fix(security): prevent payment gateway credentials leakage via OrderResource

xboard · xboard · commit 2efef9e8ee69 · 2026-04-23T10:26:35.000+08:00
diff --git a/app/Http/Controllers/V2/Admin/PaymentController.php b/app/Http/Controllers/V2/Admin/PaymentController.php
@@ -25,7 +25,7 @@ public function getPaymentMethods()
 
     public function fetch()
     {
-        $payments = Payment::orderBy('sort', 'ASC')->get();
+        $payments = Payment::orderBy('sort', 'ASC')->get()->makeVisible('config');
         foreach ($payments as $k => $v) {
             $notifyUrl = url("/api/v1/guest/payment/notify/{$v->payment}/{$v->uuid}");
             if ($v->notify_domain) {
diff --git a/app/Http/Resources/OrderResource.php b/app/Http/Resources/OrderResource.php
@@ -23,6 +23,12 @@ public function toArray(Request $request): array
             ...parent::toArray($request),
             'period' => PlanService::getLegacyPeriod((string)$this->period),
             'plan' => $this->whenLoaded('plan', fn() => PlanResource::make($this->plan)),
+            'payment' => $this->whenLoaded('payment', fn() => $this->payment ? [
+                'id' => $this->payment->id,
+                'name' => $this->payment->name,
+                'payment' => $this->payment->payment,
+                'icon' => $this->payment->icon,
+            ] : null),
         ];
     }
 }
diff --git a/app/Models/Payment.php b/app/Models/Payment.php
@@ -15,4 +15,8 @@ class Payment extends Model
         'config' => 'array',
         'enable' => 'boolean'
     ];
+
+    protected $hidden = [
+        'config',
+    ];
 }
diff --git a/app/Services/PaymentService.php b/app/Services/PaymentService.php
@@ -29,14 +29,14 @@ public function __construct($method, $id = NULL, $uuid = NULL)
             if (!$paymentModel) {
                 throw new ApiException('payment not found');
             }
-            $payment = $paymentModel->toArray();
+            $payment = $paymentModel->makeVisible('config')->toArray();
         }
         if ($uuid) {
             $paymentModel = Payment::where('uuid', $uuid)->first();
             if (!$paymentModel) {
                 throw new ApiException('payment not found');
             }
-            $payment = $paymentModel->toArray();
+            $payment = $paymentModel->makeVisible('config')->toArray();
         }
 
         $this->config = [];

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ public function getPaymentMethods()`
`25`	`25`
`26`	`26`	`public function fetch()`
`27`	`27`	`{`
`28`		`- $payments = Payment::orderBy('sort', 'ASC')->get();`
	`28`	`+ $payments = Payment::orderBy('sort', 'ASC')->get()->makeVisible('config');`
`29`	`29`	`foreach ($payments as $k => $v) {`
`30`	`30`	`$notifyUrl = url("/api/v1/guest/payment/notify/{$v->payment}/{$v->uuid}");`
`31`	`31`	`if ($v->notify_domain) {`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,12 @@ public function toArray(Request $request): array`
`23`	`23`	`...parent::toArray($request),`
`24`	`24`	`'period' => PlanService::getLegacyPeriod((string)$this->period),`
`25`	`25`	`'plan' => $this->whenLoaded('plan', fn() => PlanResource::make($this->plan)),`
	`26`	`+ 'payment' => $this->whenLoaded('payment', fn() => $this->payment ? [`
	`27`	`+ 'id' => $this->payment->id,`
	`28`	`+ 'name' => $this->payment->name,`
	`29`	`+ 'payment' => $this->payment->payment,`
	`30`	`+ 'icon' => $this->payment->icon,`
	`31`	`+ ] : null),`
`26`	`32`	`];`
`27`	`33`	`}`
`28`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,8 @@ class Payment extends Model`
`15`	`15`	`'config' => 'array',`
`16`	`16`	`'enable' => 'boolean'`
`17`	`17`	`];`
	`18`	`+`
	`19`	`+ protected $hidden = [`
	`20`	`+ 'config',`
	`21`	`+ ];`
`18`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,14 +29,14 @@ public function __construct($method, $id = NULL, $uuid = NULL)`
`29`	`29`	`if (!$paymentModel) {`
`30`	`30`	`throw new ApiException('payment not found');`
`31`	`31`	`}`
`32`		`- $payment = $paymentModel->toArray();`
	`32`	`+ $payment = $paymentModel->makeVisible('config')->toArray();`
`33`	`33`	`}`
`34`	`34`	`if ($uuid) {`
`35`	`35`	`$paymentModel = Payment::where('uuid', $uuid)->first();`
`36`	`36`	`if (!$paymentModel) {`
`37`	`37`	`throw new ApiException('payment not found');`
`38`	`38`	`}`
`39`		`- $payment = $paymentModel->toArray();`
	`39`	`+ $payment = $paymentModel->makeVisible('config')->toArray();`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`$this->config = [];`