fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/lib/admin-auth.ts

@@ -30,7 +30,23 @@ async function isSub2ApiAdmin(token: string): Promise<boolean> {
 }
 
 export async function verifyAdminToken(request: NextRequest): Promise<boolean> {
-  const token = request.nextUrl.searchParams.get('token');
+  // 优先从 Authorization: Bearer <token> header 获取
+  let token: string | null = null;
+  const authHeader = request.headers.get('authorization');
+  if (authHeader?.startsWith('Bearer ')) {
+    token = authHeader.slice(7).trim();
+  }
+
+  // Fallback: query parameter（向后兼容，已弃用）
+  if (!token) {
+    token = request.nextUrl.searchParams.get('token');
+    if (token) {
+      console.warn(
+        '[DEPRECATED] Admin token passed via query parameter. Use "Authorization: Bearer <token>" header instead.',
+      );
+    }
+  }
+
   if (!token) return false;
 
   // 1. 本地 admin token

src/lib/payment/index.ts

@@ -69,3 +69,6 @@ export function initPaymentProviders(): void {
 
   initialized = true;
 }
+
+// 注入 lazy init：Registry 方法会自动调用 initPaymentProviders()
+paymentRegistry.setInitializer(initPaymentProviders);

src/lib/payment/registry.ts

@@ -2,6 +2,18 @@ import type { PaymentProvider, PaymentType, MethodDefaultLimits } from './types'
 
 export class PaymentProviderRegistry {
   private providers = new Map<PaymentType, PaymentProvider>();
+  private _ensureInitialized: (() => void) | null = null;
+
+  /** 设置 lazy init 回调，由 initPaymentProviders 注入 */
+  setInitializer(fn: () => void): void {
+    this._ensureInitialized = fn;
+  }
+
+  private autoInit(): void {
+    if (this._ensureInitialized) {
+      this._ensureInitialized();
+    }
+  }
 
   register(provider: PaymentProvider): void {
     for (const type of provider.supportedTypes) {
@@ -10,6 +22,7 @@ export class PaymentProviderRegistry {
   }
 
   getProvider(type: PaymentType): PaymentProvider {
+    this.autoInit();
     const provider = this.providers.get(type);
     if (!provider) {
       throw new Error(`No payment provider registered for type: ${type}`);
@@ -18,21 +31,25 @@ export class PaymentProviderRegistry {
   }
 
   hasProvider(type: PaymentType): boolean {
+    this.autoInit();
     return this.providers.has(type);
   }
 
   getSupportedTypes(): PaymentType[] {
+    this.autoInit();
     return Array.from(this.providers.keys());
   }
 
   /** 获取指定渠道的提供商默认限额（未注册时返回 undefined） */
   getDefaultLimit(type: string): MethodDefaultLimits | undefined {
+    this.autoInit();
     const provider = this.providers.get(type as PaymentType);
     return provider?.defaultLimits?.[type];
   }
 
   /** 获取指定渠道对应的提供商 key（如 'easypay'、'stripe'） */
   getProviderKey(type: string): string | undefined {
+    this.autoInit();
     const provider = this.providers.get(type as PaymentType);
     return provider?.providerKey;
   }

src/lib/utils/api.ts

@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { OrderError } from '@/lib/order/service';
+
+/** 统一处理 OrderError 和未知错误 */
+export function handleApiError(error: unknown, fallbackMessage: string): NextResponse {
+  if (error instanceof OrderError) {
+    return NextResponse.json({ error: error.message, code: error.code }, { status: error.statusCode });
+  }
+  console.error(`${fallbackMessage}:`, error);
+  return NextResponse.json({ error: fallbackMessage }, { status: 500 });
+}
+
+/** 从 NextRequest 提取 headers 为普通对象 */
+export function extractHeaders(request: NextRequest): Record<string, string> {
+  const headers: Record<string, string> = {};
+  request.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return headers;
+}