repo_parts[-2], repo_parts[-1]
+                api_link = f"https://api.github.com/repos/{owner}/{repo}"
+                headers["Authorization"] = f"Bearer {github_token}"
+                headers["Accept"] = "application/vnd.github.v3+json"
+                try:
+                    req_obj = urllib.request.Request(api_link, method="GET", headers=headers)
+                    with urllib.request.urlopen(req_obj, timeout=5) as response:
+                        if response.status >= 400:
+                            return JSONResponse(content={"error": "私有仓库访问失败，可能密匙已失效"}, status_code=400)
+                except urllib.error.HTTPError as e:
+                    # 如果抛出 HTTPError (如 401 Unauthorized 或 404 Not Found)，说明 Token 假了或库被删了
+                    return JSONResponse(content={"error": f"该私有库的访问密匙已失效或仓库已被原作者删除 (HTTP {e.code})"}, status_code=400)
+                except Exception:
+                    return JSONResponse(content={"error": "无法连接到 GitHub 验证仓库有效性"}, status_code=400)
+                
+                # 走到这里说明私有库和密匙都是 100% 有效的，放行！
+                return {"status": "success"}
+
+        # 针对普通公开库的无感探测
         try:
-            req_obj = urllib.request.Request(link, method="HEAD", headers={'User-Agent': 'Mozilla/5.0'})
+            req_obj = urllib.request.Request(link, method="HEAD", headers=headers)
             with urllib.request.urlopen(req_obj, timeout=5) as response:
                 if response.status >= 400:
                     return JSONResponse(content={"error": "原作者的 Git 仓库已失效或设为私有"}, status_code=400)

requirements.txt

@@ -6,4 +6,5 @@ datasets
 python-multipart
 alibabacloud_dysmsapi20170525==2.0.24
 sqlalchemy
-httpx
+httpx
+python-alipay-sdk

router_wallet.py

@@ -1,9 +1,10 @@
 # router_wallet.py
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 from sqlalchemy.orm import Session
 import time
 import uuid
 import hashlib
+import os
 from database_sql import get_db
 from models_sql import Wallet, Transaction, Ownership
 from models import RechargeRequest, WithdrawRequest, PurchaseRequest
@@ -12,6 +13,26 @@ from router_users import VERIFY_CODES
 
 router = APIRouter()
 
+# =======================================================
+# 🏦 支付宝 SDK 初始化 (带防崩溃保护)
+# =======================================================
+try:
+    from alipay import AliPay
+    from alipay.utils import AliPayConfig
+    alipay = AliPay(
+        appid=os.environ.get("ALIPAY_APPID", ""),
+        app_notify_url="https://zhiwei666-comfyui-ranking-api.hf.space/api/wallet/alipay_notify",
+        app_private_key_string=os.environ.get("ALIPAY_PRIVATE_KEY", "").replace("\\n", "\n"),
+        alipay_public_key_string=os.environ.get("ALIPAY_PUBLIC_KEY", "").replace("\\n", "\n"),
+        sign_type="RSA2",
+        debug=False, # 生产环境设为 False
+        config=AliPayConfig(timeout=15)
+    )
+except Exception as e:
+    alipay = None
+    print("⚠️ 支付宝 SDK 初始化跳过 (环境变量未配置，处于开发模式):", e)
+
+
 def calculate_tx_hash(tx_id, account, tx_type, amount, prev_hash):
     """计算哈希值：依赖前一笔订单的哈希，实现链式防篡改"""
     data = f"{tx_id}{account}{tx_type}{amount}{prev_hash}"
@@ -29,20 +50,83 @@ def record_transaction(db: Session, account: str, tx_type: str, amount: int, tar
     db.add(new_tx)
     return new_tx
 
-@router.post("/api/wallet/recharge")
-async def recharge_points(req: RechargeRequest, db: Session = Depends(get_db)):
-    """充值接口"""
-    wallet = db.query(Wallet).filter(Wallet.account == req.account).first()
-    if not wallet:
-        wallet = Wallet(account=req.account)
-        db.add(wallet)
-    
-    # 模拟支付成功后直接给用户加钱
-    wallet.balance += req.amount
-    record_transaction(db, req.account, "RECHARGE", req.amount, "MOCK_ALIPAY_ORDER")
-    
+# =======================================================
+# 💰 充值入金链路 (真实预下单 -> 扫码 -> 异步回调 -> 查单)
+# =======================================================
+
+@router.post("/api/wallet/create_recharge_order")
+async def create_recharge_order(req: RechargeRequest, db: Session = Depends(get_db)):
+    """生成真实的支付宝当面付二维码"""
+    if not alipay:
+        raise HTTPException(status_code=500, detail="后台未配置支付密钥，暂不支持真实付款")
+
+    # 1. 使用 target_id 存储订单状态 "PENDING"，不影响哈希校验
+    tx = record_transaction(db, req.account, "RECHARGE", req.amount, "PENDING")
+    out_trade_no = tx.tx_id
     db.commit()
-    return {"status": "success", "balance": wallet.balance}
+
+    try:
+        # 2. 向支付宝发起真实预下单
+        result = alipay.api_alipay_trade_precreate(
+            subject=f"ComfyUI社区精选 - 充值 {req.amount} 积分",
+            out_trade_no=out_trade_no,
+            total_amount=str(req.amount),
+        )
+        if result.get("code") == "10000":
+            return {"status": "success", "order_id": out_trade_no, "qr_code_url": result.get("qr_code")}
+        else:
+            raise HTTPException(status_code=500, detail=f"生成支付码失败: {result.get('msg')}")
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"支付接口异常: {str(e)}")
+
+@router.post("/api/wallet/alipay_notify")
+async def alipay_notify(request: Request, db: Session = Depends(get_db)):
+    """🚨 核心：接收支付宝付款成功的异步回调，验签并加钱"""
+    data = dict(await request.form())
+    signature = data.pop("sign", None)
+
+    if not alipay or not signature:
+        return "fail"
+
+    # 1. 严格验签，防伪造
+    success = alipay.verify(data, signature)
+    if success and data.get("trade_status") in ("TRADE_SUCCESS", "TRADE_FINISHED"):
+        out_trade_no = data.get("out_trade_no")
+        total_amount = float(data.get("total_amount", 0))
+
+        # 2. 悲观锁查询该笔 PENDING 订单，防并发重复加款
+        tx = db.query(Transaction).filter(Transaction.tx_id == out_trade_no).with_for_update().first()
+        if not tx or tx.target_id == "SUCCESS":
+            return "success" # 已经处理过，直接返回成功让支付宝停止轰炸
+
+        if tx.amount != int(total_amount):
+            return "fail" # 金额对不上，拦截黑客攻击
+
+        # 3. 安全加款
+        wallet = db.query(Wallet).filter(Wallet.account == tx.account).with_for_update().first()
+        if not wallet:
+            wallet = Wallet(account=tx.account)
+            db.add(wallet)
+
+        wallet.balance += tx.amount
+        tx.target_id = "SUCCESS" # 将流水标记为已完成
+        db.commit()
+
+        return "success" # 必须返回纯文本 success 给支付宝
+    return "fail"
+
+@router.get("/api/wallet/check_order/{order_id}")
+async def check_order(order_id: str, db: Session = Depends(get_db)):
+    """前端轮询查单接口"""
+    tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
+    if not tx:
+        raise HTTPException(status_code=404, detail="订单不存在")
+    return {"status": tx.target_id} # 返回 PENDING 或 SUCCESS
+
+
+# =======================================================
+# 🛒 消费闭环链路
+# =======================================================
 
 @router.post("/api/wallet/purchase")
 async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
@@ -54,36 +138,27 @@ async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
     price = int(item.get("price", 0))
     author = item.get("author")
     
-    # 1. 优先检查是否已经购买或获取过 (核心：无论后续怎么改价，只要所有权表里有你，直接放行)
     owned = db.query(Ownership).filter(Ownership.account == req.account, Ownership.item_id == req.item_id).first()
-    if owned: return {"status": "success", "message": "已永久授权，无需重复扣费"}
+    if owned: 
+        return {"status": "success", "message": "已永久授权，无需重复扣费", "already_owned": True}
     
-    # ==========================================
-    # 2. 【核心修改】免费商品或创作者本人的“0元购”固化
-    # ==========================================
     if price <= 0 or req.account == author:
-        # 直接写入所有权表，赋予永久权限
         new_owner = Ownership(account=req.account, item_id=req.item_id)
         db.add(new_owner)
-        # 记录一笔金额为 0 的流水，保证账本的完整溯源
         record_transaction(db, req.account, "CONSUME", 0, req.item_id)
         db.commit()
-        return {"status": "success", "message": "免费商品或创作者本人，已永久授权"}
+        return {"status": "success", "message": "免费商品或创作者本人，已永久授权", "already_owned": True}
         
-    # 3. 开启数据库锁防止并发重复扣款 (排他锁)
     buyer_wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
     if not buyer_wallet or buyer_wallet.balance < price:
-        raise HTTPException(status_code=400, detail="余额不足，请先充值")
+        raise HTTPException(status_code=400, detail="余额不足")
         
-    # 4. 执行扣费
     buyer_wallet.balance -= price
     record_transaction(db, req.account, "CONSUME", -price, req.item_id)
     
-    # 5. 记录所有权
     new_owner = Ownership(account=req.account, item_id=req.item_id)
     db.add(new_owner)
     
-    # 6. 卖家获得收益
     author_wallet = db.query(Wallet).filter(Wallet.account == author).with_for_update().first()
     if not author_wallet:
         author_wallet = Wallet(account=author)
@@ -93,7 +168,12 @@ async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
     record_transaction(db, author, "EARN", price, req.item_id)
     
     db.commit()
-    return {"status": "success"}
+    return {"status": "success", "already_owned": False}
+
+
+# =======================================================
+# 💸 提现出金链路 (引入支付宝自动单笔打款)
+# =======================================================
 
 @router.post("/api/wallet/withdraw")
 async def withdraw_earnings(req: WithdrawRequest, db: Session = Depends(get_db)):
@@ -114,11 +194,35 @@ async def withdraw_earnings(req: WithdrawRequest, db: Session = Depends(get_db))
     if req.amount < 100:
         raise HTTPException(status_code=400, detail="最低提现金额为 100 积分")
         
-    wallet.earn_balance -= req.amount
-    wallet.frozen_balance += req.amount
-    record_transaction(db, req.account, "WITHDRAW_FREEZE", -req.amount, req.alipay_account)
-    
-    VERIFY_CODES.pop(cache_key, None)
-    
-    db.commit()
-    return {"status": "success", "earn_balance": wallet.earn_balance}
+    if not alipay:
+        # 降级模式：如果没配置真实支付，仅记录冻结流水，需人工审核打款
+        wallet.earn_balance -= req.amount
+        wallet.frozen_balance += req.amount
+        record_transaction(db, req.account, "WITHDRAW_FREEZE", -req.amount, req.alipay_account)
+        VERIFY_CODES.pop(cache_key, None)
+        db.commit()
+        return {"status": "success", "earn_balance": wallet.earn_balance, "message": "提现申请已提交 (暂为开发模式，已冻结)"}
+
+    # 真实企业级模式：直接调用支付宝单笔转账接口打款到用户余额
+    out_biz_no = f"WD_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    try:
+        result = alipay.api_alipay_fund_trans_toaccount_transfer(
+            out_biz_no=out_biz_no,
+            payee_type="ALIPAY_LOGONID",
+            payee_account=req.alipay_account,
+            amount=str(req.amount),
+            payee_real_name=req.real_name,
+            remark="ComfyUI社区精选创作者收益提现"
+        )
+        
+        if result.get("code") == "10000":
+            # 打款秒成功，彻底扣除可提现收益
+            wallet.earn_balance -= req.amount
+            record_transaction(db, req.account, "WITHDRAW", -req.amount, req.alipay_account)
+            VERIFY_CODES.pop(cache_key, None)
+            db.commit()
+            return {"status": "success", "earn_balance": wallet.earn_balance, "message": "打款已秒到账您的支付宝！"}
+        else:
+            raise HTTPException(status_code=400, detail=f"打款风控拦截: {result.get('sub_msg')}")
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"提现接口异常: {str(e)}")