src/app/api/orders/route.ts

import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';
import { createOrder } from '@/lib/order/service';
import { getEnv } from '@/lib/config';
import { paymentRegistry } from '@/lib/payment';
import { getEnabledPaymentTypes } from '@/lib/payment/resolve-enabled-types';
import { getCurrentUserByToken } from '@/lib/sub2api/client';
import { handleApiError } from '@/lib/utils/api';

const createOrderSchema = z.object({
  token: z.string().min(1),
  amount: z.number().positive().max(99999999.99),
  payment_type: z.string().min(1),
  src_host: z.string().max(253).optional(),
  src_url: z
    .string()
    .max(2048)
    .refine((url) => {
      try {
        const protocol = new URL(url).protocol;
        return protocol === 'http:' || protocol === 'https:';
      } catch {
        return false;
      }
    }, 'src_url must be a valid HTTP/HTTPS URL')
    .optional(),
  is_mobile: z.boolean().optional(),
  order_type: z.enum(['balance', 'subscription']).optional(),
  plan_id: z.string().optional(),
});

export async function POST(request: NextRequest) {
  try {
    const env = getEnv();
    const body = await request.json();
    const parsed = createOrderSchema.safeParse(body);

    if (!parsed.success) {
      return NextResponse.json({ error: '参数错误', details: parsed.error.flatten().fieldErrors }, { status: 400 });
    }

    const { token, amount, payment_type, src_host, src_url, is_mobile, order_type, plan_id } = parsed.data;

    // 通过 token 解析用户身份
    let userId: number;
    try {
      const user = await getCurrentUserByToken(token);
      userId = user.id;
    } catch {
      return NextResponse.json({ error: '无效的 token，请重新登录', code: 'INVALID_TOKEN' }, { status: 401 });
    }

    // 订阅订单跳过金额范围校验（价格由服务端套餐决定）
    if (order_type !== 'subscription') {
      if (amount < env.MIN_RECHARGE_AMOUNT || amount > env.MAX_RECHARGE_AMOUNT) {
        return NextResponse.json(
          { error: `充值金额需在 ${env.MIN_RECHARGE_AMOUNT} - ${env.MAX_RECHARGE_AMOUNT} 之间` },
          { status: 400 },
        );
      }
    }

    // Validate payment type is enabled (registry + ENABLED_PAYMENT_TYPES config)
    const enabledTypes = await getEnabledPaymentTypes();
    if (!enabledTypes.includes(payment_type)) {
      return NextResponse.json({ error: `不支持的支付方式: ${payment_type}` }, { status: 400 });
    }

    const clientIp =
      request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || request.headers.get('x-real-ip') || '127.0.0.1';

    const result = await createOrder({
      userId,
      amount,
      paymentType: payment_type,
      clientIp,
      isMobile: is_mobile,
      srcHost: src_host,
      srcUrl: src_url,
      orderType: order_type,
      planId: plan_id,
    });

    // 不向客户端暴露 userName / userBalance 等隐私字段
    const { userName: _u, userBalance: _b, ...safeResult } = result;
    return NextResponse.json(safeResult);
  } catch (error) {
    return handleApiError(error, '创建订单失败，请稍后重试');
  }
}
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								import { NextRequest, NextResponse } from 'next/server';
 								import { z } from 'zod';
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								import { createOrder } from '@/lib/order/service';
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								import { getEnv } from '@/lib/config';
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								import { paymentRegistry } from '@/lib/payment';
-												fix: 提取 resolveEnabledPaymentTypes 共享函数，下单接口同步校验 + 恢复并发

- 将 resolveEnabledPaymentTypes 提取到 src/lib/payment/resolve-enabled-types.ts
- /api/orders 下单时也校验 ENABLED_PAYMENT_TYPES 配置，防止绕过前端直接调用
- /api/user 恢复 queryMethodLimits 与 getUser 并发执行，避免性能退化

											
										
										
											2026-03-15 02:56:28 +08:00
+								import { getEnabledPaymentTypes } from '@/lib/payment/resolve-enabled-types';
-												feat: 创建订单必须通过 token 认证，移除 user_id 参数

- POST /api/orders 改为通过 token 解析用户身份，移除 user_id
- 前端不再从 URL 读取 user_id，完全依赖 token
- 前端提交前检查 pending 订单数量，超过 3 个禁止提交并提示
- 后端 createOrder 保留 MAX_PENDING_ORDERS=3 的服务端校验
- PaymentForm 增加 pendingBlocked 状态提示和按钮禁用

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-06 23:05:12 +08:00
+								import { getCurrentUserByToken } from '@/lib/sub2api/client';
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								import { handleApiError } from '@/lib/utils/api';
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
 								const createOrderSchema = z.object({
-												feat: 创建订单必须通过 token 认证，移除 user_id 参数

- POST /api/orders 改为通过 token 解析用户身份，移除 user_id
- 前端不再从 URL 读取 user_id，完全依赖 token
- 前端提交前检查 pending 订单数量，超过 3 个禁止提交并提示
- 后端 createOrder 保留 MAX_PENDING_ORDERS=3 的服务端校验
- PaymentForm 增加 pendingBlocked 状态提示和按钮禁用

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-06 23:05:12 +08:00
+								  token: z.string().min(1),
-												feat: 金额上限校验、订阅详情展示优化、支付商品名称区分

- 硬编码 MAX_AMOUNT=99999999.99，所有金额输入（API+前端）统一校验上限
- 管理后台订阅列表改为卡片布局，Sub2API 分组信息嵌套只读展示（平台/倍率/限额/模型）
- 用户端套餐卡片和确认页展示平台、倍率、用量限制
- 订阅订单支付商品名改为 "Sub2API 订阅 {分组名}"，余额充值保持原格式

											
										
										
											2026-03-13 23:40:23 +08:00
+								  amount: z.number().positive().max(99999999.99),
-												feat: 支持官方支付宝与易支付支付宝同时展示

- PaymentType 改为 string 类型，支持复合 key（如 alipay_direct）
- 官方支付宝注册为 alipay_direct，易支付保持 alipay/wxpay
- 前端按 PAYMENT_TYPE_META 展示标签区分（官方直连/易支付）
- 管理后台显示统一改为 getPaymentTypeLabel 通用映射
- 修复 admin/OrderTable 中 wechat 拼写错误

											
										
										
											2026-03-06 15:33:22 +08:00
+								  payment_type: z.string().min(1),
-												fix: 审查修复 — 来源字段长度限制、鉴权超时、支付配置启动校验

- src_host max 253, src_url max 2048
- Sub2API 鉴权请求加 5s AbortController 超时
- initPaymentProviders 启动时校验 ENABLED_PAYMENT_TYPES 与已注册 provider 一致性

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-03 01:56:22 +08:00
+								  src_host: z.string().max(253).optional(),
-												fix: 全面安全审计修复 — 支付验签、IDOR、竞态、token过期等

- H1: 支付宝响应验签 (verifyResponseSign + bracket-matching 提取签名内容)
- H2/H3: EasyPay queryOrder 从 GET 改 POST，PKEY 不再暴露于 URL
- H5: users/[id] IDOR 修复，校验当前用户只能查询自身信息
- H6: 限额校验移入 prisma.$transaction() 防止 TOCTOU 竞态
- C1: access_token 增加 24h 过期、userId 绑定、派生密钥分离
- M1: EasyPay 回调增加 pid 校验防跨商户注入
- M4: 充值码增加 crypto.randomBytes 随机后缀
- M5: 过期订单批量处理增加 BATCH_SIZE 限制
- M6: 退款失败增加 [CRITICAL] 日志和余额补偿标记
- M7: admin channels PUT 增加 Zod schema 校验
- M8: admin subscriptions 分页参数增加上限
- M9: orders src_url 限制 HTTP/HTTPS 协议
- L1: 微信支付回调时间戳 NaN 检查
- L9: WXPAY_API_V3_KEY 长度校验

											
										
										
											2026-03-14 04:36:33 +08:00
+								  src_url: z
 								    .string()
 								    .max(2048)
 								    .refine((url) => {
 								      try {
 								        const protocol = new URL(url).protocol;
 								        return protocol === 'http:' || protocol === 'https:';
 								      } catch {
 								        return false;
 								      }
 								    }, 'src_url must be a valid HTTP/HTTPS URL')
 								    .optional(),
-												feat: 支付宝直连 H5 端使用 wap.pay 唤起支付宝 APP

前端传递 is_mobile 参数，AlipayProvider 根据设备类型选择：
- PC: alipay.trade.page.pay (FAST_INSTANT_TRADE_PAY)
- H5: alipay.trade.wap.pay (QUICK_WAP_WAY)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-06 18:04:11 +08:00
+								  is_mobile: z.boolean().optional(),
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								  order_type: z.enum(['balance', 'subscription']).optional(),
 								  plan_id: z.string().optional(),
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								});
 								export async function POST(request: NextRequest) {
 								  try {
 								    const env = getEnv();
 								    const body = await request.json();
 								    const parsed = createOrderSchema.safeParse(body);
 								    if (!parsed.success) {
-												feat: integrate Stripe payment with bugfixes and active timeout cancellation

- Add Stripe payment provider with Checkout Session flow
- Payment provider abstraction layer (EasyPay + Stripe unified interface)
- Stripe webhook with proper raw body handling and signature verification
- Frontend: Stripe button with URL validation, anti-duplicate click, noopener
- Active timeout cancellation: query platform before expiring, recover paid orders
- Singleton Stripe client, idempotency keys, Math.round for amounts
- Handle async_payment events, return null for unknown webhook events
- Set Checkout Session expires_at aligned with order timeout
- Add cancelPayment to provider interface (Stripe: sessions.expire, EasyPay: no-op)
- Enable stripe in frontend payment type list

											
										
										
											2026-03-01 17:58:08 +08:00
+								      return NextResponse.json({ error: '参数错误', details: parsed.error.flatten().fieldErrors }, { status: 400 });
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    }
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								    const { token, amount, payment_type, src_host, src_url, is_mobile, order_type, plan_id } = parsed.data;
-												feat: 创建订单必须通过 token 认证，移除 user_id 参数

- POST /api/orders 改为通过 token 解析用户身份，移除 user_id
- 前端不再从 URL 读取 user_id，完全依赖 token
- 前端提交前检查 pending 订单数量，超过 3 个禁止提交并提示
- 后端 createOrder 保留 MAX_PENDING_ORDERS=3 的服务端校验
- PaymentForm 增加 pendingBlocked 状态提示和按钮禁用

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-06 23:05:12 +08:00
 								    // 通过 token 解析用户身份
 								    let userId: number;
 								    try {
 								      const user = await getCurrentUserByToken(token);
 								      userId = user.id;
 								    } catch {
 								      return NextResponse.json({ error: '无效的 token，请重新登录', code: 'INVALID_TOKEN' }, { status: 401 });
 								    }
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								    // 订阅订单跳过金额范围校验（价格由服务端套餐决定）
 								    if (order_type !== 'subscription') {
 								      if (amount < env.MIN_RECHARGE_AMOUNT || amount > env.MAX_RECHARGE_AMOUNT) {
 								        return NextResponse.json(
 								          { error: `充值金额需在 ${env.MIN_RECHARGE_AMOUNT} - ${env.MAX_RECHARGE_AMOUNT} 之间` },
 								          { status: 400 },
 								        );
 								      }
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    }
-												fix: 提取 resolveEnabledPaymentTypes 共享函数，下单接口同步校验 + 恢复并发

- 将 resolveEnabledPaymentTypes 提取到 src/lib/payment/resolve-enabled-types.ts
- /api/orders 下单时也校验 ENABLED_PAYMENT_TYPES 配置，防止绕过前端直接调用
- /api/user 恢复 queryMethodLimits 与 getUser 并发执行，避免性能退化

											
										
										
											2026-03-15 02:56:28 +08:00
+								    // Validate payment type is enabled (registry + ENABLED_PAYMENT_TYPES config)
 								    const enabledTypes = await getEnabledPaymentTypes();
 								    if (!enabledTypes.includes(payment_type)) {
-												feat: integrate Stripe payment with bugfixes and active timeout cancellation

- Add Stripe payment provider with Checkout Session flow
- Payment provider abstraction layer (EasyPay + Stripe unified interface)
- Stripe webhook with proper raw body handling and signature verification
- Frontend: Stripe button with URL validation, anti-duplicate click, noopener
- Active timeout cancellation: query platform before expiring, recover paid orders
- Singleton Stripe client, idempotency keys, Math.round for amounts
- Handle async_payment events, return null for unknown webhook events
- Set Checkout Session expires_at aligned with order timeout
- Add cancelPayment to provider interface (Stripe: sessions.expire, EasyPay: no-op)
- Enable stripe in frontend payment type list

											
										
										
											2026-03-01 17:58:08 +08:00
+								      return NextResponse.json({ error: `不支持的支付方式: ${payment_type}` }, { status: 400 });
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    }
-												feat: integrate Stripe payment with bugfixes and active timeout cancellation

- Add Stripe payment provider with Checkout Session flow
- Payment provider abstraction layer (EasyPay + Stripe unified interface)
- Stripe webhook with proper raw body handling and signature verification
- Frontend: Stripe button with URL validation, anti-duplicate click, noopener
- Active timeout cancellation: query platform before expiring, recover paid orders
- Singleton Stripe client, idempotency keys, Math.round for amounts
- Handle async_payment events, return null for unknown webhook events
- Set Checkout Session expires_at aligned with order timeout
- Add cancelPayment to provider interface (Stripe: sessions.expire, EasyPay: no-op)
- Enable stripe in frontend payment type list

											
										
										
											2026-03-01 17:58:08 +08:00
+								    const clientIp =
 								      request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || request.headers.get('x-real-ip') || '127.0.0.1';
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
 								    const result = await createOrder({
-												feat: 创建订单必须通过 token 认证，移除 user_id 参数

- POST /api/orders 改为通过 token 解析用户身份，移除 user_id
- 前端不再从 URL 读取 user_id，完全依赖 token
- 前端提交前检查 pending 订单数量，超过 3 个禁止提交并提示
- 后端 createOrder 保留 MAX_PENDING_ORDERS=3 的服务端校验
- PaymentForm 增加 pendingBlocked 状态提示和按钮禁用

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-06 23:05:12 +08:00
+								      userId,
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								      amount,
 								      paymentType: payment_type,
 								      clientIp,
-												fix: 修复微信支付 Native/H5 判断逻辑，改为前端设备检测驱动

- 修复 clientIp 始终存在导致永远走 H5 的 bug，改用 isMobile 判断
- 前端通过 detectDeviceIsMobile() 传 is_mobile 给后端
- ENABLED_PAYMENT_TYPES 默认改为空，必须显式配置才启用
- 补充 .env.example 配置说明

											
										
										
											2026-03-06 14:04:51 +08:00
+								      isMobile: is_mobile,
-												feat: 订单来源追踪，保存 src_host / src_url 到订单记录

iframe 嵌入充值页面时 URL 自动附带来源参数，写入数据库用于追踪分析。

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-02 20:40:16 +08:00
+								      srcHost: src_host,
 								      srcUrl: src_url,
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								      orderType: order_type,
 								      planId: plan_id,
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    });
-												security: 隐私接口全面加固，统一 token 鉴权

- /api/orders/[id] 只返回 id/status/expiresAt，移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权，服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance，不向客户端暴露
- /api/user 移除 username/email/balance，只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists}，不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config，无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口，统一按钮样式
- PaymentQRCode 新增 token prop，无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示

											
										
										
											2026-03-01 19:25:14 +08:00
+								    // 不向客户端暴露 userName / userBalance 等隐私字段
 								    const { userName: _u, userBalance: _b, ...safeResult } = result;
 								    return NextResponse.json(safeResult);
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  } catch (error) {
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								    return handleApiError(error, '创建订单失败，请稍后重试');
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  }
 								}