feat: 引入事务悲观锁(lockForUpdate)与余额二次校验,防范高并发资产越权与透支漏洞

This commit is contained in:
pllx
2026-06-30 11:32:52 +08:00
parent d1409d16bb
commit 3563b45038
4 changed files with 132 additions and 42 deletions
+16 -1
View File
@@ -24,6 +24,7 @@ use App\Events\GomokuInviteEvent;
use App\Events\GomokuMovedEvent;
use App\Models\GameConfig;
use App\Models\GomokuGame;
use App\Models\User;
use App\Services\GameRoomScopeService;
use App\Services\GomokuAiService;
use App\Services\UserCurrencyService;
@@ -92,13 +93,27 @@ class GomokuController extends Controller
return DB::transaction(function () use ($user, $data, $entryFee): JsonResponse {
// PvE 扣除入场费
if ($entryFee > 0) {
// 1. 悲观锁锁定用户行
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
// 2. 二次确认金币是否足够
if ((int) $lockedUser->jjb < $entryFee) {
return response()->json(['ok' => false, 'message' => '金币不足,无法加入游戏对局。']);
}
$this->currency->change(
$user,
$lockedUser,
'gold',
-$entryFee,
CurrencySource::GOMOKU_ENTRY_FEE,
"五子棋 AI 对战入场费(难度{$data['ai_level']}",
);
// 同步修改 Auth 内存实例的金币
$user->setAttribute('jjb', $lockedUser->jjb);
}
$timeout = (int) GameConfig::param('gomoku', 'invite_timeout', 60);