feat: 增强钱包 API URL 验证与配置
- 在 AdminIntegrationSiteStoreRequest 和 AdminIntegrationSiteUpdateRequest 中引入 WalletApiUrlRule,确保 wallet_api_url 字段符合 HTTPS 公开域名要求。 - 更新 HttpMainSiteWalletBalanceClient 和 HttpMainSiteWalletGateway,使用 WalletApiUrlSanitizer 进行 URL 规范化与验证,防止 SSRF 攻击。 - 新增测试用例,验证 wallet_api_url 的有效性,确保系统安全性与稳定性。 - 更新 .env.example 文件,添加 LOTTERY_RISK_POOL_USE_REDIS_LUA 配置项以支持 Redis Lua 原子扣减功能。 - 修改 package-lock.json 中的项目名称,确保一致性。 - 在 API 路由中新增 integration/runtime-origins 路由,提供运行时白名单功能。
This commit is contained in:
@@ -323,3 +323,42 @@ test('player list is filtered by admin site binding', function (): void {
|
||||
$siteCodes = collect($response->json('data.items'))->pluck('site_code')->unique()->values()->all();
|
||||
expect($siteCodes)->toBe(['site-a']);
|
||||
});
|
||||
|
||||
test('wallet_api_url rejects non-https', function (): void {
|
||||
$token = integrationAdminToken();
|
||||
|
||||
$this->withHeader('Authorization', 'Bearer '.$token)
|
||||
->postJson('/api/v1/admin/integration-sites', [
|
||||
'code' => 'bad-https-1',
|
||||
'name' => 'Bad HTTPS 1',
|
||||
'wallet_api_url' => 'http://wallet.bad.test',
|
||||
])
|
||||
->assertStatus(422)
|
||||
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
|
||||
});
|
||||
|
||||
test('wallet_api_url rejects localhost', function (): void {
|
||||
$token = integrationAdminToken();
|
||||
|
||||
$this->withHeader('Authorization', 'Bearer '.$token)
|
||||
->postJson('/api/v1/admin/integration-sites', [
|
||||
'code' => 'bad-https-2',
|
||||
'name' => 'Bad HTTPS 2',
|
||||
'wallet_api_url' => 'https://localhost:8080',
|
||||
])
|
||||
->assertStatus(422)
|
||||
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
|
||||
});
|
||||
|
||||
test('wallet_api_url rejects private ip with path', function (): void {
|
||||
$token = integrationAdminToken();
|
||||
|
||||
$this->withHeader('Authorization', 'Bearer '.$token)
|
||||
->postJson('/api/v1/admin/integration-sites', [
|
||||
'code' => 'bad-https-3',
|
||||
'name' => 'Bad HTTPS 3',
|
||||
'wallet_api_url' => 'https://127.0.0.1/wallet',
|
||||
])
|
||||
->assertStatus(422)
|
||||
->assertJsonPath('data.errors.wallet_api_url.0', 'wallet_api_url 必须是 https 的公开域名根地址,并拒绝 localhost/内网 IP 与带路径/查询的地址。');
|
||||
});
|
||||
|
||||
38
tests/Feature/PublicIntegrationRuntimeOriginsTest.php
Normal file
38
tests/Feature/PublicIntegrationRuntimeOriginsTest.php
Normal file
@@ -0,0 +1,38 @@
|
||||
<?php
|
||||
|
||||
use App\Models\AdminSite;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
test('public runtime origins returns enabled integration site iframe origins only', function (): void {
|
||||
AdminSite::query()->create([
|
||||
'code' => 'enabled-a',
|
||||
'name' => 'Enabled A',
|
||||
'currency_code' => 'NPR',
|
||||
'status' => 1,
|
||||
'iframe_allowed_origins' => [
|
||||
'https://main.example.test',
|
||||
'https://main.example.test',
|
||||
' https://shell.example.test ',
|
||||
],
|
||||
]);
|
||||
|
||||
AdminSite::query()->create([
|
||||
'code' => 'disabled-a',
|
||||
'name' => 'Disabled A',
|
||||
'currency_code' => 'NPR',
|
||||
'status' => 0,
|
||||
'iframe_allowed_origins' => [
|
||||
'https://disabled.example.test',
|
||||
],
|
||||
]);
|
||||
|
||||
$this->getJson('/api/v1/integration/runtime-origins')
|
||||
->assertOk()
|
||||
->assertJsonPath('code', 0)
|
||||
->assertJsonPath('data.iframe_allowed_origins', [
|
||||
'https://main.example.test',
|
||||
'https://shell.example.test',
|
||||
]);
|
||||
});
|
||||
@@ -59,13 +59,13 @@ test('wallet balance rejects illegal currency query', function () {
|
||||
|
||||
test('wallet balance returns main_balance when main site wallet api is configured', function () {
|
||||
config([
|
||||
'lottery.main_site.wallet_api_url' => 'http://fake-main.test',
|
||||
'lottery.main_site.wallet_api_url' => 'https://fake-main.test',
|
||||
'lottery.main_site.wallet_balance_path' => '/wallet/balance',
|
||||
]);
|
||||
|
||||
Http::preventStrayRequests();
|
||||
Http::fake([
|
||||
'http://fake-main.test/wallet/balance*' => Http::response([
|
||||
'https://fake-main.test/wallet/balance*' => Http::response([
|
||||
'success' => true,
|
||||
'data' => [
|
||||
'main_balance' => 499_900,
|
||||
|
||||
@@ -111,7 +111,7 @@ test('transfer in main site explicit failure returns 1009 and marks order failed
|
||||
Http::fake([
|
||||
'reject-debit.test/*' => Http::response(['success' => false, 'message' => 'main_insufficient'], 200),
|
||||
]);
|
||||
config(['lottery.main_site.wallet_api_url' => 'http://reject-debit.test']);
|
||||
config(['lottery.main_site.wallet_api_url' => 'https://reject-debit.test']);
|
||||
config(['lottery.main_site.wallet_debit_path' => 'debit']);
|
||||
|
||||
$player = Player::query()->create([
|
||||
@@ -143,7 +143,7 @@ test('transfer in main site timeout returns 1002 and pending_reconcile', functio
|
||||
Http::fake([
|
||||
'timeout-debit.test/*' => Http::response([], 504),
|
||||
]);
|
||||
config(['lottery.main_site.wallet_api_url' => 'http://timeout-debit.test']);
|
||||
config(['lottery.main_site.wallet_api_url' => 'https://timeout-debit.test']);
|
||||
config(['lottery.main_site.wallet_debit_path' => 'debit']);
|
||||
|
||||
$player = Player::query()->create([
|
||||
@@ -210,7 +210,7 @@ test('transfer out main site failure refunds lottery and returns 1009', function
|
||||
Http::fake([
|
||||
'reject-credit.test/*' => Http::response(['success' => false, 'message' => 'credit_denied'], 200),
|
||||
]);
|
||||
config(['lottery.main_site.wallet_api_url' => 'http://reject-credit.test']);
|
||||
config(['lottery.main_site.wallet_api_url' => 'https://reject-credit.test']);
|
||||
config(['lottery.main_site.wallet_credit_path' => 'credit']);
|
||||
|
||||
$player = Player::query()->create([
|
||||
@@ -251,7 +251,7 @@ test('transfer out main site timeout returns 1002 and pending_reconcile on order
|
||||
Http::fake([
|
||||
'timeout-credit.test/*' => Http::response([], 504),
|
||||
]);
|
||||
config(['lottery.main_site.wallet_api_url' => 'http://timeout-credit.test']);
|
||||
config(['lottery.main_site.wallet_api_url' => 'https://timeout-credit.test']);
|
||||
config(['lottery.main_site.wallet_credit_path' => 'credit']);
|
||||
|
||||
$player = Player::query()->create([
|
||||
|
||||
@@ -256,7 +256,7 @@ test('transfer in http 504 marks order pending reconcile', function () {
|
||||
Http::fake([
|
||||
'fake-main.test/*' => Http::response([], 504),
|
||||
]);
|
||||
config(['lottery.main_site.wallet_api_url' => 'http://fake-main.test']);
|
||||
config(['lottery.main_site.wallet_api_url' => 'https://fake-main.test']);
|
||||
config(['lottery.main_site.wallet_debit_path' => 'debit']);
|
||||
|
||||
$player = Player::query()->create([
|
||||
|
||||
Reference in New Issue
Block a user