oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(payment): restore public resume and result flows

Browse Source
This commit is contained in:
IanShaw027
2026-04-22 11:17:23 +08:00
parent c229f33e9e
commit dd314c41e3
15 changed files with 435 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
backend/internal/service/payment_resume_service.go
View File

@@ -209,7 +209,7 @@ func visibleMethodSourceSettingKey(method string) string {
}
}
func CanonicalizeReturnURL(raw string, srcHost string) (string, error) {
func CanonicalizeReturnURL(raw string, srcHost string, srcURL string) (string, error) {
raw = strings.TrimSpace(raw)
if raw == "" {
return "", nil
@@ -228,13 +228,29 @@ func CanonicalizeReturnURL(raw string, srcHost string) (string, error) {
if parsed.Path != paymentResultReturnPath {
return "", infraerrors.BadRequest("INVALID_RETURN_URL", "return_url must target the canonical internal payment result page")
}
if !sameOriginHost(parsed.Host, srcHost) {
return "", infraerrors.BadRequest("INVALID_RETURN_URL", "return_url must use the same host as the current site")
if !allowedReturnURLHost(parsed.Host, srcHost, srcURL) {
return "", infraerrors.BadRequest("INVALID_RETURN_URL", "return_url must use the same host as the current site or browser origin")
}
return parsed.String(), nil
}
func buildPaymentReturnURL(base string, orderID int64, resumeToken string) (string, error) {
func allowedReturnURLHost(returnURLHost string, requestHost string, refererURL string) bool {
if sameOriginHost(returnURLHost, requestHost) {
return true
}
refererURL = strings.TrimSpace(refererURL)
if refererURL == "" {
return false
}
parsedReferer, err := url.Parse(refererURL)
if err != nil || parsedReferer.Host == "" {
return false
}
return sameOriginHost(returnURLHost, parsedReferer.Host)
}
func buildPaymentReturnURL(base string, orderID int64, outTradeNo string, resumeToken string) (string, error) {
canonical := strings.TrimSpace(base)
if canonical == "" {
return "", nil
@@ -253,6 +269,9 @@ func buildPaymentReturnURL(base string, orderID int64, resumeToken string) (stri
if orderID > 0 {
query.Set("order_id", strconv.FormatInt(orderID, 10))
}
if strings.TrimSpace(outTradeNo) != "" {
query.Set("out_trade_no", strings.TrimSpace(outTradeNo))
}
if strings.TrimSpace(resumeToken) != "" {
query.Set("resume_token", strings.TrimSpace(resumeToken))
}