b402c367d3
smtp.SendMail automatically upgrades to STARTTLS when the server supports it. Our replacement sendMailPlain skipped this, causing credentials to be sent in plaintext on port 587. Add STARTTLS negotiation before Auth to restore the original security behavior.
611 lines
20 KiB
Go
611 lines
20 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/subtle"
|
|
"crypto/tls"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"log/slog"
|
|
"math/big"
|
|
"net"
|
|
"net/smtp"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
|
|
)
|
|
|
|
var (
|
|
ErrEmailNotConfigured = infraerrors.ServiceUnavailable("EMAIL_NOT_CONFIGURED", "email service not configured")
|
|
ErrInvalidVerifyCode = infraerrors.BadRequest("INVALID_VERIFY_CODE", "invalid or expired verification code")
|
|
ErrVerifyCodeTooFrequent = infraerrors.TooManyRequests("VERIFY_CODE_TOO_FREQUENT", "please wait before requesting a new code")
|
|
ErrVerifyCodeMaxAttempts = infraerrors.TooManyRequests("VERIFY_CODE_MAX_ATTEMPTS", "too many failed attempts, please request a new code")
|
|
|
|
// Password reset errors
|
|
ErrInvalidResetToken = infraerrors.BadRequest("INVALID_RESET_TOKEN", "invalid or expired password reset token")
|
|
)
|
|
|
|
// EmailCache defines cache operations for email service
|
|
type EmailCache interface {
|
|
GetVerificationCode(ctx context.Context, email string) (*VerificationCodeData, error)
|
|
SetVerificationCode(ctx context.Context, email string, data *VerificationCodeData, ttl time.Duration) error
|
|
DeleteVerificationCode(ctx context.Context, email string) error
|
|
|
|
// Notify email verification code methods
|
|
GetNotifyVerifyCode(ctx context.Context, email string) (*VerificationCodeData, error)
|
|
SetNotifyVerifyCode(ctx context.Context, email string, data *VerificationCodeData, ttl time.Duration) error
|
|
DeleteNotifyVerifyCode(ctx context.Context, email string) error
|
|
|
|
// Password reset token methods
|
|
GetPasswordResetToken(ctx context.Context, email string) (*PasswordResetTokenData, error)
|
|
SetPasswordResetToken(ctx context.Context, email string, data *PasswordResetTokenData, ttl time.Duration) error
|
|
DeletePasswordResetToken(ctx context.Context, email string) error
|
|
|
|
// Password reset email cooldown methods
|
|
// Returns true if in cooldown period (email was sent recently)
|
|
IsPasswordResetEmailInCooldown(ctx context.Context, email string) bool
|
|
SetPasswordResetEmailCooldown(ctx context.Context, email string, ttl time.Duration) error
|
|
}
|
|
|
|
// VerificationCodeData represents verification code data
|
|
type VerificationCodeData struct {
|
|
Code string
|
|
Attempts int
|
|
CreatedAt time.Time
|
|
ExpiresAt time.Time // absolute expiry; used to preserve remaining TTL when updating attempts
|
|
}
|
|
|
|
// PasswordResetTokenData represents password reset token data
|
|
type PasswordResetTokenData struct {
|
|
Token string
|
|
CreatedAt time.Time
|
|
}
|
|
|
|
const (
|
|
verifyCodeTTL = 15 * time.Minute
|
|
verifyCodeCooldown = 1 * time.Minute
|
|
maxVerifyCodeAttempts = 5
|
|
|
|
// Password reset token settings
|
|
passwordResetTokenTTL = 30 * time.Minute
|
|
|
|
// Password reset email cooldown (prevent email bombing)
|
|
passwordResetEmailCooldown = 30 * time.Second
|
|
)
|
|
|
|
// SMTPConfig SMTP配置
|
|
type SMTPConfig struct {
|
|
Host string
|
|
Port int
|
|
Username string
|
|
Password string
|
|
From string
|
|
FromName string
|
|
UseTLS bool
|
|
}
|
|
|
|
// EmailService 邮件服务
|
|
type EmailService struct {
|
|
settingRepo SettingRepository
|
|
cache EmailCache
|
|
}
|
|
|
|
// NewEmailService 创建邮件服务实例
|
|
func NewEmailService(settingRepo SettingRepository, cache EmailCache) *EmailService {
|
|
return &EmailService{
|
|
settingRepo: settingRepo,
|
|
cache: cache,
|
|
}
|
|
}
|
|
|
|
// GetSMTPConfig 从数据库获取SMTP配置
|
|
func (s *EmailService) GetSMTPConfig(ctx context.Context) (*SMTPConfig, error) {
|
|
keys := []string{
|
|
SettingKeySMTPHost,
|
|
SettingKeySMTPPort,
|
|
SettingKeySMTPUsername,
|
|
SettingKeySMTPPassword,
|
|
SettingKeySMTPFrom,
|
|
SettingKeySMTPFromName,
|
|
SettingKeySMTPUseTLS,
|
|
}
|
|
|
|
settings, err := s.settingRepo.GetMultiple(ctx, keys)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("get smtp settings: %w", err)
|
|
}
|
|
|
|
host := strings.TrimSpace(settings[SettingKeySMTPHost])
|
|
if host == "" {
|
|
return nil, ErrEmailNotConfigured
|
|
}
|
|
|
|
port := 587 // 默认端口
|
|
if portStr := settings[SettingKeySMTPPort]; portStr != "" {
|
|
if p, err := strconv.Atoi(portStr); err == nil {
|
|
port = p
|
|
}
|
|
}
|
|
|
|
useTLS := settings[SettingKeySMTPUseTLS] == "true"
|
|
|
|
return &SMTPConfig{
|
|
Host: host,
|
|
Port: port,
|
|
Username: strings.TrimSpace(settings[SettingKeySMTPUsername]),
|
|
Password: strings.TrimSpace(settings[SettingKeySMTPPassword]),
|
|
From: strings.TrimSpace(settings[SettingKeySMTPFrom]),
|
|
FromName: strings.TrimSpace(settings[SettingKeySMTPFromName]),
|
|
UseTLS: useTLS,
|
|
}, nil
|
|
}
|
|
|
|
// SendEmail 发送邮件(使用数据库中保存的配置)
|
|
func (s *EmailService) SendEmail(ctx context.Context, to, subject, body string) error {
|
|
config, err := s.GetSMTPConfig(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return s.SendEmailWithConfig(config, to, subject, body)
|
|
}
|
|
|
|
const smtpDialTimeout = 10 * time.Second
|
|
const smtpIOTimeout = 20 * time.Second
|
|
|
|
// SendEmailWithConfig 使用指定配置发送邮件
|
|
func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body string) error {
|
|
// Sanitize all SMTP header fields to prevent header injection (CR/LF removal).
|
|
to = sanitizeEmailHeader(to)
|
|
subject = sanitizeEmailHeader(subject)
|
|
|
|
from := sanitizeEmailHeader(config.From)
|
|
if config.FromName != "" {
|
|
from = fmt.Sprintf("%s <%s>", sanitizeEmailHeader(config.FromName), sanitizeEmailHeader(config.From))
|
|
}
|
|
|
|
msg := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n%s",
|
|
from, to, subject, body)
|
|
|
|
addr := fmt.Sprintf("%s:%d", config.Host, config.Port)
|
|
auth := smtp.PlainAuth("", config.Username, config.Password, config.Host)
|
|
|
|
if config.UseTLS {
|
|
return s.sendMailTLS(addr, auth, config.From, to, []byte(msg), config.Host)
|
|
}
|
|
|
|
return s.sendMailPlain(addr, auth, config.From, to, []byte(msg), config.Host)
|
|
}
|
|
|
|
// sendMailPlain sends mail without TLS using a dialer with timeout.
|
|
func (s *EmailService) sendMailPlain(addr string, auth smtp.Auth, from, to string, msg []byte, host string) error {
|
|
dialer := &net.Dialer{Timeout: smtpDialTimeout}
|
|
conn, err := dialer.Dial("tcp", addr)
|
|
if err != nil {
|
|
return fmt.Errorf("smtp dial: %w", err)
|
|
}
|
|
_ = conn.SetDeadline(time.Now().Add(smtpIOTimeout))
|
|
defer func() { _ = conn.Close() }()
|
|
|
|
client, err := smtp.NewClient(conn, host)
|
|
if err != nil {
|
|
return fmt.Errorf("new smtp client: %w", err)
|
|
}
|
|
defer func() { _ = client.Close() }()
|
|
|
|
// Opportunistic STARTTLS: upgrade to encrypted connection if the server supports it.
|
|
// This mirrors the behavior of smtp.SendMail which we replaced for timeout support.
|
|
if ok, _ := client.Extension("STARTTLS"); ok {
|
|
if err = client.StartTLS(&tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}); err != nil {
|
|
return fmt.Errorf("starttls: %w", err)
|
|
}
|
|
}
|
|
|
|
if err = client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp auth: %w", err)
|
|
}
|
|
if err = client.Mail(from); err != nil {
|
|
return fmt.Errorf("smtp mail: %w", err)
|
|
}
|
|
if err = client.Rcpt(to); err != nil {
|
|
return fmt.Errorf("smtp rcpt: %w", err)
|
|
}
|
|
w, err := client.Data()
|
|
if err != nil {
|
|
return fmt.Errorf("smtp data: %w", err)
|
|
}
|
|
if _, err = w.Write(msg); err != nil {
|
|
return fmt.Errorf("write msg: %w", err)
|
|
}
|
|
if err = w.Close(); err != nil {
|
|
return fmt.Errorf("close writer: %w", err)
|
|
}
|
|
_ = client.Quit()
|
|
return nil
|
|
}
|
|
|
|
// sendMailTLS 使用TLS发送邮件
|
|
func (s *EmailService) sendMailTLS(addr string, auth smtp.Auth, from, to string, msg []byte, host string) error {
|
|
tlsConfig := &tls.Config{
|
|
ServerName: host,
|
|
// 强制 TLS 1.2+,避免协议降级导致的弱加密风险。
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
dialer := &net.Dialer{Timeout: smtpDialTimeout}
|
|
conn, err := tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("tls dial: %w", err)
|
|
}
|
|
_ = conn.SetDeadline(time.Now().Add(smtpIOTimeout))
|
|
defer func() { _ = conn.Close() }()
|
|
|
|
client, err := smtp.NewClient(conn, host)
|
|
if err != nil {
|
|
return fmt.Errorf("new smtp client: %w", err)
|
|
}
|
|
defer func() { _ = client.Close() }()
|
|
|
|
if err = client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp auth: %w", err)
|
|
}
|
|
|
|
if err = client.Mail(from); err != nil {
|
|
return fmt.Errorf("smtp mail: %w", err)
|
|
}
|
|
|
|
if err = client.Rcpt(to); err != nil {
|
|
return fmt.Errorf("smtp rcpt: %w", err)
|
|
}
|
|
|
|
w, err := client.Data()
|
|
if err != nil {
|
|
return fmt.Errorf("smtp data: %w", err)
|
|
}
|
|
|
|
_, err = w.Write(msg)
|
|
if err != nil {
|
|
return fmt.Errorf("write msg: %w", err)
|
|
}
|
|
|
|
err = w.Close()
|
|
if err != nil {
|
|
return fmt.Errorf("close writer: %w", err)
|
|
}
|
|
|
|
// Email is sent successfully after w.Close(), ignore Quit errors
|
|
// Some SMTP servers return non-standard responses on QUIT
|
|
_ = client.Quit()
|
|
return nil
|
|
}
|
|
|
|
// GenerateVerifyCode 生成6位数字验证码
|
|
func (s *EmailService) GenerateVerifyCode() (string, error) {
|
|
const digits = "0123456789"
|
|
code := make([]byte, 6)
|
|
for i := range code {
|
|
num, err := rand.Int(rand.Reader, big.NewInt(int64(len(digits))))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
code[i] = digits[num.Int64()]
|
|
}
|
|
return string(code), nil
|
|
}
|
|
|
|
// SendVerifyCode 发送验证码邮件
|
|
func (s *EmailService) SendVerifyCode(ctx context.Context, email, siteName string) error {
|
|
// 检查是否在冷却期内
|
|
existing, err := s.cache.GetVerificationCode(ctx, email)
|
|
if err == nil && existing != nil {
|
|
if time.Since(existing.CreatedAt) < verifyCodeCooldown {
|
|
return ErrVerifyCodeTooFrequent
|
|
}
|
|
}
|
|
|
|
// 生成验证码
|
|
code, err := s.GenerateVerifyCode()
|
|
if err != nil {
|
|
return fmt.Errorf("generate code: %w", err)
|
|
}
|
|
|
|
// 保存验证码到 Redis
|
|
data := &VerificationCodeData{
|
|
Code: code,
|
|
Attempts: 0,
|
|
CreatedAt: time.Now(),
|
|
ExpiresAt: time.Now().Add(verifyCodeTTL),
|
|
}
|
|
if err := s.cache.SetVerificationCode(ctx, email, data, verifyCodeTTL); err != nil {
|
|
return fmt.Errorf("save verify code: %w", err)
|
|
}
|
|
|
|
// 构建邮件内容
|
|
subject := fmt.Sprintf("[%s] Email Verification Code", siteName)
|
|
body := s.buildVerifyCodeEmailBody(code, siteName)
|
|
|
|
// 发送邮件
|
|
if err := s.SendEmail(ctx, email, subject, body); err != nil {
|
|
return fmt.Errorf("send email: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// VerifyCode 验证验证码
|
|
func (s *EmailService) VerifyCode(ctx context.Context, email, code string) error {
|
|
data, err := s.cache.GetVerificationCode(ctx, email)
|
|
if err != nil || data == nil {
|
|
return ErrInvalidVerifyCode
|
|
}
|
|
|
|
// 检查是否已达到最大尝试次数
|
|
if data.Attempts >= maxVerifyCodeAttempts {
|
|
return ErrVerifyCodeMaxAttempts
|
|
}
|
|
|
|
// 验证码不匹配 (constant-time comparison to prevent timing attacks)
|
|
if subtle.ConstantTimeCompare([]byte(data.Code), []byte(code)) != 1 {
|
|
data.Attempts++
|
|
remaining := time.Until(data.ExpiresAt)
|
|
if remaining <= 0 {
|
|
return ErrInvalidVerifyCode
|
|
}
|
|
if err := s.cache.SetVerificationCode(ctx, email, data, remaining); err != nil {
|
|
slog.Error("failed to update verification attempt count", "email", email, "error", err)
|
|
}
|
|
if data.Attempts >= maxVerifyCodeAttempts {
|
|
return ErrVerifyCodeMaxAttempts
|
|
}
|
|
return ErrInvalidVerifyCode
|
|
}
|
|
|
|
// 验证成功,删除验证码
|
|
if err := s.cache.DeleteVerificationCode(ctx, email); err != nil {
|
|
slog.Error("failed to delete verification code after success", "email", email, "error", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// buildVerifyCodeEmailBody 构建验证码邮件HTML内容
|
|
func (s *EmailService) buildVerifyCodeEmailBody(code, siteName string) string {
|
|
return fmt.Sprintf(`
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<style>
|
|
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
|
|
.container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
|
|
.header { background: linear-gradient(135deg, #667eea 0%%, #764ba2 100%%); color: white; padding: 30px; text-align: center; }
|
|
.header h1 { margin: 0; font-size: 24px; }
|
|
.content { padding: 40px 30px; text-align: center; }
|
|
.code { font-size: 36px; font-weight: bold; letter-spacing: 8px; color: #333; background-color: #f8f9fa; padding: 20px 30px; border-radius: 8px; display: inline-block; margin: 20px 0; font-family: monospace; }
|
|
.info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; }
|
|
.footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div class="container">
|
|
<div class="header">
|
|
<h1>%s</h1>
|
|
</div>
|
|
<div class="content">
|
|
<p style="font-size: 18px; color: #333;">Your verification code is:</p>
|
|
<div class="code">%s</div>
|
|
<div class="info">
|
|
<p>This code will expire in <strong>15 minutes</strong>.</p>
|
|
<p>If you did not request this code, please ignore this email.</p>
|
|
</div>
|
|
</div>
|
|
<div class="footer">
|
|
<p>This is an automated message, please do not reply.</p>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
`, siteName, code)
|
|
}
|
|
|
|
// TestSMTPConnectionWithConfig 使用指定配置测试SMTP连接
|
|
func (s *EmailService) TestSMTPConnectionWithConfig(config *SMTPConfig) error {
|
|
addr := fmt.Sprintf("%s:%d", config.Host, config.Port)
|
|
|
|
if config.UseTLS {
|
|
tlsConfig := &tls.Config{
|
|
ServerName: config.Host,
|
|
// 与发送逻辑一致,显式要求 TLS 1.2+。
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
conn, err := tls.Dial("tcp", addr, tlsConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("tls connection failed: %w", err)
|
|
}
|
|
defer func() { _ = conn.Close() }()
|
|
|
|
client, err := smtp.NewClient(conn, config.Host)
|
|
if err != nil {
|
|
return fmt.Errorf("smtp client creation failed: %w", err)
|
|
}
|
|
defer func() { _ = client.Close() }()
|
|
|
|
auth := smtp.PlainAuth("", config.Username, config.Password, config.Host)
|
|
if err = client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp authentication failed: %w", err)
|
|
}
|
|
|
|
return client.Quit()
|
|
}
|
|
|
|
// 非TLS连接测试
|
|
client, err := smtp.Dial(addr)
|
|
if err != nil {
|
|
return fmt.Errorf("smtp connection failed: %w", err)
|
|
}
|
|
defer func() { _ = client.Close() }()
|
|
|
|
auth := smtp.PlainAuth("", config.Username, config.Password, config.Host)
|
|
if err = client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp authentication failed: %w", err)
|
|
}
|
|
|
|
return client.Quit()
|
|
}
|
|
|
|
// GeneratePasswordResetToken generates a secure 32-byte random token (64 hex characters)
|
|
func (s *EmailService) GeneratePasswordResetToken() (string, error) {
|
|
bytes := make([]byte, 32)
|
|
if _, err := rand.Read(bytes); err != nil {
|
|
return "", err
|
|
}
|
|
return hex.EncodeToString(bytes), nil
|
|
}
|
|
|
|
// SendPasswordResetEmail sends a password reset email with a reset link
|
|
func (s *EmailService) SendPasswordResetEmail(ctx context.Context, email, siteName, resetURL string) error {
|
|
var token string
|
|
var needSaveToken bool
|
|
|
|
// Check if token already exists
|
|
existing, err := s.cache.GetPasswordResetToken(ctx, email)
|
|
if err == nil && existing != nil {
|
|
// Token exists, reuse it (allows resending email without generating new token)
|
|
token = existing.Token
|
|
needSaveToken = false
|
|
} else {
|
|
// Generate new token
|
|
token, err = s.GeneratePasswordResetToken()
|
|
if err != nil {
|
|
return fmt.Errorf("generate token: %w", err)
|
|
}
|
|
needSaveToken = true
|
|
}
|
|
|
|
// Save token to Redis (only if new token generated)
|
|
if needSaveToken {
|
|
data := &PasswordResetTokenData{
|
|
Token: token,
|
|
CreatedAt: time.Now(),
|
|
}
|
|
if err := s.cache.SetPasswordResetToken(ctx, email, data, passwordResetTokenTTL); err != nil {
|
|
return fmt.Errorf("save reset token: %w", err)
|
|
}
|
|
}
|
|
|
|
// Build full reset URL with URL-encoded token and email
|
|
fullResetURL := fmt.Sprintf("%s?email=%s&token=%s", resetURL, url.QueryEscape(email), url.QueryEscape(token))
|
|
|
|
// Build email content
|
|
subject := fmt.Sprintf("[%s] 密码重置请求", siteName)
|
|
body := s.buildPasswordResetEmailBody(fullResetURL, siteName)
|
|
|
|
// Send email
|
|
if err := s.SendEmail(ctx, email, subject, body); err != nil {
|
|
return fmt.Errorf("send email: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SendPasswordResetEmailWithCooldown sends password reset email with cooldown check (called by queue worker)
|
|
// This method wraps SendPasswordResetEmail with email cooldown to prevent email bombing
|
|
func (s *EmailService) SendPasswordResetEmailWithCooldown(ctx context.Context, email, siteName, resetURL string) error {
|
|
// Check email cooldown to prevent email bombing
|
|
if s.cache.IsPasswordResetEmailInCooldown(ctx, email) {
|
|
slog.Info("password reset email skipped due to cooldown", "email", email)
|
|
return nil // Silent success to prevent revealing cooldown to attackers
|
|
}
|
|
|
|
// Send email using core method
|
|
if err := s.SendPasswordResetEmail(ctx, email, siteName, resetURL); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Set cooldown marker (Redis TTL handles expiration)
|
|
if err := s.cache.SetPasswordResetEmailCooldown(ctx, email, passwordResetEmailCooldown); err != nil {
|
|
slog.Error("failed to set password reset cooldown", "email", email, "error", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// VerifyPasswordResetToken verifies the password reset token without consuming it
|
|
func (s *EmailService) VerifyPasswordResetToken(ctx context.Context, email, token string) error {
|
|
data, err := s.cache.GetPasswordResetToken(ctx, email)
|
|
if err != nil || data == nil {
|
|
return ErrInvalidResetToken
|
|
}
|
|
|
|
// Use constant-time comparison to prevent timing attacks
|
|
if subtle.ConstantTimeCompare([]byte(data.Token), []byte(token)) != 1 {
|
|
return ErrInvalidResetToken
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ConsumePasswordResetToken verifies and deletes the token (one-time use)
|
|
func (s *EmailService) ConsumePasswordResetToken(ctx context.Context, email, token string) error {
|
|
// Verify first
|
|
if err := s.VerifyPasswordResetToken(ctx, email, token); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete after verification (one-time use)
|
|
if err := s.cache.DeletePasswordResetToken(ctx, email); err != nil {
|
|
slog.Error("failed to delete password reset token after consumption", "email", email, "error", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// buildPasswordResetEmailBody builds the HTML content for password reset email
|
|
func (s *EmailService) buildPasswordResetEmailBody(resetURL, siteName string) string {
|
|
return fmt.Sprintf(`
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<style>
|
|
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
|
|
.container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
|
|
.header { background: linear-gradient(135deg, #667eea 0%%, #764ba2 100%%); color: white; padding: 30px; text-align: center; }
|
|
.header h1 { margin: 0; font-size: 24px; }
|
|
.content { padding: 40px 30px; text-align: center; }
|
|
.button { display: inline-block; background: linear-gradient(135deg, #667eea 0%%, #764ba2 100%%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 8px; font-size: 16px; font-weight: 600; margin: 20px 0; }
|
|
.button:hover { opacity: 0.9; }
|
|
.info { color: #666; font-size: 14px; line-height: 1.6; margin-top: 20px; }
|
|
.link-fallback { color: #666; font-size: 12px; word-break: break-all; margin-top: 20px; padding: 15px; background-color: #f8f9fa; border-radius: 4px; }
|
|
.footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
|
|
.warning { color: #e74c3c; font-weight: 500; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div class="container">
|
|
<div class="header">
|
|
<h1>%s</h1>
|
|
</div>
|
|
<div class="content">
|
|
<p style="font-size: 18px; color: #333;">密码重置请求</p>
|
|
<p style="color: #666;">您已请求重置密码。请点击下方按钮设置新密码:</p>
|
|
<a href="%s" class="button">重置密码</a>
|
|
<div class="info">
|
|
<p>此链接将在 <strong>30 分钟</strong>后失效。</p>
|
|
<p class="warning">如果您没有请求重置密码,请忽略此邮件。您的密码将保持不变。</p>
|
|
</div>
|
|
<div class="link-fallback">
|
|
<p>如果按钮无法点击,请复制以下链接到浏览器中打开:</p>
|
|
<p>%s</p>
|
|
</div>
|
|
</div>
|
|
<div class="footer">
|
|
<p>这是一封自动发送的邮件,请勿回复。</p>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
`, siteName, resetURL, resetURL)
|
|
}
|