wanwu/sub2apipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 全面安全审计修复

Browse Source 
安全加固:
- 系统配置 API 增加写入 key 白名单,防止任意配置注入
- ADMIN_TOKEN 最小长度要求 16 字符
- 补充安全响应头(X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
- /api/users/[id] 和 /api/limits 增加 token 鉴权
- console.error 敏感信息脱敏(config route)
- 敏感值 mask 修复短值完全隐藏

输入校验:
- admin 渠道接口校验 rate_multiplier > 0、sort_order >= 0、name 非空
- admin 订阅套餐接口校验 price > 0、validity_days > 0、sort_order >= 0

金额精度:
- feeRate 字段精度从 Decimal(5,2) 提升到 Decimal(5,4)
- calculatePayAmount 返回 string 避免 Number 中间转换精度丢失
- 支付宝查询订单增加金额有效性校验(isFinite && > 0)

UI 统一:
- 订阅管理「售卖」列改为 toggle switch 开关(与渠道管理一致)
- 表单中 checkbox 改为 toggle switch
- 列名统一为「启用售卖」,支持直接点击切换
This commit is contained in:
erio
2026-03-13 23:03:01 +08:00
parent 38156bd4ef
commit ca03a501f2
16 changed files with 157 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
prisma/migrations/20260313200000_fee_rate_precision/migration.sql Normal file
View File

@@ -0,0 +1,2 @@
-- AlterTable: increase fee_rate precision from Decimal(5,2) to Decimal(5,4)
ALTER TABLE "orders" ALTER COLUMN "fee_rate" TYPE DECIMAL(5,4);

2
prisma/schema.prisma
View File

@@ -14,7 +14,7 @@ model Order {
userNotes String? @map("user_notes")
amount Decimal @db.Decimal(10, 2)
payAmount Decimal? @db.Decimal(10, 2) @map("pay_amount")
feeRate Decimal? @db.Decimal(5, 2) @map("fee_rate")
feeRate Decimal? @db.Decimal(5, 4) @map("fee_rate")
rechargeCode String @unique @map("recharge_code")
status OrderStatus @default(PENDING)
paymentType String @map("payment_type")

71
src/app/admin/subscriptions/page.tsx
View File

@@ -168,7 +168,7 @@ function buildText(locale: Locale) {
colPrice: '价格',
colOriginalPrice: '原价',
colValidDays: '有效期',
colEnabled: '售卖',
colEnabled: '启用售卖',
colGroupStatus: '分组状态',
colActions: '操作',
edit: '编辑',
@@ -461,6 +461,25 @@ function SubscriptionsContent() {
}
};
/* --- toggle plan enabled --- */
const handleToggleEnabled = async (plan: SubscriptionPlan) => {
try {
const res = await fetch(`/api/admin/subscription-plans/${plan.id}`, {
method: 'PUT',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${token}`,
},
body: JSON.stringify({ for_sale: !plan.enabled }),
});
if (res.ok) {
setPlans((prev) => prev.map((p) => (p.id === plan.id ? { ...p, enabled: !p.enabled } : p)));
}
} catch {
/* ignore */
}
};
/* --- fetch user subs --- */
const fetchSubs = async () => {
if (!token || !subsUserId.trim()) return;
@@ -705,20 +724,21 @@ function SubscriptionsContent() {
: t.unitDay}
</td>
<td className={tdCls}>
<span
<button
type="button"
onClick={() => handleToggleEnabled(plan)}
className={[
'inline-block rounded-full px-2 py-0.5 text-xs font-medium',
plan.enabled
? isDark
? 'bg-green-500/20 text-green-300'
: 'bg-green-50 text-green-700'
: isDark
? 'bg-slate-700 text-slate-400'
: 'bg-gray-100 text-gray-500',
'relative inline-flex h-5 w-9 items-center rounded-full transition-colors',
plan.enabled ? 'bg-emerald-500' : isDark ? 'bg-slate-600' : 'bg-slate-300',
].join(' ')}
>
{plan.enabled ? t.enabled : t.disabled}
</span>
<span
className={[
'inline-block h-3.5 w-3.5 rounded-full bg-white transition-transform',
plan.enabled ? 'translate-x-4.5' : 'translate-x-0.5',
].join(' ')}
/>
</button>
</td>
<td className={tdCls}>
<span
@@ -1083,19 +1103,24 @@ function SubscriptionsContent() {
{/* Enabled */}
<div className="flex items-center gap-2">
<input
id="form-enabled"
type="checkbox"
checked={formEnabled}
onChange={(e) => setFormEnabled(e.target.checked)}
className="h-4 w-4 rounded border-slate-300"
/>
<label
htmlFor="form-enabled"
className={['text-sm', isDark ? 'text-slate-300' : 'text-slate-700'].join(' ')}
<button
type="button"
onClick={() => setFormEnabled(!formEnabled)}
className={[
'relative inline-flex h-6 w-11 items-center rounded-full transition-colors',
formEnabled ? 'bg-emerald-500' : isDark ? 'bg-slate-600' : 'bg-slate-300',
].join(' ')}
>
<span
className={[
'inline-block h-4 w-4 rounded-full bg-white transition-transform',
formEnabled ? 'translate-x-6' : 'translate-x-1',
].join(' ')}
/>
</button>
<span className={['text-sm', isDark ? 'text-slate-300' : 'text-slate-700'].join(' ')}>
{t.fieldEnabled}
</label>
</span>
</div>
</div>

7
src/app/api/admin/channels/[id]/route.ts
View File

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
}
}
if (body.rate_multiplier !== undefined && (typeof body.rate_multiplier !== 'number' || body.rate_multiplier <= 0)) {
return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
}
if (body.sort_order !== undefined && (!Number.isInteger(body.sort_order) || body.sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
const data: Record<string, unknown> = {};
if (body.group_id !== undefined) data.groupId = Number(body.group_id);
if (body.name !== undefined) data.name = body.name;

10
src/app/api/admin/channels/route.ts
View File

@@ -47,6 +47,16 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: group_id, name, platform, rate_multiplier' }, { status: 400 });
}
if (typeof name !== 'string' || name.trim() === '') {
return NextResponse.json({ error: 'name 必须非空' }, { status: 400 });
}
if (typeof rate_multiplier !== 'number' || rate_multiplier <= 0) {
return NextResponse.json({ error: 'rate_multiplier 必须是正数' }, { status: 400 });
}
if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
// 验证 group_id 唯一性
const existing = await prisma.channel.findUnique({
where: { groupId: Number(group_id) },

20
src/app/api/admin/config/route.ts
View File

@@ -6,7 +6,8 @@ const SENSITIVE_PATTERNS = ['KEY', 'SECRET', 'PASSWORD', 'PRIVATE'];
function maskSensitiveValue(key: string, value: string): string {
const isSensitive = SENSITIVE_PATTERNS.some((pattern) => key.toUpperCase().includes(pattern));
if (!isSensitive || value.length <= 4) return value;
if (!isSensitive) return value;
if (value.length <= 4) return '****';
return '*'.repeat(value.length - 4) + value.slice(-4);
}
@@ -23,7 +24,7 @@ export async function GET(request: NextRequest) {
return NextResponse.json({ configs: masked });
} catch (error) {
console.error('Failed to get system configs:', error);
console.error('Failed to get system configs:', error instanceof Error ? error.message : String(error));
return NextResponse.json({ error: '获取系统配置失败' }, { status: 500 });
}
}
@@ -39,11 +40,24 @@ export async function PUT(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: configs 数组' }, { status: 400 });
}
const ALLOWED_CONFIG_KEYS = new Set([
'PRODUCT_NAME',
'ENABLED_PAYMENT_TYPES',
'RECHARGE_MIN_AMOUNT',
'RECHARGE_MAX_AMOUNT',
'DAILY_RECHARGE_LIMIT',
'ORDER_TIMEOUT_MINUTES',
'IFRAME_ALLOW_ORIGINS',
]);
// 校验每条配置
for (const config of configs) {
if (!config.key || config.value === undefined) {
return NextResponse.json({ error: '每条配置必须包含 key 和 value' }, { status: 400 });
}
if (!ALLOWED_CONFIG_KEYS.has(config.key)) {
return NextResponse.json({ error: `不允许修改配置项: ${config.key}` }, { status: 400 });
}
}
await setSystemConfigs(
@@ -57,7 +71,7 @@ export async function PUT(request: NextRequest) {
return NextResponse.json({ success: true, updated: configs.length });
} catch (error) {
console.error('Failed to update system configs:', error);
console.error('Failed to update system configs:', error instanceof Error ? error.message : String(error));
return NextResponse.json({ error: '更新系统配置失败' }, { status: 500 });
}
}

7
src/app/api/admin/subscription-plans/[id]/route.ts
View File

@@ -27,6 +27,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
}
}
if (body.price !== undefined && (typeof body.price !== 'number' || body.price <= 0)) {
return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
}
if (body.validity_days !== undefined && (!Number.isInteger(body.validity_days) || body.validity_days <= 0)) {
return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
}
const data: Record<string, unknown> = {};
if (body.group_id !== undefined) data.groupId = Number(body.group_id);
if (body.name !== undefined) data.name = body.name;

10
src/app/api/admin/subscription-plans/route.ts
View File

@@ -61,6 +61,16 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: '缺少必填字段: group_id, name, price' }, { status: 400 });
}
if (typeof price !== 'number' || price <= 0) {
return NextResponse.json({ error: 'price 必须是正数' }, { status: 400 });
}
if (validity_days !== undefined && (!Number.isInteger(validity_days) || validity_days <= 0)) {
return NextResponse.json({ error: 'validity_days 必须是正整数' }, { status: 400 });
}
if (sort_order !== undefined && (!Number.isInteger(sort_order) || sort_order < 0)) {
return NextResponse.json({ error: 'sort_order 必须是非负整数' }, { status: 400 });
}
// 验证 group_id 唯一性
const existing = await prisma.subscriptionPlan.findUnique({
where: { groupId: Number(group_id) },

20
src/app/api/limits/route.ts
View File

@@ -1,11 +1,12 @@
import { NextResponse } from 'next/server';
import { NextRequest, NextResponse } from 'next/server';
import { queryMethodLimits } from '@/lib/order/limits';
import { initPaymentProviders, paymentRegistry } from '@/lib/payment';
import { getNextBizDayStartUTC } from '@/lib/time/biz-day';
import { getCurrentUserByToken } from '@/lib/sub2api/client';
/**
* GET /api/limits
* 返回各支付渠道今日限额使用情况,公开接口(无需鉴权)
* GET /api/limits?token=xxx
* 返回各支付渠道今日限额使用情况。
*
* Response:
* {
@@ -17,7 +18,18 @@ import { getNextBizDayStartUTC } from '@/lib/time/biz-day';
* resetAt: "2026-03-02T16:00:00.000Z" // 业务时区Asia/Shanghai次日零点对应的 UTC 时间
* }
*/
export async function GET() {
export async function GET(request: NextRequest) {
const token = request.nextUrl.searchParams.get('token')?.trim();
if (!token) {
return NextResponse.json({ error: 'token is required' }, { status: 400 });
}
try {
await getCurrentUserByToken(token);
} catch {
return NextResponse.json({ error: 'unauthorized' }, { status: 401 });
}
initPaymentProviders();
const types = paymentRegistry.getSupportedTypes();
const methods = await queryMethodLimits(types);

16
src/app/api/users/[id]/route.ts
View File

@@ -1,8 +1,20 @@
import { NextResponse } from 'next/server';
import { getUser } from '@/lib/sub2api/client';
import { getUser, getCurrentUserByToken } from '@/lib/sub2api/client';
// 仅返回用户是否存在,不暴露私隐信息(用户名/邮箱/余额需 token 验证)
export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
export async function GET(request: Request, { params }: { params: Promise<{ id: string }> }) {
const { searchParams } = new URL(request.url);
const token = searchParams.get('token')?.trim();
if (!token) {
return NextResponse.json({ error: 'token is required' }, { status: 400 });
}
try {
await getCurrentUserByToken(token);
} catch {
return NextResponse.json({ error: 'unauthorized' }, { status: 401 });
}
const { id } = await params;
const userId = Number(id);

4
src/lib/alipay/client.ts
View File

@@ -92,6 +92,10 @@ export async function execute<T extends AlipayResponse>(
const data = await parseAlipayJsonResponse<Record<string, unknown>>(response);
// 支付宝响应格式:{ "alipay_trade_query_response": { ... }, "sign": "..." }
// TODO: 实现响应验签 — 需要从原始响应文本中提取 responseKey 对应的 JSON 子串,
// 使用 verifySign 配合 ALIPAY_PUBLIC_KEY 验证 data.sign。
// 当前未验签是因为需要保留原始响应文本(不能 JSON.parse 后再 stringify
// 需要改造 parseAlipayJsonResponse 同时返回原始文本。
const responseKey = method.replace(/\./g, '_') + '_response';
const result = data[responseKey] as T | undefined;

7
src/lib/alipay/provider.ts
View File

@@ -120,10 +120,15 @@ export class AlipayProvider implements PaymentProvider {
status = 'pending';
}
const amount = parseFloat(result.total_amount || '0');
if (!Number.isFinite(amount) || amount <= 0) {
throw new Error(`Alipay queryOrder: invalid total_amount "${result.total_amount}" for trade ${tradeNo}`);
}
return {
tradeNo: result.trade_no || tradeNo,
status,
amount: Math.round(parseFloat(result.total_amount || '0') * 100) / 100,
amount: Math.round(amount * 100) / 100,
paidAt: result.send_pay_date ? new Date(result.send_pay_date) : undefined,
};
}

2
src/lib/config.ts
View File

@@ -87,7 +87,7 @@ const envSchema = z.object({
.pipe(z.number().min(0).optional()),
PRODUCT_NAME: z.string().default('Sub2API Balance Recharge'),
ADMIN_TOKEN: z.string().min(1),
ADMIN_TOKEN: z.string().min(16),
NEXT_PUBLIC_APP_URL: z.string().url(),
PAY_HELP_IMAGE_URL: optionalTrimmedString,

6
src/lib/order/fee.ts
View File

@@ -35,10 +35,10 @@ const ROUND_UP = 0;
* feeAmount = ceil(rechargeAmount * feeRate / 100, 保留2位小数)
* payAmount = rechargeAmount + feeAmount
*/
export function calculatePayAmount(rechargeAmount: number, feeRate: number): number {
if (feeRate <= 0) return rechargeAmount;
export function calculatePayAmount(rechargeAmount: number, feeRate: number): string {
if (feeRate <= 0) return rechargeAmount.toFixed(2);
const amount = new Prisma.Decimal(rechargeAmount);
const rate = new Prisma.Decimal(feeRate.toString());
const feeAmount = amount.mul(rate).div(100).toDecimalPlaces(2, ROUND_UP);
return amount.plus(feeAmount).toNumber();
return amount.plus(feeAmount).toFixed(2);
}

13
src/lib/order/service.ts
View File

@@ -158,7 +158,8 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
}
const feeRate = getMethodFeeRate(input.paymentType);
const payAmount = calculatePayAmount(input.amount, feeRate);
const payAmountStr = calculatePayAmount(input.amount, feeRate);
const payAmountNum = Number(payAmountStr);
const expiresAt = new Date(Date.now() + env.ORDER_TIMEOUT_MINUTES * 60 * 1000);
const order = await prisma.$transaction(async (tx) => {
@@ -169,8 +170,8 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
userName: user.username,
userNotes: user.notes || null,
amount: new Prisma.Decimal(input.amount.toFixed(2)),
payAmount: new Prisma.Decimal(payAmount.toFixed(2)),
feeRate: feeRate > 0 ? new Prisma.Decimal(feeRate.toFixed(2)) : null,
payAmount: new Prisma.Decimal(payAmountStr),
feeRate: feeRate > 0 ? new Prisma.Decimal(feeRate.toFixed(4)) : null,
rechargeCode: '',
status: 'PENDING',
paymentType: input.paymentType,
@@ -213,9 +214,9 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
const paymentResult = await provider.createPayment({
orderId: order.id,
amount: payAmount,
amount: payAmountNum,
paymentType: input.paymentType,
subject: `${env.PRODUCT_NAME} ${payAmount.toFixed(2)} CNY`,
subject: `${env.PRODUCT_NAME} ${payAmountStr} CNY`,
notifyUrl,
returnUrl,
clientIp: input.clientIp,
@@ -249,7 +250,7 @@ export async function createOrder(input: CreateOrderInput): Promise<CreateOrderR
return {
orderId: order.id,
amount: input.amount,
payAmount,
payAmount: payAmountNum,
feeRate,
status: ORDER_STATUS.PENDING,
paymentType: input.paymentType,

4
src/middleware.ts
View File

@@ -27,6 +27,10 @@ export function middleware(request: NextRequest) {
response.headers.set('Content-Security-Policy', `frame-ancestors 'self' ${[...origins].join(' ')}`);
}
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('X-Frame-Options', 'SAMEORIGIN');
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
return response;
}