From 930ce60fcc88c79b23d328273e48adab80767bbb Mon Sep 17 00:00:00 2001
From: erio
Date: Tue, 3 Mar 2026 01:56:22 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=AE=A1=E6=9F=A5=E4=BF=AE=E5=A4=8D=20?= =?UTF-8?q?=E2=80=94=20=E6=9D=A5=E6=BA=90=E5=AD=97=E6=AE=B5=E9=95=BF?= =?UTF-8?q?=E5=BA=A6=E9=99=90=E5=88=B6=E3=80=81=E9=89=B4=E6=9D=83=E8=B6=85?= =?UTF-8?q?=E6=97=B6=E3=80=81=E6=94=AF=E4=BB=98=E9=85=8D=E7=BD=AE=E5=90=AF?= =?UTF-8?q?=E5=8A=A8=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- src_host max 253, src_url max 2048
- Sub2API 鉴权请求加 5s AbortController 超时
- initPaymentProviders 启动时校验 ENABLED_PAYMENT_TYPES 与已注册 provider 一致性

Co-Authored-By: Claude Opus 4.6
---
 src/app/api/orders/route.ts | 4 ++--
 src/lib/admin-auth.ts | 4 ++++
 src/lib/payment/index.ts | 10 ++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/app/api/orders/route.ts b/src/app/api/orders/route.ts
index 4150c9f..b751cec 100644
--- a/src/app/api/orders/route.ts
+++ b/src/app/api/orders/route.ts
@@ -7,8 +7,8 @@ const createOrderSchema = z.object({
 user_id: z.number().int().positive(),
 amount: z.number().positive(),
 payment_type: z.enum(['alipay', 'wxpay', 'stripe']),
- src_host: z.string().optional(),
- src_url: z.string().optional(),
+ src_host: z.string().max(253).optional(),
+ src_url: z.string().max(2048).optional(),
 });

 export async function POST(request: NextRequest) {
diff --git a/src/lib/admin-auth.ts b/src/lib/admin-auth.ts
index 8fce9dd..e713ed3 100644
--- a/src/lib/admin-auth.ts
+++ b/src/lib/admin-auth.ts
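Review bot: The new caps on `src_host` and `src_url` in `createOrderSchema` bound the size of these client-supplied fields but not their shape, so any string up to the limit is still accepted, including non-http(s) schemes or embedded control characters. How the values are used is not visible in this hunk; if they are later shown in an admin view, written to logs or turned into links, they need output encoding there or stricter validation here, for example `src_url: z.string().url().max(2048).optional()` plus a check that the scheme is `http:` or `https:`. A short comment above the two fields, such as `// untrusted attribution data from the client; length-capped only`, would also help the next reader.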
@@ -14,9 +14,13 @@ function isLocalAdminToken(token: string): boolean {
 async function isSub2ApiAdmin(token: string): Promise {
 try {
 const env = getEnv();
+ const controller = new AbortController();
+ const timeout = setTimeout(() => controller.abort(), 5000);
 const response = await fetch(`${env.SUB2API_BASE_URL}/api/v1/auth/me`, {
 headers: { Authorization: `Bearer ${token}` },
+ signal: controller.signal,
 });
+ clearTimeout(timeout);
 if (!response.ok) return false;
 const data = await response.json();
 return data.data?.role === 'admin';
diff --git a/src/lib/payment/index.ts b/src/lib/payment/index.ts
index d440d35..469ac64 100644
--- a/src/lib/payment/index.ts
+++ b/src/lib/payment/index.ts
@@ -1,4 +1,5 @@
 import { paymentRegistry } from './registry';
+import type { PaymentType } from './types';
 import { EasyPayProvider } from '@/lib/easy-pay/provider';
 import { StripeProvider } from '@/lib/stripe/provider';
 import { getEnv } from '@/lib/config';
@@ -37,5 +38,14 @@ export function initPaymentProviders(): void {
 paymentRegistry.register(new StripeProvider());
 }

+ // 校验 ENABLED_PAYMENT_TYPES 的每个渠道都有对应 provider 已注册
+ const unsupported = env.ENABLED_PAYMENT_TYPES.filter((t) => !paymentRegistry.hasProvider(t as PaymentType));
+ if (unsupported.length > 0) {
+ throw new Error(
+ `ENABLED_PAYMENT_TYPES 含 [${unsupported.join(', ')}],但没有对应的 PAYMENT_PROVIDERS 注册。` +
+ `请检查 PAYMENT_PROVIDERS 配置`,
+ );
+ }
+
 initialized = true;
 }
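Review bot: The 5 s limit in `isSub2ApiAdmin` stops applying once the response headers arrive, because `clearTimeout(timeout)` runs before `await response.json()`; an upstream that answers with headers and then stalls the body can still hang this admin check. The timer is also left pending when `fetch` rejects for a reason other than the abort. Replacing the controller and timer with `signal: AbortSignal.timeout(5000)` would cover the body read and need no cleanup; alternatively move `clearTimeout(timeout)` into a `finally` that runs after the JSON parse. The `catch` of this `try` lies outside the hunk, so it is worth confirming that an abort there resolves to `false` (fail closed) rather than propagating.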
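Review bot: The new `throw` in `initPaymentProviders` leaves the module half-initialised: the providers above it are already registered while `initialized` stays false, so a caller that catches the error and calls again repeats the registration. What that does depends on `paymentRegistry.register` and on the guard at the top of the function, neither of which is visible in this hunk. If the check is meant as a startup fail-fast, as the commit message says, document it with `@throws Error when ENABLED_PAYMENT_TYPES names a type with no registered provider` and make sure the call site treats it as fatal rather than swallowing it on a request path. The cast `t as PaymentType` also hides that `t` is an arbitrary env string; a comment such as `// cast is for lookup only, t is unvalidated config` would make that intent explicit.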