Order and Shopping Cart

First, copy the service code framework of srv from the inventory service, then find and replace the corresponding name (order_srv)

Fundamentals of Encryption Technology

Symmetric Encryption

Principle:

• Uses the same key for encryption and decryption
• Like a single key that can both lock and unlock a door
• Fast encryption speed, suitable for large data transfers

Use Cases:

• Local file encryption
• Database content encryption
• Content encryption during large data transfers
• Fast communication between internal systems

Pros and Cons:

• ✅ Fast speed, high efficiency
• ❌ Difficult key distribution, easily intercepted

Asymmetric Encryption

Principle:

• Uses a pair of keys: public key and private key
• Content encrypted with the public key can only be decrypted with the private key
• Content signed with the private key can be verified with the public key
• Like an email address (public key) and password (private key)

Use Cases:

• Digital signature for identity verification
• Secure transmission of symmetric encryption keys
• HTTPS certificate verification
• Blockchain transaction signing

Pros and Cons:

• ✅ High security, secure key distribution
• ❌ Slow speed, not suitable for large amounts of data

Detailed Analysis of Alipay Payment Process

Payment Flowchart

graph TD
    A[用户浏览器] -->|1. 下订单| B[慕学生鲜商户系统]
    B -->|2. 返回支付URL| A
    A -->|3. 跳转支付宝支付| C[支付宝支付平台]
    B -->|发起支付请求| C

    subgraph "商户端密钥管理"
        D[商户私钥<br/>自己留着]
        E[商户公钥<br/>给支付宝]
    end

    subgraph "支付宝端密钥管理"
        F[支付宝私钥<br/>严格保密]
        G[支付宝公钥<br/>给商户]
    end

    subgraph "安全验证机制"
        H[数字签名验证]
        I[请求可信度检查]
        J[通知真实性验证]
    end

    B -.->|使用私钥签名| D
    C -.->|使用公钥验证| E
    C -.->|使用私钥签名| F
    B -.->|使用公钥验证| G

    C -->|4. 支付结果通知| B

    style A fill:#e1f5fe
    style B fill:#f3e5f5
    style C fill:#e8f5e8
    style D fill:#ffebee
    style E fill:#fff3e0
    style F fill:#ffebee
    style G fill:#fff3e0
    style H fill:#f1f8e9
    style I fill:#f1f8e9
    style J fill:#f1f8e9

System Architecture and Participants

Three Core Roles:

• Browser: User-side, responsible for user interaction
• MuXueShengXian (Merchant System): E-commerce platform's backend service
• Alipay: Third-party payment platform

Key Management System (Core of Asymmetric Encryption)

Merchant-side Key Management

• Private Key (Secret Key - Keep for yourself):

• Strictly confidential to the merchant, never disclosed

• Used to digitally sign requests sent to Alipay

• Proves that the request indeed originates from the merchant

• Public Key (Public Key - To Alipay):

• Provided to the Alipay platform
• Alipay uses it to verify the merchant's request signature
• Ensures the authenticity and integrity of the request

Alipay-side Key Management

• Private Key (Secret Key):

• Strictly confidential to Alipay

• Used to digitally sign payment notifications

• Proves that the notification indeed originates from Alipay official

• Public Key (Public Key - For yourself):

• Provided to the merchant system
• The merchant uses it to verify Alipay's notification signature
• Ensures the authenticity of the payment result notification

Detailed Payment Process Steps

Step 1: User Places Order

• User browses products in the browser
• Selects products and submits the order
• The browser sends an order request to the merchant system

Step 2: Generate Payment Request (Critical Security Step)

Merchant System Processing:

1. Receives user order information
2. Constructs payment parameters (order number, amount, product information, etc.)
3. Digitally signs the payment request using the merchant's private key
4. Sends the signed request to Alipay

Alipay Verification:

1. Receives the merchant's payment request
2. Verifies the request signature using the merchant's public key
3. Checks "whether this request is trustworthy"
4. After successful verification, generates a payment URL
5. Returns the payment URL to the merchant system

Security Mechanism Explanation:

• Digital signature ensures the request comes from a legitimate merchant
• Prevents malicious third parties from forging payment requests
• Ensures that request data has not been tampered with during transmission

Step 3: User Payment

• The merchant system returns the payment URL to the browser
• The browser automatically redirects to the Alipay payment page
• The user completes payment operations on the Alipay page (entering password, selecting payment method, etc.)

Step 4: Payment Result Notification (Critical Security Step)

Alipay Processing:

1. Processes user payment operations
2. Generates a payment result notification
3. Digitally signs the notification using Alipay's private key
4. Sends the signed notification to the merchant system

Merchant System Verification:

1. Receives Alipay's payment notification
2. Verifies the notification signature using Alipay's public key
3. Confirms that the notification is from Alipay official
4. Verifies payment results and order information
5. Updates order status and completes the transaction

Security Mechanism Explanation:

• Digital signature ensures the notification comes from Alipay official
• Prevents malicious third parties from forging successful payment notifications
• Ensures the authenticity and integrity of payment result data

How Digital Signatures Work

The Essence of Digital Signatures:

• Uses a private key to encrypt data, generating a "signature"
• Uses the corresponding public key to verify the signature, confirming data source and integrity
• Like a handwritten signature in real life, but more secure and unforgeable

Application in the Payment Process:

1. Merchant Signature: Merchant signs with private key → Alipay verifies with merchant's public key
2. Alipay Signature: Alipay signs with private key → Merchant verifies with Alipay's public key

Security Protection Mechanisms

Anti-forgery Attacks:

• Without the private key, an effective signature cannot be generated
• The public key can only verify, not forge a signature

Anti-tampering Attacks:

• If data is modified, signature verification will fail
• Ensures data integrity during transmission

Anti-replay Attacks:

• Usually used in conjunction with timestamps and nonces
• Prevents malicious repeated submission of the same payment request

Encryption Technology Applications

• Symmetric Encryption: Used for fast encrypted transmission of large amounts of payment data
• Asymmetric Encryption: Used for digital signatures and identity verification
• Public Key Verification: Ensures the authenticity and data integrity of communicating parties

Alipay Developer Platform

Environment Configuration

Sandbox Environment (Testing)

• Use Alipay Sandbox Environment for testing
• Configure Sandbox App ID and keys
• Set callback notification URL

Production Environment

• Apply for official application and get it approved
• Configure production environment keys
• Set HTTPS callback URL

Integration Notes

1. Key Management

2. Properly keep the application private key, do not disclose it

3. Regularly change keys

4. Use environment variables to store sensitive information

5. Communication Security

6. All API calls must use HTTPS

7. Verify the authenticity of Alipay's public key

8. Encrypt sensitive data during transmission

9. Data Verification

10. Verify the signature of payment notifications
11. Check order amount and status
12. Prevent duplicate processing of notifications

Public and private keys for the sandbox environment