fix：prevent other team members from resuming enterprise auth tasks

Author: shortlight5980

packages/global/support/user/team/enterpriseAuth/type.ts

@@ -5,6 +5,8 @@ import { TeamEnterpriseAuthTaskStatusEnum } from './constant';
 export const EnterpriseAuthTaskSchema = z.object({
   _id: ObjectIdSchema,
   teamId: ObjectIdSchema,
+  userId: ObjectIdSchema.optional(),
+  tmbId: ObjectIdSchema.optional(),
   taskId: z.string(),
   status: z.enum(TeamEnterpriseAuthTaskStatusEnum),
   enterpriseName: z.string(),

packages/service/support/user/team/enterpriseAuth/common.ts

@@ -74,3 +74,29 @@ export const isEnterpriseAuthTimesExhausted = (usedTimes?: number) =>
 
 export const buildVerifiedEnterpriseName = (auth?: TeamEnterpriseAuthType | null) =>
   auth?.enterpriseName;
+
+/**
+ * 判断当前操作者是否为企业认证任务发起人。
+ *
+ * 历史任务可能没有操作者字段，为避免已在流程中的团队被升级阻断，缺失 tmbId 时保留旧任务可继续处理。
+ * 新任务都会写入 tmbId，其他团队成员访问时会被拦截为 processing。
+ */
+export const isEnterpriseAuthTaskOperator = ({
+  task,
+  operator
+}: {
+  task?: EnterpriseAuthTaskType | null;
+  operator: AuthOperator;
+}) => !task?.tmbId || task.tmbId.toString() === operator.tmbId;
+
+export const assertEnterpriseAuthTaskOperator = ({
+  task,
+  operator
+}: {
+  task?: EnterpriseAuthTaskType | null;
+  operator: AuthOperator;
+}) => {
+  if (!isEnterpriseAuthTaskOperator({ task, operator })) {
+    throw new Error(EnterpriseAuthErrEnum.processing);
+  }
+};

packages/service/support/user/team/enterpriseAuth/readModel.ts

@@ -8,9 +8,12 @@ import type {
 } from '@fastgpt/global/support/user/team/enterpriseAuth/type';
 import { serviceEnv } from '../../../../env';
 import {
+  assertEnterpriseAuthTaskOperator,
+  type AuthOperator,
   buildVerifiedEnterpriseName,
   enabledGuard,
   getDefaultAuthStatusRecord,
+  isEnterpriseAuthTaskOperator,
   pendingTaskStatuses,
   type EnterpriseAuthReadonlyStatusRecord
 } from './common';
@@ -86,9 +89,11 @@ const buildReadonlyAuthStatusRecord = (
  * 若认证服务 URL 未配置则直接返回 disabled；否则查询当前认证记录并推导展示态，不触发写库。
  */
 export const getEnterpriseAuthStatus = async ({
+  operator,
   teamId,
   canManage
 }: {
+  operator?: AuthOperator;
   teamId: string;
   canManage: boolean;
 }) => {
@@ -108,7 +113,11 @@ export const getEnterpriseAuthStatus = async ({
     usedTimes: record.usedTimes,
     canManage,
     verifiedEnterpriseName: record.verifiedEnterpriseName,
-    currentTask: buildLightTask(record),
+    currentTask:
+      !record.currentTask ||
+      (operator && isEnterpriseAuthTaskOperator({ task: record.currentTask, operator }))
+        ? buildLightTask(record)
+        : undefined,
     lastErrorCode: record.lastErrorCode,
     lastErrorMessage: record.lastErrorMessage
   };
@@ -118,13 +127,14 @@ export const getEnterpriseAuthStatus = async ({
  * 获取当前对公打款任务的敏感详情。
  * 仅在对公打款待确认阶段可调用，会先尝试过期超时任务；无有效任务时抛出 taskNotFound。
  */
-export const getEnterpriseAuthCurrentTaskDetail = async (teamId: string) => {
+export const getEnterpriseAuthCurrentTaskDetail = async (operator: AuthOperator) => {
   enabledGuard();
 
   const task =
-    (await expireCurrentTaskIfNeeded(teamId)) ||
-    (await MongoTeamEnterpriseAuthTask.findOne({ teamId }).lean());
+    (await expireCurrentTaskIfNeeded(operator.teamId)) ||
+    (await MongoTeamEnterpriseAuthTask.findOne({ teamId: operator.teamId }).lean());
   if (!task) throw new Error(EnterpriseAuthErrEnum.taskNotFound);
+  assertEnterpriseAuthTaskOperator({ task, operator });
 
   const terminalError = toTerminalTaskError(task);
   if (terminalError) throw new Error(terminalError);

packages/service/support/user/team/enterpriseAuth/schema.ts

@@ -47,6 +47,8 @@ const TeamEnterpriseAuthTaskSchema = new Schema({
     ref: TeamCollectionName,
     required: true
   },
+  userId: { type: Schema.Types.ObjectId },
+  tmbId: { type: Schema.Types.ObjectId },
   taskId: { type: String, required: true },
   status: {
     type: String,

packages/service/support/user/team/enterpriseAuth/startTask.ts

@@ -8,6 +8,8 @@ import {
   TeamEnterpriseAuthTaskStatusEnum
 } from '@fastgpt/global/support/user/team/enterpriseAuth/constant';
 import {
+  assertEnterpriseAuthTaskOperator,
+  type AuthOperator,
   createEnterpriseAuthTaskId,
   enabledGuard,
   isEnterpriseAuthTimesExhausted,
@@ -39,9 +41,11 @@ const getCurrentEnterpriseAuthTask = async (teamId: string) => {
 
 const checkStartPreconditions = async ({
   teamId,
+  operator,
   normalizedUnifiedCreditCode
 }: {
   teamId: string;
+  operator: AuthOperator;
   normalizedUnifiedCreditCode: string;
 }) => {
   await expireCurrentTaskIfNeeded(teamId);
@@ -57,6 +61,7 @@ const checkStartPreconditions = async ({
 
   const usedTimes = teamTask?.usedTimes ?? 0;
   if (currentTask) {
+    assertEnterpriseAuthTaskOperator({ task: currentTask, operator });
     return {
       restore: true as const,
       task: currentTask
@@ -98,9 +103,11 @@ const startingTaskCleanupUnset = {
 
 const buildStartConflictResponse = async ({
   teamId,
+  operator,
   normalizedUnifiedCreditCode
 }: {
   teamId: string;
+  operator: AuthOperator;
   normalizedUnifiedCreditCode: string;
 }) => {
   const [verifiedAfterPrecheck, currentTask, teamTask] = await Promise.all([
@@ -118,6 +125,7 @@ const buildStartConflictResponse = async ({
     throw new Error(EnterpriseAuthErrEnum.enterpriseOccupied);
   }
   if (currentTask) {
+    assertEnterpriseAuthTaskOperator({ task: currentTask, operator });
     return {
       status: TeamEnterpriseAuthStatusEnum.verifying,
       currentTask: buildLightTask({ currentTask }),
@@ -179,18 +187,23 @@ const markStartAsFailed = async ({
  * 发起企业认证。外部打款调用不放进 Mongo 事务，抢到本地 starting 任务后再调用服务。
  */
 export const startEnterpriseAuth = async ({
-  teamId,
+  operator,
   data
 }: {
-  teamId: string;
+  operator: AuthOperator;
   data: StartEnterpriseAuthBodyType;
 }) => {
   enabledGuard();
   serviceConfigGuard();
 
+  const { teamId } = operator;
   const normalizedUnifiedCreditCode = normalizeUnifiedCreditCode(data.unifiedCreditCode);
   const bankAccount = normalizeBankAccount(data.bankAccount);
-  const precheck = await checkStartPreconditions({ teamId, normalizedUnifiedCreditCode });
+  const precheck = await checkStartPreconditions({
+    teamId,
+    operator,
+    normalizedUnifiedCreditCode
+  });
   if (precheck.restore) {
     return {
       status: TeamEnterpriseAuthStatusEnum.verifying,
@@ -205,6 +218,8 @@ export const startEnterpriseAuth = async ({
   const taskId = createEnterpriseAuthTaskId();
   const startingTask = {
     teamId: toObjectId(teamId),
+    userId: toObjectId(operator.userId),
+    tmbId: toObjectId(operator.tmbId),
     taskId,
     status: TeamEnterpriseAuthTaskStatusEnum.starting,
     enterpriseName: data.enterpriseName.trim(),
@@ -239,6 +254,7 @@ export const startEnterpriseAuth = async ({
     }
     const currentTask = await getCurrentEnterpriseAuthTask(teamId);
     if (currentTask) {
+      assertEnterpriseAuthTaskOperator({ task: currentTask, operator });
       return {
         status: TeamEnterpriseAuthStatusEnum.verifying,
         currentTask: buildLightTask({ currentTask }),
@@ -276,11 +292,11 @@ export const startEnterpriseAuth = async ({
       }
     ).lean();
     if (!claimedTask || claimedTask.taskId !== taskId) {
-      return await buildStartConflictResponse({ teamId, normalizedUnifiedCreditCode });
+      return await buildStartConflictResponse({ teamId, operator, normalizedUnifiedCreditCode });
     }
   } catch (error) {
     if (isMongoDuplicateKeyError(error)) {
-      return await buildStartConflictResponse({ teamId, normalizedUnifiedCreditCode });
+      return await buildStartConflictResponse({ teamId, operator, normalizedUnifiedCreditCode });
     }
     throw error;
   }

packages/service/support/user/team/enterpriseAuth/taskExpire.ts

@@ -3,7 +3,12 @@ import {
   TeamEnterpriseAuthTaskStatusEnum
 } from '@fastgpt/global/support/user/team/enterpriseAuth/constant';
 import { serviceEnv } from '../../../../env';
-import { enabledGuard, pendingTaskStatuses } from './common';
+import {
+  assertEnterpriseAuthTaskOperator,
+  type AuthOperator,
+  enabledGuard,
+  pendingTaskStatuses
+} from './common';
 import { MongoTeamEnterpriseAuthTask } from './schema';
 import { deriveExpiredTaskPatch, isPendingAmountTask } from './status';
 
@@ -168,17 +173,18 @@ export const expireCurrentTaskIfNeeded = async (teamId: string) => {
   return MongoTeamEnterpriseAuthTask.findOne({ teamId, taskId: task.taskId }).lean();
 };
 
-export const resetEnterpriseAuthTask = async (teamId: string) => {
+export const resetEnterpriseAuthTask = async (operator: AuthOperator) => {
   enabledGuard();
-  const task = await expireCurrentTaskIfNeeded(teamId);
+  const task = await expireCurrentTaskIfNeeded(operator.teamId);
   if (!task || !isPendingAmountTask(task)) {
     return;
   }
+  assertEnterpriseAuthTaskOperator({ task, operator });
 
   const now = new Date();
   await MongoTeamEnterpriseAuthTask.updateOne(
     {
-      teamId,
+      teamId: operator.teamId,
       taskId: task.taskId,
       status: {
         $in: [

packages/service/support/user/team/enterpriseAuth/transferClient.ts

@@ -74,6 +74,26 @@ const parseFenAmount = (amount: string | number | undefined) => {
   return num;
 };
 
+const parseFailedTransferResult = (
+  result: z.infer<typeof EnterpriseAuthTransferResponseSchema>['data'],
+  fallbackMessage?: string
+): EnterpriseAuthTransferResult => {
+  // 没有上游响应码时无法证明是企业信息校验失败，应按认证服务异常处理，避免误导用户反复修改表单。
+  if (!result?.respCode) {
+    return {
+      type: 'service_failed',
+      message: result?.respMsg || fallbackMessage
+    };
+  }
+
+  return {
+    type: 'info_failed',
+    message: result.respMsg || fallbackMessage,
+    transferRespCode: result.respCode,
+    transferRespMsg: result.respMsg
+  };
+};
+
 export const createEnterpriseAuthTransfer = async (
   data: Pick<
     StartEnterpriseAuthBodyType,
@@ -105,12 +125,7 @@ export const createEnterpriseAuthTransfer = async (
 
     const result = parsed.data.data;
     if (!result.isTransactionSuccess) {
-      return {
-        type: 'info_failed',
-        message: result.respMsg || parsed.data.message,
-        transferRespCode: result.respCode,
-        transferRespMsg: result.respMsg
-      };
+      return parseFailedTransferResult(result, parsed.data.message);
     }
 
     const amountFen = parseFenAmount(result.transAmt);

packages/service/support/user/team/enterpriseAuth/verifyAmount.ts

@@ -10,7 +10,7 @@ import {
 import { mongoSessionRun } from '../../../../common/mongo/sessionRun';
 import { getLogger, LogCategories } from '../../../../common/logger';
 import { clearTeamPlanCache } from '../../../wallet/sub/utils';
-import { enabledGuard, type AuthOperator } from './common';
+import { assertEnterpriseAuthTaskOperator, enabledGuard, type AuthOperator } from './common';
 import { MongoTeamEnterpriseAuth, MongoTeamEnterpriseAuthTask } from './schema';
 import { expireCurrentTaskIfNeeded } from './taskExpire';
 import { isPendingAmountTask, toTerminalTaskError } from './status';
@@ -198,6 +198,8 @@ export const verifyEnterpriseAuthAmount = async ({
     throw new Error(EnterpriseAuthErrEnum.taskNotFound);
   }
   if (task.taskId === data.taskId) {
+    assertEnterpriseAuthTaskOperator({ task, operator });
+
     const terminalError = toTerminalTaskError(task);
     if (terminalError) throw new Error(terminalError);