fix: restrict password login to existing phone accounts

2026-04-26 01:11:45 +08:00
parent c4b9b8173f
commit 0a0f3f1bd8
33 changed files with 489 additions and 778 deletions
--- a/docs/technical/SPACETIMEDB_AUTH_IDENTITY_TABLE_DESIGN_2026-04-21.md
+++ b/docs/technical/SPACETIMEDB_AUTH_IDENTITY_TABLE_DESIGN_2026-04-21.md
@@ -206,6 +206,8 @@

 1. 密码登录仍由 `user_account.password_hash` 承担
 2. 本轮不引入 `password` provider identity
+3. 密码登录只接受已绑定手机号的账号，不支持邮箱、用户名或叙世号作为登录身份
+4. 密码登录不创建账号，新账号只由手机号验证码登录创建

 ### 9.2 `POST /api/auth/phone/login`