kurihada/no-whatever
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(P0): JWT 认证、并发安全、错误日志三项安全加固

Browse Source 
- 新增 JWT httpOnly cookie 认证链路 (jose),登录/注册签发 token,
  所有用户和盲盒 API 改为从 cookie 提取 userId,不再信任客户端传值
- 新增 /api/auth/logout 端点清除认证 cookie
- GET /api/user 区分 owner/非 owner,非 owner 不暴露 email
- atomicUpdateRoom 新增 per-room 应用层互斥锁,防止 SQLite 下并发 lost update
- 修复 getRoomData 中 fire-and-forget delete 改为 await
- 37 个静默 catch 块跨 17 个文件添加 console.error 日志
- 新增 REFACTOR_PLAN.md 全景分析文档
This commit is contained in:
kurihada
2026-03-02 17:24:26 +08:00
parent 99120a7042
commit ce76980fe5
41 changed files with 528 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/app/api/blindbox/plan/refine/route.ts
+4 -3
View File
@@ -1,10 +1,11 @@
import { NextResponse } from "next/server";
import { apiHandler, ApiError, requireUserId } from "@/lib/api";
import { apiHandler, ApiError } from "@/lib/api";
import { refinePlan } from "@/lib/ai";
import { getAuthUserId } from "@/lib/auth";
export const POST = apiHandler(async (req) => {
const { userId, instruction, days } = await req.json();
requireUserId(userId);
await getAuthUserId(req);
const { instruction, days } = await req.json();
if (!instruction?.trim()) throw new ApiError("指令不能为空", 400);
if (!Array.isArray(days) || days.length === 0) throw new ApiError("days 无效", 400);