fix: 提取 resolveEnabledPaymentTypes 共享函数，下单接口同步校验 + 恢复并发

- 将 resolveEnabledPaymentTypes 提取到 src/lib/payment/resolve-enabled-types.ts
- /api/orders 下单时也校验 ENABLED_PAYMENT_TYPES 配置，防止绕过前端直接调用
- /api/user 恢复 queryMethodLimits 与 getUser 并发执行，避免性能退化

src/app/api/orders/route.ts

@@ -3,6 +3,7 @@ import { z } from 'zod';
 import { createOrder } from '@/lib/order/service';
 import { getEnv } from '@/lib/config';
 import { paymentRegistry } from '@/lib/payment';
+import { getEnabledPaymentTypes } from '@/lib/payment/resolve-enabled-types';
 import { getCurrentUserByToken } from '@/lib/sub2api/client';
 import { handleApiError } from '@/lib/utils/api';
 
@@ -59,8 +60,9 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    // Validate payment type is enabled
+    // Validate payment type is enabled (registry + ENABLED_PAYMENT_TYPES config)
-    if (!paymentRegistry.getSupportedTypes().includes(payment_type)) {
+    const enabledTypes = await getEnabledPaymentTypes();
+    if (!enabledTypes.includes(payment_type)) {
       return NextResponse.json({ error: `不支持的支付方式: ${payment_type}` }, { status: 400 });
     }
 

src/app/api/user/route.ts

@@ -6,20 +6,8 @@ import { initPaymentProviders, paymentRegistry } from '@/lib/payment';
 import { getPaymentDisplayInfo } from '@/lib/pay-utils';
 import { resolveLocale } from '@/lib/locale';
 import { getSystemConfig } from '@/lib/system-config';
+import { resolveEnabledPaymentTypes } from '@/lib/payment/resolve-enabled-types';
 
-function resolveEnabledPaymentTypes(supportedTypes: string[], configuredTypes: string | undefined): string[] {
-  if (configuredTypes === undefined) return supportedTypes;
-
-  const configuredTypeSet = new Set(
-    configuredTypes
-      .split(',')
-      .map((type) => type.trim())
-      .filter(Boolean),
-  );
-  if (configuredTypeSet.size === 0) return supportedTypes;
-
-  return supportedTypes.filter((type) => configuredTypeSet.has(type));
-}
 
 export async function GET(request: NextRequest) {
   const locale = resolveLocale(request.nextUrl.searchParams.get('lang'));
@@ -55,14 +43,21 @@ export async function GET(request: NextRequest) {
     const env = getEnv();
     initPaymentProviders();
     const supportedTypes = paymentRegistry.getSupportedTypes();
-    const [user, configuredPaymentTypesRaw, balanceDisabledVal] = await Promise.all([
+
-      getUser(userId),
+    // getUser 与 config 查询并行；config 完成后立即启动 queryMethodLimits
+    const configPromise = Promise.all([
       getSystemConfig('ENABLED_PAYMENT_TYPES'),
       getSystemConfig('BALANCE_PAYMENT_DISABLED'),
-    ]);
+    ]).then(async ([configuredPaymentTypesRaw, balanceDisabledVal]) => {
       const enabledTypes = resolveEnabledPaymentTypes(supportedTypes, configuredPaymentTypesRaw);
       const methodLimits = await queryMethodLimits(enabledTypes);
-    const balanceDisabled = balanceDisabledVal === 'true';
+      return { enabledTypes, methodLimits, balanceDisabled: balanceDisabledVal === 'true' };
+    });
+
+    const [user, { enabledTypes, methodLimits, balanceDisabled }] = await Promise.all([
+      getUser(userId),
+      configPromise,
+    ]);
 
     // 收集 sublabel 覆盖
     const sublabelOverrides: Record<string, string> = {};

src/lib/payment/resolve-enabled-types.ts

@@ -0,0 +1,30 @@
+import { getSystemConfig } from '@/lib/system-config';
+import { initPaymentProviders, paymentRegistry } from '@/lib/payment';
+
+/**
+ * 根据 ENABLED_PAYMENT_TYPES 配置过滤支持的支付类型。
+ * configuredTypes 为 undefined 或空字符串时回退到全部支持类型。
+ */
+export function resolveEnabledPaymentTypes(supportedTypes: string[], configuredTypes: string | undefined): string[] {
+  if (configuredTypes === undefined) return supportedTypes;
+
+  const configuredTypeSet = new Set(
+    configuredTypes
+      .split(',')
+      .map((type) => type.trim())
+      .filter(Boolean),
+  );
+  if (configuredTypeSet.size === 0) return supportedTypes;
+
+  return supportedTypes.filter((type) => configuredTypeSet.has(type));
+}
+
+/**
+ * 获取当前启用的支付类型（结合 registry 支持类型 + 数据库 ENABLED_PAYMENT_TYPES 配置）。
+ */
+export async function getEnabledPaymentTypes(): Promise<string[]> {
+  initPaymentProviders();
+  const supportedTypes = paymentRegistry.getSupportedTypes();
+  const configuredTypes = await getSystemConfig('ENABLED_PAYMENT_TYPES');
+  return resolveEnabledPaymentTypes(supportedTypes, configuredTypes);
+}