fix(profile): stabilize binding compatibility and frontend checks

frontend/src/api/__tests__/admin.users.spec.ts

@@ -0,0 +1,117 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { post } = vi.hoisted(() => ({
+  post: vi.fn(),
+}))
+
+vi.mock('@/api/client', () => ({
+  apiClient: {
+    post,
+  },
+}))
+
+import {
+  bindUserAuthIdentity,
+  type AdminBindAuthIdentityRequest,
+  type AdminBoundAuthIdentity,
+} from '@/api/admin/users'
+
+type Assert<T extends true> = T
+type IsExact<T, U> = (
+  (<G>() => G extends T ? 1 : 2) extends (<G>() => G extends U ? 1 : 2)
+    ? ((<G>() => G extends U ? 1 : 2) extends (<G>() => G extends T ? 1 : 2) ? true : false)
+    : false
+)
+
+type ExpectedAdminBindAuthIdentityRequest = {
+  provider_type: string
+  provider_key: string
+  provider_subject: string
+  issuer?: string
+  metadata?: Record<string, unknown>
+  channel?: {
+    channel: string
+    channel_app_id: string
+    channel_subject: string
+    metadata?: Record<string, unknown>
+  }
+}
+
+type ExpectedAdminBoundAuthIdentity = {
+  user_id: number
+  provider_type: string
+  provider_key: string
+  provider_subject: string
+  verified_at?: string | null
+  issuer?: string | null
+  metadata: Record<string, unknown> | null
+  created_at: string
+  updated_at: string
+  channel?: {
+    channel: string
+    channel_app_id: string
+    channel_subject: string
+    metadata: Record<string, unknown> | null
+    created_at: string
+    updated_at: string
+  } | null
+}
+
+const requestContractExact: Assert<
+  IsExact<AdminBindAuthIdentityRequest, ExpectedAdminBindAuthIdentityRequest>
+> = true
+const responseContractExact: Assert<
+  IsExact<AdminBoundAuthIdentity, ExpectedAdminBoundAuthIdentity>
+> = true
+
+describe('admin users api auth identity binding', () => {
+  beforeEach(() => {
+    post.mockReset()
+  })
+
+  it('posts the backend-compatible auth identity bind payload and returns the backend response shape', async () => {
+    const payload: AdminBindAuthIdentityRequest = {
+      provider_type: 'wechat',
+      provider_key: 'wechat-main',
+      provider_subject: 'union-123',
+      metadata: { source: 'admin-repair' },
+      channel: {
+        channel: 'open',
+        channel_app_id: 'wx-open',
+        channel_subject: 'openid-123',
+        metadata: { scene: 'migration' },
+      },
+    }
+
+    const response: AdminBoundAuthIdentity = {
+      user_id: 9,
+      provider_type: 'wechat',
+      provider_key: 'wechat-main',
+      provider_subject: 'union-123',
+      verified_at: '2026-04-22T00:00:00Z',
+      issuer: null,
+      metadata: { source: 'admin-repair' },
+      created_at: '2026-04-22T00:00:00Z',
+      updated_at: '2026-04-22T00:00:00Z',
+      channel: {
+        channel: 'open',
+        channel_app_id: 'wx-open',
+        channel_subject: 'openid-123',
+        metadata: { scene: 'migration' },
+        created_at: '2026-04-22T00:00:00Z',
+        updated_at: '2026-04-22T00:00:00Z',
+      },
+    }
+    post.mockResolvedValue({ data: response })
+
+    const result = await bindUserAuthIdentity(9, payload)
+
+    expect(post).toHaveBeenCalledWith('/admin/users/9/auth-identities', payload)
+    expect(result).toEqual(response)
+  })
+
+  it('keeps bind auth identity request and response types aligned with the backend contract', () => {
+    expect(requestContractExact).toBe(true)
+    expect(responseContractExact).toBe(true)
+  })
+})

frontend/src/api/__tests__/client.spec.ts

@@ -91,6 +91,22 @@ describe('API Client', () => {
       const config = adapter.mock.calls[0][0]
       expect(config.params?.timezone).toBeUndefined()
     })
+
+    it('请求默认带 withCredentials 以支持跨域 cookie', async () => {
+      const adapter = vi.fn().mockResolvedValue({
+        status: 200,
+        data: { code: 0, data: {} },
+        headers: {},
+        config: {},
+        statusText: 'OK',
+      })
+      apiClient.defaults.adapter = adapter
+
+      await apiClient.post('/auth/oauth/bind-token')
+
+      const config = adapter.mock.calls[0][0]
+      expect(config.withCredentials).toBe(true)
+    })
   })
 
   // --- 响应拦截器 ---

frontend/src/api/__tests__/user.spec.ts

@@ -0,0 +1,32 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+describe('user api oauth binding urls', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    vi.stubEnv('VITE_API_BASE_URL', 'https://api.example.com/api/v1')
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+  })
+
+  it('builds third-party bind urls against the bind start endpoint', async () => {
+    const { buildOAuthBindingStartURL } = await import('@/api/user')
+
+    expect(buildOAuthBindingStartURL('linuxdo', { redirectTo: '/settings/profile' })).toBe(
+      'https://api.example.com/api/v1/auth/oauth/linuxdo/bind/start?redirect=%2Fsettings%2Fprofile&intent=bind_current_user'
+    )
+    expect(
+      buildOAuthBindingStartURL('wechat', {
+        redirectTo: '/settings/profile',
+        wechatOAuthSettings: {
+          wechat_oauth_open_enabled: true,
+          wechat_oauth_mp_enabled: false,
+          wechat_oauth_mobile_enabled: false
+        }
+      })
+    ).toBe(
+      'https://api.example.com/api/v1/auth/oauth/wechat/bind/start?redirect=%2Fsettings%2Fprofile&intent=bind_current_user&mode=open'
+    )
+  })
+})

frontend/src/api/admin/users.ts

@@ -8,26 +8,40 @@ import type { AdminUser, UpdateUserRequest, PaginatedResponse, ApiKey } from '@/
 
 export interface AdminBindAuthIdentityChannelRequest {
   channel: string
-  channel_app_id?: string
+  channel_app_id: string
   channel_subject: string
-  metadata?: Record<string, unknown>
+  metadata?: Record<string, unknown> | null
 }
 
 export interface AdminBindAuthIdentityRequest {
   provider_type: string
   provider_key: string
   provider_subject: string
-  issuer?: string
-  metadata?: Record<string, unknown>
+  issuer?: string | null
+  metadata?: Record<string, unknown> | null
   channel?: AdminBindAuthIdentityChannelRequest
 }
 
+export interface AdminBoundAuthIdentityChannel {
+  channel: string
+  channel_app_id: string
+  channel_subject: string
+  metadata: Record<string, unknown> | null
+  created_at: string
+  updated_at: string
+}
+
 export interface AdminBoundAuthIdentity {
-  identity_id: number
+  user_id: number
   provider_type: string
   provider_key: string
   provider_subject: string
-  channel_id?: number | null
+  verified_at?: string | null
+  issuer?: string | null
+  metadata: Record<string, unknown> | null
+  created_at: string
+  updated_at: string
+  channel?: AdminBoundAuthIdentityChannel | null
 }
 
 /**

frontend/src/api/auth.ts

@@ -194,6 +194,7 @@ export interface OAuthTokenResponse {
 }
 
 export interface PendingOAuthBindLoginResponse extends Partial<OAuthTokenResponse> {
+  auth_result?: string
   redirect?: string
   error?: string
   requires_2fa?: boolean
@@ -206,7 +207,9 @@ export interface PendingOAuthBindLoginResponse extends Partial<OAuthTokenRespons
 
 export type PendingOAuthExchangeResponse = PendingOAuthBindLoginResponse
 
-export interface PendingOAuthCreateAccountResponse extends OAuthTokenResponse {}
+export interface PendingOAuthCreateAccountResponse extends OAuthTokenResponse {
+  auth_result?: string
+}
 
 export interface PendingOAuthSendVerifyCodeResponse extends SendVerifyCodeResponse {
   auth_result?: string

frontend/src/api/client.ts

@@ -13,6 +13,7 @@ const API_BASE_URL = import.meta.env.VITE_API_BASE_URL || '/api/v1'
 
 export const apiClient: AxiosInstance = axios.create({
   baseURL: API_BASE_URL,
+  withCredentials: true,
   timeout: 30000,
   headers: {
     'Content-Type': 'application/json'

frontend/src/api/user.ts

@@ -150,7 +150,7 @@ export function buildOAuthBindingStartURL(
     params.set('mode', mode)
   }
 
-  return `${normalized}/auth/oauth/${provider}/start?${params.toString()}`
+  return `${normalized}/auth/oauth/${provider}/bind/start?${params.toString()}`
 }
 
 export async function startOAuthBinding(