fix: 审查修复 — 来源字段长度限制、鉴权超时、支付配置启动校验

- src_host max 253, src_url max 2048 - Sub2API 鉴权请求加 5s AbortController 超时 - initPaymentProviders 启动时校验 ENABLED_PAYMENT_TYPES 与已注册 provider 一致性 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 01:56:22 +08:00
parent 8cf78dc295
commit 930ce60fcc
3 changed files with 16 additions and 2 deletions
--- a/src/app/api/orders/route.ts
+++ b/src/app/api/orders/route.ts
@@ -7,8 +7,8 @@ const createOrderSchema = z.object({
  user_id: z.number().int().positive(),
  amount: z.number().positive(),
  payment_type: z.enum(['alipay', 'wxpay', 'stripe']),
-  src_host: z.string().optional(),
+  src_host: z.string().max(253).optional(),
-  src_url: z.string().optional(),
+  src_url: z.string().max(2048).optional(),
 });
 export async function POST(request: NextRequest) {
--- a/src/lib/admin-auth.ts
+++ b/src/lib/admin-auth.ts
@@ -14,9 +14,13 @@ function isLocalAdminToken(token: string): boolean {
 async function isSub2ApiAdmin(token: string): Promise<boolean> {
  try {
    const env = getEnv();
    const controller = new AbortController();
    const timeout = setTimeout(() => controller.abort(), 5000);
    const response = await fetch(`${env.SUB2API_BASE_URL}/api/v1/auth/me`, {
      headers: { Authorization: `Bearer ${token}` },
      signal: controller.signal,
    });
    clearTimeout(timeout);
    if (!response.ok) return false;
    const data = await response.json();
    return data.data?.role === 'admin';
--- a/src/lib/payment/index.ts
+++ b/src/lib/payment/index.ts
@@ -1,4 +1,5 @@
 import { paymentRegistry } from './registry';
 import type { PaymentType } from './types';
 import { EasyPayProvider } from '@/lib/easy-pay/provider';
 import { StripeProvider } from '@/lib/stripe/provider';
 import { getEnv } from '@/lib/config';
@@ -37,5 +38,14 @@ export function initPaymentProviders(): void {
    paymentRegistry.register(new StripeProvider());
  }
  // 校验 ENABLED_PAYMENT_TYPES 的每个渠道都有对应 provider 已注册
  const unsupported = env.ENABLED_PAYMENT_TYPES.filter((t) => !paymentRegistry.hasProvider(t as PaymentType));
  if (unsupported.length > 0) {
    throw new Error(
      `ENABLED_PAYMENT_TYPES 含 [${unsupported.join(', ')}]，但没有对应的 PAYMENT_PROVIDERS 注册。` +
      `请检查 PAYMENT_PROVIDERS 配置`,
    );
  }
  initialized = true;
 }