fix(server/pay): promo 限购 settle 侧幂等复查 + 000027 部分唯一索引(TOCTOU)
ci-pangolin / Lint — shellcheck (pull_request) Successful in 11s
ci-pangolin / Redline Scan — 脱敏 (UI 文案) (pull_request) Successful in 25s
ci-pangolin / Cleartext Scan — Android 禁明文 (pull_request) Successful in 19s
ci-pangolin / OpenAPI Sync Check (pull_request) Successful in 41s
ci-pangolin / Portable SQL — 可移植性 (mysql/sqlite) (pull_request) Successful in 20s
ci-pangolin / Codegen Drift — token 生成物未漂移 (pull_request) Successful in 4s
ci-pangolin / DS-flow — 原型/跨端同源/代码色单源闸 (pull_request) Successful in 5s
ci-pangolin / Go — build + test (pull_request) Failing after 14s
ci-pangolin / E2E Smoke — L4 进程级端到端 (pull_request) Failing after 11s
ci-pangolin / Go — integration (mysql/redis testcontainers) (pull_request) Failing after 4m44s
ci-pangolin / Golden — 视觉回归 (全量:components/auth/desktop/tablet) (pull_request) Failing after 20s
ci-pangolin / Flutter — analyze + test (pull_request) Failing after 11m55s

CreateOrder 下单时的 HasPaidPurchase 只是裸 SELECT 无锁,并发/多挂起单可绕过
promo SKU「每账号限购一次」。两层修:
① webhook.go settle 在锁行、开通前对 item.Promo 的 SKU 复查一次(排除本单),
   命中说明另一笔同 user+SKU 订单已抢先 settle,跳过发放(不二次 +N 天)、
   仍 ack(否则 pay 无限重投)。新增 store.HasPaidPurchaseExcludingTx /
   MarkDuplicatePromoTx——重复单标记 canceled 而非 paid,避免自撞下面的
   唯一索引、也避免整笔 500 触发死循环重投。
② migration 000027(sqlite):部分唯一索引 ux_pay_promo_paid ON
   pay_purchases(user_id, sku) WHERE status='paid' AND sku='pro_month_promo',
   兜底防止任何路径把同一用户的 promo 单二次写成 paid。mysql 8 不支持部分
   索引,000027 mysql 侧是 no-op 占位(仅对齐编号),该场景 mysql 只靠①的
   应用层复查兜底——两库防线强度不同,已在迁移文件与代码注释中记录。

副作用:新增迁移把 sqlite 迁移顶点从 26 推到 27,同步更新
internal/store/sqlite_migrate_test.go 的版本断言,以及
internal/store/codes_lib_migrate_test.go 手动 Steps(-1) 序列(补一步跳过
000027,才能精确落在 000022 边界,这条测试是硬编码步数的)。

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
wangjia
2026-07-13 15:53:56 +08:00
parent ec4b3e0f22
commit a62a2b1797
9 changed files with 232 additions and 11 deletions
+36
View File
@@ -171,6 +171,42 @@ func (s *Store) HasPaidPurchase(ctx context.Context, userID int64, sku string) (
return n > 0, nil
}
// HasPaidPurchaseExcludingTx 是 HasPaidPurchase 的事务内(锁行后)复查版本,供
// webhook.go settle 在开通前对 Promo SKU 再查一次——CreateOrder 那次下单时的
// 检查是裸 SELECT 无锁,并发/多挂起单可绕过(TOCTOU)。excludeID 排除本单自己
// (本单尚未 MarkPaidTx,通常不会自匹配,但显式排除更稳妥、也便于未来复用)。
func (s *Store) HasPaidPurchaseExcludingTx(ctx context.Context, tx *sql.Tx, userID int64, sku string, excludeID int64) (bool, error) {
var n int
err := tx.QueryRowContext(ctx,
`SELECT COUNT(*) FROM pay_purchases WHERE user_id = ? AND sku = ? AND status = 'paid' AND id <> ?`,
userID, sku, excludeID).Scan(&n)
if err != nil {
return false, fmt.Errorf("pay.Store.HasPaidPurchaseExcludingTx: %w", err)
}
return n > 0, nil
}
// MarkDuplicatePromoTx 收口一笔在 TOCTOU 竞争中"输"掉的 Promo SKU 重复单——
// 另一笔同 user+SKU 的订单已先一步 settle 为 paid(见 webhook.go settle 的
// promo 复查)。刻意标记为 'canceled' 而非 'paid':(user_id, sku) WHERE
// status='paid' 是部分唯一索引(migration 000027,仅 sqlite)本就不允许同一
// user+promo-SKU 出现第二条 paid 行,这里若也写 paid 会在 sqlite 上直接撞
// 约束报错、把整个 webhook 打成 500 引发 pay 无限重投——与"吞掉重复单,不
// 再重投"的目标相反。仍落一次结算回执字段(amount/currency/channel/paid_at)
// 供人工核对"钱是否真收到过、为何没有二次开通",不同于用户主动取消未付
// 单的语义(MarkCanceled 的原生用途),但复用同一 status 取值。
func (s *Store) MarkDuplicatePromoTx(ctx context.Context, tx *sql.Tx, id int64, amountMinor int64, currency, channel string, paidAt time.Time) error {
_, err := tx.ExecContext(ctx,
`UPDATE pay_purchases SET status = 'canceled', amount_minor = ?, currency = ?,
channel = ?, paid_at = ?, updated_at = ?
WHERE id = ?`,
amountMinor, currency, channel, paidAt, time.Now().UTC(), id)
if err != nil {
return fmt.Errorf("pay.Store.MarkDuplicatePromoTx: %w", err)
}
return nil
}
// SubscriptionExpiry 查开通行的到期时间(查单响应回带给客户端)。
func (s *Store) SubscriptionExpiry(ctx context.Context, subID int64) (time.Time, error) {
var exp time.Time
+27 -4
View File
@@ -178,15 +178,38 @@ func (h *WebhookHandler) settle(ctx context.Context, ev *webhookEvent) error {
purchaseID, userID = row.ID, row.UserID
}
paidAt, perr := time.Parse(time.RFC3339, ev.PaidAt)
if perr != nil {
paidAt = h.now().UTC()
}
// C2 安全修复(promo 限购 TOCTOU):CreateOrder 下单时的 HasPaidPurchase 只在
// 下单一刻查、裸 SELECT 无锁——并发/多笔挂起单可绕过"每账号限购一次"。这里
// 在锁行、开通前对 Promo SKU 再复查一次:命中说明另一笔同 user+SKU 的订单
// 已抢先 settle 为 paid,本单跳过发放(不二次 +N 天),仍需 ACK 200,否则 pay
// 会把 500 当失败无限重投。sqlite 侧另有 migration 000027 的部分唯一索引
// (user_id, sku) WHERE status='paid' 兜底;mysql 不支持部分索引,本检查是
// mysql 侧唯一防线(见该迁移文件注释)。
if item.Promo {
dup, err := h.store.HasPaidPurchaseExcludingTx(ctx, tx, userID, ev.ProductBizCode, purchaseID)
if err != nil {
return err
}
if dup {
slog.Warn("pay webhook: promo 限购 TOCTOU 命中,跳过发放并吞掉重复单",
"order_no", ev.OutTradeNo, "user_id", userID, "sku", ev.ProductBizCode)
if err := h.store.MarkDuplicatePromoTx(ctx, tx, purchaseID, ev.AmountMinor, ev.Currency, ev.Channel, paidAt); err != nil {
return err
}
return tx.Commit()
}
}
subID, _, err := h.granter.GrantPaidSubscriptionTx(ctx, tx, userID,
codes.PlanCode(item.Plan), item.Days, "pay:"+ev.OutTradeNo)
if err != nil {
return err
}
paidAt, perr := time.Parse(time.RFC3339, ev.PaidAt)
if perr != nil {
paidAt = h.now().UTC()
}
if err := h.store.MarkPaidTx(ctx, tx, purchaseID, ev.AmountMinor, ev.Currency, ev.Channel, subID, paidAt); err != nil {
return err
}
@@ -0,0 +1,140 @@
package pay
import (
"context"
"net/http"
"strings"
"testing"
"time"
)
// --------------------------------------------------------------------------
// C2 · promo 限购 TOCTOU: CreateOrder's HasPaidPurchase check is a bare,
// unlocked SELECT at order-creation time — concurrent/multi-pending orders
// for the same promo SKU can both reach 'created' before either settles.
// webhook.go's settle must re-check inside the locked transaction, before
// granting, and swallow the duplicate (skip the grant, still ACK so pay
// doesn't retry forever) rather than double-granting +31 days per order.
// --------------------------------------------------------------------------
// seedPromoDuplicateOrders inserts two 'created' orders for the SAME user +
// promo SKU (pro_month_promo) — simulating the TOCTOU window where both
// orders were created before either was paid.
func seedPromoDuplicateOrders(t *testing.T, st *Store) {
t.Helper()
ctx := context.Background()
if err := st.Insert(ctx, 1, "uuid-1", "pro_month_promo", "pay-promo-1", "alipay", 600, "CNY"); err != nil {
t.Fatalf("insert promo order 1: %v", err)
}
if err := st.Insert(ctx, 1, "uuid-1", "pro_month_promo", "pay-promo-2", "wxpay", 600, "CNY"); err != nil {
t.Fatalf("insert promo order 2: %v", err)
}
}
func TestWebhook_PromoDuplicateSettleSkipsGrantButAcks(t *testing.T) {
h, db, st := newWebhookRig(t)
seedPromoDuplicateOrders(t, st)
// First promo order settles normally: paid + granted.
w1 := deliver(t, h, succeededPayload("pay-promo-1", "pro_month_promo"))
if w1.Code != http.StatusOK || !strings.Contains(w1.Body.String(), "SUCCESS") {
t.Fatalf("第一单应正常开通: %d %q", w1.Code, w1.Body.String())
}
var expiresAfterFirst time.Time
if err := db.QueryRow(`SELECT expires_at FROM subscriptions WHERE user_id = 1`).Scan(&expiresAfterFirst); err != nil {
t.Fatalf("第一单未开通订阅: %v", err)
}
// Second promo order for the SAME user+SKU settles (TOCTOU duplicate):
// must still ACK 200 SUCCESS (else pay retries this webhook forever),
// but must NOT grant a second +31 days.
w2 := deliver(t, h, succeededPayload("pay-promo-2", "pro_month_promo"))
if w2.Code != http.StatusOK || !strings.Contains(w2.Body.String(), "SUCCESS") {
t.Fatalf("重复 promo 单应仍 ACK(否则 pay 会无限重投): %d %q", w2.Code, w2.Body.String())
}
var n int
if err := db.QueryRow(`SELECT COUNT(*) FROM subscriptions WHERE user_id = 1`).Scan(&n); err != nil {
t.Fatal(err)
}
if n != 1 {
t.Fatalf("不得为重复 promo 单二次开通: subscriptions rows = %d, want 1", n)
}
var expiresAfterSecond time.Time
if err := db.QueryRow(`SELECT expires_at FROM subscriptions WHERE user_id = 1`).Scan(&expiresAfterSecond); err != nil {
t.Fatal(err)
}
if !expiresAfterFirst.Equal(expiresAfterSecond) {
t.Errorf("到期被重复叠加: %v → %v(应保持不变,promo 限购一次)", expiresAfterFirst, expiresAfterSecond)
}
// The duplicate order's own ledger row must not become a second 'paid'
// row for the same (user_id, sku) — that's exactly what migration 000027's
// partial unique index forbids on sqlite, and what the settle-side
// re-check must avoid ever attempting.
row2, err := st.GetForUser(context.Background(), 1, "pay-promo-2")
if err != nil {
t.Fatalf("重复单台账未找到: %v", err)
}
if row2.Status == "paid" {
t.Errorf("重复 promo 单不应被标记为二条 paid(会撞 (user_id,sku) 唯一索引): status = %q", row2.Status)
}
if row2.SubID.Valid {
t.Errorf("重复 promo 单不应挂 sub_id: %+v", row2.SubID)
}
// Redelivery of the SAME duplicate webhook (new nonce, same out_trade_no)
// must remain idempotent — no further side effects, still ACK.
w3 := deliver(t, h, succeededPayload("pay-promo-2", "pro_month_promo"))
if w3.Code != http.StatusOK || !strings.Contains(w3.Body.String(), "SUCCESS") {
t.Fatalf("重复单再次重投应仍 ACK: %d %q", w3.Code, w3.Body.String())
}
if err := db.QueryRow(`SELECT COUNT(*) FROM subscriptions WHERE user_id = 1`).Scan(&n); err != nil {
t.Fatal(err)
}
if n != 1 {
t.Fatalf("重投重复单不得二次开通: subscriptions rows = %d, want 1", n)
}
}
// --------------------------------------------------------------------------
// Defense-in-depth: migration 000027's sqlite partial unique index directly
// forbids two 'paid' rows for the same (user_id, sku='pro_month_promo'),
// independent of the application-layer settle check above. This guards
// against any other write path (bug, manual SQL, future code) accidentally
// double-marking a promo purchase 'paid'.
// --------------------------------------------------------------------------
func TestPayPurchases_PromoPaidUniqueIndex_SQLite(t *testing.T) {
db := openMigratedSQLite(t)
seedUser(t, db, 1, "uuid-1")
now := time.Now().UTC()
if _, err := db.Exec(
`INSERT INTO pay_purchases (user_id, biz_ref, sku, out_trade_no, method, status, amount_minor, currency, created_at, updated_at)
VALUES (1, 'uuid-1', 'pro_month_promo', 'ux-1', 'alipay', 'paid', 600, 'CNY', ?, ?)`,
now, now); err != nil {
t.Fatalf("first paid promo row should insert cleanly: %v", err)
}
_, err := db.Exec(
`INSERT INTO pay_purchases (user_id, biz_ref, sku, out_trade_no, method, status, amount_minor, currency, created_at, updated_at)
VALUES (1, 'uuid-1', 'pro_month_promo', 'ux-2', 'wxpay', 'paid', 600, 'CNY', ?, ?)`,
now, now)
if err == nil {
t.Fatal("第二条同 user+promo-sku 的 paid 行应被部分唯一索引拒绝,却插入成功")
}
if !strings.Contains(err.Error(), "UNIQUE") {
t.Errorf("err = %v, want a UNIQUE constraint violation", err)
}
// A non-promo SKU (or a 'created'/'canceled' status row) must be
// unaffected by the partial index — sanity check it isn't over-broad.
if _, err := db.Exec(
`INSERT INTO pay_purchases (user_id, biz_ref, sku, out_trade_no, method, status, amount_minor, currency, created_at, updated_at)
VALUES (1, 'uuid-1', 'pro_month', 'ux-3', 'alipay', 'paid', 4990000, 'USDT', ?, ?)`,
now, now); err != nil {
t.Errorf("非 promo SKU 的 paid 行不应受此索引影响: %v", err)
}
}
@@ -104,11 +104,15 @@ func TestCodesLibMigrateRoundTrip(t *testing.T) {
// the reviewer's repro hit: the lib's `codes` table collides with the
// name 000022's down script renames legacy_codes back to.
m := newSQLiteStepper(t, db)
// 000026 (notices), 000025 (user_device_limit_override), 000024
// (invite_rewards) and 000023 (pay_purchases/source-enum) now sit on top
// of 000022 (codes_lib_legacy_rename) and are unrelated to this
// collision — step them back down first so we land exactly on the
// 000022 boundary the test targets.
// 000027 (pay_promo_paid_unique), 000026 (notices), 000025
// (user_device_limit_override), 000024 (invite_rewards) and 000023
// (pay_purchases/source-enum) now sit on top of 000022
// (codes_lib_legacy_rename) and are unrelated to this collision — step
// them back down first so we land exactly on the 000022 boundary the
// test targets.
if err := m.Steps(-1); err != nil {
t.Fatalf("step 000027 down: %v", err)
}
if err := m.Steps(-1); err != nil {
t.Fatalf("step 000026 down: %v", err)
}
+2 -2
View File
@@ -29,8 +29,8 @@ func TestSQLiteMigrateUpDown(t *testing.T) {
if dirty {
t.Fatalf("schema dirty after MigrateUp")
}
if v != 26 {
t.Errorf("version = %d, want 26", v)
if v != 27 {
t.Errorf("version = %d, want 27", v)
}
// 2. Core tables exist.
@@ -0,0 +1 @@
-- no-op(与 up 对称,无 DDL 可回滚)
@@ -0,0 +1,7 @@
-- no-opMySQL 8):MySQL 不支持部分唯一索引(WHERE 子句),无法照搬 sqlite 版
-- 的 (user_id, sku) WHERE status='paid' AND sku='pro_month_promo' 约束——建全表
-- 唯一索引 (user_id, sku, status) 会连带拦掉 created/canceled 状态下的正常
-- 复购/重试流程,不可行。mysql 侧的 promo 限购 TOCTOU 防线仅落在应用层:
-- webhook.go settle 在锁行开通前对 item.Promo 的 SKU 复查一次 HasPaidPurchase
-- 命中则跳过发放、吞掉重复单(详见该函数注释)。此文件仅占位对齐 sqlite 的
-- 000027 编号,不执行任何 DDL。
@@ -0,0 +1 @@
DROP INDEX IF EXISTS ux_pay_promo_paid;
@@ -0,0 +1,9 @@
-- C2 安全修复(promo 限购 TOCTOU):CreateOrder 下单时的 HasPaidPurchase 只是裸
-- SELECT(无锁),并发/多挂起单可绕过「每账号限购一次」。这里加部分唯一索引兜底:
-- 同一 user_id 的 pro_month_promo 至多一条 status='paid'。sqlite 支持部分索引
-- (WHERE 子句),精确限定 sku='pro_month_promo'(目前唯一的 Promo=true 档位),
-- 不影响其余 SKU 正常复购。webhook.go settle 侧另有应用层复查作为第一道防线
-- (mysql 侧 000027 是 no-op,不支持部分索引——见 mysql 版本注释)。
CREATE UNIQUE INDEX ux_pay_promo_paid
ON pay_purchases (user_id, sku)
WHERE status = 'paid' AND sku = 'pro_month_promo';