wanwu/sub2apipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 全面安全审计修复

Browse Source 
安全加固:
- 系统配置 API 增加写入 key 白名单,防止任意配置注入
- ADMIN_TOKEN 最小长度要求 16 字符
- 补充安全响应头(X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
- /api/users/[id] 和 /api/limits 增加 token 鉴权
- console.error 敏感信息脱敏(config route)
- 敏感值 mask 修复短值完全隐藏

输入校验:
- admin 渠道接口校验 rate_multiplier > 0、sort_order >= 0、name 非空
- admin 订阅套餐接口校验 price > 0、validity_days > 0、sort_order >= 0

金额精度:
- feeRate 字段精度从 Decimal(5,2) 提升到 Decimal(5,4)
- calculatePayAmount 返回 string 避免 Number 中间转换精度丢失
- 支付宝查询订单增加金额有效性校验(isFinite && > 0)

UI 统一:
- 订阅管理「售卖」列改为 toggle switch 开关(与渠道管理一致)
- 表单中 checkbox 改为 toggle switch
- 列名统一为「启用售卖」,支持直接点击切换
This commit is contained in:
erio
2026-03-13 23:03:01 +08:00
parent 38156bd4ef
commit ca03a501f2
16 changed files with 157 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
src/app/admin/subscriptions/page.tsx
View File

@@ -168,7 +168,7 @@ function buildText(locale: Locale) {
colPrice: '价格',
colOriginalPrice: '原价',
colValidDays: '有效期',
colEnabled: '售卖',
colEnabled: '启用售卖',
colGroupStatus: '分组状态',
colActions: '操作',
edit: '编辑',
@@ -461,6 +461,25 @@ function SubscriptionsContent() {
}
};
/* --- toggle plan enabled --- */
const handleToggleEnabled = async (plan: SubscriptionPlan) => {
try {
const res = await fetch(`/api/admin/subscription-plans/${plan.id}`, {
method: 'PUT',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${token}`,
},
body: JSON.stringify({ for_sale: !plan.enabled }),
});
if (res.ok) {
setPlans((prev) => prev.map((p) => (p.id === plan.id ? { ...p, enabled: !p.enabled } : p)));
}
} catch {
/* ignore */
}
};
/* --- fetch user subs --- */
const fetchSubs = async () => {
if (!token || !subsUserId.trim()) return;
@@ -705,20 +724,21 @@ function SubscriptionsContent() {
: t.unitDay}
</td>
<td className={tdCls}>
<span
<button
type="button"
onClick={() => handleToggleEnabled(plan)}
className={[
'inline-block rounded-full px-2 py-0.5 text-xs font-medium',
plan.enabled
? isDark
? 'bg-green-500/20 text-green-300'
: 'bg-green-50 text-green-700'
: isDark
? 'bg-slate-700 text-slate-400'
: 'bg-gray-100 text-gray-500',
'relative inline-flex h-5 w-9 items-center rounded-full transition-colors',
plan.enabled ? 'bg-emerald-500' : isDark ? 'bg-slate-600' : 'bg-slate-300',
].join(' ')}
>
{plan.enabled ? t.enabled : t.disabled}
</span>
<span
className={[
'inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform',
plan.enabled ? 'translate-x-4.5' : 'translate-x-0.5',
].join(' ')}
/>
</button>
</td>
<td className={tdCls}>
<span
@@ -1083,19 +1103,24 @@ function SubscriptionsContent() {
{/* Enabled */}
<div className="flex items-center gap-2">
<input
id="form-enabled"
type="checkbox"
checked={formEnabled}
onChange={(e) => setFormEnabled(e.target.checked)}
className="h-4 w-4 rounded border-slate-300"
/>
<label
htmlFor="form-enabled"
className={['text-sm', isDark ? 'text-slate-300' : 'text-slate-700'].join(' ')}
<button
type="button"
onClick={() => setFormEnabled(!formEnabled)}
className={[
'relative inline-flex h-6 w-11 items-center rounded-full transition-colors',
formEnabled ? 'bg-emerald-500' : isDark ? 'bg-slate-600' : 'bg-slate-300',
].join(' ')}
>
<span
className={[
'inline-block h-4 w-4 rounded-full bg-white transition-transform',
formEnabled ? 'translate-x-6' : 'translate-x-1',
].join(' ')}
/>
</button>
<span className={['text-sm', isDark ? 'text-slate-300' : 'text-slate-700'].join(' ')}>
{t.fieldEnabled}
</label>
</span>
</div>
</div>

7
src/app/api/admin/channels/[id]/route.ts
View File

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
}
}
if (body.rate_multiplier !== undefined && (typeof body.rate_multiplier !== 'number' || body.rate_multiplier <= 0)) {
return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
}
if (body.sort_order !== undefined && (!Number.isInteger(body.sort_order) || body.sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
const data: Record<string, unknown> = {};
if (body.group_id !== undefined) data.groupId = Number(body.group_id);
if (body.name !== undefined) data.name = body.name;

10
src/app/api/admin/channels/route.ts
View File

@@ -47,6 +47,16 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: group_id, name, platform, rate_multiplier' }, { status: 400 });
}
if (typeof name !== 'string' || name.trim() === '') {
return NextResponse.json({ error: 'name 必须非空' }, { status: 400 });
}
if (typeof rate_multiplier !== 'number' || rate_multiplier <= 0) {
return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
}
if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
// 验证 group_id 唯一性
const existing = await prisma.channel.findUnique({
where: { groupId: Number(group_id) },

20
src/app/api/admin/config/route.ts
View File

@@ -6,7 +6,8 @@ const SENSITIVE_PATTERNS = ['KEY', 'SECRET', 'PASSWORD', 'PRIVATE'];
function maskSensitiveValue(key: string, value: string): string {
const isSensitive = SENSITIVE_PATTERNS.some((pattern) => key.toUpperCase().includes(pattern));
if (!isSensitive || value.length <= 4) return value;
if (!isSensitive) return value;
if (value.length <= 4) return '****';
return '*'.repeat(value.length - 4) + value.slice(-4);
}
@@ -23,7 +24,7 @@ export async function GET(request: NextRequest) {
return NextResponse.json({ configs: masked });
} catch (error) {
console.error('Failed to get system configs:', error);
console.error('Failed to get system configs:', error instanceof Error ? error.message : String(error));
return NextResponse.json({ error: '获取系统配置失败' }, { status: 500 });
}
}
@@ -39,11 +40,24 @@ export async function PUT(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: configs 数组' }, { status: 400 });
}
const ALLOWED_CONFIG_KEYS = new Set([
'PRODUCT_NAME',
'ENABLED_PAYMENT_TYPES',
'RECHARGE_MIN_AMOUNT',
'RECHARGE_MAX_AMOUNT',
'DAILY_RECHARGE_LIMIT',
'ORDER_TIMEOUT_MINUTES',
'IFRAME_ALLOW_ORIGINS',
]);
// 校验每条配置
for (const config of configs) {
if (!config.key || config.value === undefined) {
return NextResponse.json({ error: '每条配置必须包含 key 和 value' }, { status: 400 });
}
if (!ALLOWED_CONFIG_KEYS.has(config.key)) {
return NextResponse.json({ error: `不允许修改配置项: ${config.key}` }, { status: 400 });
}
}
await setSystemConfigs(
@@ -57,7 +71,7 @@ export async function PUT(request: NextRequest) {
return NextResponse.json({ success: true, updated: configs.length });
} catch (error) {
console.error('Failed to update system configs:', error);
console.error('Failed to update system configs:', error instanceof Error ? error.message : String(error));
return NextResponse.json({ error: '更新系统配置失败' }, { status: 500 });
}
}

7
src/app/api/admin/subscription-plans/[id]/route.ts
View File

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
}
}
if (body.price !== undefined && (typeof body.price !== 'number' || body.price <= 0)) {
return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
}
if (body.validity_days !== undefined && (!Number.isInteger(body.validity_days) || body.validity_days <= 0)) {
return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
}
const data: Record<string, unknown> = {};
if (body.group_id !== undefined) data.groupId = Number(body.group_id);
if (body.name !== undefined) data.name = body.name;

10
src/app/api/admin/subscription-plans/route.ts
View File

@@ -61,6 +61,16 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: group_id, name, price' }, { status: 400 });
}
if (typeof price !== 'number' || price <= 0) {
return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
}
if (validity_days !== undefined && (!Number.isInteger(validity_days) || validity_days <= 0)) {
return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
}
if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
// 验证 group_id 唯一性
const existing = await prisma.subscriptionPlan.findUnique({
where: { groupId: Number(group_id) },

20
src/app/api/limits/route.ts
View File

@@ -1,11 +1,12 @@
import { NextResponse } from 'next/server';
import { NextRequest, NextResponse } from 'next/server';
import { queryMethodLimits } from '@/lib/order/limits';
import { initPaymentProviders, paymentRegistry } from '@/lib/payment';
import { getNextBizDayStartUTC } from '@/lib/time/biz-day';
import { getCurrentUserByToken } from '@/lib/sub2api/client';
/**
* GET /api/limits
* 返回各支付渠道今日限额使用情况,公开接口(无需鉴权)
* GET /api/limits?token=xxx
* 返回各支付渠道今日限额使用情况。
*
* Response:
* {
@@ -17,7 +18,18 @@ import { getNextBizDayStartUTC } from '@/lib/time/biz-day';
* resetAt: "2026-03-02T16:00:00.000Z" // 业务时区Asia/Shanghai次日零点对应的 UTC 时间
* }
*/
export async function GET() {
export async function GET(request: NextRequest) {
const token = request.nextUrl.searchParams.get('token')?.trim();
if (!token) {
return NextResponse.json({ error: 'token is required' }, { status: 400 });
}
try {
await getCurrentUserByToken(token);
} catch {
return NextResponse.json({ error: 'unauthorized' }, { status: 401 });
}
initPaymentProviders();
const types = paymentRegistry.getSupportedTypes();
const methods = await queryMethodLimits(types);

16
src/app/api/users/[id]/route.ts
View File

@@ -1,8 +1,20 @@
import { NextResponse } from 'next/server';
import { getUser } from '@/lib/sub2api/client';
import { getUser, getCurrentUserByToken } from '@/lib/sub2api/client';
// 仅返回用户是否存在,不暴露私隐信息(用户名/邮箱/余额需 token 验证)
export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
export async function GET(request: Request, { params }: { params: Promise<{ id: string }> }) {
const { searchParams } = new URL(request.url);
const token = searchParams.get('token')?.trim();
if (!token) {
return NextResponse.json({ error: 'token is required' }, { status: 400 });
}
try {
await getCurrentUserByToken(token);
} catch {
return NextResponse.json({ error: 'unauthorized' }, { status: 401 });
}
const { id } = await params;
const userId = Number(id);