xiaokang/lotteryLaravel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(admin): 统一后台 API 资源鉴权并完善投注风控快照与回补

Browse Source
This commit is contained in:
kang
2026-05-19 09:11:50 +08:00
parent 6ef41cee76
commit 4cf561cd57
26 changed files with 1079 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
tests/Feature/AdminApiResourcePermissionMiddlewareTest.php Normal file
View File

@@ -0,0 +1,115 @@
<?php
use App\Models\AdminRole;
use App\Models\AdminUser;
use App\Lottery\ErrorCode;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use App\Support\AdminPermissionBridge;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
function mintAdminTokenWithLegacySlugs(string $username, array $permissionSlugs): string
{
$admin = AdminUser::query()->create([
'username' => $username,
'name' => 'Admin '.$username,
'email' => null,
'password' => Hash::make('secret-strong'),
'status' => 0,
]);
if ($permissionSlugs !== []) {
$role = AdminRole::query()->create([
'slug' => 'role_'.$username,
'name' => 'Role '.$username,
]);
$codes = [];
foreach ($permissionSlugs as $slug) {
$codes = array_merge($codes, AdminPermissionBridge::menuActionCodesForLegacy($slug));
}
$codes = array_values(array_unique($codes));
$ids = DB::table('admin_menu_actions')
->whereIn('permission_code', $codes)
->where('status', 1)
->pluck('id')
->all();
foreach ($ids as $mid) {
DB::table('admin_role_menu_actions')->insert([
'role_id' => $role->id,
'menu_action_id' => (int) $mid,
]);
}
$siteId = AdminUser::defaultAdminSiteId();
$admin->roles()->sync([
(int) $role->id => [
'site_id' => $siteId,
'granted_at' => now(),
],
]);
}
return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
}
test('admin api resource middleware allows login only resource for signed in admin', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_ping', []);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/ping')
->assertOk()
->assertJsonPath('code', ErrorCode::Success->value)
->assertJsonPath('data.scope', 'admin');
});
test('admin api resource middleware denies protected report resource without permission', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_denied', []);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/report-jobs')
->assertForbidden()
->assertJsonPath('code', ErrorCode::AdminForbidden->value);
});
test('admin api resource middleware allows protected report resource with mapped permission', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_reporter', ['prd.report.player']);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/report-jobs')
->assertOk()
->assertJsonPath('code', ErrorCode::Success->value)
->assertJsonPath('data.meta.total', 0);
});
test('admin api resource middleware denies wallet reconcile resource without permission', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_wallet_denied', []);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/wallet/transactions')
->assertForbidden()
->assertJsonPath('code', ErrorCode::AdminForbidden->value);
});
test('admin api resource middleware allows wallet reconcile resource with mapped permission', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_wallet_viewer', ['prd.wallet_reconcile.view']);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/wallet/transactions')
->assertOk()
->assertJsonPath('code', ErrorCode::Success->value)
->assertJsonPath('data.total', 0);
});
test('admin api resource middleware denies jackpot resource without permission', function (): void {
$token = mintAdminTokenWithLegacySlugs('resource_jackpot_denied', []);
$this->withHeader('Authorization', 'Bearer '.$token)
->getJson('/api/v1/admin/jackpot/pools')
->assertForbidden()
->assertJsonPath('code', ErrorCode::AdminForbidden->value);
});

48
tests/Feature/AdminAuthorizationAuditCommandTest.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
use Database\Seeders\AdminRbacAndUserSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
uses(RefreshDatabase::class);
test('admin authorization audit reports missing api resources for protected routes', function (): void {
DB::table('admin_api_resources')
->where('code', 'admin.config.play-versions.index')
->delete();
$this->artisan('lottery:admin-auth-audit')
->expectsOutputToContain('Admin authorization audit found')
->expectsOutputToContain('[route_coverage]')
->assertExitCode(1);
});
test('admin authorization audit passes on the default authorization catalog', function (): void {
$this->artisan('lottery:admin-auth-audit')
->expectsOutputToContain('Admin authorization audit passed.')
->assertExitCode(0);
});
test('admin authorization audit detects role api resource drift', function (): void {
$this->seed(AdminRbacAndUserSeeder::class);
$resourceId = DB::table('admin_api_resources')
->where('code', 'admin.audit.index')
->value('id');
$roleId = DB::table('admin_roles')
->where('slug', 'finance')
->value('id');
expect($resourceId)->not->toBeNull();
expect($roleId)->not->toBeNull();
DB::table('admin_role_api_resources')
->where('role_id', (int) $roleId)
->where('api_resource_id', (int) $resourceId)
->delete();
$this->artisan('lottery:admin-auth-audit --skip-route-coverage')
->expectsOutputToContain('Missing role-resource grant')
->assertExitCode(1);
});

23
tests/Feature/RiskPoolLuaScriptTest.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
use App\Services\Ticket\RiskPoolService;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
test('risk pool lua acquire script returns structured status and pool counters', function (): void {
$service = app(RiskPoolService::class);
$method = new ReflectionMethod($service, 'acquireLua');
$method->setAccessible(true);
$lua = (string) $method->invoke($service);
expect($lua)->toContain("return {'OK'")
->and($lua)->toContain('INVALID_ARGUMENT')
->and($lua)->toContain('POOL_NOT_INITIALIZED')
->and($lua)->toContain('VERSION_CONFLICT')
->and($lua)->toContain('INSUFFICIENT_CAP')
->and($lua)->toContain('remaining')
->and($lua)->toContain('locked')
->and($lua)->toContain('version');
});

96
tests/Feature/TicketBettingApiTest.php
View File

@@ -9,11 +9,13 @@ use App\Models\TicketItem;
use App\Lottery\DrawStatus;
use App\Models\OddsVersion;
use App\Models\TicketOrder;
use App\Models\JackpotPool;
use App\Models\PlayerWallet;
use App\Models\TicketCombination;
use App\Models\PlayConfigItem;
use App\Models\PlayConfigVersion;
use App\Lottery\ConfigVersionStatus;
use Illuminate\Support\Facades\DB;
use Database\Seeders\CurrencySeeder;
use Database\Seeders\PlayTypeSeeder;
use Database\Seeders\LotterySettingsSeeder;
@@ -226,6 +228,59 @@ test('ticket place deducts wallet and persists order items combinations and logs
expect((int) $wallet->balance)->toBe(200_000 - 12_400);
});
test('ticket place is idempotent by player draw and client trace id', function (): void {
$player = ticketPlayerWithWallet();
ticketOpenDraw();
$payload = array_merge(ticketPreviewPayload(), ['client_trace_id' => 'same-submit-once']);
$first = $this->withHeader('Authorization', 'Bearer dev:'.$player->id)
->postJson('/api/v1/ticket/place', $payload)
->assertOk()
->assertJsonPath('code', ErrorCode::Success->value)
->json('data');
$second = $this->withHeader('Authorization', 'Bearer dev:'.$player->id)
->postJson('/api/v1/ticket/place', $payload)
->assertOk()
->assertJsonPath('code', ErrorCode::Success->value)
->json('data');
expect($second['order_no'])->toBe($first['order_no'])
->and(TicketOrder::query()->count())->toBe(1)
->and(TicketItem::query()->count())->toBe(2)
->and(WalletTxn::query()->where('biz_type', 'bet_deduct')->count())->toBe(1);
$wallet = PlayerWallet::query()->where('player_id', $player->id)->firstOrFail();
expect((int) $wallet->balance)->toBe(200_000 - 12_400);
});
test('box family estimated max payout is the sum of every expanded combination payout', function (): void {
$player = ticketPlayerWithWallet(500_000);
ticketOpenDraw();
$response = $this->withHeader('Authorization', 'Bearer dev:'.$player->id)
->postJson('/api/v1/ticket/place', [
'draw_id' => '20260511-001',
'currency_code' => 'NPR',
'client_trace_id' => 'combo-payout-sum',
'lines' => [
['number' => '1122', 'play_code' => 'ibox', 'amount' => 100],
],
])
->assertOk()
->json('data');
$item = TicketItem::query()->firstOrFail();
$combinationSum = TicketCombination::query()
->where('ticket_item_id', $item->id)
->sum('estimated_payout');
expect((int) $response['summary']['total_estimated_payout'])->toBe((int) $combinationSum)
->and((int) $item->estimated_max_payout)->toBe((int) $combinationSum)
->and((int) $item->risk_locked_amount)->toBe((int) $combinationSum);
});
test('ticket place rejects closed draw', function (): void {
$player = ticketPlayerWithWallet();
$draw = ticketOpenDraw();
@@ -285,6 +340,10 @@ test('ticket place succeeds when expected_config_versions matches preview', func
->assertJsonPath('code', ErrorCode::Success->value);
expect(TicketOrder::query()->count())->toBe(1);
$order = TicketOrder::query()->firstOrFail();
expect((int) $order->play_config_version_no)->toBe((int) $versions['play_config_version_no'])
->and((int) $order->odds_version_no)->toBe((int) $versions['odds_version_no'])
->and((int) $order->risk_cap_version_no)->toBe((int) $versions['risk_cap_version_no']);
});
test('ticket place rejects stale expected_config_versions', function (): void {
@@ -769,3 +828,40 @@ test('ticket pending confirmation reconcile confirms order when wallet deduction
->and($item->fresh()->status)->toBe('success')
->and((int) RiskPool::query()->where('draw_id', $draw->id)->where('normalized_number', '1234')->value('locked_amount'))->toBe(3000);
});
test('ticket place reverses wallet and releases risk when post deduction confirmation fails', function (): void {
$player = ticketPlayerWithWallet(20_000);
$draw = ticketOpenDraw();
JackpotPool::query()->create([
'currency_code' => 'NPR',
'current_amount' => 0,
'contribution_rate' => 1,
'trigger_threshold' => 0,
'payout_rate' => 0,
'force_trigger_draw_gap' => 0,
'min_bet_amount' => 0,
'status' => 1,
]);
DB::statement("CREATE TRIGGER fail_jackpot_contribution_insert BEFORE INSERT ON jackpot_contributions BEGIN SELECT RAISE(ABORT, 'forced_confirmation_failure'); END");
$this->withHeader('Authorization', 'Bearer dev:'.$player->id)
->postJson('/api/v1/ticket/place', [
'draw_id' => '20260511-001',
'currency_code' => 'NPR',
'client_trace_id' => 'wallet-reverse-on-confirm-fail',
'lines' => [
['number' => '1234', 'play_code' => 'big', 'amount' => 120],
],
])
->assertStatus(500);
$wallet = PlayerWallet::query()->where('player_id', $player->id)->firstOrFail();
$order = TicketOrder::query()->where('client_trace_id', 'wallet-reverse-on-confirm-fail')->firstOrFail();
expect((int) $wallet->balance)->toBe(20_000)
->and($order->status)->toBe('refunded')
->and(WalletTxn::query()->where('biz_no', $order->order_no)->where('biz_type', 'bet_deduct')->count())->toBe(1)
->and(WalletTxn::query()->where('biz_no', $order->order_no)->where('biz_type', 'bet_reverse')->count())->toBe(1)
->and((int) RiskPool::query()->where('draw_id', $draw->id)->where('normalized_number', '1234')->value('locked_amount'))->toBe(0);
});