From 7012279a269e779b3c954cb5a4477c4b33f3c7c0 Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Thu, 23 Apr 2026 10:24:39 +0800
Subject: [PATCH 1/6] fix(payment): secure Waffo Pancake webhook mapping

---
 controller/topup_waffo_pancake.go             |  50 +--
 controller/topup_waffo_pancake_test.go        |  35 ++-
 router/api-router.go                          |   6 +-
 service/waffo_pancake.go                      |  52 +++-
 service/waffo_pancake_test.go                 | 294 +++++++++++++++++-
 .../components/settings/PaymentSetting.jsx    |  17 +-
 6 files changed, 404 insertions(+), 50 deletions(-)

diff --git a/controller/topup_waffo_pancake.go b/controller/topup_waffo_pancake.go
index 81515a56ed3..678e3a5f7d3 100644
--- a/controller/topup_waffo_pancake.go
+++ b/controller/topup_waffo_pancake.go
@@ -53,9 +53,6 @@ func RequestWaffoPancakeAmount(c *gin.Context) {
 
 func getWaffoPancakePayMoney(amount int64, group string) float64 {
 	dAmount := decimal.NewFromInt(amount)
-	if operation_setting.GetQuotaDisplayType() == operation_setting.QuotaDisplayTypeTokens {
-		dAmount = dAmount.Div(decimal.NewFromFloat(common.QuotaPerUnit))
-	}
 
 	topupGroupRatio := common.GetTopupGroupRatio(group)
 	if topupGroupRatio == 0 {
@@ -75,20 +72,6 @@ func getWaffoPancakePayMoney(amount int64, group string) float64 {
 	return payMoney.InexactFloat64()
 }
 
-func normalizeWaffoPancakeTopUpAmount(amount int64) int64 {
-	if operation_setting.GetQuotaDisplayType() != operation_setting.QuotaDisplayTypeTokens {
-		return amount
-	}
-
-	normalized := decimal.NewFromInt(amount).
-		Div(decimal.NewFromFloat(common.QuotaPerUnit)).
-		IntPart()
-	if normalized < 1 {
-		return 1
-	}
-	return normalized
-}
-
 func formatWaffoPancakeAmount(payMoney float64) string {
 	return decimal.NewFromFloat(payMoney).StringFixed(2)
 }
@@ -158,9 +141,10 @@ func RequestWaffoPancakePay(c *gin.Context) {
 	}
 
 	tradeNo := fmt.Sprintf("WAFFO_PANCAKE-%d-%d-%s", id, time.Now().UnixMilli(), randstr.String(6))
+	currency := strings.ToUpper(strings.TrimSpace(setting.WaffoPancakeCurrency))
 	topUp := &model.TopUp{
 		UserId:        id,
-		Amount:        normalizeWaffoPancakeTopUpAmount(req.Amount),
+		Amount:        req.Amount,
 		Money:         payMoney,
 		TradeNo:       tradeNo,
 		PaymentMethod: model.PaymentMethodWaffoPancake,
@@ -178,7 +162,7 @@ func RequestWaffoPancakePay(c *gin.Context) {
 		StoreID:     setting.WaffoPancakeStoreID,
 		ProductID:   setting.WaffoPancakeProductID,
 		ProductType: "onetime",
-		Currency:    strings.ToUpper(strings.TrimSpace(setting.WaffoPancakeCurrency)),
+		Currency:    currency,
 		PriceSnapshot: &service.WaffoPancakePriceSnapshot{
 			Amount:      formatWaffoPancakeAmount(payMoney),
 			TaxIncluded: false,
@@ -187,6 +171,14 @@ func RequestWaffoPancakePay(c *gin.Context) {
 		BuyerEmail:       getWaffoPancakeBuyerEmail(user),
 		SuccessURL:       getWaffoPancakeReturnURL(),
 		ExpiresInSeconds: &expiresInSeconds,
+		Metadata: buildWaffoPancakeOrderMetadata(
+			id,
+			tradeNo,
+			req.Amount,
+			req.Amount,
+			payMoney,
+			currency,
+		),
 	})
 	if err != nil {
 		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 创建结账会话失败 user_id=%d trade_no=%s error=%q", id, tradeNo, err.Error()))
@@ -208,6 +200,26 @@ func RequestWaffoPancakePay(c *gin.Context) {
 	})
 }
 
+func buildWaffoPancakeOrderMetadata(userID int, tradeNo string, requestedAmount int64, storedAmount int64, money float64, currency string) *service.WaffoPancakeOrderMetadata {
+	mode := "prod"
+	if setting.WaffoPancakeSandbox {
+		mode = "test"
+	}
+
+	return &service.WaffoPancakeOrderMetadata{
+		TradeNo:         tradeNo,
+		UserID:          userID,
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		RequestedAmount: requestedAmount,
+		StoredAmount:    storedAmount,
+		Money:           formatWaffoPancakeAmount(money),
+		Currency:        currency,
+		StoreID:         setting.WaffoPancakeStoreID,
+		ProductID:       setting.WaffoPancakeProductID,
+		Mode:            mode,
+	}
+}
+
 func WaffoPancakeWebhook(c *gin.Context) {
 	if !isWaffoPancakeWebhookEnabled() {
 		logger.LogWarn(c.Request.Context(), fmt.Sprintf("Waffo Pancake webhook 被拒绝 reason=webhook_disabled path=%q client_ip=%s", c.Request.RequestURI, c.ClientIP()))
diff --git a/controller/topup_waffo_pancake_test.go b/controller/topup_waffo_pancake_test.go
index 483dd7b793f..71c5ae4ef97 100644
--- a/controller/topup_waffo_pancake_test.go
+++ b/controller/topup_waffo_pancake_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/QuantumNous/new-api/common"
+	"github.com/QuantumNous/new-api/model"
 	"github.com/QuantumNous/new-api/setting"
 	"github.com/QuantumNous/new-api/setting/operation_setting"
 	"github.com/stretchr/testify/require"
@@ -27,6 +28,34 @@ func TestFormatWaffoPancakeAmount_UsesDisplayPriceString(t *testing.T) {
 	}
 }
 
+func TestBuildWaffoPancakeOrderMetadata(t *testing.T) {
+	originalSandbox := setting.WaffoPancakeSandbox
+	originalStoreID := setting.WaffoPancakeStoreID
+	originalProductID := setting.WaffoPancakeProductID
+	t.Cleanup(func() {
+		setting.WaffoPancakeSandbox = originalSandbox
+		setting.WaffoPancakeStoreID = originalStoreID
+		setting.WaffoPancakeProductID = originalProductID
+	})
+
+	setting.WaffoPancakeSandbox = true
+	setting.WaffoPancakeStoreID = "store_123"
+	setting.WaffoPancakeProductID = "product_456"
+
+	metadata := buildWaffoPancakeOrderMetadata(42, "WAFFO_PANCAKE-42-123456-abc123", 1000, 10, 29, "USD")
+
+	require.Equal(t, "WAFFO_PANCAKE-42-123456-abc123", metadata.TradeNo)
+	require.Equal(t, 42, metadata.UserID)
+	require.Equal(t, model.PaymentMethodWaffoPancake, metadata.PaymentMethod)
+	require.Equal(t, int64(1000), metadata.RequestedAmount)
+	require.Equal(t, int64(10), metadata.StoredAmount)
+	require.Equal(t, "29.00", metadata.Money)
+	require.Equal(t, "USD", metadata.Currency)
+	require.Equal(t, "store_123", metadata.StoreID)
+	require.Equal(t, "product_456", metadata.ProductID)
+	require.Equal(t, "test", metadata.Mode)
+}
+
 func TestGetWaffoPancakePayMoney(t *testing.T) {
 	originalUnitPrice := setting.WaffoPancakeUnitPrice
 	originalQuotaDisplayType := operation_setting.GetGeneralSetting().QuotaDisplayType
@@ -66,11 +95,11 @@ func TestGetWaffoPancakePayMoney(t *testing.T) {
 			expected:         24,
 		},
 		{
-			name:             "tokens display converts quota to display units before pricing",
-			amount:           int64(common.QuotaPerUnit * 3),
+			name:             "quota display type does not affect Waffo Pancake pricing",
+			amount:           10,
 			group:            "vip",
 			quotaDisplayType: operation_setting.QuotaDisplayTypeTokens,
-			expected:         4.5,
+			expected:         24,
 		},
 		{
 			name:             "non-positive discount falls back to no discount",
diff --git a/router/api-router.go b/router/api-router.go
index 83f5e4ae9d9..4696dc6009a 100644
--- a/router/api-router.go
+++ b/router/api-router.go
@@ -49,7 +49,7 @@ func SetApiRouter(router *gin.Engine) {
 		apiRouter.POST("/stripe/webhook", controller.StripeWebhook)
 		apiRouter.POST("/creem/webhook", controller.CreemWebhook)
 		apiRouter.POST("/waffo/webhook", controller.WaffoWebhook)
-		//apiRouter.POST("/waffo-pancake/webhook", controller.WaffoPancakeWebhook)
+		apiRouter.POST("/waffo-pancake/webhook", controller.WaffoPancakeWebhook)
 
 		// Universal secure verification routes
 		apiRouter.POST("/verify", middleware.UserAuth(), middleware.CriticalRateLimit(), controller.UniversalVerify)
@@ -93,8 +93,8 @@ func SetApiRouter(router *gin.Engine) {
 				selfRoute.POST("/creem/pay", middleware.CriticalRateLimit(), controller.RequestCreemPay)
 				selfRoute.POST("/waffo/amount", controller.RequestWaffoAmount)
 				selfRoute.POST("/waffo/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPay)
-				//selfRoute.POST("/waffo-pancake/amount", controller.RequestWaffoPancakeAmount)
-				//selfRoute.POST("/waffo-pancake/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPancakePay)
+				selfRoute.POST("/waffo-pancake/amount", controller.RequestWaffoPancakeAmount)
+				selfRoute.POST("/waffo-pancake/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPancakePay)
 				selfRoute.POST("/aff_transfer", controller.TransferAffQuota)
 				selfRoute.PUT("/setting", controller.UpdateUserSetting)
 
diff --git a/service/waffo_pancake.go b/service/waffo_pancake.go
index 9033c37f37d..6faf6101e89 100644
--- a/service/waffo_pancake.go
+++ b/service/waffo_pancake.go
@@ -35,6 +35,19 @@ type WaffoPancakePriceSnapshot struct {
 	TaxCategory string `json:"taxCategory"`
 }
 
+type WaffoPancakeOrderMetadata struct {
+	TradeNo         string `json:"trade_no"`
+	UserID          int    `json:"user_id"`
+	PaymentMethod   string `json:"payment_method"`
+	RequestedAmount int64  `json:"requested_amount"`
+	StoredAmount    int64  `json:"stored_amount"`
+	Money           string `json:"money"`
+	Currency        string `json:"currency"`
+	StoreID         string `json:"store_id"`
+	ProductID       string `json:"product_id"`
+	Mode            string `json:"mode"`
+}
+
 type WaffoPancakeCreateSessionParams struct {
 	StoreID          string                     `json:"storeId"`
 	ProductID        string                     `json:"productId"`
@@ -44,6 +57,7 @@ type WaffoPancakeCreateSessionParams struct {
 	BuyerEmail       string                     `json:"buyerEmail,omitempty"`
 	SuccessURL       string                     `json:"successUrl,omitempty"`
 	ExpiresInSeconds *int                       `json:"expiresInSeconds,omitempty"`
+	Metadata         *WaffoPancakeOrderMetadata `json:"metadata,omitempty"`
 }
 
 type WaffoPancakeCheckoutSession struct {
@@ -64,13 +78,14 @@ type waffoPancakeCreateSessionResponse struct {
 }
 
 type waffoPancakeWebhookData struct {
-	ID          string          `json:"id"`
-	OrderID     string          `json:"orderId"`
-	BuyerEmail  string          `json:"buyerEmail"`
-	Currency    string          `json:"currency"`
-	Amount      dto.StringValue `json:"amount"`
-	TaxAmount   dto.StringValue `json:"taxAmount"`
-	ProductName string          `json:"productName"`
+	ID            string                    `json:"id"`
+	OrderID       string                    `json:"orderId"`
+	BuyerEmail    string                    `json:"buyerEmail"`
+	Currency      string                    `json:"currency"`
+	Amount        dto.StringValue           `json:"amount"`
+	TaxAmount     dto.StringValue           `json:"taxAmount"`
+	ProductName   string                    `json:"productName"`
+	OrderMetadata WaffoPancakeOrderMetadata `json:"orderMetadata"`
 }
 
 type waffoPancakeWebhookEvent struct {
@@ -165,15 +180,24 @@ func ResolveWaffoPancakeTradeNo(event *waffoPancakeWebhookEvent) (string, error)
 		return "", fmt.Errorf("missing webhook event")
 	}
 
-	if tradeNo := strings.TrimSpace(event.Data.OrderID); tradeNo != "" {
-		topUp := model.GetTopUpByTradeNo(tradeNo)
-		if topUp != nil && topUp.PaymentMethod == model.PaymentMethodWaffoPancake {
-			return tradeNo, nil
-		}
-		return "", fmt.Errorf("waffo pancake order not found for webhook orderId=%s", tradeNo)
+	metadata := event.Data.OrderMetadata
+	tradeNo := strings.TrimSpace(metadata.TradeNo)
+	if tradeNo == "" {
+		return "", fmt.Errorf("missing webhook orderMetadata.trade_no")
+	}
+
+	topUp := model.GetTopUpByTradeNo(tradeNo)
+	if topUp == nil {
+		return "", fmt.Errorf("waffo pancake order not found for metadata trade_no=%s", tradeNo)
+	}
+	if topUp.PaymentMethod != model.PaymentMethodWaffoPancake {
+		return "", fmt.Errorf("waffo pancake payment method mismatch trade_no=%s", tradeNo)
+	}
+	if metadata.UserID != topUp.UserId {
+		return "", fmt.Errorf("webhook orderMetadata.user_id mismatch")
 	}
 
-	return "", fmt.Errorf("missing webhook orderId")
+	return tradeNo, nil
 }
 
 func normalizeRSAPrivateKey(raw string) (string, error) {
diff --git a/service/waffo_pancake_test.go b/service/waffo_pancake_test.go
index eeb1012b076..47e1007f389 100644
--- a/service/waffo_pancake_test.go
+++ b/service/waffo_pancake_test.go
@@ -1,7 +1,15 @@
 package service
 
 import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
 	"fmt"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -56,7 +64,7 @@ func TestWaffoPancakeCreateSessionResponseParsesDocumentedPayload(t *testing.T)
 	require.Empty(t, result.Data.OrderID)
 }
 
-func TestResolveWaffoPancakeTradeNo_UsesWebhookOrderIDWhenLocalOrderExists(t *testing.T) {
+func TestResolveWaffoPancakeTradeNo_RejectsWebhookOrderIDOnly(t *testing.T) {
 	db := setupWaffoPancakeTestDB(t)
 
 	topUp := &model.TopUp{
@@ -75,11 +83,116 @@ func TestResolveWaffoPancakeTradeNo_UsesWebhookOrderIDWhenLocalOrderExists(t *te
 			OrderID: "ORD_5dXBtmF2HLlHfbPNm0Wcnz",
 		},
 	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+}
+
+func TestResolveWaffoPancakeTradeNo_UsesOrderMetadataTradeNo(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	topUp := &model.TopUp{
+		UserId:        42,
+		Amount:        10,
+		Money:         29,
+		TradeNo:       "WAFFO_PANCAKE-42-123456-abc123",
+		PaymentMethod: model.PaymentMethodWaffoPancake,
+		CreateTime:    time.Now().Unix(),
+		Status:        common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(topUp).Error)
+
+	var event waffoPancakeWebhookEvent
+	require.NoError(t, common.Unmarshal([]byte(`{
+		"storeId": "store_123",
+		"mode": "test",
+		"data": {
+			"orderId": "ORD_remote_123",
+			"currency": "USD",
+			"amount": "29.00",
+			"orderMetadata": {
+				"trade_no": "WAFFO_PANCAKE-42-123456-abc123",
+				"user_id": 42,
+				"payment_method": "waffo_pancake",
+				"stored_amount": 10,
+				"money": "29.00",
+				"currency": "USD",
+				"store_id": "store_123",
+				"product_id": "product_456",
+				"mode": "test"
+			}
+		}
+	}`), &event))
+
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&event)
 	require.NoError(t, err)
-	require.Equal(t, "ORD_5dXBtmF2HLlHfbPNm0Wcnz", tradeNo)
+	require.Equal(t, "WAFFO_PANCAKE-42-123456-abc123", tradeNo)
+}
+
+func TestResolveWaffoPancakeTradeNo_RejectsMetadataUserMismatch(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	topUp := &model.TopUp{
+		UserId:        42,
+		Amount:        10,
+		Money:         29,
+		TradeNo:       "WAFFO_PANCAKE-42-123456-abc123",
+		PaymentMethod: model.PaymentMethodWaffoPancake,
+		CreateTime:    time.Now().Unix(),
+		Status:        common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(topUp).Error)
+
+	var event waffoPancakeWebhookEvent
+	require.NoError(t, common.Unmarshal([]byte(`{
+		"storeId": "store_123",
+		"mode": "test",
+		"data": {
+			"orderId": "WAFFO_PANCAKE-42-123456-abc123",
+			"currency": "USD",
+			"amount": "29.00",
+			"orderMetadata": {
+				"trade_no": "WAFFO_PANCAKE-42-123456-abc123",
+				"user_id": 99,
+				"payment_method": "waffo_pancake",
+				"stored_amount": 10,
+				"money": "29.00",
+				"currency": "USD",
+				"store_id": "store_123",
+				"product_id": "product_456",
+				"mode": "test"
+			}
+		}
+	}`), &event))
+
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&event)
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+}
+
+func TestResolveWaffoPancakeTradeNo_RejectsWebhookWithoutMetadata(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	topUp := &model.TopUp{
+		UserId:        42,
+		Amount:        10,
+		Money:         29,
+		TradeNo:       "WAFFO_PANCAKE-42-123456-abc123",
+		PaymentMethod: model.PaymentMethodWaffoPancake,
+		CreateTime:    time.Now().Unix(),
+		Status:        common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(topUp).Error)
+
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&waffoPancakeWebhookEvent{
+		Data: waffoPancakeWebhookData{
+			OrderID: "WAFFO_PANCAKE-42-123456-abc123",
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
 }
 
-func TestResolveWaffoPancakeTradeNo_FailsWhenWebhookOrderIDIsUnknown(t *testing.T) {
+func TestResolveWaffoPancakeTradeNo_FailsWhenMetadataTradeNoIsUnknown(t *testing.T) {
 	db := setupWaffoPancakeTestDB(t)
 
 	user := &model.User{
@@ -102,10 +215,24 @@ func TestResolveWaffoPancakeTradeNo_FailsWhenWebhookOrderIDIsUnknown(t *testing.
 	require.NoError(t, db.Create(topUp).Error)
 
 	tradeNo, err := ResolveWaffoPancakeTradeNo(&waffoPancakeWebhookEvent{
+		StoreID: "store_123",
+		Mode:    "test",
 		Data: waffoPancakeWebhookData{
-			OrderID:    "ORD_unknown",
+			OrderID:    "ORD_remote_123",
 			BuyerEmail: user.Email,
+			Currency:   "USD",
 			Amount:     "29.00",
+			OrderMetadata: WaffoPancakeOrderMetadata{
+				TradeNo:       "WAFFO_PANCAKE-42-unknown",
+				UserID:        42,
+				PaymentMethod: model.PaymentMethodWaffoPancake,
+				StoredAmount:  int64(10),
+				Money:         "29.00",
+				Currency:      "USD",
+				StoreID:       "store_123",
+				ProductID:     "product_456",
+				Mode:          "test",
+			},
 		},
 	})
 	require.Error(t, err)
@@ -155,3 +282,162 @@ func TestResolveWaffoPancakeWebhookEnvironment(t *testing.T) {
 		})
 	}
 }
+
+func TestVerifyConfiguredWaffoPancakeWebhook_VerifiesXWaffoSignature(t *testing.T) {
+	privateKey, publicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = publicKey
+
+	payload := testWaffoPancakeWebhookPayload()
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, strconv.FormatInt(time.Now().UnixMilli(), 10))
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(payload, signature)
+	require.NoError(t, err)
+	require.NotNil(t, event)
+	require.Equal(t, "order.completed", event.EventType)
+	require.Equal(t, "WAFFO_PANCAKE-42-123456-abc123", event.Data.OrderMetadata.TradeNo)
+}
+
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsMissingSignature(t *testing.T) {
+	_, publicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = publicKey
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(testWaffoPancakeWebhookPayload(), "")
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "missing X-Waffo-Signature header")
+}
+
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsTamperedPayload(t *testing.T) {
+	privateKey, publicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = publicKey
+
+	payload := testWaffoPancakeWebhookPayload()
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, strconv.FormatInt(time.Now().UnixMilli(), 10))
+	tamperedPayload := strings.Replace(payload, "WAFFO_PANCAKE-42-123456-abc123", "WAFFO_PANCAKE-42-tampered", 1)
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(tamperedPayload, signature)
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "invalid webhook signature")
+}
+
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsWrongWebhookPublicKey(t *testing.T) {
+	privateKey, _ := generateWaffoPancakeWebhookKeyPair(t)
+	_, wrongPublicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = wrongPublicKey
+
+	payload := testWaffoPancakeWebhookPayload()
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, strconv.FormatInt(time.Now().UnixMilli(), 10))
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(payload, signature)
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "invalid webhook signature")
+}
+
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsInvalidWebhookPublicKey(t *testing.T) {
+	privateKey, _ := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = "not-a-public-key"
+
+	payload := testWaffoPancakeWebhookPayload()
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, strconv.FormatInt(time.Now().UnixMilli(), 10))
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(payload, signature)
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "invalid webhook signature")
+}
+
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsExpiredTimestamp(t *testing.T) {
+	privateKey, publicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookPublicKey = publicKey
+
+	payload := testWaffoPancakeWebhookPayload()
+	oldTimestamp := strconv.FormatInt(time.Now().Add(-waffoPancakeDefaultTolerance-time.Minute).UnixMilli(), 10)
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, oldTimestamp)
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(payload, signature)
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "webhook timestamp outside tolerance window")
+}
+
+func generateWaffoPancakeWebhookKeyPair(t *testing.T) (*rsa.PrivateKey, string) {
+	t.Helper()
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	publicKeyDER, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	require.NoError(t, err)
+
+	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyDER,
+	})
+	require.NotEmpty(t, publicKeyPEM)
+
+	return privateKey, string(publicKeyPEM)
+}
+
+func signWaffoPancakeWebhookPayload(t *testing.T, payload string, privateKey *rsa.PrivateKey, timestamp string) string {
+	t.Helper()
+
+	signatureInput := fmt.Sprintf("%s.%s", timestamp, payload)
+	digest := sha256.Sum256([]byte(signatureInput))
+	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, crypto.SHA256, digest[:])
+	require.NoError(t, err)
+
+	return fmt.Sprintf("t=%s,v1=%s", timestamp, base64.StdEncoding.EncodeToString(signature))
+}
+
+func restoreWaffoPancakeWebhookSettings(t *testing.T) {
+	t.Helper()
+
+	originalSandbox := setting.WaffoPancakeSandbox
+	originalWebhookPublicKey := setting.WaffoPancakeWebhookPublicKey
+	originalWebhookTestKey := setting.WaffoPancakeWebhookTestKey
+	t.Cleanup(func() {
+		setting.WaffoPancakeSandbox = originalSandbox
+		setting.WaffoPancakeWebhookPublicKey = originalWebhookPublicKey
+		setting.WaffoPancakeWebhookTestKey = originalWebhookTestKey
+	})
+}
+
+func testWaffoPancakeWebhookPayload() string {
+	return `{
+		"id": "evt_123",
+		"eventType": "order.completed",
+		"storeId": "store_123",
+		"mode": "prod",
+		"data": {
+			"orderId": "ORD_remote_123",
+			"currency": "USD",
+			"amount": "29.00",
+			"orderMetadata": {
+				"trade_no": "WAFFO_PANCAKE-42-123456-abc123",
+				"user_id": 42,
+				"payment_method": "waffo_pancake",
+				"requested_amount": 10,
+				"stored_amount": 10,
+				"money": "29.00",
+				"currency": "USD",
+				"store_id": "store_123",
+				"product_id": "product_456",
+				"mode": "prod"
+			}
+		}
+	}`
+}
diff --git a/web/src/components/settings/PaymentSetting.jsx b/web/src/components/settings/PaymentSetting.jsx
index 080c3e6e0ba..10db23f2945 100644
--- a/web/src/components/settings/PaymentSetting.jsx
+++ b/web/src/components/settings/PaymentSetting.jsx
@@ -198,13 +198,16 @@ const PaymentSetting = () => {
                 hideSectionTitle
               />
             </Tabs.TabPane>
-            {/*<Tabs.TabPane tab={t('Waffo Pancake 设置')} itemKey='waffo-pancake'>*/}
-            {/*  <SettingsPaymentGatewayWaffoPancake*/}
-            {/*    options={inputs}*/}
-            {/*    refresh={onRefresh}*/}
-            {/*    hideSectionTitle*/}
-            {/*  />*/}
-            {/*</Tabs.TabPane>*/}
+            <Tabs.TabPane
+              tab={t('Waffo Pancake 设置')}
+              itemKey='waffo-pancake'
+            >
+              <SettingsPaymentGatewayWaffoPancake
+                options={inputs}
+                refresh={onRefresh}
+                hideSectionTitle
+              />
+            </Tabs.TabPane>
           </Tabs>
         </Card>
       </Spin>

From 728c9376fa01ca1a4d1bd5e66b0a51be08835c4a Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Thu, 23 Apr 2026 10:49:33 +0800
Subject: [PATCH 2/6] fix(payment): add audit info for Waffo Pancake topups

---
 controller/topup_waffo_pancake.go  |  2 +-
 model/payment_method_guard_test.go | 27 ++++++++++++++++++++++++++-
 model/topup.go                     |  4 ++--
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/controller/topup_waffo_pancake.go b/controller/topup_waffo_pancake.go
index 678e3a5f7d3..6a6165c3950 100644
--- a/controller/topup_waffo_pancake.go
+++ b/controller/topup_waffo_pancake.go
@@ -260,7 +260,7 @@ func WaffoPancakeWebhook(c *gin.Context) {
 	LockOrder(tradeNo)
 	defer UnlockOrder(tradeNo)
 
-	if err := model.RechargeWaffoPancake(tradeNo); err != nil {
+	if err := model.RechargeWaffoPancake(tradeNo, c.ClientIP()); err != nil {
 		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 充值处理失败 trade_no=%s event_id=%s order_id=%s client_ip=%s error=%q", tradeNo, event.ID, event.Data.OrderID, c.ClientIP(), err.Error()))
 		c.String(http.StatusInternalServerError, "retry")
 		return
diff --git a/model/payment_method_guard_test.go b/model/payment_method_guard_test.go
index 9bc292444fe..8824298c287 100644
--- a/model/payment_method_guard_test.go
+++ b/model/payment_method_guard_test.go
@@ -91,7 +91,7 @@ func TestRechargeWaffoPancake_RejectsMismatchedPaymentMethod(t *testing.T) {
 	insertUserForPaymentGuardTest(t, 101, 0)
 	insertTopUpForPaymentGuardTest(t, "waffo-pancake-guard", 101, PaymentMethodStripe)
 
-	err := RechargeWaffoPancake("waffo-pancake-guard")
+	err := RechargeWaffoPancake("waffo-pancake-guard", "203.0.113.10")
 	require.Error(t, err)
 
 	topUp := GetTopUpByTradeNo("waffo-pancake-guard")
@@ -100,6 +100,31 @@ func TestRechargeWaffoPancake_RejectsMismatchedPaymentMethod(t *testing.T) {
 	assert.Equal(t, 0, getUserQuotaForPaymentGuardTest(t, 101))
 }
 
+func TestRechargeWaffoPancake_RecordsTopupAuditInfo(t *testing.T) {
+	truncateTables(t)
+
+	insertUserForPaymentGuardTest(t, 102, 0)
+	insertTopUpForPaymentGuardTest(t, "waffo-pancake-audit", 102, PaymentMethodWaffoPancake)
+
+	err := RechargeWaffoPancake("waffo-pancake-audit", "203.0.113.11")
+	require.NoError(t, err)
+
+	var log Log
+	require.NoError(t, LOG_DB.Where("user_id = ? AND type = ?", 102, LogTypeTopup).First(&log).Error)
+	assert.Equal(t, "203.0.113.11", log.Ip)
+
+	var other map[string]any
+	require.NoError(t, common.Unmarshal([]byte(log.Other), &other))
+	adminInfo, ok := other["admin_info"].(map[string]any)
+	require.True(t, ok)
+	assert.Equal(t, "203.0.113.11", adminInfo["caller_ip"])
+	assert.Equal(t, PaymentMethodWaffoPancake, adminInfo["payment_method"])
+	assert.Equal(t, PaymentMethodWaffoPancake, adminInfo["callback_payment_method"])
+	assert.NotEmpty(t, adminInfo["server_ip"])
+	assert.NotNil(t, adminInfo["node_name"])
+	assert.NotEmpty(t, adminInfo["version"])
+}
+
 func TestUpdatePendingTopUpStatus_RejectsMismatchedPaymentMethod(t *testing.T) {
 	testCases := []struct {
 		name                  string
diff --git a/model/topup.go b/model/topup.go
index c1ac663f759..669d739eb5e 100644
--- a/model/topup.go
+++ b/model/topup.go
@@ -516,7 +516,7 @@ func RechargeWaffo(tradeNo string, callerIp string) (err error) {
 	return nil
 }
 
-func RechargeWaffoPancake(tradeNo string) (err error) {
+func RechargeWaffoPancake(tradeNo string, callerIp string) (err error) {
 	if tradeNo == "" {
 		return errors.New("未提供支付单号")
 	}
@@ -571,7 +571,7 @@ func RechargeWaffoPancake(tradeNo string) (err error) {
 	}
 
 	if quotaToAdd > 0 {
-		RecordLog(topUp.UserId, LogTypeTopup, fmt.Sprintf("Waffo Pancake充值成功，充值额度: %v，支付金额: %.2f", logger.FormatQuota(quotaToAdd), topUp.Money))
+		RecordTopupLog(topUp.UserId, fmt.Sprintf("Waffo Pancake充值成功，充值额度: %v，支付金额: %.2f", logger.FormatQuota(quotaToAdd), topUp.Money), callerIp, topUp.PaymentMethod, PaymentMethodWaffoPancake)
 	}
 
 	return nil

From b2eeb0e85ad7418ab389b37a6b275db73d11541c Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Thu, 23 Apr 2026 10:51:57 +0800
Subject: [PATCH 3/6] chore(ui): use Waffo Pancake logo for topup option

---
 web/public/waffo-pancake-logo.svg         | 21 +++++++++++++++++++++
 web/src/components/topup/RechargeCard.jsx | 16 +++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 web/public/waffo-pancake-logo.svg

diff --git a/web/public/waffo-pancake-logo.svg b/web/public/waffo-pancake-logo.svg
new file mode 100644
index 00000000000..3d26e1114fa
--- /dev/null
+++ b/web/public/waffo-pancake-logo.svg
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" width="109" height="32" viewBox="0 0 109 32" fill="none">
+<path d="M103.656 29.1768C100.642 29.1768 98.5134 27.1728 98.5134 24.1934V24.158C98.5134 21.3559 100.517 19.1391 103.355 19.1391C106.671 19.1391 108.196 21.5687 108.196 24.3885C108.196 24.6013 108.196 24.8496 108.179 25.0802H101.759C102.025 26.1265 102.787 26.6585 103.834 26.6585C104.304 26.6585 104.719 26.5538 105.122 26.3297C105.651 26.036 106.315 25.9756 106.78 26.3611L107.824 27.226C106.902 28.3965 105.572 29.1768 103.656 29.1768ZM101.706 23.3599H105.04C104.916 22.2958 104.295 21.6219 103.373 21.6219C102.486 21.6219 101.883 22.3136 101.706 23.3599Z" fill="white"/>
+<path d="M89.937 28.9462C89.284 28.9462 88.7547 28.4169 88.7547 27.7639V16H92.1243V22.5618L94.7313 19.3518H98.5442L95.2101 23.2002L98.6329 28.9462H94.9263L92.9933 25.6831L92.1243 26.694V28.9462H89.937Z" fill="white"/>
+<path d="M72.6697 29.1767C69.779 29.1767 67.6508 26.9067 67.6508 24.1933V24.1578C67.6508 21.4444 69.7612 19.1566 72.7938 19.1566C74.7624 19.1566 76.0747 20.0079 76.8905 21.3025L74.6028 23.0051C74.1417 22.3666 73.6274 21.9942 72.8116 21.9942C71.7298 21.9942 70.9317 22.9518 70.9317 24.1223V24.1578C70.9317 25.3992 71.712 26.3392 72.8471 26.3392C73.2519 26.3392 73.5838 26.2433 73.882 26.0678C74.4125 25.7555 75.0752 25.624 75.5737 25.9851L76.9437 26.9776C76.057 28.29 74.7801 29.1767 72.6697 29.1767Z" fill="white"/>
+<path d="M57.9836 28.9463C57.3307 28.9463 56.8013 28.417 56.8013 27.764V19.3519H60.1709V20.6997C60.7916 19.9017 61.6783 19.1391 63.0439 19.1391C65.0834 19.1391 66.3071 20.4869 66.3071 22.6683V28.9463H64.1198C63.4668 28.9463 62.9375 28.417 62.9375 27.764V23.7501C62.9375 22.7037 62.3877 22.1362 61.5897 22.1362C60.7739 22.1362 60.1709 22.7037 60.1709 23.7501V28.9463H57.9836Z" fill="white"/>
+<path d="M35.38 31.7838C34.7283 31.7838 34.2 31.2555 34.2 30.6038V19.3519H37.5696V20.6288C38.2258 19.8307 39.0416 19.1391 40.4781 19.1391C42.7658 19.1391 44.7344 21.0367 44.7344 24.1048V24.1402C44.7344 27.2615 42.7658 29.1591 40.4958 29.1591C39.0416 29.1591 38.1903 28.5029 37.5696 27.7758V31.7838H35.38ZM39.4494 26.3393C40.549 26.3393 41.418 25.4526 41.418 24.158V24.1225C41.418 22.8633 40.549 21.9589 39.4494 21.9589C38.3676 21.9589 37.4986 22.8633 37.4986 24.1225V24.158C37.4986 25.4348 38.3676 26.3393 39.4494 26.3393Z" fill="white"/>
+<path d="M43.1937 12.7064L41.6413 7.58816L40.5088 3.85839C40.3538 3.34878 39.8833 3.00042 39.3497 3.00042H34.9525C34.448 3.00042 34.0874 3.48541 34.2325 3.96548L36.5556 11.6232C36.8588 12.6209 37.7813 13.3034 38.8267 13.3034H42.7497C43.0609 13.3028 43.2838 13.0037 43.1937 12.7064ZM37.9227 5.6605C37.5695 5.75774 37.1805 5.47032 37.0545 5.01794C36.9285 4.56557 37.1138 4.11874 37.467 4.02149C37.8202 3.92425 38.208 4.21167 38.3333 4.66405C38.4593 5.11765 38.2759 5.56325 37.9227 5.6605Z" fill="white"/>
+<path d="M43.3207 13.0869C43.1747 13.2212 42.9823 13.3027 42.7739 13.3027H42.7485C43.0602 13.3026 43.2838 13.0038 43.1938 12.706L41.6411 7.58788L41.6469 7.56738L43.3207 13.0869ZM46.4995 2.99999L44.767 8.71386V8.71484L43.5893 12.5928L41.8559 6.8789L42.7719 3.85839C42.9269 3.34889 43.3977 3.00014 43.9311 2.99999H46.4995Z" fill="white"/>
+<path d="M52.7499 3.00145L49.6249 13.3042H47.0576C46.5241 13.3042 46.0534 12.956 45.8984 12.4458L44.9736 9.39793L46.7021 3.66942L47.8925 7.58934L49.2841 3.00145H52.7499Z" fill="white"/>
+<path d="M68.7692 2.44829C69.2954 2.44113 69.7154 2.51391 70.1372 2.64277V0.267259C69.5869 0.107381 68.9261 0 67.8613 0C66.6854 0 65.8782 0.248766 65.2717 0.833993C64.6844 1.40132 64.4287 2.21682 64.4287 3.31688V3.52985H63.2725V5.22946C63.2725 5.74966 63.7086 6.17203 64.2483 6.17203H64.4287V12.1275C64.4287 12.6477 64.8647 13.0701 65.4045 13.0701H67.8978V6.17262H70.1187V3.58295H67.8416V3.35268C67.8434 2.85693 68.2579 2.45425 68.7692 2.44829Z" fill="white"/>
+<path d="M76.1855 2.44829C76.7117 2.44113 77.1335 2.51391 77.5535 2.64277V0.267259C77.0032 0.107381 76.3424 0 75.2776 0C74.1017 0 73.2945 0.248766 72.6898 0.833993C72.1013 1.40132 71.8456 2.21682 71.8456 3.31688V3.52985H70.6876V5.22946C70.6876 5.74966 71.1254 6.17203 71.6634 6.17203H71.8456V12.1275C71.8456 12.6477 72.2816 13.0701 72.8202 13.0701H75.3147V6.17262H77.5362V3.58295H75.2603V3.35268C75.2597 2.85693 75.6741 2.45425 76.1855 2.44829Z" fill="white"/>
+<path d="M83.2633 3.26431C80.069 3.26431 77.7548 5.55153 77.7548 8.28259V8.31838C77.7548 11.0494 80.0499 13.3009 83.2268 13.3009C86.4211 13.3009 88.734 11.0136 88.734 8.28259V8.2468C88.734 5.51514 86.4384 3.26431 83.2633 3.26431ZM85.3366 8.31779C85.3366 9.47034 84.5294 10.4445 83.2633 10.4445C82.033 10.4445 81.1517 9.45185 81.1517 8.28199V8.2462C81.1517 7.09364 81.9589 6.11767 83.2262 6.11767C84.4565 6.11767 85.3366 7.11035 85.3366 8.28199V8.31779Z" fill="white"/>
+<path d="M61.3503 4.47833C60.5604 3.71533 59.3493 3.30847 57.5675 3.30847C55.861 3.30847 54.6672 3.60854 53.5481 4.05298L53.9798 5.48592C54.1292 5.98584 54.669 6.26324 55.1897 6.12603C55.7486 5.97868 56.3242 5.89755 56.9999 5.89755C58.3395 5.89755 58.983 6.46607 58.983 7.45756V7.61923C58.4136 7.42236 57.5131 7.24637 56.596 7.24637C54.2639 7.24637 52.7038 8.27485 52.7038 10.2602V10.296C52.7038 12.2116 54.1533 13.2573 56.0444 13.2573C57.3488 13.2573 58.2851 12.7789 58.9639 12.0517V12.1018C58.9639 12.6232 59.4018 13.0444 59.9397 13.0444H62.4151V7.52914C62.4151 6.18092 62.1032 5.18824 61.3503 4.47833ZM58.0937 10.9904C58.0195 11.0059 57.943 11.0131 57.8627 11.0131C57.2241 11.0131 56.7065 10.5131 56.7065 9.89749C56.7065 9.45484 56.9758 9.07185 57.3618 8.89169C57.5143 8.8201 57.6842 8.78013 57.8633 8.78013C58.0998 8.78013 58.3216 8.84993 58.5038 8.96865C58.7761 9.14463 58.9651 9.4274 59.0083 9.75551C59.0145 9.80264 59.0188 9.84858 59.0188 9.8969C59.0182 10.438 58.6217 10.8878 58.0937 10.9904Z" fill="white"/>
+<path d="M54.3562 20.4212C53.5663 19.6582 52.3551 19.2513 50.5733 19.2513C48.8669 19.2513 47.673 19.5514 46.5539 19.9958L46.9856 21.4288C47.1351 21.9287 47.6749 22.2061 48.1955 22.0689C48.7545 21.9215 49.3301 21.8404 50.0057 21.8404C51.3453 21.8404 51.9889 22.4089 51.9889 23.4004V23.5621C51.4194 23.3652 50.519 23.1892 49.6018 23.1892C47.2697 23.1892 45.7097 24.2177 45.7097 26.203V26.2388C45.7097 28.1544 47.1592 29.2002 49.0503 29.2002C50.3547 29.2002 51.291 28.7217 51.9697 27.9945V28.0446C51.9697 28.566 52.4076 28.9872 52.9456 28.9872H55.4209V23.472C55.4209 22.1238 55.109 21.1311 54.3562 20.4212ZM51.0995 26.9332C51.0254 26.9487 50.9488 26.9559 50.8685 26.9559C50.2299 26.9559 49.7124 26.456 49.7124 25.8403C49.7124 25.3977 49.9817 25.0147 50.3677 24.8345C50.5202 24.7629 50.69 24.723 50.8692 24.723C51.1057 24.723 51.3274 24.7928 51.5096 24.9115C51.782 25.0875 51.971 25.3702 52.0142 25.6984C52.0204 25.7455 52.0247 25.7914 52.0247 25.8397C52.0241 26.3808 51.6276 26.8306 51.0995 26.9332Z" fill="white"/>
+<path d="M86.2783 20.4212C85.4884 19.6582 84.2772 19.2513 82.4954 19.2513C80.789 19.2513 79.5952 19.5514 78.476 19.9958L78.9078 21.4288C79.0572 21.9287 79.597 22.2061 80.1176 22.0689C80.6766 21.9215 81.2522 21.8404 81.9279 21.8404C83.2674 21.8404 83.911 22.4089 83.911 23.4004V23.5621C83.3416 23.3652 82.4411 23.1892 81.5239 23.1892C79.1919 23.1892 77.6318 24.2177 77.6318 26.203V26.2388C77.6318 28.1544 79.0813 29.2002 80.9724 29.2002C82.2768 29.2002 83.2131 28.7217 83.8919 27.9945V28.0446C83.8919 28.566 84.3297 28.9872 84.8677 28.9872H87.343V23.472C87.343 22.1238 87.0312 21.1311 86.2783 20.4212ZM83.0216 26.9332C82.9475 26.9487 82.8709 26.9559 82.7907 26.9559C82.152 26.9559 81.6345 26.456 81.6345 25.8403C81.6345 25.3977 81.9038 25.0147 82.2898 24.8345C82.4423 24.7629 82.6122 24.723 82.7913 24.723C83.0278 24.723 83.2495 24.7928 83.4317 24.9115C83.7041 25.0875 83.8931 25.3702 83.9363 25.6984C83.9425 25.7455 83.9468 25.7914 83.9468 25.8397C83.9462 26.3808 83.5497 26.8306 83.0216 26.9332Z" fill="white"/>
+<rect y="3" width="26.2" height="26.2" rx="6.04615" fill="white"/>
+<path d="M12.8096 20.7582L11.2233 15.5283L10.0661 11.7171C9.90774 11.1964 9.42695 10.8405 8.88179 10.8405H4.38868C3.87318 10.8405 3.50469 11.336 3.65297 11.8266L6.02667 19.6513C6.33647 20.6707 7.27913 21.3682 8.34736 21.3682H12.3559C12.6739 21.3676 12.9017 21.0619 12.8096 20.7582ZM7.42363 13.5586C7.06271 13.6579 6.6652 13.3642 6.53649 12.902C6.40777 12.4397 6.59706 11.9832 6.95797 11.8838C7.31889 11.7844 7.71513 12.0781 7.84322 12.5404C7.97194 13.0039 7.78454 13.4592 7.42363 13.5586Z" fill="black"/>
+<path d="M12.9399 21.1467C12.7905 21.2842 12.5936 21.3674 12.3803 21.3674H12.3549C12.6733 21.3671 12.901 21.0622 12.809 20.758L11.2231 15.5276L11.2289 15.5071L12.9399 21.1467ZM16.1879 10.8401L14.4174 16.6789V16.6799L13.1723 20.7824C13.151 20.8523 13.1178 20.9159 13.0805 20.9758L11.3256 15.1887L12.3793 11.717C12.5377 11.1964 13.018 10.8403 13.5629 10.8401H16.1879Z" fill="black"/>
+<path d="M22.575 10.8415L19.3816 21.3689H16.7576C16.2124 21.3689 15.7314 21.0132 15.573 20.4919L14.5115 16.9919L16.2771 11.1394L17.6111 15.529L19.033 10.8415H22.575Z" fill="black"/>
+</svg>
\ No newline at end of file
diff --git a/web/src/components/topup/RechargeCard.jsx b/web/src/components/topup/RechargeCard.jsx
index 1e2923cafc1..04928567aff 100644
--- a/web/src/components/topup/RechargeCard.jsx
+++ b/web/src/components/topup/RechargeCard.jsx
@@ -51,6 +51,7 @@ import { getCurrencyConfig } from '../../helpers/render';
 import SubscriptionPlansCard from './SubscriptionPlansCard';
 
 const { Text } = Typography;
+const WAFFO_PANCAKE_LOGO = '/waffo-pancake-logo.svg';
 
 const RechargeCard = ({
   t,
@@ -343,6 +344,16 @@ const RechargeCard = ({
                                     <SiWechat size={18} color='#07C160' />
                                   ) : payMethod.type === 'stripe' ? (
                                     <SiStripe size={18} color='#635BFF' />
+                                  ) : payMethod.type === 'waffo_pancake' ? (
+                                    <img
+                                      src={WAFFO_PANCAKE_LOGO}
+                                      alt='Waffo Pancake'
+                                      style={{
+                                        width: 18,
+                                        height: 18,
+                                        objectFit: 'contain',
+                                      }}
+                                    />
                                   ) : payMethod.icon ? (
                                     <img
                                       src={payMethod.icon}
@@ -353,11 +364,6 @@ const RechargeCard = ({
                                         objectFit: 'contain',
                                       }}
                                     />
-                                  ) : payMethod.type === 'waffo_pancake' ? (
-                                    <CreditCard
-                                      size={18}
-                                      color='var(--semi-color-primary)'
-                                    />
                                   ) : (
                                     <CreditCard
                                       size={18}

From 5518562bad3707267201c9353b7a684b5e06bb2f Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Thu, 23 Apr 2026 11:01:41 +0800
Subject: [PATCH 4/6] fix(ui): enlarge Waffo Pancake topup icon

---
 web/src/components/topup/RechargeCard.jsx | 35 +++++++++++++++++------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/web/src/components/topup/RechargeCard.jsx b/web/src/components/topup/RechargeCard.jsx
index 04928567aff..8cfa2047b94 100644
--- a/web/src/components/topup/RechargeCard.jsx
+++ b/web/src/components/topup/RechargeCard.jsx
@@ -52,6 +52,22 @@ import SubscriptionPlansCard from './SubscriptionPlansCard';
 
 const { Text } = Typography;
 const WAFFO_PANCAKE_LOGO = '/waffo-pancake-logo.svg';
+const WAFFO_PANCAKE_ICON_BOX_STYLE = {
+  display: 'inline-flex',
+  width: 18,
+  height: 18,
+  overflow: 'hidden',
+  alignItems: 'center',
+  justifyContent: 'flex-start',
+  flex: '0 0 18px',
+};
+const WAFFO_PANCAKE_ICON_IMAGE_STYLE = {
+  display: 'block',
+  height: 22,
+  width: 'auto',
+  maxWidth: 'none',
+  transform: 'translateY(-2px)',
+};
 
 const RechargeCard = ({
   t,
@@ -345,15 +361,16 @@ const RechargeCard = ({
                                   ) : payMethod.type === 'stripe' ? (
                                     <SiStripe size={18} color='#635BFF' />
                                   ) : payMethod.type === 'waffo_pancake' ? (
-                                    <img
-                                      src={WAFFO_PANCAKE_LOGO}
-                                      alt='Waffo Pancake'
-                                      style={{
-                                        width: 18,
-                                        height: 18,
-                                        objectFit: 'contain',
-                                      }}
-                                    />
+                                    <span style={WAFFO_PANCAKE_ICON_BOX_STYLE}>
+                                      <img
+                                        src={WAFFO_PANCAKE_LOGO}
+                                        alt=''
+                                        aria-hidden='true'
+                                        style={
+                                          WAFFO_PANCAKE_ICON_IMAGE_STYLE
+                                        }
+                                      />
+                                    </span>
                                   ) : payMethod.icon ? (
                                     <img
                                       src={payMethod.icon}

From ea93c4dcfacc621f3bf5cc7420e9829a061f3764 Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Thu, 23 Apr 2026 11:04:18 +0800
Subject: [PATCH 5/6] fix(payment): enforce Waffo Pancake webhook mode

---
 service/waffo_pancake.go      | 10 ++++++++++
 service/waffo_pancake_test.go | 15 +++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/service/waffo_pancake.go b/service/waffo_pancake.go
index 6faf6101e89..6e189274059 100644
--- a/service/waffo_pancake.go
+++ b/service/waffo_pancake.go
@@ -172,6 +172,9 @@ func CreateWaffoPancakeCheckoutSession(ctx context.Context, params *WaffoPancake
 
 func VerifyConfiguredWaffoPancakeWebhook(payload string, signatureHeader string) (*waffoPancakeWebhookEvent, error) {
 	environment := resolveWaffoPancakeWebhookEnvironment(payload)
+	if !isWaffoPancakeWebhookEnvironmentAllowed(environment) {
+		return nil, fmt.Errorf("webhook environment mismatch")
+	}
 	return verifyWaffoPancakeWebhook(payload, signatureHeader, environment)
 }
 
@@ -376,6 +379,13 @@ func resolveWaffoPancakeWebhookPublicKey(environment string) string {
 	return strings.TrimSpace(setting.WaffoPancakeWebhookTestKey)
 }
 
+func isWaffoPancakeWebhookEnvironmentAllowed(environment string) bool {
+	if setting.WaffoPancakeSandbox {
+		return environment == "test"
+	}
+	return environment == "prod"
+}
+
 func verifyWaffoPancakeWebhookWithKey(signatureInput string, signaturePart string, rawPublicKey string) error {
 	publicKeyPEM, err := normalizeRSAPublicKey(rawPublicKey)
 	if err != nil {
diff --git a/service/waffo_pancake_test.go b/service/waffo_pancake_test.go
index 47e1007f389..6f798ef2662 100644
--- a/service/waffo_pancake_test.go
+++ b/service/waffo_pancake_test.go
@@ -374,6 +374,21 @@ func TestVerifyConfiguredWaffoPancakeWebhook_RejectsExpiredTimestamp(t *testing.
 	require.Contains(t, err.Error(), "webhook timestamp outside tolerance window")
 }
 
+func TestVerifyConfiguredWaffoPancakeWebhook_RejectsSandboxModeMismatch(t *testing.T) {
+	privateKey, publicKey := generateWaffoPancakeWebhookKeyPair(t)
+	restoreWaffoPancakeWebhookSettings(t)
+	setting.WaffoPancakeSandbox = false
+	setting.WaffoPancakeWebhookTestKey = publicKey
+
+	payload := strings.Replace(testWaffoPancakeWebhookPayload(), `"mode": "prod"`, `"mode": "test"`, 2)
+	signature := signWaffoPancakeWebhookPayload(t, payload, privateKey, strconv.FormatInt(time.Now().UnixMilli(), 10))
+
+	event, err := VerifyConfiguredWaffoPancakeWebhook(payload, signature)
+	require.Error(t, err)
+	require.Nil(t, event)
+	require.Contains(t, err.Error(), "webhook environment mismatch")
+}
+
 func generateWaffoPancakeWebhookKeyPair(t *testing.T) (*rsa.PrivateKey, string) {
 	t.Helper()
 

From 14fa7cd0b8f20208593b58491f933d77105afac6 Mon Sep 17 00:00:00 2001
From: Seefs <i@seefs.me>
Date: Sat, 16 May 2026 15:22:25 +0800
Subject: [PATCH 6/6] fix(web): lock Waffo settings behind compliance
 confirmation

---
 .../integrations/payment-settings-section.tsx   | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/web/default/src/features/system-settings/integrations/payment-settings-section.tsx b/web/default/src/features/system-settings/integrations/payment-settings-section.tsx
index e53721f0657..1e1636491f7 100644
--- a/web/default/src/features/system-settings/integrations/payment-settings-section.tsx
+++ b/web/default/src/features/system-settings/integrations/payment-settings-section.tsx
@@ -1468,11 +1468,18 @@ export function PaymentSettingsSection({
 
       <Separator />
 
-      <WaffoSettingsSection defaultValues={waffoDefaultValues} />
-
-      <Separator />
-
-      <WaffoPancakeSettingsSection defaultValues={waffoPancakeDefaultValues} />
+      <div
+        className={cn(!complianceConfirmed && 'pointer-events-none opacity-40')}
+        aria-disabled={!complianceConfirmed}
+      >
+        <WaffoSettingsSection defaultValues={waffoDefaultValues} />
+
+        <Separator />
+
+        <WaffoPancakeSettingsSection
+          defaultValues={waffoPancakeDefaultValues}
+        />
+      </div>
       {/* eslint-enable react-hooks/refs */}
     </SettingsSection>
   )