long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: project docs, scripts, deployment configs, and evidence

Browse Source
This commit is contained in:
long-agent
2026-04-02 11:22:17 +08:00
parent 4718980ab5
commit bbeeb63dfa
396 changed files with 165018 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md Normal file
View File

@@ -0,0 +1,40 @@
# ACCOUNT_BINDING_CLOSURE_20260326-224700
## Scope
- PRD `1.5 用户信息管理 -> 账号绑定与解绑`
- email bind / replace / unbind
- phone bind / replace / unbind
- self-service security page closure
## Implemented Closure
- Backend:
- added protected self-service endpoints:
- `POST /api/v1/users/me/bind-email/code`
- `POST /api/v1/users/me/bind-email`
- `DELETE /api/v1/users/me/bind-email`
- `POST /api/v1/users/me/bind-phone/code`
- `POST /api/v1/users/me/bind-phone`
- `DELETE /api/v1/users/me/bind-phone`
- bind now requires both target-channel verification code and current-account sensitive verification when password or TOTP is configured.
- unbind now requires current-account sensitive verification when password or TOTP is configured, and blocks removal if no login method would remain.
- direct self-update of `email` / `phone` through `PUT /api/v1/users/:id` is now blocked for non-admin self-service usage.
- Frontend:
- `/profile/security` now contains a real email/phone binding management section.
- `/profile` no longer exposes direct editable email/phone fields; users are redirected to security settings for verified binding flows.
## Validation
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
## Boundary
- Email bind/replace is only available when SMTP-backed email code capability is enabled.
- Phone bind/replace is only available when Aliyun or Tencent SMS capability is enabled.
- This closure is product-complete and regression-verified, but it does not change the previously stated boundary that live third-party OAuth provider proof and external production delivery evidence remain separate gaps.