From bd0f33bb7cbcca5eec92325c350bc7fbc366b609 Mon Sep 17 00:00:00 2001
From: Administrator <15274802129@163.com>
Date: Tue, 23 Jun 2026 21:04:10 +0800
Subject: [PATCH] refactor(pay): 优化LWPAY签名逻辑,使用字段白名单确保安全
---
src/main/java/cc/mrbird/febs/pay/service/LwPayService.java | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java b/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
index 792d011..4930908 100644
--- a/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
+++ b/src/main/java/cc/mrbird/febs/pay/service/LwPayService.java
@@ -46,6 +46,15 @@
/** LWPAY API 基础地址 */
private static final String LWPAY_BASE_URL = "https://lwpay.live";
+ /**
+ * 参与签名的字段白名单
+ * 签名只包含这 7 个业务必传字段,pay_productname / pay_attach / pay_md5sign 不参与签名
+ */
+ private static final String[] SIGN_FIELD_KEYS = {
+ "pay_memberid", "pay_orderid", "pay_applydate",
+ "pay_bankcode", "pay_notifyurl", "pay_callbackurl", "pay_amount"
+ };
+
// ==================== 代收接口 ====================
/**
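Review bot: The Javadoc on `SIGN_FIELD_KEYS` should state where this field set comes from and what it implies, because dropping `pay_productname` and `pay_attach` from the signature means those values are no longer integrity-protected by `pay_md5sign`; a reader who later sees `pay_attach` ("network:" + network, set in the next hunk) echoed back by the gateway must not treat it as signed. I would replace the second comment line with `* Field set per LWPAY signing spec (cite version/URL here); pay_productname / pay_attach / pay_md5sign are excluded and therefore not covered by pay_md5sign — never trust them as authenticated if the gateway echoes them back.` Whether the gateway's spec really excludes these fields is not visible here and should be confirmed against the upstream document rather than the "ensure security" wording of the commit subject, since removing fields from a signature narrows, not widens, what it protects.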
@@ -78,8 +87,15 @@
params.put("pay_attach", "network:" + network);
}
- // 生成签名
- String sign = generateSign(params, secretKey);
+ // 签名:仅使用白名单中的 7 个业务必传字段
+ TreeMap<String, String> signParams = new TreeMap<>();
+ for (String key : SIGN_FIELD_KEYS) {
+ String val = params.get(key);
+ if (StrUtil.isNotBlank(val)) {
+ signParams.put(key, val);
+ }
+ }
+ String sign = generateSign(signParams, secretKey);
params.put("pay_md5sign", sign);
log.info("LWPAY 代收请求: memberId={}, orderNo={}, amount={}, bankCode={}",
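Review bot: The loop silently drops any whitelisted field whose value is blank (`if (StrUtil.isNotBlank(val))`), so a missing `pay_notifyurl` or `pay_amount` yields a signature over fewer than the seven fields the comment calls "required", and the request goes out with a sign the gateway will either reject or, if it tolerates absent fields, accept without binding that value. Since the new comment itself says all seven are mandatory, fail fast instead: `if (StrUtil.isBlank(val)) { throw new IllegalArgumentException("LWPAY sign field missing: " + key); }` followed by `signParams.put(key, val);`. If some of the seven are genuinely optional for certain flows, the whitelist comment should say which, so the blank-skip is a documented choice rather than an accident. The enclosing method begins before this hunk and continues after it, so I cannot see whether callers already validate these inputs.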
--
Gitblit v1.9.1