fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一
- /api/user 添加 token 认证,防止用户枚举 - Admin token 支持 Authorization header - /api/orders/my 区分认证失败和服务端错误 - Admin orders userId/date 参数校验 - Decimal 字段统一 Number() 转换 - 抽取 handleApiError/extractHeaders 工具函数 - Webhook 路由改用 Registry 获取 Provider - PaymentRegistry lazy init 自动初始化 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
erio
@@ -16,11 +16,38 @@ export async function GET(request: NextRequest) {
|
||||
|
||||
const where: Prisma.OrderWhereInput = {};
|
||||
if (status && status in OrderStatus) where.status = status as OrderStatus;
|
||||
if (userId) where.userId = Number(userId);
|
||||
|
||||
// userId 校验:忽略无效值(NaN)
|
||||
if (userId) {
|
||||
const parsedUserId = Number(userId);
|
||||
if (Number.isFinite(parsedUserId)) {
|
||||
where.userId = parsedUserId;
|
||||
}
|
||||
}
|
||||
|
||||
// 日期校验:忽略无效日期
|
||||
if (dateFrom || dateTo) {
|
||||
where.createdAt = {};
|
||||
if (dateFrom) where.createdAt.gte = new Date(dateFrom);
|
||||
if (dateTo) where.createdAt.lte = new Date(dateTo);
|
||||
const createdAt: Prisma.DateTimeFilter = {};
|
||||
let hasValidDate = false;
|
||||
|
||||
if (dateFrom) {
|
||||
const d = new Date(dateFrom);
|
||||
if (!isNaN(d.getTime())) {
|
||||
createdAt.gte = d;
|
||||
hasValidDate = true;
|
||||
}
|
||||
}
|
||||
if (dateTo) {
|
||||
const d = new Date(dateTo);
|
||||
if (!isNaN(d.getTime())) {
|
||||
createdAt.lte = d;
|
||||
hasValidDate = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (hasValidDate) {
|
||||
where.createdAt = createdAt;
|
||||
}
|
||||
}
|
||||
|
||||
const [orders, total] = await Promise.all([
|
||||
|
||||
Reference in New Issue
Block a user