From 2efef9e8ee69db9445eae59411c1e685533d566a Mon Sep 17 00:00:00 2001
From: xboard
Date: Thu, 23 Apr 2026 10:25:32 +0800
Subject: [PATCH] fix(security): prevent payment gateway credentials leakage via OrderResource
---
 app/Http/Controllers/V2/Admin/PaymentController.php | 2 +-
 app/Http/Resources/OrderResource.php | 6 ++++++
 app/Models/Payment.php | 4 ++++
 app/Services/PaymentService.php | 4 ++--
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/V2/Admin/PaymentController.php b/app/Http/Controllers/V2/Admin/PaymentController.php
index 6649aaa..74b17cb 100644
--- a/app/Http/Controllers/V2/Admin/PaymentController.php
+++ b/app/Http/Controllers/V2/Admin/PaymentController.php
@@ -25,7 +25,7 @@ class PaymentController extends Controller
 public function fetch()
 {
- $payments = Payment::orderBy('sort', 'ASC')->get();
+ $payments = Payment::orderBy('sort', 'ASC')->get()->makeVisible('config');
 foreach ($payments as $k => $v) {
 $notifyUrl = url("/api/v1/guest/payment/notify/{$v->payment}/{$v->uuid}");
 if ($v->notify_domain) {
diff --git a/app/Http/Resources/OrderResource.php b/app/Http/Resources/OrderResource.php
index ae3e6e4..eee3fad 100644
--- a/app/Http/Resources/OrderResource.php
+++ b/app/Http/Resources/OrderResource.php
@@ -23,6 +23,12 @@ class OrderResource extends JsonResource
 ...parent::toArray($request),
 'period' => PlanService::getLegacyPeriod((string)$this->period),
 'plan' => $this->whenLoaded('plan', fn() => PlanResource::make($this->plan)),
+ 'payment' => $this->whenLoaded('payment', fn() => $this->payment ? [
+ 'id' => $this->payment->id,
+ 'name' => $this->payment->name,
+ 'payment' => $this->payment->payment,
+ 'icon' => $this->payment->icon,
+ ] : null),
 ];
 }
 }
diff --git a/app/Models/Payment.php b/app/Models/Payment.php
index fec8b00..8c21f35 100644
--- a/app/Models/Payment.php
+++ b/app/Models/Payment.php
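Review bot: The `->makeVisible('config')` appended to the `get()` call is the only thing that keeps the admin edit form supplied with gateway settings once `config` is hidden on the model, and nothing on the line says so, so a later reader may well "simplify" it away. A why-comment above the assignment would anchor it: `// config is $hidden on Payment (it holds gateway credentials); this admin list is the one response that must include it`. Because `makeVisible` on the Eloquent collection is applied per instance, everything else that serializes these `$payments` later in `fetch()` will also carry the credentials — intended here, but it should stay confined to this admin route. The rest of `fetch()` continues outside the hunk.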
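Review bot: The nested `payment` array is an allow-list, but nothing marks it as deliberate, so the next field added to `Payment` is as likely to be spread in as listed — and the `...parent::toArray($request)` on the first context line already serializes the loaded relation, so this key works by overriding that entry rather than being the only source of it. A comment such as `// allow-list on purpose: Payment carries gateway credentials in config, never spread the model here` keeps the intent visible. It would also be worth considering a dedicated resource for these four fields, mirrored on the `PlanResource::make(...)` usage on the line above, so every place that embeds a payment shares one safe shape; if no such resource exists yet, the inline list is acceptable. The inner `'payment'` key holds the gateway type string and shares its name with the outer `'payment'` key, so the comment should say so to spare readers the confusion.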
@@ -15,4 +15,8 @@ class Payment extends Model
 'config' => 'array',
 'enable' => 'boolean'
 ];
+
+ protected $hidden = [
+ 'config',
+ ];
 }
diff --git a/app/Services/PaymentService.php b/app/Services/PaymentService.php
index c496d38..835fc99 100644
--- a/app/Services/PaymentService.php
+++ b/app/Services/PaymentService.php
@@ -29,14 +29,14 @@ class PaymentService
 if (!$paymentModel) {
 throw new ApiException('payment not found');
 }
- $payment = $paymentModel->toArray();
+ $payment = $paymentModel->makeVisible('config')->toArray();
 }
 if ($uuid) {
 $paymentModel = Payment::where('uuid', $uuid)->first();
 if (!$paymentModel) {
 throw new ApiException('payment not found');
 }
- $payment = $paymentModel->toArray();
+ $payment = $paymentModel->makeVisible('config')->toArray();
 }
 $this->config = [];
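Review bot: `$hidden` only affects `toArray()`/`toJson()` serialization; `$model->config` still returns the array, so any caller that reads the credentials through `toArray()` now silently receives no `config` key and must opt back in with `makeVisible('config')`. The commit does this for the two `toArray()` calls in `PaymentService` and for the admin `fetch()`, but other serialization paths of this model are not visible here, so it is worth checking every `->toArray()` on a `Payment` instance before merging. The new property should carry its contract: `/** Gateway credentials: excluded from serialization by default. Call makeVisible('config') only where the raw config is genuinely needed. */`.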