fix: 后端资金安全修复 — 金额覆盖、过期订单、退款原子性等 9 项

- confirmPayment 不再覆盖 amount，实付金额写入 payAmount - EXPIRED 订单增加 5 分钟宽限窗口 - 退款流程先扣余额再退款，失败可回滚 - 支付宝签名过滤 sign_type - executeRecharge 使用 CAS 更新 - createOrder rechargeCode 事务保护 - EasyPay/Sub2API client 添加 10s 超时 - db.ts 统一从 getEnv() 获取 DATABASE_URL - 添加 paymentType+paidAt 复合索引 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 04:15:48 +08:00
parent a5e07edda6
commit 4b013370b9
6 changed files with 114 additions and 42 deletions
--- a/src/lib/db.ts
+++ b/src/lib/db.ts
@@ -1,10 +1,11 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
+import { getEnv } from '@/lib/config';

 const globalForPrisma = globalThis as unknown as { prisma: PrismaClient };

 function createPrismaClient() {
-  const connectionString = process.env.DATABASE_URL ?? 'postgresql://localhost:5432/sub2apipay';
+  const connectionString = getEnv().DATABASE_URL;
  const adapter = new PrismaPg({ connectionString });
  return new PrismaClient({ adapter });
 }