fix: 审查修复 — 来源字段长度限制、鉴权超时、支付配置启动校验

- src_host max 253, src_url max 2048 - Sub2API 鉴权请求加 5s AbortController 超时 - initPaymentProviders 启动时校验 ENABLED_PAYMENT_TYPES 与已注册 provider 一致性 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 01:56:22 +08:00
parent 8cf78dc295
commit 930ce60fcc
3 changed files with 16 additions and 2 deletions
--- a/src/lib/admin-auth.ts
+++ b/src/lib/admin-auth.ts
@@ -14,9 +14,13 @@ function isLocalAdminToken(token: string): boolean {
 async function isSub2ApiAdmin(token: string): Promise<boolean> {
  try {
    const env = getEnv();
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 5000);
    const response = await fetch(`${env.SUB2API_BASE_URL}/api/v1/auth/me`, {
      headers: { Authorization: `Bearer ${token}` },
+      signal: controller.signal,
    });
+    clearTimeout(timeout);
    if (!response.ok) return false;
    const data = await response.json();
    return data.data?.role === 'admin';