security: 隐私接口全面加固,统一 token 鉴权
- /api/orders/[id] 只返回 id/status/expiresAt,移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权,服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance,不向客户端暴露
- /api/user 移除 username/email/balance,只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists},不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config,无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口,统一按钮样式
- PaymentQRCode 新增 token prop,无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示
This commit is contained in:
erio
@@ -1,9 +1,10 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { z } from 'zod';
|
||||
import { cancelOrder, OrderError } from '@/lib/order/service';
|
||||
import { getCurrentUserByToken } from '@/lib/sub2api/client';
|
||||
|
||||
const cancelSchema = z.object({
|
||||
user_id: z.number().int().positive(),
|
||||
token: z.string().min(1),
|
||||
});
|
||||
|
||||
export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
|
||||
@@ -13,10 +14,18 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
|
||||
const parsed = cancelSchema.safeParse(body);
|
||||
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: '参数错误', details: parsed.error.flatten().fieldErrors }, { status: 400 });
|
||||
return NextResponse.json({ error: '缺少 token 参数' }, { status: 400 });
|
||||
}
|
||||
|
||||
const outcome = await cancelOrder(id, parsed.data.user_id);
|
||||
let userId: number;
|
||||
try {
|
||||
const user = await getCurrentUserByToken(parsed.data.token);
|
||||
userId = user.id;
|
||||
} catch {
|
||||
return NextResponse.json({ error: '登录态已失效,无法取消订单' }, { status: 401 });
|
||||
}
|
||||
|
||||
const outcome = await cancelOrder(id, userId);
|
||||
if (outcome === 'already_paid') {
|
||||
return NextResponse.json({ success: true, status: 'PAID', message: '订单已支付完成' });
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { prisma } from '@/lib/db';
|
||||
|
||||
// 仅返回订单状态相关字段,不暴露任何用户隐私信息
|
||||
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
|
||||
const { id } = await params;
|
||||
|
||||
@@ -8,19 +9,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
|
||||
where: { id },
|
||||
select: {
|
||||
id: true,
|
||||
userId: true,
|
||||
userName: true,
|
||||
amount: true,
|
||||
status: true,
|
||||
paymentType: true,
|
||||
payUrl: true,
|
||||
qrCode: true,
|
||||
qrCodeImg: true,
|
||||
expiresAt: true,
|
||||
paidAt: true,
|
||||
completedAt: true,
|
||||
failedReason: true,
|
||||
createdAt: true,
|
||||
},
|
||||
});
|
||||
|
||||
@@ -29,19 +19,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
|
||||
}
|
||||
|
||||
return NextResponse.json({
|
||||
order_id: order.id,
|
||||
user_id: order.userId,
|
||||
user_name: order.userName,
|
||||
amount: Number(order.amount),
|
||||
id: order.id,
|
||||
status: order.status,
|
||||
payment_type: order.paymentType,
|
||||
pay_url: order.payUrl,
|
||||
qr_code: order.qrCode,
|
||||
qr_code_img: order.qrCodeImg,
|
||||
expires_at: order.expiresAt,
|
||||
paid_at: order.paidAt,
|
||||
completed_at: order.completedAt,
|
||||
failed_reason: order.failedReason,
|
||||
created_at: order.createdAt,
|
||||
expiresAt: order.expiresAt,
|
||||
});
|
||||
}
|
||||
|
||||
@@ -44,7 +44,9 @@ export async function POST(request: NextRequest) {
|
||||
clientIp,
|
||||
});
|
||||
|
||||
return NextResponse.json(result);
|
||||
// 不向客户端暴露 userName / userBalance 等隐私字段
|
||||
const { userName: _u, userBalance: _b, ...safeResult } = result;
|
||||
return NextResponse.json(safeResult);
|
||||
} catch (error) {
|
||||
if (error instanceof OrderError) {
|
||||
return NextResponse.json({ error: error.message, code: error.code }, { status: error.statusCode });
|
||||
|
||||
@@ -15,10 +15,7 @@ export async function GET(request: NextRequest) {
|
||||
return NextResponse.json({
|
||||
user: {
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
email: user.email,
|
||||
status: user.status,
|
||||
balance: user.balance,
|
||||
},
|
||||
config: {
|
||||
enabledPaymentTypes: env.ENABLED_PAYMENT_TYPES,
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { NextResponse } from 'next/server';
|
||||
import { getUser } from '@/lib/sub2api/client';
|
||||
|
||||
// 仅返回用户是否存在,不暴露私隐信息(用户名/邮箱/余额需 token 验证)
|
||||
export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
|
||||
const { id } = await params;
|
||||
const userId = Number(id);
|
||||
@@ -11,16 +12,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
|
||||
|
||||
try {
|
||||
const user = await getUser(userId);
|
||||
const displayName = user.username || user.email || `User #${user.id}`;
|
||||
|
||||
return NextResponse.json({
|
||||
id: user.id,
|
||||
username: user.username,
|
||||
email: user.email,
|
||||
displayName,
|
||||
balance: user.balance,
|
||||
status: user.status,
|
||||
});
|
||||
return NextResponse.json({ id: user.id, exists: true });
|
||||
} catch (error) {
|
||||
if (error instanceof Error && error.message === 'USER_NOT_FOUND') {
|
||||
return NextResponse.json({ error: 'User not found' }, { status: 404 });
|
||||
|
||||
Reference in New Issue
Block a user