feat: 更新环境配置并增强 iframe 安全处理机制

修改 .env.example，优化环境切换说明，并新增 API_BASE_URL 配置项，提升配置管理能力。更新 next.config.ts：使用 API_BASE_URL 代理 API 请求，增强开发与生产环境的灵活性。重构 iframe-bridge 与 use-token-refresh 组件，采用新的 iframe 来源校验方法，提升安全性检查能力。优化 csp-config.ts：动态注入允许的父级来源（parent origins）到 CSP 配置中，强化安全策略。调整 lottery-http：通过 Next.js 代理转发 API 请求，简化 API 调用流程。
2026-05-28 10:12:24 +08:00
parent 58afa8e844
commit 1316a62ce3
8 changed files with 203 additions and 54 deletions
--- a/middleware.ts
+++ b/middleware.ts
@@ -0,0 +1,47 @@
+import { NextResponse, type NextRequest } from "next/server";
+
+import { generateCSP, nonCspSecurityHeaders } from "./src/lib/csp-config";
+
+type RuntimeOriginsEnvelope = {
+  code?: number;
+  data?: {
+    iframe_allowed_origins?: unknown;
+  };
+};
+
+async function loadRuntimeOrigins(request: NextRequest): Promise<string[]> {
+  try {
+    const url = new URL("/api/v1/integration/runtime-origins", request.url);
+    const response = await fetch(url, {
+      headers: { Accept: "application/json" },
+      cache: "no-store",
+    });
+
+    if (!response.ok) return [];
+
+    const payload = (await response.json()) as RuntimeOriginsEnvelope;
+    const origins = payload.data?.iframe_allowed_origins;
+
+    if (!Array.isArray(origins)) return [];
+
+    return origins.filter((origin): origin is string => typeof origin === "string");
+  } catch {
+    return [];
+  }
+}
+
+export async function middleware(request: NextRequest): Promise<NextResponse> {
+  const response = NextResponse.next();
+  const runtimeOrigins = await loadRuntimeOrigins(request);
+
+  response.headers.set("Content-Security-Policy", generateCSP(runtimeOrigins));
+  for (const header of nonCspSecurityHeaders) {
+    response.headers.set(header.key, header.value);
+  }
+
+  return response;
+}
+
+export const config = {
+  matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
+};