security: 隐私接口全面加固,统一 token 鉴权
- /api/orders/[id] 只返回 id/status/expiresAt,移除 user_name/pay_url 等隐私字段
- /api/orders/[id]/cancel 改为 token 鉴权,服务端验证用户身份后执行取消
- /api/orders (POST 响应) 过滤 userName/userBalance,不向客户端暴露
- /api/user 移除 username/email/balance,只返回 id/status 和 config
- /api/users/[id] 只返回 {id, exists},不暴露任何隐私信息
- pay/page.tsx 恢复从服务端动态获取 config,无 token 时只显示用户 ID
- pay/orders/page.tsx 无 token 时不查询隐私接口,统一按钮样式
- PaymentQRCode 新增 token prop,无 token 时隐藏取消按钮
- 创建订单失败改为中文错误提示
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { prisma } from '@/lib/db';
|
||||
|
||||
// 仅返回订单状态相关字段,不暴露任何用户隐私信息
|
||||
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
|
||||
const { id } = await params;
|
||||
|
||||
@@ -8,19 +9,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
|
||||
where: { id },
|
||||
select: {
|
||||
id: true,
|
||||
userId: true,
|
||||
userName: true,
|
||||
amount: true,
|
||||
status: true,
|
||||
paymentType: true,
|
||||
payUrl: true,
|
||||
qrCode: true,
|
||||
qrCodeImg: true,
|
||||
expiresAt: true,
|
||||
paidAt: true,
|
||||
completedAt: true,
|
||||
failedReason: true,
|
||||
createdAt: true,
|
||||
},
|
||||
});
|
||||
|
||||
@@ -29,19 +19,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
|
||||
}
|
||||
|
||||
return NextResponse.json({
|
||||
order_id: order.id,
|
||||
user_id: order.userId,
|
||||
user_name: order.userName,
|
||||
amount: Number(order.amount),
|
||||
id: order.id,
|
||||
status: order.status,
|
||||
payment_type: order.paymentType,
|
||||
pay_url: order.payUrl,
|
||||
qr_code: order.qrCode,
|
||||
qr_code_img: order.qrCodeImg,
|
||||
expires_at: order.expiresAt,
|
||||
paid_at: order.paidAt,
|
||||
completed_at: order.completedAt,
|
||||
failed_reason: order.failedReason,
|
||||
created_at: order.createdAt,
|
||||
expiresAt: order.expiresAt,
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user