fix: 用户名唯一性竞态处理 + 密码长度上限 + JSON.parse 安全

- #6: register/user PUT 捕获 P2002 返回 409，apiHandler 全局兜底 - #8: GET /api/user 的 JSON.parse(preferences) 加 try/catch 防崩溃 - #12: 密码校验加 128 字符上限防 DoS - #29: ApiError.name 设为 "ApiError" 便于调试
2026-02-26 20:14:02 +08:00
parent 6488c19172
commit 9c7f18e0fa
4 changed files with 57 additions and 27 deletions
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
+import { Prisma } from "@prisma/client";
 import bcrypt from "bcryptjs";
 import { apiHandler, ApiError } from "@/lib/api";
 import { validateUsername, validatePassword } from "@/lib/validation";
@@ -12,22 +13,26 @@ export const POST = apiHandler(async (req) => {
  const trimmedUsername = validateUsername(username);
  validatePassword(password);

-  const existing = await prisma.user.findUnique({ where: { username: trimmedUsername } });
-  if (existing) throw new ApiError("用户名已被注册", 409);
-
  const passwordHash = await bcrypt.hash(password, 10);

-  const user = await prisma.user.create({
-    data: {
-      username: trimmedUsername,
-      passwordHash,
-      avatar: avatar || "🐱",
-    },
-  });
+  try {
+    const user = await prisma.user.create({
+      data: {
+        username: trimmedUsername,
+        passwordHash,
+        avatar: avatar || "🐱",
+      },
+    });

-  return NextResponse.json({
-    id: user.id,
-    username: user.username,
-    avatar: user.avatar,
-  });
+    return NextResponse.json({
+      id: user.id,
+      username: user.username,
+      avatar: user.avatar,
+    });
+  } catch (e) {
+    if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2002") {
+      throw new ApiError("用户名已被注册", 409);
+    }
+    throw e;
+  }
 });
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
+import { Prisma } from "@prisma/client";
 import bcrypt from "bcryptjs";
 import { apiHandler, ApiError, requireUserId, requireUser } from "@/lib/api";
 import { validateUsername, validatePassword, validateEmail } from "@/lib/validation";
@@ -13,12 +14,15 @@ export const GET = apiHandler(async (req) => {

  const decisionCount = await prisma.decision.count({ where: { userId } });

+  let preferences = {};
+  try { preferences = JSON.parse(user.preferences); } catch { /* fallback */ }
+
  return NextResponse.json({
    id: user.id,
    username: user.username,
    avatar: user.avatar,
    email: user.email,
-    preferences: JSON.parse(user.preferences),
+    preferences,
    createdAt: user.createdAt.toISOString(),
    decisionCount,
  });
@@ -63,16 +67,23 @@ export const PUT = apiHandler(async (req) => {
    updateData.preferences = JSON.stringify(body.preferences);
  }

-  const user = await prisma.user.update({
-    where: { id: userId },
-    data: updateData,
-  });
+  try {
+    const user = await prisma.user.update({
+      where: { id: userId },
+      data: updateData,
+    });

-  return NextResponse.json({
-    id: user.id,
-    username: user.username,
-    avatar: user.avatar,
-    email: user.email,
-    preferences: JSON.parse(user.preferences),
-  });
+    return NextResponse.json({
+      id: user.id,
+      username: user.username,
+      avatar: user.avatar,
+      email: user.email,
+      preferences: JSON.parse(user.preferences),
+    });
+  } catch (e) {
+    if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2002") {
+      throw new ApiError("用户名已被占用", 409);
+    }
+    throw e;
+  }
 });