fix(auth): 注册接口安全加固 - 默认关闭注册

2026-01-09 14:49:20 +08:00
parent 0a9c17b9d1
commit 43f104bdf7
4 changed files with 52 additions and 15 deletions
--- a/backend/internal/service/auth_service_register_test.go
+++ b/backend/internal/service/auth_service_register_test.go
@@ -113,6 +113,15 @@ func TestAuthService_Register_Disabled(t *testing.T) {
 	require.ErrorIs(t, err, ErrRegDisabled)
 }

+func TestAuthService_Register_DisabledByDefault(t *testing.T) {
+	// 当 settings 为 nil（设置项不存在）时，注册应该默认关闭
+	repo := &userRepoStub{}
+	service := newAuthService(repo, nil, nil)
+
+	_, _, err := service.Register(context.Background(), "user@test.com", "password")
+	require.ErrorIs(t, err, ErrRegDisabled)
+}
+
 func TestAuthService_Register_EmailVerifyEnabledButServiceNotConfigured(t *testing.T) {
 	repo := &userRepoStub{}
 	// 邮件验证开启但 emailCache 为 nil（emailService 未配置）
@@ -155,7 +164,9 @@ func TestAuthService_Register_EmailVerifyInvalid(t *testing.T) {

 func TestAuthService_Register_EmailExists(t *testing.T) {
 	repo := &userRepoStub{exists: true}
-	service := newAuthService(repo, nil, nil)
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+	}, nil)

 	_, _, err := service.Register(context.Background(), "user@test.com", "password")
 	require.ErrorIs(t, err, ErrEmailExists)
@@ -163,7 +174,9 @@ func TestAuthService_Register_EmailExists(t *testing.T) {

 func TestAuthService_Register_CheckEmailError(t *testing.T) {
 	repo := &userRepoStub{existsErr: errors.New("db down")}
-	service := newAuthService(repo, nil, nil)
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+	}, nil)

 	_, _, err := service.Register(context.Background(), "user@test.com", "password")
 	require.ErrorIs(t, err, ErrServiceUnavailable)
@@ -171,15 +184,30 @@ func TestAuthService_Register_CheckEmailError(t *testing.T) {

 func TestAuthService_Register_CreateError(t *testing.T) {
 	repo := &userRepoStub{createErr: errors.New("create failed")}
-	service := newAuthService(repo, nil, nil)
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+	}, nil)

 	_, _, err := service.Register(context.Background(), "user@test.com", "password")
 	require.ErrorIs(t, err, ErrServiceUnavailable)
 }

+func TestAuthService_Register_CreateEmailExistsRace(t *testing.T) {
+	// 模拟竞态条件：ExistsByEmail 返回 false，但 Create 时因唯一约束失败
+	repo := &userRepoStub{createErr: ErrEmailExists}
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+	}, nil)
+
+	_, _, err := service.Register(context.Background(), "user@test.com", "password")
+	require.ErrorIs(t, err, ErrEmailExists)
+}
+
 func TestAuthService_Register_Success(t *testing.T) {
 	repo := &userRepoStub{nextID: 5}
-	service := newAuthService(repo, nil, nil)
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+	}, nil)

 	token, user, err := service.Register(context.Background(), "user@test.com", "password")
 	require.NoError(t, err)