From 470abee0920b8bbc2108b32c8cda7e5ea0f78fde Mon Sep 17 00:00:00 2001
From: yangjianbo <yangjianbo@leagsoft.com>
Date: Fri, 9 Jan 2026 09:57:42 +0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20=E4=BF=AE=E5=A4=8D=E9=82=AE?=
 =?UTF-8?q?=E4=BB=B6=E9=AA=8C=E8=AF=81=E6=9C=8D=E5=8A=A1=E6=9C=AA=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E6=97=B6=E5=8F=AF=E7=BB=95=E8=BF=87=E9=AA=8C=E8=AF=81?=
 =?UTF-8?q?=E7=9A=84=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

当邮件验证开启但 emailService 未配置时，原逻辑允许用户绕过验证直接注册。
现在会返回 ErrServiceUnavailable 拒绝注册，确保配置错误不会导致安全问题。

- 在验证码检查前先检查 emailService 是否配置
- 添加日志记录帮助发现配置问题
- 新增单元测试覆盖该场景

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 backend/internal/service/auth_service.go         | 12 ++++++++----
 .../service/auth_service_register_test.go        | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/backend/internal/service/auth_service.go b/backend/internal/service/auth_service.go
index 104a3262..5a5ca03d 100644
--- a/backend/internal/service/auth_service.go
+++ b/backend/internal/service/auth_service.go
@@ -82,14 +82,18 @@ func (s *AuthService) RegisterWithVerification(ctx context.Context, email, passw
 
 	// 检查是否需要邮件验证
 	if s.settingService != nil && s.settingService.IsEmailVerifyEnabled(ctx) {
+		// 如果邮件验证已开启但邮件服务未配置，拒绝注册
+		// 这是一个配置错误，不应该允许绕过验证
+		if s.emailService == nil {
+			log.Println("[Auth] Email verification enabled but email service not configured, rejecting registration")
+			return "", nil, ErrServiceUnavailable
+		}
 		if verifyCode == "" {
 			return "", nil, ErrEmailVerifyRequired
 		}
 		// 验证邮箱验证码
-		if s.emailService != nil {
-			if err := s.emailService.VerifyCode(ctx, email, verifyCode); err != nil {
-				return "", nil, fmt.Errorf("verify code: %w", err)
-			}
+		if err := s.emailService.VerifyCode(ctx, email, verifyCode); err != nil {
+			return "", nil, fmt.Errorf("verify code: %w", err)
 		}
 	}
 
diff --git a/backend/internal/service/auth_service_register_test.go b/backend/internal/service/auth_service_register_test.go
index 940baae5..a31267ab 100644
--- a/backend/internal/service/auth_service_register_test.go
+++ b/backend/internal/service/auth_service_register_test.go
@@ -113,13 +113,27 @@ func TestAuthService_Register_Disabled(t *testing.T) {
 	require.ErrorIs(t, err, ErrRegDisabled)
 }
 
-func TestAuthService_Register_EmailVerifyRequired(t *testing.T) {
+func TestAuthService_Register_EmailVerifyEnabledButServiceNotConfigured(t *testing.T) {
 	repo := &userRepoStub{}
+	// 邮件验证开启但 emailCache 为 nil（emailService 未配置）
 	service := newAuthService(repo, map[string]string{
 		SettingKeyRegistrationEnabled: "true",
 		SettingKeyEmailVerifyEnabled:  "true",
 	}, nil)
 
+	// 应返回服务不可用错误，而不是允许绕过验证
+	_, _, err := service.RegisterWithVerification(context.Background(), "user@test.com", "password", "any-code")
+	require.ErrorIs(t, err, ErrServiceUnavailable)
+}
+
+func TestAuthService_Register_EmailVerifyRequired(t *testing.T) {
+	repo := &userRepoStub{}
+	cache := &emailCacheStub{} // 配置 emailService
+	service := newAuthService(repo, map[string]string{
+		SettingKeyRegistrationEnabled: "true",
+		SettingKeyEmailVerifyEnabled:  "true",
+	}, cache)
+
 	_, _, err := service.RegisterWithVerification(context.Background(), "user@test.com", "password", "")
 	require.ErrorIs(t, err, ErrEmailVerifyRequired)
 }