wanwu/sub2apipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 管理后台支持 Sub2API 管理员 token 认证

Browse Source 
保留原有 ADMIN_TOKEN 认证,同时支持传入 Sub2API 用户 token,
通过 /api/v1/auth/me 验证 role=admin 身份。

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
erio
2026-03-03 00:41:27 +08:00
parent c9462f4f14
commit 21cc90a71f
6 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/app/api/admin/orders/[id]/cancel/route.ts
View File

@@ -3,7 +3,7 @@ import { verifyAdminToken, unauthorizedResponse } from '@/lib/admin-auth';
import { adminCancelOrder, OrderError } from '@/lib/order/service'; import { adminCancelOrder, OrderError } from '@/lib/order/service';
export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) { export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
if (!verifyAdminToken(request)) return unauthorizedResponse(); if (!await verifyAdminToken(request)) return unauthorizedResponse();
try { try {
const { id } = await params; const { id } = await params;

2
src/app/api/admin/orders/[id]/retry/route.ts
View File

@@ -3,7 +3,7 @@ import { verifyAdminToken, unauthorizedResponse } from '@/lib/admin-auth';
import { retryRecharge, OrderError } from '@/lib/order/service'; import { retryRecharge, OrderError } from '@/lib/order/service';
export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) { export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
if (!verifyAdminToken(request)) return unauthorizedResponse(); if (!await verifyAdminToken(request)) return unauthorizedResponse();
try { try {
const { id } = await params; const { id } = await params;

2
src/app/api/admin/orders/[id]/route.ts
View File

@@ -3,7 +3,7 @@ import { prisma } from '@/lib/db';
import { verifyAdminToken, unauthorizedResponse } from '@/lib/admin-auth'; import { verifyAdminToken, unauthorizedResponse } from '@/lib/admin-auth';
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) { export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
if (!verifyAdminToken(request)) return unauthorizedResponse(); if (!await verifyAdminToken(request)) return unauthorizedResponse();
const { id } = await params; const { id } = await params;

2
src/app/api/admin/orders/route.ts
View File

@@ -4,7 +4,7 @@ import { verifyAdminToken, unauthorizedResponse } from '@/lib/admin-auth';
import { Prisma, OrderStatus } from '@prisma/client'; import { Prisma, OrderStatus } from '@prisma/client';
export async function GET(request: NextRequest) { export async function GET(request: NextRequest) {
if (!verifyAdminToken(request)) return unauthorizedResponse(); if (!await verifyAdminToken(request)) return unauthorizedResponse();
const searchParams = request.nextUrl.searchParams; const searchParams = request.nextUrl.searchParams;
const page = Math.max(1, Number(searchParams.get('page') || '1')); const page = Math.max(1, Number(searchParams.get('page') || '1'));

2
src/app/api/admin/refund/route.ts
View File

@@ -10,7 +10,7 @@ const refundSchema = z.object({
}); });
export async function POST(request: NextRequest) { export async function POST(request: NextRequest) {
if (!verifyAdminToken(request)) return unauthorizedResponse(); if (!await verifyAdminToken(request)) return unauthorizedResponse();
try { try {
const body = await request.json(); const body = await request.json();

30
src/lib/admin-auth.ts
View File

@@ -2,10 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { getEnv } from '@/lib/config'; import { getEnv } from '@/lib/config';
import crypto from 'crypto'; import crypto from 'crypto';
export function verifyAdminToken(request: NextRequest): boolean { function isLocalAdminToken(token: string): boolean {
const token = request.nextUrl.searchParams.get('token');
if (!token) return false;
const env = getEnv(); const env = getEnv();
const expected = Buffer.from(env.ADMIN_TOKEN); const expected = Buffer.from(env.ADMIN_TOKEN);
const received = Buffer.from(token); const received = Buffer.from(token);
@@ -14,6 +11,31 @@ export function verifyAdminToken(request: NextRequest): boolean {
return crypto.timingSafeEqual(expected, received); return crypto.timingSafeEqual(expected, received);
} }
async function isSub2ApiAdmin(token: string): Promise<boolean> {
try {
const env = getEnv();
const response = await fetch(`${env.SUB2API_BASE_URL}/api/v1/auth/me`, {
headers: { Authorization: `Bearer ${token}` },
});
if (!response.ok) return false;
const data = await response.json();
return data.data?.role === 'admin';
} catch {
return false;
}
}
export async function verifyAdminToken(request: NextRequest): Promise<boolean> {
const token = request.nextUrl.searchParams.get('token');
if (!token) return false;
// 1. 本地 admin token
if (isLocalAdminToken(token)) return true;
// 2. Sub2API 管理员 token
return isSub2ApiAdmin(token);
}
export function unauthorizedResponse() { export function unauthorizedResponse() {
return NextResponse.json({ error: '未授权' }, { status: 401 }); return NextResponse.json({ error: '未授权' }, { status: 401 });
} }