refactor(P0): JWT 认证、并发安全、错误日志三项安全加固
- 新增 JWT httpOnly cookie 认证链路 (jose),登录/注册签发 token, 所有用户和盲盒 API 改为从 cookie 提取 userId,不再信任客户端传值 - 新增 /api/auth/logout 端点清除认证 cookie - GET /api/user 区分 owner/非 owner,非 owner 不暴露 email - atomicUpdateRoom 新增 per-room 应用层互斥锁,防止 SQLite 下并发 lost update - 修复 getRoomData 中 fire-and-forget delete 改为 await - 37 个静默 catch 块跨 17 个文件添加 console.error 日志 - 新增 REFACTOR_PLAN.md 全景分析文档
This commit is contained in:
@@ -1,7 +1,8 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { requireMembership } from "@/lib/blindbox";
|
||||
import { apiHandler, ApiError, requireUserId } from "@/lib/api";
|
||||
import { apiHandler, ApiError } from "@/lib/api";
|
||||
import { runPlanGeneration } from "@/lib/blindboxPlanGen";
|
||||
import { getAuthUserId } from "@/lib/auth";
|
||||
|
||||
interface AvailableTime {
|
||||
date: string;
|
||||
@@ -10,9 +11,9 @@ interface AvailableTime {
|
||||
}
|
||||
|
||||
export const POST = apiHandler(async (req) => {
|
||||
const { roomId, userId, availableTime } = await req.json();
|
||||
const userId = await getAuthUserId(req);
|
||||
const { roomId, availableTime } = await req.json();
|
||||
|
||||
requireUserId(userId);
|
||||
if (!roomId) throw new ApiError("roomId 不能为空");
|
||||
|
||||
await requireMembership(roomId, userId);
|
||||
@@ -27,7 +28,7 @@ export const POST = apiHandler(async (req) => {
|
||||
throw new ApiError("请选择有效的可用时间");
|
||||
}
|
||||
|
||||
const result = await runPlanGeneration(roomId, userId!, at);
|
||||
const result = await runPlanGeneration(roomId, userId, at);
|
||||
|
||||
return NextResponse.json({
|
||||
id: result.id,
|
||||
@@ -69,14 +70,15 @@ function computeEndTime(planData: string, now: Date): Date | null {
|
||||
}
|
||||
|
||||
return base;
|
||||
} catch {
|
||||
} catch (e) {
|
||||
console.error("computeEndTime failed:", e);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export const PATCH = apiHandler(async (req) => {
|
||||
const { planId, userId, action, days } = await req.json();
|
||||
requireUserId(userId);
|
||||
const userId = await getAuthUserId(req);
|
||||
const { planId, action, days } = await req.json();
|
||||
if (!planId) throw new ApiError("planId 不能为空");
|
||||
|
||||
const { prisma } = await import("@/lib/prisma");
|
||||
@@ -129,10 +131,9 @@ export const PATCH = apiHandler(async (req) => {
|
||||
});
|
||||
|
||||
export const GET = apiHandler(async (req) => {
|
||||
const userId = await getAuthUserId(req);
|
||||
const { searchParams } = new URL(req.url);
|
||||
const mode = searchParams.get("mode") || "latest";
|
||||
const userId = searchParams.get("userId");
|
||||
requireUserId(userId);
|
||||
|
||||
const { prisma } = await import("@/lib/prisma");
|
||||
|
||||
@@ -141,7 +142,7 @@ export const GET = apiHandler(async (req) => {
|
||||
if (!roomId) throw new ApiError("roomId 不能为空");
|
||||
|
||||
const plan = await prisma.weekendPlan.findFirst({
|
||||
where: { roomId, userId: userId!, status: "accepted" },
|
||||
where: { roomId, userId, status: "accepted" },
|
||||
orderBy: { createdAt: "desc" },
|
||||
select: { id: true, planData: true, endTime: true, createdAt: true },
|
||||
});
|
||||
@@ -156,7 +157,7 @@ export const GET = apiHandler(async (req) => {
|
||||
if (mode === "pending") {
|
||||
const plans = await prisma.weekendPlan.findMany({
|
||||
where: {
|
||||
userId: userId!,
|
||||
userId,
|
||||
status: "accepted",
|
||||
endTime: { not: null, lt: new Date() },
|
||||
},
|
||||
@@ -190,7 +191,7 @@ export const GET = apiHandler(async (req) => {
|
||||
if (mode === "history") {
|
||||
const plans = await prisma.weekendPlan.findMany({
|
||||
where: {
|
||||
userId: userId!,
|
||||
userId,
|
||||
status: { in: ["completed", "expired"] },
|
||||
},
|
||||
orderBy: { createdAt: "desc" },
|
||||
|
||||
Reference in New Issue
Block a user