TradeMate Dev | 3e39cf0170 | 2026-05-29 18:36:50 +08:00
refactor: replace direct WeChat/Alipay with unified pay-api gateway
Switch from direct WeChat Pay / Alipay integrations to the unified
宇之然 pay-api gateway (HMAC-SHA256 auth). Removes wechat_pay.py,
keeps PaymentGateway abstraction, adds UnifiedPayService. Simplifies
payment.py create_order to {plan, pay_type} params. Single webhook
endpoint replaces separate WeChat/Alipay notify handlers.

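The commit above describes the gateway's authentication only as "HMAC-SHA256 auth" and a single webhook endpoint. The following is an added example of that pattern written for this page, not code from the TradeMate repository or the 宇之然 pay-api gateway: the canonical string (method, path, timestamp, body), the X-Timestamp / X-Signature header names and the 300-second replay window are assumptions chosen for illustration, since the commit log does not show the gateway's documented scheme. It shows the two halves a practitioner needs to get right: the client signing its outgoing request, and the webhook handler verifying the inbound signature with a constant-time compare and a freshness check before it parses anything.

```python
"""HMAC-SHA256 request signing (client side) and signature verification
(webhook side), with replay protection.

Added example. The canonical string, the X-Timestamp / X-Signature header
names and the 300 s replay window are assumptions chosen for illustration;
the commit log does not show the 宇之然 pay-api gateway's actual scheme.
"""
import hashlib
import hmac
import json

REPLAY_WINDOW_SECONDS = 300  # assumed clock-skew / replay tolerance


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and body into one message so that none of
    them can be swapped without invalidating the MAC. The body goes last so an
    embedded newline cannot shift the other fields."""
    return b"\n".join(
        [method.upper().encode(), path.encode(), str(timestamp).encode(), body]
    )


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> dict:
    """Headers a client (in TradeMate's case UnifiedPayService) would attach
    to an outgoing gateway call."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_signature(secret: bytes, method: str, path: str, body: bytes, headers: dict, now: int):
    """Return (ok, reason). Checks headers and freshness before doing any crypto."""
    ts_raw = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if ts_raw is None or not sig:
        return False, "missing headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"
    # Reject old or future-dated messages: a captured, valid signature must
    # not stay replayable forever.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(secret: bytes, path: str, raw_body: bytes, headers: dict, now: int):
    """Single notify endpoint: verify first, parse second. Returns the event
    dict on success and None on any failure, so callers never act on
    unverified data. The raw bytes are verified, not a re-serialised copy."""
    ok, _reason = verify_signature(secret, "POST", path, raw_body, headers, now)
    if not ok:
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: an order-creation call and a payment notification.
    secret = b"shared-secret-from-config"  # constructed; load from settings in practice
    body = b'{"plan":"pro","pay_type":"wechat"}'
    hdrs = sign_request(secret, "POST", "/v1/orders", body, 1_700_000_000)
    print(verify_signature(secret, "POST", "/v1/orders", body, hdrs, 1_700_000_005))
    print(verify_signature(secret, "POST", "/v1/orders", body + b" ", hdrs, 1_700_000_005))
```

The verification order matters: cheap structural and freshness checks first, then one MAC computation, then `compare_digest`; and the webhook handler verifies the raw request bytes rather than a re-serialised JSON object, because whitespace or key-order differences would otherwise produce a spurious mismatch.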
TradeMate Dev | c04fa2c19f | 2026-05-29 10:26:23 +08:00
T-005: Security hardening - CORS, Rate Limit, CSRF
- CORS: Restrict allowed origins to specific frontend URLs, limit methods and headers
- Rate Limit: Add fine-grained endpoint-specific rate limits for sensitive operations
  - Login: 5 requests/minute
  - Register: 3 requests/hour
  - Password change: 3 requests/5 minutes
  - Payment: 20 requests/minute
  - Admin: 30 requests/minute
- CSRF: Add CSRF protection middleware with double-submit cookie pattern
  - New app/core/csrf.py module with CSRFMiddleware
  - Require CSRF tokens on sensitive endpoints (auth, payment, profile)
  - Skip webhook endpoints for CSRF validation
- Fix pydantic-settings import in config.py

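The commit above names the two mechanisms but shows neither, so here is an added, framework-agnostic example of both written for this page; it is not the project's app/core/csrf.py or its rate-limit configuration. The route prefixes, the csrf_token cookie and X-CSRF-Token header names, and the use of a client address as the rate-limit key are assumptions for illustration; the request counts and windows are the ones listed in the commit. Two points a reviewer would check are built in: the CSRF comparison is constant-time and fails closed when either half of the double-submit pair is absent, and the webhook exemption is only sound because the webhook is authenticated by the gateway's HMAC signature rather than by a browser session, which is what makes a forged cross-site request against it pointless.

```python
"""Double-submit-cookie CSRF check and per-endpoint sliding-window rate limits.

Added example, framework-agnostic (plain dicts stand in for a request object).
Route prefixes, cookie/header names and the client key are assumptions for
illustration; the project's app/core/csrf.py is not shown in the commit log.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_COOKIE = "csrf_token"      # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"    # assumed header name the SPA echoes back
CSRF_PROTECTED_PREFIXES = ("/api/auth", "/api/payment", "/api/profile")  # assumed paths
CSRF_EXEMPT_PREFIXES = ("/api/payment/webhook",)  # assumed path; HMAC-authenticated, no session

# Limits from the commit message as (max requests, window seconds); paths assumed.
RATE_LIMITS = {
    "/api/auth/login": (5, 60),
    "/api/auth/register": (3, 3600),
    "/api/profile/password": (3, 300),
    "/api/payment": (20, 60),
    "/api/admin": (30, 60),
}


def issue_csrf_token() -> str:
    """Random, unguessable token. The server sets it as a cookie; the client
    must read it and resend it in the header on state-changing requests."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, path: str, cookies: dict, headers: dict):
    """Return (allowed, reason). Exemptions are evaluated before the protected
    set so the webhook under /api/payment is skipped as the commit describes."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if path.startswith(CSRF_EXEMPT_PREFIXES):
        return True, "webhook exempt"
    if not path.startswith(CSRF_PROTECTED_PREFIXES):
        return True, "not protected"
    cookie = cookies.get(CSRF_COOKIE, "")
    header = headers.get(CSRF_HEADER, "")
    if not cookie or not header:
        return False, "missing csrf token"   # fail closed on either half missing
    if not hmac.compare_digest(cookie.encode(), header.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


class SlidingWindowLimiter:
    """Counts hits per (client, rule) within a trailing window."""

    def __init__(self, limits=RATE_LIMITS):
        self.limits = limits
        self._hits = defaultdict(deque)

    def _rule_for(self, path: str):
        # Longest matching prefix wins, so /api/auth/login is not swallowed by a
        # broader /api/auth rule if one is ever added.
        matches = [p for p in self.limits if path.startswith(p)]
        return max(matches, key=len) if matches else None

    def allow(self, client: str, path: str, now: float = None):
        """Return (allowed, reason); `now` is injectable for deterministic tests."""
        rule = self._rule_for(path)
        if rule is None:
            return True, "no limit"
        now = time.monotonic() if now is None else now
        limit, window = self.limits[rule]
        hits = self._hits[(client, rule)]
        while hits and now - hits[0] >= window:
            hits.popleft()              # drop hits that fell out of the window
        if len(hits) >= limit:
            return False, f"rate limited: {limit}/{window}s on {rule}"
        hits.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: six logins in one minute from one client.
    limiter = SlidingWindowLimiter()
    for i in range(6):
        print(limiter.allow("203.0.113.7", "/api/auth/login", now=100 + i))
    tok = issue_csrf_token()
    print(csrf_check("POST", "/api/payment/orders", {CSRF_COOKIE: tok}, {CSRF_HEADER: tok}))
```

The double-submit check only proves the caller could read the cookie, so the cookie must not be readable cross-site: it should carry `SameSite` and `Secure`, and the CORS allow-list from the same commit is what stops a foreign origin from reading the token via a credentialed request.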