EPay allows users to switch payment methods (e.g. wxpay→alipay) during
checkout, causing callback rejection. Replace fragile blocklist guard
with a PaymentProvider field on TopUp and SubscriptionOrder that
identifies which gateway created the order.
- quota.go: add missing SettleBilling call in PostWssConsumeQuota
- text_quota.go: gate InjectTieredBillingInfo on tieredBillingApplied bool
instead of tieredResult != nil, so fallback billing still logs metadata
- price.go: remove quotaBeforeGroup == 0 from freeModel condition to avoid
bypassing settlement for output-only expressions
- tiered_settle.go: split cc/cc1h subtraction using UsageSemantic to
distinguish OpenAI vs Claude cache creation token formats
- pricing.go: only set BillingMode when a non-empty expression exists
- useModelPricingEditorState.js: only write billing_mode when
finalBillingExpr is non-empty
- render.jsx: change const destructuring of completionRatio/audioRatio to
use raw names with ?? 0 defaults, preventing "Assignment to constant
variable" errors in renderModelPrice, renderAudioModelPrice, and
renderClaudeModelPrice
- TieredPricingEditor.jsx: add missing MATCH_GTE import, remove misleading
alias help text, preserve conditions for single-tier configs
Remove the intermediate branch that recomputed quota from
EstimatedQuotaBeforeGroup when tieredResult is nil. This discarded the
FinalPreConsumedQuota fallback that TryTieredSettle already selected.
Now the error path simply adds tool surcharges to the passed-in
tieredQuota, preserving the existing fallback semantics.
Also removes unrelated mise.toml and adds a test covering the error
fallback with a pre-consumed quota that differs from the estimate.
Enable Redis requirepass in the compose template and embed the matching
credential in REDIS_CONN_STRING, aligning with the existing PostgreSQL
default password pattern so out-of-the-box deployments are not left with
an unauthenticated Redis instance.
Introduce NODE_NAME environment variable to identify node identity in top-up
audit logs, improving readability over auto-detected container internal IPs
in Docker/K8s deployments. Surface node_name in admin expanded log rows and
add it as a commented example to docker-compose.yml.
Top-up logs written by pre-upgrade instances have no admin_info, which
made the expanded row empty and the row un-expandable. For admins, always
emit an entry: either the audit fields from admin_info when present, or a
warning prompting the operator to upgrade the instance so audit fields
(server IP, callback IP, payment method, system version) are recorded.
Admin username/ID was embedded directly into the log Content for
quota changes and forced 2FA disable, leaking the operator's
identity to the target user via their own usage log page.
Move operator info into Other.admin_info so formatUserLogs strips
it for non-admin viewers, and render it in the expand panel only
for admins as "操作管理员".
Closes#4301
Apply the same LIKE sanitization used for token search to SearchUserTopUps
and SearchAllTopUps (reject %%, cap % count, require >=2 stripped chars,
use ESCAPE '!') and bound COUNT with a 10000-row hard limit to avoid
unbounded full-table scans.
Also restrict user-facing list and search (GetUserTopUps, SearchUserTopUps)
to records within the last 30 days via create_time. Admin endpoints
(GetAllTopUps, SearchAllTopUps) remain unrestricted.
When an admin disables/deletes/promotes/demotes a user via ManageUser,
explicitly evict the user cache and all of the user's token caches from
Redis. This prevents a disabled user from continuing to make successful
API requests until the user cache TTL expires, and ensures subsequent
requests reload fresh status from the database.
Thread caller IP from webhook/admin controllers through model recharge
functions and record a new RecordTopupLog entry with admin_info (server
IP, caller IP, order payment method, callback payment method, system
version). Frontend shows these fields in the expanded log row and the
IP column for admins on top-up logs, while non-admins continue to see
admin_info stripped by formatUserLogs.
Seefs