fix: v6 code review P0 auth/IDOR fixes + frontend regression patches

Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL
2026-04-23 07:14:12 +08:00
parent 82109ec216
commit 3f3bb82f1d
41 changed files with 2681 additions and 283 deletions
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strconv"
+	"strings"
 	"syscall"
 	"time"

@@ -43,10 +45,12 @@ func Serve(cfg *config.Config) error {
 	// P1-3：Argon2id 启动时自适应校准
 	auth.CalibrateArgon2id(500 * time.Millisecond)

+	accessTokenExpire := resolveJWTAccessTokenExpire(cfg)
+
 	// 初始化 JWT 管理器
 	jwtManager, err := auth.NewJWTWithOptions(auth.JWTOptions{
 		HS256Secret:        cfg.JWT.Secret,
-		AccessTokenExpire:  time.Duration(cfg.JWT.AccessTokenExpireMinutes) * time.Minute,
+		AccessTokenExpire:  accessTokenExpire,
 		RefreshTokenExpire: time.Duration(cfg.JWT.RefreshTokenExpireDays) * 24 * time.Hour,
 	})
 	if err != nil {
@@ -125,6 +129,9 @@ func Serve(cfg *config.Config) error {
 	totpService := service.NewTOTPService(userRepo)

 	passwordResetConfig := service.DefaultPasswordResetConfig()
+	if err := configureAuthEmailServices(cfg, cacheManager, authService, passwordResetConfig); err != nil {
+		return fmt.Errorf("configure auth email services failed: %w", err)
+	}
 	passwordResetService := service.NewPasswordResetService(userRepo, cacheManager, passwordResetConfig).
 		WithPasswordHistoryRepo(passwordHistoryRepo)

@@ -259,3 +266,100 @@ func resolveGinMode(mode string) string {
 		return gin.ReleaseMode
 	}
 }
+
+func configureAuthEmailServices(
+	cfg *config.Config,
+	cacheManager *cache.CacheManager,
+	authService *service.AuthService,
+	passwordResetConfig *service.PasswordResetConfig,
+) error {
+	smtpConfig, enabled, err := resolveSMTPEmailConfigFromEnv()
+	if err != nil {
+		return err
+	}
+	if !enabled || cacheManager == nil || authService == nil {
+		return nil
+	}
+
+	siteURL := resolveAuthEmailSiteURL(cfg)
+	siteName := resolveAuthEmailSiteName(cfg)
+	provider := service.NewSMTPEmailProvider(smtpConfig)
+
+	authService.SetEmailActivationService(
+		service.NewEmailActivationService(provider, cacheManager, siteURL, siteName),
+	)
+
+	emailCodeConfig := service.DefaultEmailCodeConfig()
+	emailCodeConfig.SiteURL = siteURL
+	emailCodeConfig.SiteName = siteName
+	authService.SetEmailCodeService(service.NewEmailCodeService(provider, cacheManager, emailCodeConfig))
+
+	if passwordResetConfig != nil {
+		passwordResetConfig.SMTPHost = smtpConfig.Host
+		passwordResetConfig.SMTPPort = smtpConfig.Port
+		passwordResetConfig.SMTPUser = smtpConfig.Username
+		passwordResetConfig.SMTPPass = smtpConfig.Password
+		passwordResetConfig.FromEmail = smtpConfig.FromEmail
+		passwordResetConfig.SiteURL = siteURL
+	}
+
+	return nil
+}
+
+func resolveSMTPEmailConfigFromEnv() (service.SMTPEmailConfig, bool, error) {
+	host := strings.TrimSpace(os.Getenv("EMAIL_HOST"))
+	if host == "" {
+		return service.SMTPEmailConfig{}, false, nil
+	}
+
+	port := 587
+	if rawPort := strings.TrimSpace(os.Getenv("EMAIL_PORT")); rawPort != "" {
+		parsedPort, err := strconv.Atoi(rawPort)
+		if err != nil || parsedPort <= 0 {
+			return service.SMTPEmailConfig{}, false, fmt.Errorf("invalid EMAIL_PORT %q", rawPort)
+		}
+		port = parsedPort
+	}
+
+	fromEmail := strings.TrimSpace(os.Getenv("EMAIL_FROM_EMAIL"))
+	if fromEmail == "" {
+		fromEmail = service.DefaultPasswordResetConfig().FromEmail
+	}
+
+	return service.SMTPEmailConfig{
+		Host:      host,
+		Port:      port,
+		Username:  strings.TrimSpace(os.Getenv("EMAIL_USER")),
+		Password:  os.Getenv("EMAIL_PASS"),
+		FromEmail: fromEmail,
+		FromName:  strings.TrimSpace(os.Getenv("EMAIL_FROM_NAME")),
+	}, true, nil
+}
+
+func resolveAuthEmailSiteURL(cfg *config.Config) string {
+	if cfg != nil {
+		if siteURL := strings.TrimSpace(cfg.Server.FrontendURL); siteURL != "" {
+			return siteURL
+		}
+	}
+	return service.DefaultEmailCodeConfig().SiteURL
+}
+
+func resolveAuthEmailSiteName(cfg *config.Config) string {
+	if cfg != nil {
+		if siteName := strings.TrimSpace(cfg.Log.ServiceName); siteName != "" {
+			return siteName
+		}
+	}
+	return service.DefaultEmailCodeConfig().SiteName
+}
+
+func resolveJWTAccessTokenExpire(cfg *config.Config) time.Duration {
+	if cfg == nil {
+		return 0
+	}
+	if cfg.JWT.AccessTokenExpireMinutes > 0 {
+		return time.Duration(cfg.JWT.AccessTokenExpireMinutes) * time.Minute
+	}
+	return time.Duration(cfg.JWT.ExpireHour) * time.Hour
+}
--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -0,0 +1,73 @@
+package server
+
+import (
+	"testing"
+	"time"
+
+	"github.com/user-management-system/internal/cache"
+	"github.com/user-management-system/internal/config"
+	"github.com/user-management-system/internal/service"
+)
+
+func TestResolveJWTAccessTokenExpire_UsesExpireHourFallback(t *testing.T) {
+	cfg := &config.Config{}
+	cfg.JWT.ExpireHour = 24
+	cfg.JWT.AccessTokenExpireMinutes = 0
+
+	expire := resolveJWTAccessTokenExpire(cfg)
+
+	if expire != 24*time.Hour {
+		t.Fatalf("resolveJWTAccessTokenExpire() = %v, want %v", expire, 24*time.Hour)
+	}
+}
+
+func TestResolveJWTAccessTokenExpire_PrefersMinuteOverride(t *testing.T) {
+	cfg := &config.Config{}
+	cfg.JWT.ExpireHour = 24
+	cfg.JWT.AccessTokenExpireMinutes = 90
+
+	expire := resolveJWTAccessTokenExpire(cfg)
+
+	if expire != 90*time.Minute {
+		t.Fatalf("resolveJWTAccessTokenExpire() = %v, want %v", expire, 90*time.Minute)
+	}
+}
+
+func TestConfigureAuthEmailServices_UsesSMTPEnvironment(t *testing.T) {
+	t.Setenv("EMAIL_HOST", "127.0.0.1")
+	t.Setenv("EMAIL_PORT", "2525")
+	t.Setenv("EMAIL_FROM_EMAIL", "noreply@test.local")
+	t.Setenv("EMAIL_FROM_NAME", "UMS E2E")
+	t.Setenv("EMAIL_USER", "smtp-user")
+	t.Setenv("EMAIL_PASS", "smtp-pass")
+
+	cfg := &config.Config{}
+	cfg.Server.FrontendURL = "http://127.0.0.1:3000"
+	cfg.Log.ServiceName = "UMS E2E"
+
+	cacheManager := cache.NewCacheManager(cache.NewL1Cache(), cache.NewRedisCache(false))
+	authService := service.NewAuthService(nil, nil, nil, cacheManager, 8, 5, time.Minute)
+	passwordResetConfig := service.DefaultPasswordResetConfig()
+
+	if err := configureAuthEmailServices(cfg, cacheManager, authService, passwordResetConfig); err != nil {
+		t.Fatalf("configureAuthEmailServices() error = %v", err)
+	}
+	if !authService.SupportsEmailActivation() {
+		t.Fatal("SupportsEmailActivation() = false, want true")
+	}
+	if !authService.HasEmailCodeService() {
+		t.Fatal("HasEmailCodeService() = false, want true")
+	}
+	if passwordResetConfig.SMTPHost != "127.0.0.1" {
+		t.Fatalf("password reset SMTP host = %q, want %q", passwordResetConfig.SMTPHost, "127.0.0.1")
+	}
+	if passwordResetConfig.SMTPPort != 2525 {
+		t.Fatalf("password reset SMTP port = %d, want %d", passwordResetConfig.SMTPPort, 2525)
+	}
+	if passwordResetConfig.FromEmail != "noreply@test.local" {
+		t.Fatalf("password reset FromEmail = %q, want %q", passwordResetConfig.FromEmail, "noreply@test.local")
+	}
+	if passwordResetConfig.SiteURL != "http://127.0.0.1:3000" {
+		t.Fatalf("password reset SiteURL = %q, want %q", passwordResetConfig.SiteURL, "http://127.0.0.1:3000")
+	}
+}