fix: 全面安全审计修复

安全加固：
- 系统配置 API 增加写入 key 白名单，防止任意配置注入
- ADMIN_TOKEN 最小长度要求 16 字符
- 补充安全响应头（X-Content-Type-Options, X-Frame-Options, Referrer-Policy）
- /api/users/[id] 和 /api/limits 增加 token 鉴权
- console.error 敏感信息脱敏（config route）
- 敏感值 mask 修复短值完全隐藏

输入校验：
- admin 渠道接口校验 rate_multiplier > 0、sort_order >= 0、name 非空
- admin 订阅套餐接口校验 price > 0、validity_days > 0、sort_order >= 0

金额精度：
- feeRate 字段精度从 Decimal(5,2) 提升到 Decimal(5,4)
- calculatePayAmount 返回 string 避免 Number 中间转换精度丢失
- 支付宝查询订单增加金额有效性校验（isFinite && > 0）

UI 统一：
- 订阅管理「售卖」列改为 toggle switch 开关（与渠道管理一致）
- 表单中 checkbox 改为 toggle switch
- 列名统一为「启用售卖」，支持直接点击切换

src/app/api/admin/channels/[id]/route.ts

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
       }
     }
 
+    if (body.rate_multiplier !== undefined && (typeof body.rate_multiplier !== 'number' || body.rate_multiplier <= 0)) {
+      return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
+    }
+    if (body.sort_order !== undefined && (!Number.isInteger(body.sort_order) || body.sort_order < 0)) {
+      return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
+    }
+
     const data: Record<string, unknown> = {};
     if (body.group_id !== undefined) data.groupId = Number(body.group_id);
     if (body.name !== undefined) data.name = body.name;

src/app/api/admin/channels/route.ts

@@ -47,6 +47,16 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: '缺少必填字段: group_id, name, platform, rate_multiplier' }, { status: 400 });
     }
 
+    if (typeof name !== 'string' || name.trim() === '') {
+      return NextResponse.json({ error: 'name 必须非空' }, { status: 400 });
+    }
+    if (typeof rate_multiplier !== 'number' || rate_multiplier <= 0) {
+      return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
+    }
+    if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
+      return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
+    }
+
     // 验证 group_id 唯一性
     const existing = await prisma.channel.findUnique({
       where: { groupId: Number(group_id) },

src/app/api/admin/config/route.ts

@@ -6,7 +6,8 @@ const SENSITIVE_PATTERNS = ['KEY', 'SECRET', 'PASSWORD', 'PRIVATE'];
 
 function maskSensitiveValue(key: string, value: string): string {
   const isSensitive = SENSITIVE_PATTERNS.some((pattern) => key.toUpperCase().includes(pattern));
-  if (!isSensitive || value.length <= 4) return value;
+  if (!isSensitive) return value;
+  if (value.length <= 4) return '****';
   return '*'.repeat(value.length - 4) + value.slice(-4);
 }
 
@@ -23,7 +24,7 @@ export async function GET(request: NextRequest) {
 
     return NextResponse.json({ configs: masked });
   } catch (error) {
-    console.error('Failed to get system configs:', error);
+    console.error('Failed to get system configs:', error instanceof Error ? error.message : String(error));
     return NextResponse.json({ error: '获取系统配置失败' }, { status: 500 });
   }
 }
@@ -39,11 +40,24 @@ export async function PUT(request: NextRequest) {
       return NextResponse.json({ error: '缺少必填字段: configs 数组' }, { status: 400 });
     }
 
+    const ALLOWED_CONFIG_KEYS = new Set([
+      'PRODUCT_NAME',
+      'ENABLED_PAYMENT_TYPES',
+      'RECHARGE_MIN_AMOUNT',
+      'RECHARGE_MAX_AMOUNT',
+      'DAILY_RECHARGE_LIMIT',
+      'ORDER_TIMEOUT_MINUTES',
+      'IFRAME_ALLOW_ORIGINS',
+    ]);
+
     // 校验每条配置
     for (const config of configs) {
       if (!config.key || config.value === undefined) {
         return NextResponse.json({ error: '每条配置必须包含 key 和 value' }, { status: 400 });
       }
+      if (!ALLOWED_CONFIG_KEYS.has(config.key)) {
+        return NextResponse.json({ error: `不允许修改配置项: ${config.key}` }, { status: 400 });
+      }
     }
 
     await setSystemConfigs(
@@ -57,7 +71,7 @@ export async function PUT(request: NextRequest) {
 
     return NextResponse.json({ success: true, updated: configs.length });
   } catch (error) {
-    console.error('Failed to update system configs:', error);
+    console.error('Failed to update system configs:', error instanceof Error ? error.message : String(error));
     return NextResponse.json({ error: '更新系统配置失败' }, { status: 500 });
   }
 }

src/app/api/admin/subscription-plans/[id]/route.ts

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
       }
     }
 
+    if (body.price !== undefined && (typeof body.price !== 'number' || body.price <= 0)) {
+      return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
+    }
+    if (body.validity_days !== undefined && (!Number.isInteger(body.validity_days) || body.validity_days <= 0)) {
+      return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
+    }
+
     const data: Record<string, unknown> = {};
     if (body.group_id !== undefined) data.groupId = Number(body.group_id);
     if (body.name !== undefined) data.name = body.name;

src/app/api/admin/subscription-plans/route.ts

@@ -61,6 +61,16 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: '缺少必填字段: group_id, name, price' }, { status: 400 });
     }
 
+    if (typeof price !== 'number' || price <= 0) {
+      return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
+    }
+    if (validity_days !== undefined && (!Number.isInteger(validity_days) || validity_days <= 0)) {
+      return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
+    }
+    if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
+      return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
+    }
+
     // 验证 group_id 唯一性
     const existing = await prisma.subscriptionPlan.findUnique({
       where: { groupId: Number(group_id) },