fix: restrict CORS origins, require payment env vars, replace raw SQL with Prisma findMany

- AI service: replace allow_origins=["*"] with env-configured AI_CORS_ORIGINS - Payment services (VNPay, MoMo, ZaloPay): use requireEnv() instead of empty string defaults for credentials - Search indexer: replace raw SQL template literals with Prisma findMany + parameterized PostGIS queries Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:11:59 +07:00
parent 271ad76e6f
commit 811417d77d
6 changed files with 136 additions and 155 deletions
--- a/apps/api/src/modules/payments/infrastructure/services/momo.service.ts
+++ b/apps/api/src/modules/payments/infrastructure/services/momo.service.ts
@@ -10,21 +10,29 @@ import {
  type RefundResult,
 } from './payment-gateway.interface';

+function requireEnv(key: string): string {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+
@Injectable()
 export class MomoService implements IPaymentGateway {
  private readonly logger = new Logger(MomoService.name);
  readonly provider: PaymentProvider = 'MOMO';

  private get partnerCode(): string {
-    return process.env['MOMO_PARTNER_CODE'] ?? '';
+    return requireEnv('MOMO_PARTNER_CODE');
  }

  private get accessKey(): string {
-    return process.env['MOMO_ACCESS_KEY'] ?? '';
+    return requireEnv('MOMO_ACCESS_KEY');
  }

  private get secretKey(): string {
-    return process.env['MOMO_SECRET_KEY'] ?? '';
+    return requireEnv('MOMO_SECRET_KEY');
  }

  private get endpoint(): string {
--- a/apps/api/src/modules/payments/infrastructure/services/vnpay.service.ts
+++ b/apps/api/src/modules/payments/infrastructure/services/vnpay.service.ts
@@ -10,17 +10,25 @@ import {
  type RefundResult,
 } from './payment-gateway.interface';

+function requireEnv(key: string): string {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+
@Injectable()
 export class VnpayService implements IPaymentGateway {
  private readonly logger = new Logger(VnpayService.name);
  readonly provider: PaymentProvider = 'VNPAY';

  private get tmnCode(): string {
-    return process.env['VNPAY_TMN_CODE'] ?? '';
+    return requireEnv('VNPAY_TMN_CODE');
  }

  private get hashSecret(): string {
-    return process.env['VNPAY_HASH_SECRET'] ?? '';
+    return requireEnv('VNPAY_HASH_SECRET');
  }

  private get baseUrl(): string {
--- a/apps/api/src/modules/payments/infrastructure/services/zalopay.service.ts
+++ b/apps/api/src/modules/payments/infrastructure/services/zalopay.service.ts
@@ -10,21 +10,29 @@ import {
  type RefundResult,
 } from './payment-gateway.interface';

+function requireEnv(key: string): string {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+
@Injectable()
 export class ZalopayService implements IPaymentGateway {
  private readonly logger = new Logger(ZalopayService.name);
  readonly provider: PaymentProvider = 'ZALOPAY';

  private get appId(): string {
-    return process.env['ZALOPAY_APP_ID'] ?? '';
+    return requireEnv('ZALOPAY_APP_ID');
  }

  private get key1(): string {
-    return process.env['ZALOPAY_KEY1'] ?? '';
+    return requireEnv('ZALOPAY_KEY1');
  }

  private get key2(): string {
-    return process.env['ZALOPAY_KEY2'] ?? '';
+    return requireEnv('ZALOPAY_KEY2');
  }

  private get endpoint(): string {