chore(prod): real leaderboard, prod guards, payment hardening
Production-readiness pass — remove mock-in-prod and harden the server:

- leaderboard: new DB-backed LeaderboardService + /api/leaderboard (ranked by rating, 30s cache, bounded scan); client now calls it instead of mock fake data.
- online count: client uses real /api/stats/online (dropped the fabricated ≥50 floor).
- boot guards (Production): refuse to start if Sms:ApiKey is missing (OTP would run in dev mode = fixed code for any phone) or Iab:AllowUnverified is true (forged tokens could mint coins).
- payments: ZarinPal + IAB HttpClients get 15s timeouts; ZarinPal/FlatPay gateway failures are now logged instead of silently swallowed.
- OTP: periodic prune of expired codes + stale rate-limit logs (was an unbounded in-memory leak over a long-running process).
- DB: EnableRetryOnFailure for Postgres (transient-fault resilience).
- docker-compose: ZarinPal sandbox now defaults to false (real payments).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
+1
-1
@@ -53,7 +53,7 @@ services:
|
||||
# Comma-separated origins the browser uses to reach the web app.
|
||||
Cors__Origins: ${CORS_ORIGINS:-http://localhost:1500}
|
||||
Zarinpal__MerchantId: ${ZARINPAL_MERCHANT_ID:-299685fb-cadf-4dfc-98e2-d4af5d81528d}
|
||||
Zarinpal__Sandbox: ${ZARINPAL_SANDBOX:-true}
|
||||
Zarinpal__Sandbox: ${ZARINPAL_SANDBOX:-false}
|
||||
Zarinpal__CallbackUrl: ${ZARINPAL_CALLBACK_URL:-http://localhost:1505/api/coins/pay/callback}
|
||||
Zarinpal__ClientReturnUrl: ${ZARINPAL_CLIENT_RETURN_URL:-http://localhost:1500}
|
||||
# FlatRender Pay broker (pay.flatrender.ir): shared ZarinPal via the single
|
||||
|
||||
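Review bot: with the default on the `Zarinpal__Sandbox` line flipped to `false`, the neighbouring Zarinpal defaults in this block are still development values: `Zarinpal__MerchantId` falls back to a UUID committed in the compose file, and `Zarinpal__CallbackUrl` and `Zarinpal__ClientReturnUrl` fall back to localhost. Any environment that sets none of these variables, including a developer's local `docker compose up`, now runs in live-payment mode with the committed merchant ID and a localhost callback. Consider making the live-mode inputs mandatory with Compose's required-variable form, for example `${ZARINPAL_MERCHANT_ID:?set ZARINPAL_MERCHANT_ID}` and the same for the callback URL, or keep the sandbox default at `true` and set `ZARINPAL_SANDBOX=false` explicitly in the production environment only. The commit message lists Production boot guards for Sms:ApiKey and Iab:AllowUnverified; a matching guard that refuses to start when sandbox is off and the callback URL is still localhost would catch a misconfigured deployment at startup. A short comment above the changed line stating that the default now means real payments would also help the next reader.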