diff --git a/DysonNetwork.Sphere/Wallet/PaymentHandlers/AfdianPaymentHandler.cs b/DysonNetwork.Sphere/Wallet/PaymentHandlers/AfdianPaymentHandler.cs
index 13d96fc..eb5d0e9 100644
--- a/DysonNetwork.Sphere/Wallet/PaymentHandlers/AfdianPaymentHandler.cs
+++ b/DysonNetwork.Sphere/Wallet/PaymentHandlers/AfdianPaymentHandler.cs
@@ -2,11 +2,13 @@ using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using Microsoft.EntityFrameworkCore;
 using NodaTime;
 
 namespace DysonNetwork.Sphere.Wallet.PaymentHandlers;
 
 public class AfdianPaymentHandler(
+    AppDatabase db,
     IHttpClientFactory httpClientFactory,
     ILogger<AfdianPaymentHandler> logger,
     IConfiguration configuration
@@ -86,7 +88,7 @@ public class AfdianPaymentHandler(
     /// </summary>
     /// <param name="orderId">The order ID to query</param>
     /// <returns>The order item if found, otherwise null</returns>
-    public async Task<OrderItem?> GetOrderAsync(string orderId)
+    public async Task<OrderItem?> GetOrderAsync(string orderId, Guid accountId)
     {
         if (string.IsNullOrEmpty(orderId))
         {
@@ -94,11 +96,16 @@ public class AfdianPaymentHandler(
             return null;
         }
 
+        var connection = await db.AccountConnections
+          .Where(c => c.AccountId == accountId && c.Provider == "afdian")
+          .FirstOrDefaultAsync();
+        if (connection is null) throw new InvalidOperationException("Account need to link an afdian account first.");
+
         try
         {
             var token = _configuration["Payment:Auth:Afdian"] ?? "_:_";
             var tokenParts = token.Split(':');
-            var userId = tokenParts[0];
+            var userId = connection.ProvidedIdentifier;
             token = tokenParts[1];
             var paramsJson = JsonSerializer.Serialize(new { out_trade_no = orderId }, JsonOptions);
             var ts = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1))
@@ -442,4 +449,4 @@ public class SkuDetailItem
     [JsonPropertyName("album_id")] public string AlbumId { get; set; } = null!;
 
     [JsonPropertyName("pic")] public string Picture { get; set; } = null!;
-}
\ No newline at end of file
+}
diff --git a/DysonNetwork.Sphere/Wallet/SubscriptionController.cs b/DysonNetwork.Sphere/Wallet/SubscriptionController.cs
index c37c5a3..3892779 100644
--- a/DysonNetwork.Sphere/Wallet/SubscriptionController.cs
+++ b/DysonNetwork.Sphere/Wallet/SubscriptionController.cs
@@ -180,11 +180,14 @@ public class SubscriptionController(SubscriptionService subscriptions, AfdianPay
     }
 
     [HttpPost("order/restore/afdian")]
+    [Authorize]
     public async Task<IActionResult> RestorePurchaseFromAfdian([FromBody] RestorePurchaseRequest request)
     {
-        var order = await afdian.GetOrderAsync(request.OrderId);
+        if (HttpContext.Items["CurrentUser"] is not Account.Account currentUser) return Unauthorized();
+
+        var order = await afdian.GetOrderAsync(request.OrderId, currentUser.Id);
         if (order is null) return NotFound($"Order with ID {request.OrderId} was not found.");
-        
+
         var subscription = await subscriptions.CreateSubscriptionFromOrder(order);
         return Ok(subscription);
     }
@@ -200,4 +203,4 @@ public class SubscriptionController(SubscriptionService subscriptions, AfdianPay
 
         return Ok(response);
     }
-}
\ No newline at end of file
+}