fix: 全面安全审计修复

安全加固： - 系统配置 API 增加写入 key 白名单，防止任意配置注入 - ADMIN_TOKEN 最小长度要求 16 字符 - 补充安全响应头（X-Content-Type-Options, X-Frame-Options, Referrer-Policy） - /api/users/[id] 和 /api/limits 增加 token 鉴权 - console.error 敏感信息脱敏（config route） - 敏感值 mask 修复短值完全隐藏输入校验： - admin 渠道接口校验 rate_multiplier > 0、sort_order >= 0、name 非空 - admin 订阅套餐接口校验 price > 0、validity_days > 0、sort_order >= 0 金额精度： - feeRate 字段精度从 Decimal(5,2) 提升到 Decimal(5,4) - calculatePayAmount 返回 string 避免 Number 中间转换精度丢失 - 支付宝查询订单增加金额有效性校验（isFinite && > 0） UI 统一： - 订阅管理「售卖」列改为 toggle switch 开关（与渠道管理一致） - 表单中 checkbox 改为 toggle switch - 列名统一为「启用售卖」，支持直接点击切换
2026-03-13 23:03:01 +08:00
parent 38156bd4ef
commit ca03a501f2
16 changed files with 157 additions and 44 deletions
--- a/src/lib/alipay/client.ts
+++ b/src/lib/alipay/client.ts
@@ -92,6 +92,10 @@ export async function execute<T extends AlipayResponse>(
  const data = await parseAlipayJsonResponse<Record<string, unknown>>(response);

  // 支付宝响应格式：{ "alipay_trade_query_response": { ... }, "sign": "..." }
+  // TODO: 实现响应验签 — 需要从原始响应文本中提取 responseKey 对应的 JSON 子串，
+  // 使用 verifySign 配合 ALIPAY_PUBLIC_KEY 验证 data.sign。
+  // 当前未验签是因为需要保留原始响应文本（不能 JSON.parse 后再 stringify），
+  // 需要改造 parseAlipayJsonResponse 同时返回原始文本。
  const responseKey = method.replace(/\./g, '_') + '_response';
  const result = data[responseKey] as T | undefined;

--- a/src/lib/alipay/provider.ts
+++ b/src/lib/alipay/provider.ts
@@ -120,10 +120,15 @@ export class AlipayProvider implements PaymentProvider {
        status = 'pending';
    }

+    const amount = parseFloat(result.total_amount || '0');
+    if (!Number.isFinite(amount) || amount <= 0) {
+      throw new Error(`Alipay queryOrder: invalid total_amount "${result.total_amount}" for trade ${tradeNo}`);
+    }
+
    return {
      tradeNo: result.trade_no || tradeNo,
      status,
-      amount: Math.round(parseFloat(result.total_amount || '0') * 100) / 100,
+      amount: Math.round(amount * 100) / 100,
      paidAt: result.send_pay_date ? new Date(result.send_pay_date) : undefined,
    };
  }
--- a/src/lib/config.ts
+++ b/src/lib/config.ts
@@ -87,7 +87,7 @@ const envSchema = z.object({
    .pipe(z.number().min(0).optional()),
  PRODUCT_NAME: z.string().default('Sub2API Balance Recharge'),

-  ADMIN_TOKEN: z.string().min(1),
+  ADMIN_TOKEN: z.string().min(16),

  NEXT_PUBLIC_APP_URL: z.string().url(),
  PAY_HELP_IMAGE_URL: optionalTrimmedString,
--- a/src/lib/order/fee.ts
+++ b/src/lib/order/fee.ts
@@ -35,10 +35,10 @@ const ROUND_UP = 0;
 * feeAmount = ceil(rechargeAmount * feeRate / 100, 保留2位小数)
 * payAmount = rechargeAmount + feeAmount
 */
-export function calculatePayAmount(rechargeAmount: number, feeRate: number): number {
-  if (feeRate <= 0) return rechargeAmount;
+export function calculatePayAmount(rechargeAmount: number, feeRate: number): string {
+  if (feeRate <= 0) return rechargeAmount.toFixed(2);
  const amount = new Prisma.Decimal(rechargeAmount);
  const rate = new Prisma.Decimal(feeRate.toString());
  const feeAmount = amount.mul(rate).div(100).toDecimalPlaces(2, ROUND_UP);
-  return amount.plus(feeAmount).toNumber();
+  return amount.plus(feeAmount).toFixed(2);
 }
--- a/src/lib/order/service.ts
+++ b/src/lib/order/service.ts
@@ -158,7 +158,8 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
  }

  const feeRate = getMethodFeeRate(input.paymentType);
-  const payAmount = calculatePayAmount(input.amount, feeRate);
+  const payAmountStr = calculatePayAmount(input.amount, feeRate);
+  const payAmountNum = Number(payAmountStr);

  const expiresAt = new Date(Date.now() + env.ORDER_TIMEOUT_MINUTES * 60 * 1000);
  const order = await prisma.$transaction(async (tx) => {
@@ -169,8 +170,8 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
        userName: user.username,
        userNotes: user.notes || null,
        amount: new Prisma.Decimal(input.amount.toFixed(2)),
-        payAmount: new Prisma.Decimal(payAmount.toFixed(2)),
-        feeRate: feeRate > 0 ? new Prisma.Decimal(feeRate.toFixed(2)) : null,
+        payAmount: new Prisma.Decimal(payAmountStr),
+        feeRate: feeRate > 0 ? new Prisma.Decimal(feeRate.toFixed(4)) : null,
        rechargeCode: '',
        status: 'PENDING',
        paymentType: input.paymentType,
@@ -213,9 +214,9 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR

    const paymentResult = await provider.createPayment({
      orderId: order.id,
-      amount: payAmount,
+      amount: payAmountNum,
      paymentType: input.paymentType,
-      subject: `${env.PRODUCT_NAME} ${payAmount.toFixed(2)} CNY`,
+      subject: `${env.PRODUCT_NAME} ${payAmountStr} CNY`,
      notifyUrl,
      returnUrl,
      clientIp: input.clientIp,
@@ -249,7 +250,7 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
    return {
      orderId: order.id,
      amount: input.amount,
-      payAmount,
+      payAmount: payAmountNum,
      feeRate,
      status: ORDER_STATUS.PENDING,
      paymentType: input.paymentType,