fix: harden secrets and session checks

src/lib/require-auth.ts

@@ -1,9 +1,29 @@
 import { getServerSession } from "next-auth";
 import { authOptions } from "./auth";
+import { prisma } from "./prisma";
 import { getActiveSubscriptionRiskRestriction } from "@/services/subscription-risk-review";
 
-export async function requireAdmin() {
+export async function getActiveSession() {
   const session = await getServerSession(authOptions);
+  if (!session?.user?.id) return null;
+
+  const user = await prisma.user.findUnique({
+    where: { id: session.user.id },
+    select: { id: true, email: true, name: true, role: true, status: true },
+  });
+
+  if (!user || user.status !== "ACTIVE") return null;
+
+  session.user.id = user.id;
+  session.user.email = user.email;
+  session.user.name = user.name;
+  session.user.role = user.role;
+
+  return session;
+}
+
+export async function requireAdmin() {
+  const session = await getActiveSession();
   if (!session || session.user.role !== "ADMIN") {
     throw new Error("无权限");
   }
@@ -11,7 +31,7 @@ export async function requireAdmin() {
 }
 
 export async function requireAuth(options: { allowDuringRiskRestriction?: boolean } = {}) {
-  const session = await getServerSession(authOptions);
+  const session = await getActiveSession();
   if (!session) {
     throw new Error("未登录");
   }