fix: harden uploads downloads and deployment config

2026-03-08 19:40:22 +08:00
parent aa2e6bbe95
commit c23c4ac1e3
7 changed files with 133 additions and 46 deletions
--- a/backend/app/api/orders.py
+++ b/backend/app/api/orders.py
@@ -12,6 +12,26 @@ from app.schemas.order import OrderCreate, OrderResponse, PaymentResponse

 router = APIRouter(prefix="/orders", tags=["订单"])

+
+def _generate_order_no(db: Session) -> str:
+    """生成带随机后缀的唯一订单号，避免同秒冲突。"""
+    now = datetime.now()
+    six_months_ago = now - timedelta(days=180)
+    date_part = six_months_ago.strftime('%Y%m%d')
+    time_part = now.strftime('%H%M%S')
+
+    for _ in range(5):
+        suffix = secrets.token_hex(3).upper()
+        order_no = f"ORD{date_part}{time_part}{suffix}"
+        exists = db.query(Order.id).filter(Order.order_no == order_no).first()
+        if not exists:
+            return order_no
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail="生成订单号失败，请稍后重试",
+    )
+
 def get_current_user(authorization: str = Header(None), db: Session = Depends(get_db)):
    """获取当前登录用户"""
    if not authorization or not authorization.startswith("Bearer "):
@@ -66,12 +86,8 @@ def create_order(
            detail="您已购买过此作品"
        )
    
-    # 生成订单号：前缀 + (当前时间-6个月)的年月日 + 当前时间的时分秒
-    now = datetime.now()
-    six_months_ago = now - timedelta(days=180)  # 半年前
-    date_part = six_months_ago.strftime('%Y%m%d')  # 半年前的年月日
-    time_part = now.strftime('%H%M%S')  # 当前时间的时分秒
-    order_no = f"ORD{date_part}{time_part}"
+    # 生成唯一订单号：半年前日期 + 当前时分秒 + 随机后缀
+    order_no = _generate_order_no(db)
    
    # 创建订单
    new_order = Order(