feat: 更新环境配置并增强 iframe 安全处理机制

修改 .env.example，优化环境切换说明，并新增 API_BASE_URL 配置项，提升配置管理能力。更新 next.config.ts：使用 API_BASE_URL 代理 API 请求，增强开发与生产环境的灵活性。重构 iframe-bridge 与 use-token-refresh 组件，采用新的 iframe 来源校验方法，提升安全性检查能力。优化 csp-config.ts：动态注入允许的父级来源（parent origins）到 CSP 配置中，强化安全策略。调整 lottery-http：通过 Next.js 代理转发 API 请求，简化 API 调用流程。
2026-05-28 10:12:24 +08:00
parent 58afa8e844
commit 1316a62ce3
8 changed files with 203 additions and 54 deletions
--- a/src/components/iframe-bridge.tsx
+++ b/src/components/iframe-bridge.tsx
@@ -4,6 +4,10 @@ import { useEffect, useCallback, type ReactNode } from "react";

 import { usePlayerSessionStore } from "@/stores/player-session-store";
 import { setPlayerBearerToken } from "@/lib/lottery-auth";
+import {
+  isIframeOriginAllowed,
+  loadIframeAllowedOrigins,
+} from "@/lib/iframe-origins";

 /**
 * iframe 通信桥接组件
@@ -87,21 +91,13 @@ export function IframeBridge({ children }: { children: ReactNode }): ReactNode {

    console.log("[IframeBridge] Setting up iframe communication");

-    const handleMessage = (event: MessageEvent): void => {
-      // 安全：验证来源域名
-      const allowedOrigins = [
-        process.env.NEXT_PUBLIC_MAIN_SITE_URL,
-        process.env.NEXT_PUBLIC_PARENT_ORIGIN,
-        "http://localhost:3800",
-        "http://127.0.0.1:3800",
-      ].filter(Boolean);
-
-      if (
-        allowedOrigins.length > 0 &&
-        !allowedOrigins.includes(event.origin)
-      ) {
-        console.warn("[IframeBridge] Rejected message from:", event.origin);
-        return;
+    const handleMessage = async (event: MessageEvent): Promise<void> => {
+      if (!isIframeOriginAllowed(event.origin)) {
+        await loadIframeAllowedOrigins();
+        if (!isIframeOriginAllowed(event.origin)) {
+          console.warn("[IframeBridge] Rejected message from:", event.origin);
+          return;
+        }
      }

      const { data } = event;
@@ -158,8 +154,10 @@ export function IframeBridge({ children }: { children: ReactNode }): ReactNode {

    window.addEventListener("message", handleMessage);

-    // 发送就绪通知
-    notifyReady();
+    // 先加载后台白名单，再发送 READY，避免父站立即回 Token 时被本端误拒。
+    void loadIframeAllowedOrigins().finally(() => {
+      notifyReady();
+    });

    // 定期发送心跳
    const heartbeat = setInterval(() => {