src/middleware.ts

import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  const response = NextResponse.next();

  // 自动从 SUB2API_BASE_URL 提取 origin，允许 Sub2API 主站 iframe 嵌入
  const sub2apiUrl = process.env.SUB2API_BASE_URL || '';
  const extraOrigins = process.env.IFRAME_ALLOW_ORIGINS || '';

  const origins = new Set<string>();

  if (sub2apiUrl) {
    try {
      origins.add(new URL(sub2apiUrl).origin);
    } catch {
      // ignore invalid URL
    }
  }

  for (const s of extraOrigins.split(',')) {
    const trimmed = s.trim();
    if (trimmed) origins.add(trimmed);
  }

  if (origins.size > 0) {
    response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${[...origins].join(' ')}`);
  }

  return response;
}

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								import { NextResponse } from 'next/server';
 								import type { NextRequest } from 'next/server';
 								export function middleware(request: NextRequest) {
 								  const response = NextResponse.next();
-												fix: frame-ancestors 自动从 SUB2API_BASE_URL 推导，无需手动配置

不再依赖 IFRAME_ALLOW_ORIGINS 手动配置 Sub2API 域名，
自动从 SUB2API_BASE_URL 提取 origin 加入 CSP frame-ancestors。

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-03 01:36:22 +08:00
+								  // 自动从 SUB2API_BASE_URL 提取 origin，允许 Sub2API 主站 iframe 嵌入
 								  const sub2apiUrl = process.env.SUB2API_BASE_URL || '';
 								  const extraOrigins = process.env.IFRAME_ALLOW_ORIGINS || '';
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
-												fix: frame-ancestors 自动从 SUB2API_BASE_URL 推导，无需手动配置

不再依赖 IFRAME_ALLOW_ORIGINS 手动配置 Sub2API 域名，
自动从 SUB2API_BASE_URL 提取 origin 加入 CSP frame-ancestors。

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-03 01:36:22 +08:00
+								  const origins = new Set<string>();
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
-												fix: frame-ancestors 自动从 SUB2API_BASE_URL 推导，无需手动配置

不再依赖 IFRAME_ALLOW_ORIGINS 手动配置 Sub2API 域名，
自动从 SUB2API_BASE_URL 提取 origin 加入 CSP frame-ancestors。

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-03 01:36:22 +08:00
+								  if (sub2apiUrl) {
 								    try {
 								      origins.add(new URL(sub2apiUrl).origin);
 								    } catch {
 								      // ignore invalid URL
 								    }
 								  }
 								  for (const s of extraOrigins.split(',')) {
 								    const trimmed = s.trim();
 								    if (trimmed) origins.add(trimmed);
 								  }
 								  if (origins.size > 0) {
 								    response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${[...origins].join(' ')}`);
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  }
 								  return response;
 								}
 								export const config = {
 								  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
 								};