fix auth completion and payment resume hardening

2026-04-21 08:23:26 +08:00
parent f11b7d5105
commit 09351e9459
8 changed files with 199 additions and 47 deletions
--- a/frontend/src/views/user/PaymentResultView.vue
+++ b/frontend/src/views/user/PaymentResultView.vue
@@ -219,7 +219,6 @@ onMounted(async () => {
  const routeOrderId = Number(route.query.order_id) || 0
  const outTradeNo = String(route.query.out_trade_no || '')
  let orderId = 0
-  let canUseLegacyPublicVerify = false

  if (resumeToken && typeof window !== 'undefined') {
    const restored = readPaymentRecoverySnapshot(
@@ -264,23 +263,12 @@ onMounted(async () => {
  const hasLegacyFallbackContext = typeof route.query.trade_status === 'string'
    && route.query.trade_status.trim() !== ''
  if (!order.value && !resumeToken && !orderId && outTradeNo && hasLegacyFallbackContext) {
-    canUseLegacyPublicVerify = true
    returnInfo.value = {
      outTradeNo,
      money: String(route.query.money || ''),
      type: String(route.query.type || ''),
      tradeStatus: String(route.query.trade_status || ''),
    }
-
-    try {
-      const result = await paymentAPI.verifyOrderPublic(outTradeNo)
-      order.value = result.data
-    } catch (_err: unknown) {
-      try {
-        const result = await paymentAPI.verifyOrder(outTradeNo)
-        order.value = result.data
-      } catch (_e: unknown) { /* fall through */ }
-    }
  }

  const refreshOrder = async (): Promise<PaymentOrder | null> => {
@@ -292,20 +280,6 @@ onMounted(async () => {
      return await paymentStore.pollOrderStatus(orderId)
    }

-    if (canUseLegacyPublicVerify && outTradeNo) {
-      try {
-        const result = await paymentAPI.verifyOrderPublic(outTradeNo)
-        return result.data
-      } catch (_err: unknown) {
-        try {
-          const result = await paymentAPI.verifyOrder(outTradeNo)
-          return result.data
-        } catch (_e: unknown) {
-          return null
-        }
-      }
-    }
-
    return null
  }

--- a/frontend/src/views/user/tests/PaymentResultView.spec.ts
+++ b/frontend/src/views/user/tests/PaymentResultView.spec.ts
@@ -225,16 +225,13 @@ describe('PaymentResultView', () => {
    expect(verifyOrder).not.toHaveBeenCalled()
  })

-  it('keeps legacy out_trade_no verification as a fallback when no order context is available', async () => {
+  it('does not use anonymous out_trade_no verification when no signed resume context is available', async () => {
    routeState.query = {
      out_trade_no: 'legacy-123',
      trade_status: 'TRADE_SUCCESS',
    }
-    verifyOrderPublic.mockResolvedValue({
-      data: orderFactory('PAID'),
-    })

-    const wrapper = mount(PaymentResultView, {
+    mount(PaymentResultView, {
      global: {
        stubs: {
          OrderStatusBadge: true,
@@ -244,8 +241,8 @@ describe('PaymentResultView', () => {

    await flushPromises()

-    expect(verifyOrderPublic).toHaveBeenCalledWith('legacy-123')
-    expect(wrapper.text()).toContain('payment.result.success')
+    expect(verifyOrderPublic).not.toHaveBeenCalled()
+    expect(verifyOrder).not.toHaveBeenCalled()
  })

  it('does not use public out_trade_no verification for bare order numbers without legacy return markers', async () => {