src/app/api/orders/%5Bid%5D/route.ts

import { NextRequest, NextResponse } from 'next/server';
import { prisma } from '@/lib/db';
import { verifyAdminToken } from '@/lib/admin-auth';
import { deriveOrderState } from '@/lib/order/status';
import { ORDER_STATUS_ACCESS_QUERY_KEY, verifyOrderStatusAccessToken } from '@/lib/order/status-access';

/**
 * 订单状态轮询接口。
 *
 * 返回最小必要信息供前端判断：
 * - 原始订单状态（status / expiresAt）
 * - 支付是否成功（paymentSuccess）
 * - 充值是否成功 / 当前充值阶段（rechargeSuccess / rechargeStatus）
 */
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const { id } = await params;
  const accessToken = request.nextUrl.searchParams.get(ORDER_STATUS_ACCESS_QUERY_KEY);
  const isAuthorized = verifyOrderStatusAccessToken(id, accessToken) || (await verifyAdminToken(request));

  if (!isAuthorized) {
    return NextResponse.json({ error: '未授权访问该订单状态' }, { status: 401 });
  }

  const order = await prisma.order.findUnique({
    where: { id },
    select: {
      id: true,
      status: true,
      expiresAt: true,
      paidAt: true,
      completedAt: true,
      failedReason: true,
    },
  });

  if (!order) {
    return NextResponse.json({ error: '订单不存在' }, { status: 404 });
  }

  const derived = deriveOrderState(order);

  return NextResponse.json({
    id: order.id,
    status: order.status,
    expiresAt: order.expiresAt,
    paymentSuccess: derived.paymentSuccess,
    rechargeSuccess: derived.rechargeSuccess,
    rechargeStatus: derived.rechargeStatus,
    failedReason: order.failedReason ?? null,
  });
}
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								import { NextRequest, NextResponse } from 'next/server';
 								import { prisma } from '@/lib/db';
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								import { verifyAdminToken } from '@/lib/admin-auth';
 								import { deriveOrderState } from '@/lib/order/status';
 								import { ORDER_STATUS_ACCESS_QUERY_KEY, verifyOrderStatusAccessToken } from '@/lib/order/status-access';
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								/**
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								 * 订单状态轮询接口。
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								 *
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								 * 返回最小必要信息供前端判断：
 								 * - 原始订单状态（status / expiresAt）
 								 * - 支付是否成功（paymentSuccess）
 								 * - 充值是否成功 / 当前充值阶段（rechargeSuccess / rechargeStatus）
-												fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-07 04:15:54 +08:00
+								 */
-												feat: integrate Stripe payment with bugfixes and active timeout cancellation

- Add Stripe payment provider with Checkout Session flow
- Payment provider abstraction layer (EasyPay + Stripe unified interface)
- Stripe webhook with proper raw body handling and signature verification
- Frontend: Stripe button with URL validation, anti-duplicate click, noopener
- Active timeout cancellation: query platform before expiring, recover paid orders
- Singleton Stripe client, idempotency keys, Math.round for amounts
- Handle async_payment events, return null for unknown webhook events
- Set Checkout Session expires_at aligned with order timeout
- Add cancelPayment to provider interface (Stripe: sessions.expire, EasyPay: no-op)
- Enable stripe in frontend payment type list

											
										
										
											2026-03-01 17:58:08 +08:00
+								export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  const { id } = await params;
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								  const accessToken = request.nextUrl.searchParams.get(ORDER_STATUS_ACCESS_QUERY_KEY);
 								  const isAuthorized = verifyOrderStatusAccessToken(id, accessToken) || (await verifyAdminToken(request));
 								  if (!isAuthorized) {
 								    return NextResponse.json({ error: '未授权访问该订单状态' }, { status: 401 });
 								  }
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
 								  const order = await prisma.order.findUnique({
 								    where: { id },
 								    select: {
 								      id: true,
 								      status: true,
 								      expiresAt: true,
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								      paidAt: true,
 								      completedAt: true,
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								      failedReason: true,
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    },
 								  });
 								  if (!order) {
 								    return NextResponse.json({ error: '订单不存在' }, { status: 404 });
 								  }
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								  const derived = deriveOrderState(order);
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  return NextResponse.json({
-												security: 隐私接口全面加固，统一 token 鉴权

- /api/orders/[id] 只返回 id/status/expiresAt，移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权，服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance，不向客户端暴露
- /api/user 移除 username/email/balance，只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists}，不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config，无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口，统一按钮样式
- PaymentQRCode 新增 token prop，无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示

											
										
										
											2026-03-01 19:25:14 +08:00
+								    id: order.id,
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								    status: order.status,
-												security: 隐私接口全面加固，统一 token 鉴权

- /api/orders/[id] 只返回 id/status/expiresAt，移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权，服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance，不向客户端暴露
- /api/user 移除 username/email/balance，只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists}，不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config，无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口，统一按钮样式
- PaymentQRCode 新增 token prop，无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示

											
										
										
											2026-03-01 19:25:14 +08:00
+								    expiresAt: order.expiresAt,
-												fix: harden alipay direct pay flow

											
										
										
											2026-03-10 11:52:37 +08:00
+								    paymentSuccess: derived.paymentSuccess,
 								    rechargeSuccess: derived.rechargeSuccess,
 								    rechargeStatus: derived.rechargeStatus,
-												feat: 渠道展示、订阅套餐、系统配置全功能

- 新增 Channel / SubscriptionPlan / SystemConfig 三个数据模型
- Order 模型扩展支持订阅订单（order_type, plan_id, subscription_group_id）
- Sub2API client 新增分组查询、订阅分配/续期、用户订阅查询
- 订单服务支持订阅履约流程（CAS 锁 + 分组消失安全处理）
- 管理后台：渠道管理、订阅套餐管理、系统配置、Sub2API 分组同步
- 用户页面：双 Tab UI（按量付费/包月订阅）、渠道卡片、充值弹窗、订阅确认
- PaymentForm 支持 fixedAmount 固定金额模式
- 订单状态 API 返回 failedReason 用于订阅异常展示
- 数据库迁移脚本

											
										
										
											2026-03-13 19:06:25 +08:00
+								    failedReason: order.failedReason ?? null,
-												feat: migrate payment provider to easy-pay, add order history and refund support

- Replace zpay with easy-pay payment provider (new lib/easy-pay/ module)
- Add order history page for users (pay/orders)
- Add GET /api/orders/my endpoint to list user's own orders
- Add GET /api/users/[id] endpoint for sub2api user lookup
- Add order status tracking module (lib/order/status.ts)
- Update config to support easy-pay credentials (merchant ID, key, gateway)
- Update PaymentForm and PaymentQRCode components for easy-pay flow
- Update pay page and admin page with new order management UI
- Update order service to support easy-pay, cancellation, and refund

											
										
										
											2026-03-01 03:04:24 +08:00
+								  });
 								}