fix: 전반적인 코드 개선 2차

MU-Software · MU-Software · commit 5a8e94331b7b · 2026-05-12T01:11:51.000+09:00
diff --git a/app/admin_api/serializers/shop/products.py b/app/admin_api/serializers/shop/products.py
@@ -81,6 +81,18 @@ class Meta:
             ),
         }
 
+    def validate(self, attrs: dict) -> dict:
+        # is_custom_response=True 면 패턴이 admin 계약 — 빈 답변 허용은 ".*", 비공란 강제는 ".+" 등으로 명시.
+        is_custom_response = attrs.get("is_custom_response", getattr(self.instance, "is_custom_response", False))
+        custom_response_pattern = attrs.get(
+            "custom_response_pattern", getattr(self.instance, "custom_response_pattern", None)
+        )
+        if is_custom_response and not custom_response_pattern:
+            raise serializers.ValidationError(
+                {"custom_response_pattern": "is_custom_response=True 일 때 custom_response_pattern 은 필수입니다."}
+            )
+        return attrs
+
 
 class ProductAdminSerializer(BaseAbstractSerializer, JsonSchemaSerializer, serializers.ModelSerializer):
     option_groups = OptionGroupAdminSerializer(many=True, read_only=True)
diff --git a/app/core/const/shop_error_messages.py b/app/core/const/shop_error_messages.py
@@ -12,14 +12,6 @@ class PermissionErrorMessages:
     OTP_REQUIRED = "환불 승인자의 OTP 코드가 필요합니다."
 
 
-class DonationNotOrderableErrorMessages:
-    NOT_FOUND = (
-        "개인 후원을 시도해주셔서 감사해요! 죄송하지만 개인 후원이 아직 준비되지 않았어요...\n"
-        "준비되면 SNS에 공지 예정이에요, 그때까지 조금만 기다려주세요!\n"
-        "후원을 통해 PyCon 한국 준비 위원회와 함께해주셔서 정말 감사합니다!"
-    )
-
-
 class ProductNotOrderableErrorMessages:
     ALREADY_ORDERED = "이미 결제한 상품입니다. 다시 장바구니에 담아주세요."
     NOT_ORDERABLE_TIME = "{} 상품은 현재 구매하실 수 없습니다."
@@ -98,3 +90,5 @@ class PortOneWebhookFailureMessages:
     UNEXPECTED_RETRIEVED_ORDER_ID = "결제 ID가 일치하지 않습니다."
     UNEXPECTED_PAID_PRICE = "결제 금액이 일치하지 않습니다."
     UNSUPPORTED_CURRENCY = "지원하지 않는 통화입니다."
+    ILLEGAL_STATUS_TRANSITION = "이미 처리된 결제이거나 허용되지 않는 상태 전환입니다."
+    CANCELLED_NOT_SUPPORTED = "관리자 콘솔에서 결제 취소된 webhook 의 자동 처리는 아직 지원하지 않습니다."
diff --git a/app/core/external_apis/portone/client.py b/app/core/external_apis/portone/client.py
@@ -155,7 +155,7 @@ def req_cancel_payment(
         return self._request(
             method="POST",
             route="/payments/cancel",
-            json={k: v for k, v in request_dto.items() if v},
+            json={k: v for k, v in request_dto.items() if v is not None},
             action_desc="환불 요청",
         )
 
diff --git a/app/shop/payment_history/models.py b/app/shop/payment_history/models.py
@@ -14,6 +14,16 @@ class PaymentHistoryStatus(models.TextChoices):
     PaymentHistoryStatus.partial_refunded,
 }
 PURCHASED_STATUSES: set[PaymentHistoryStatus] = REFUNDABLE_STATUSES | {PaymentHistoryStatus.refunded}
+LEGAL_PAYMENT_STATUS_TRANSITIONS: dict[PaymentHistoryStatus, set[PaymentHistoryStatus]] = {
+    PaymentHistoryStatus.pending: {PaymentHistoryStatus.completed},
+    PaymentHistoryStatus.completed: {PaymentHistoryStatus.partial_refunded, PaymentHistoryStatus.refunded},
+    PaymentHistoryStatus.partial_refunded: {PaymentHistoryStatus.partial_refunded, PaymentHistoryStatus.refunded},
+    PaymentHistoryStatus.refunded: set(),  # terminal
+}
+
+
+def is_legal_payment_status_transition(current: PaymentHistoryStatus, next_: PaymentHistoryStatus) -> bool:
+    return next_ in LEGAL_PAYMENT_STATUS_TRANSITIONS.get(current, set())
 
 
 class PaymentHistoryQuerySet(BaseAbstractModelQuerySet):
diff --git a/app/shop/payment_history/serializers.py b/app/shop/payment_history/serializers.py
@@ -2,10 +2,10 @@
 
 from core.const.shop_error_messages import PortOneWebhookFailureMessages
 from core.external_apis.portone.client import PortOneException, PortOneExceptionGroup, portone_client
-from django.db import models
+from django.db import models, transaction
 from rest_framework import serializers
 from shop.order.models import Order, OrderProductRelation, SingleProductCart
-from shop.payment_history.models import PaymentHistory, PaymentHistoryStatus
+from shop.payment_history.models import PaymentHistory, PaymentHistoryStatus, is_legal_payment_status_transition
 
 
 class PortOneV1PaymentStatus(models.TextChoices):
@@ -83,6 +83,11 @@ def validate_status(self, value: str) -> str:
             )
         elif value == PortOneV1WebhookRequestStatus.FAILED:
             raise serializers.ValidationError(detail=PortOneWebhookFailureMessages.PURCHASE_FAILED, code="forgery")
+        elif value == PortOneV1WebhookRequestStatus.CANCELLED:
+            # TODO: 관리자 콘솔 취소 자동 처리는 미구현 — 우선 거부하고 운영자가 수동으로 환불 처리.
+            raise serializers.ValidationError(
+                detail=PortOneWebhookFailureMessages.CANCELLED_NOT_SUPPORTED, code="unsupported"
+            )
         return value
 
     def validate(self, data: dict) -> dict:
@@ -98,7 +103,7 @@ def validate(self, data: dict) -> dict:
         except (PortOneException, PortOneExceptionGroup) as e:
             raise serializers.ValidationError(detail=str(e), code="portone_error") from e
 
-        if retrieved_order_data["status"] not in (PortOneV1PaymentStatus.PAID, PortOneV1PaymentStatus.CANCELLED):
+        if retrieved_order_data["status"] != PortOneV1PaymentStatus.PAID:
             raise serializers.ValidationError(
                 detail=PortOneWebhookFailureMessages.UNEXPECTED_RETRIEVED_ORDER_STATUS, code="forgery"
             )
@@ -121,13 +126,18 @@ def validate(self, data: dict) -> dict:
 
         return data
 
+    @transaction.atomic
     def create(self, validated_data: dict) -> PaymentHistory:
-        # TODO: 결제 취소 (payment_serializer.validated_data["status"] == PortOneV1PaymentStatus.CANCELLED)인 경우,
-        #       cancellation_id를 확인하고 환불 내역을 저장하는 로직을 추가해야 합니다.
+        # CANCELLED webhook (관리자 콘솔 취소) 자동 처리는 미구현 — validate_status 에서 거부됨.
         payment_info = PortOneV1PaymentDetailSerializer(instance=self.portone_payment_info).data
+        order = self._lock_or_promote_order(validated_data["merchant_uid"])
 
-        assert (order_or_cart := self.cart_or_order)  # nosec: B101
-        order = order_or_cart.to_order() if isinstance(order_or_cart, SingleProductCart) else order_or_cart
+        # State machine — webhook retry 등 중복/불법 전이는 거부.
+        next_status = PaymentHistoryStatus.completed
+        if not is_legal_payment_status_transition(order.current_status, next_status):
+            raise serializers.ValidationError(
+                detail=PortOneWebhookFailureMessages.ILLEGAL_STATUS_TRANSITION, code="illegal_transition"
+            )
 
         for product_rel in order.products.all():
             product_rel.status = OrderProductRelation.OrderProductStatus.paid
@@ -136,10 +146,26 @@ def create(self, validated_data: dict) -> PaymentHistory:
         return PaymentHistory.objects.create(
             order=order,
             imp_id=validated_data["imp_uid"],
-            status=PaymentHistoryStatus.completed,
+            status=next_status,
             price=payment_info["amount"],
         )
 
+    @staticmethod
+    def _lock_or_promote_order(obj_id: str) -> Order:
+        """Order 가 있으면 lock 하여 반환. SingleProductCart 만 있으면 lock + to_order() 로 승격.
+
+        동시 webhook race 시: 첫 호출이 cart lock + to_order() commit 후, 두 번째 호출은
+        cart 가 hard_delete 된 상태로 lock 해제됨 → Order 재조회에서 승격된 Order 발견.
+        """
+        if order := Order.objects.select_for_update().filter_active().filter(id=obj_id).first():
+            return order
+        if cart := SingleProductCart.objects.select_for_update().filter_active().filter(id=obj_id).first():
+            return cart.to_order()
+        # 첫 lock 시 cart 가 다른 webhook 에 의해 promote 된 경우 — Order 재조회.
+        if order := Order.objects.select_for_update().filter_active().filter(id=obj_id).first():
+            return order
+        raise serializers.ValidationError(detail=PortOneWebhookFailureMessages.ORDER_NOT_FOUND, code="forgery")
+
 
 class PortOneV1WebhookResponseSerializer(serializers.Serializer):
     status = serializers.CharField(default="success", read_only=True)
diff --git a/app/shop/product/models.py b/app/shop/product/models.py
@@ -5,6 +5,7 @@
 import typing
 
 from core.models import BaseAbstractModel
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models.manager import BaseManager
 from simple_history.models import HistoricalRecords
@@ -219,6 +220,14 @@ class Meta:
     def __str__(self) -> str:
         return f"[{self.product.name}] {self.name}"
 
+    def clean(self) -> None:
+        # is_custom_response=True 시 패턴이 admin 계약 — 빈 답변 허용은 ".*", 비공란 강제는 ".+" 등으로 명시.
+        if self.is_custom_response and not self.custom_response_pattern:
+            raise ValidationError(
+                {"custom_response_pattern": "is_custom_response=True 일 때 custom_response_pattern 은 필수입니다."}
+            )
+        super().clean()
+
     def is_group_stock_available(self) -> bool:
         """해당 옵션 그룹의 재고가 있는지 확인합니다."""
         if (
diff --git a/app/shop/serializers/cart_validation.py b/app/shop/serializers/cart_validation.py
@@ -79,7 +79,7 @@ def validate(self, data: dict) -> dict:
         if tag.leftover_stock is not None and tag.leftover_stock <= 0:
             raise serializers.ValidationError(TagNotOrderableErrorMessages.SOLDOUT.format(tag.name))
 
-        if tag.max_quantity_per_user:
+        if tag.max_quantity_per_user > 0:  # 0 = 무제한 sentinel
             match self.validation_mode:
                 case OrderableCheckSerializerMode.ADD_SINGLE_PRODUCT_TO_CART:
                     user_tagproduct_taken_count = (
@@ -221,7 +221,7 @@ def validate_product_option(self, option: Option | None) -> Option | None:
                 )
 
         # 옵션의 최대 구매 수량이 정해져있으면, 해당 사용자가 이미 구매한 수량이 최대 구매 수량을 초과하는 경우 주문 불가능
-        if option.max_quantity_per_user:
+        if option.max_quantity_per_user > 0:  # 0 = 무제한 sentinel
             match self.validation_mode:
                 case OrderableCheckSerializerMode.ADD_SINGLE_PRODUCT_TO_CART:
                     user_option_taken_count = (
@@ -375,7 +375,7 @@ def validate_product(self, product: Product) -> Product:
                 )
 
         # 상품의 최대 구매 수량이 정해져있으면, 해당 사용자가 이미 담거나 구매한 수량이 최대 구매 수량을 초과하는 경우 주문 불가능
-        if product.max_quantity_per_user:
+        if product.max_quantity_per_user > 0:  # 0 = 무제한 sentinel
             match self.validation_mode:
                 case OrderableCheckSerializerMode.ADD_SINGLE_PRODUCT_TO_CART:
                     user_product_taken_count = (
@@ -556,15 +556,7 @@ def create(  # type: ignore[override]
         order_product_rel = super().create(validated_data)
         assert (single_product_cart := order_product_rel.single_product_cart)  # nosec: B101
 
-        # 단일 상품 장바구니에 고객 정보를 저장합니다.
-        if customer_info := CustomerInfo.objects.filter(single_product_cart=single_product_cart).first():
-            customer_info_serializer = CustomerInfoCheckSerializer(
-                instance=customer_info, data=validated_data["customer_info"]
-            )
-            customer_info_serializer.is_valid(raise_exception=True)
-            customer_info_serializer.save()
-        else:
-            CustomerInfo.objects.create(**validated_data["customer_info"], single_product_cart=single_product_cart)
+        CustomerInfo.objects.create(**validated_data["customer_info"], single_product_cart=single_product_cart)
 
         return order_product_rel
 
@@ -583,6 +575,17 @@ class CartOrderableCheckSerializer(serializers.Serializer):
     class Meta:
         fields = ("cart",)
 
+    def __init__(self, *args: typing.Any, **kwargs: typing.Any) -> None:
+        super().__init__(*args, **kwargs)
+        # 타인의 미결제 cart 로 결제 흐름 트리거를 방어 — request.user 의 cart 로만 lookup 한정.
+        request = self.context.get("request")
+        user = request.user if request is not None else None
+        self.fields["cart"].queryset = (
+            Order.objects.filter_has_no_payment_histories().filter(user=user)
+            if isinstance(user, UserExt)
+            else Order.objects.none()
+        )
+
     def validate(self, data: dict) -> dict:
         cart: Order = data["cart"]
 

Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ def req_cancel_payment(`
`155`	`155`	`return self._request(`
`156`	`156`	`method="POST",`
`157`	`157`	`route="/payments/cancel",`
`158`		`- json={k: v for k, v in request_dto.items() if v},`
	`158`	`+ json={k: v for k, v in request_dto.items() if v is not None},`
`159`	`159`	`action_desc="환불 요청",`
`160`	`160`	`)`
`161`	`161`