fix: restrict password login to existing phone accounts

2026-04-26 01:11:45 +08:00
parent c4b9b8173f
commit 0a0f3f1bd8
33 changed files with 489 additions and 778 deletions
--- a/server-rs/crates/shared-contracts/src/auth.rs
+++ b/server-rs/crates/shared-contracts/src/auth.rs
@@ -42,7 +42,7 @@ pub struct PublicUserSearchResponse {
 #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "camelCase")]
 pub struct PasswordEntryRequest {
-    pub username: String,
+    pub phone: String,
    pub password: String,
 }

@@ -193,12 +193,16 @@ pub struct WechatBindPhoneResponse {

 pub fn build_available_login_methods(
    sms_auth_enabled: bool,
+    password_auth_enabled: bool,
    wechat_auth_enabled: bool,
 ) -> Vec<String> {
-    let mut methods = vec![AUTH_LOGIN_METHOD_PASSWORD.to_string()];
+    let mut methods = Vec::new();
    if sms_auth_enabled {
        methods.push(AUTH_LOGIN_METHOD_PHONE.to_string());
    }
+    if password_auth_enabled {
+        methods.push(AUTH_LOGIN_METHOD_PASSWORD.to_string());
+    }
    if wechat_auth_enabled {
        methods.push(AUTH_LOGIN_METHOD_WECHAT.to_string());
    }
@@ -212,13 +216,13 @@ mod tests {

    #[test]
    fn available_login_methods_keep_phone_then_wechat_order() {
-        let methods = build_available_login_methods(true, true);
+        let methods = build_available_login_methods(true, true, true);

        assert_eq!(
            methods,
            vec![
-                AUTH_LOGIN_METHOD_PASSWORD.to_string(),
                AUTH_LOGIN_METHOD_PHONE.to_string(),
+                AUTH_LOGIN_METHOD_PASSWORD.to_string(),
                AUTH_LOGIN_METHOD_WECHAT.to_string()
            ]
        );
@@ -227,7 +231,7 @@ mod tests {
    #[test]
    fn password_entry_request_uses_camel_case_fields() {
        let payload = serde_json::to_value(PasswordEntryRequest {
-            username: "guest_001".to_string(),
+            phone: "13800138000".to_string(),
            password: "secret123".to_string(),
        })
        .expect("payload should serialize");
@@ -235,7 +239,7 @@ mod tests {
        assert_eq!(
            payload,
            json!({
-                "username": "guest_001",
+                "phone": "13800138000",
                "password": "secret123"
            })
        );