feat: 引入事务悲观锁(lockForUpdate)与余额二次校验,防范高并发资产越权与透支漏洞
This commit is contained in:
@@ -24,6 +24,7 @@ use App\Events\GomokuInviteEvent;
|
||||
use App\Events\GomokuMovedEvent;
|
||||
use App\Models\GameConfig;
|
||||
use App\Models\GomokuGame;
|
||||
use App\Models\User;
|
||||
use App\Services\GameRoomScopeService;
|
||||
use App\Services\GomokuAiService;
|
||||
use App\Services\UserCurrencyService;
|
||||
@@ -92,13 +93,27 @@ class GomokuController extends Controller
|
||||
return DB::transaction(function () use ($user, $data, $entryFee): JsonResponse {
|
||||
// PvE 扣除入场费
|
||||
if ($entryFee > 0) {
|
||||
// 1. 悲观锁锁定用户行
|
||||
$lockedUser = User::query()
|
||||
->whereKey($user->id)
|
||||
->lockForUpdate()
|
||||
->firstOrFail();
|
||||
|
||||
// 2. 二次确认金币是否足够
|
||||
if ((int) $lockedUser->jjb < $entryFee) {
|
||||
return response()->json(['ok' => false, 'message' => '金币不足,无法加入游戏对局。']);
|
||||
}
|
||||
|
||||
$this->currency->change(
|
||||
$user,
|
||||
$lockedUser,
|
||||
'gold',
|
||||
-$entryFee,
|
||||
CurrencySource::GOMOKU_ENTRY_FEE,
|
||||
"五子棋 AI 对战入场费(难度{$data['ai_level']})",
|
||||
);
|
||||
|
||||
// 同步修改 Auth 内存实例的金币
|
||||
$user->setAttribute('jjb', $lockedUser->jjb);
|
||||
}
|
||||
|
||||
$timeout = (int) GameConfig::param('gomoku', 'invite_timeout', 60);
|
||||
|
||||
Reference in New Issue
Block a user