fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举 - Admin token 支持 Authorization header - /api/orders/my 区分认证失败和服务端错误 - Admin orders userId/date 参数校验 - Decimal 字段统一 Number() 转换 - 抽取 handleApiError/extractHeaders 工具函数 - Webhook 路由改用 Registry 获取 Provider - PaymentRegistry lazy init 自动初始化 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 04:15:54 +08:00
parent a5e07edda6
commit ac0772b0f4
19 changed files with 176 additions and 75 deletions
--- a/src/app/api/wxpay/notify/route.ts
+++ b/src/app/api/wxpay/notify/route.ts
@@ -1,9 +1,9 @@
 import { NextRequest } from 'next/server';
 import { handlePaymentNotify } from '@/lib/order/service';
-import { WxpayProvider } from '@/lib/wxpay';
+import { paymentRegistry } from '@/lib/payment';
+import type { PaymentType } from '@/lib/payment';
 import { getEnv } from '@/lib/config';
-
-const wxpayProvider = new WxpayProvider();
+import { extractHeaders } from '@/lib/utils/api';

 export async function POST(request: NextRequest) {
  try {
@@ -13,17 +13,15 @@ export async function POST(request: NextRequest) {
      return Response.json({ code: 'SUCCESS', message: '成功' });
    }

+    const provider = paymentRegistry.getProvider('wxpay_direct' as PaymentType);
    const rawBody = await request.text();
-    const headers: Record<string, string> = {};
-    request.headers.forEach((value, key) => {
-      headers[key] = value;
-    });
+    const headers = extractHeaders(request);

-    const notification = await wxpayProvider.verifyNotification(rawBody, headers);
+    const notification = await provider.verifyNotification(rawBody, headers);
    if (!notification) {
      return Response.json({ code: 'SUCCESS', message: '成功' });
    }
-    const success = await handlePaymentNotify(notification, wxpayProvider.name);
+    const success = await handlePaymentNotify(notification, provider.name);
    return Response.json(
      success ? { code: 'SUCCESS', message: '成功' } : { code: 'FAIL', message: '处理失败' },
      { status: success ? 200 : 500 },