mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-07 04:50:57 +08:00
fix(auth): allow re-fetching OTP for unverified users (#653)
* fix(auth): allow re-fetching OTP for unverified users
**Problem:**
- User registers but interrupts OTP setup
- Re-registration returns "邮箱已被注册" error
- User stuck, cannot retrieve QR code to complete setup
**Root Cause:**
- handleRegister rejects all existing emails without checking OTPVerified status
- No way for users to recover from interrupted registration
**Fix:**
- Check if existing user has OTPVerified=false
- If unverified, return original OTP QR code instead of error
- User can continue completing registration with same user_id
- If verified, still reject with "邮箱已被注册" (existing behavior)
**Code Changes:**
```go
// Before:
_, err := s.database.GetUserByEmail(req.Email)
if err == nil {
c.JSON(http.StatusConflict, gin.H{"error": "邮箱已被注册"})
return
}
// After:
existingUser, err := s.database.GetUserByEmail(req.Email)
if err == nil {
if !existingUser.OTPVerified {
// Return OTP to complete registration
qrCodeURL := auth.GetOTPQRCodeURL(existingUser.OTPSecret, req.Email)
c.JSON(http.StatusOK, gin.H{
"user_id": existingUser.ID,
"otp_secret": existingUser.OTPSecret,
"qr_code_url": qrCodeURL,
"message": "检测到未完成的注册,请继续完成OTP设置",
})
return
}
c.JSON(http.StatusConflict, gin.H{"error": "邮箱已被注册"})
return
}
```
**Testing Scenario:**
1. User POST /api/register with email + password
2. User receives OTP QR code but closes browser (interrupts)
3. User POST /api/register again with same email + password
4. ✅ Now returns original OTP instead of error
5. User can complete registration via /api/complete-registration
**Security:**
✅ No security issue - still requires OTP verification
✅ Only returns OTP for unverified accounts
✅ Password not validated on re-fetch (same as initial registration)
**Impact:**
✅ Users can recover from interrupted registration
✅ Better UX for registration flow
✅ No breaking changes to existing verified users
**API Changes:**
- POST /api/register response for unverified users:
- Status: 200 OK (was: 409 Conflict)
- Body includes: user_id, otp_secret, qr_code_url, message
Fixes #615
Co-Authored-By: tinkle-community <tinklefund@gmail.com>
* test(api): add comprehensive unit tests for OTP re-fetch logic
- Test OTP re-fetch logic for unverified users
- Test OTP verification state handling
- Test complete registration flow scenarios
- Test edge cases (ID=0, empty OTPSecret, verified users)
All 11 test cases passed, covering:
1. OTPRefetchLogic (3 cases): new user, unverified refetch, verified rejection
2. OTPVerificationStates (2 cases): verified/unverified states
3. RegistrationFlow (3 cases): first registration, interrupted resume, duplicate attempt
4. EdgeCases (3 cases): validates behavior with edge conditions
Related to PR #653 - ensures proper OTP re-fetch behavior for unverified users.
Co-Authored-By: tinkle-community <tinklefund@gmail.com>
* style: apply go fmt after rebase
Co-Authored-By: tinkle-community <tinklefund@gmail.com>
---------
Co-authored-by: ZhouYongyou <128128010+zhouyongyou@users.noreply.github.com>
Co-authored-by: tinkle-community <tinklefund@gmail.com>
This commit is contained in:
committed by
GitHub
parent
463a092a64
commit
bb2d81cbd4
@@ -967,7 +967,7 @@ func (s *Server) handleSyncBalance(c *gin.Context) {
|
||||
actualBalance = totalBalance
|
||||
} else {
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": "无法获取可用余额"})
|
||||
return
|
||||
return
|
||||
}
|
||||
|
||||
oldBalance := traderConfig.InitialBalance
|
||||
@@ -1724,8 +1724,21 @@ func (s *Server) handleRegister(c *gin.Context) {
|
||||
}
|
||||
|
||||
// 检查邮箱是否已存在
|
||||
_, err := s.database.GetUserByEmail(req.Email)
|
||||
existingUser, err := s.database.GetUserByEmail(req.Email)
|
||||
if err == nil {
|
||||
// 如果用户未完成OTP验证,允许重新获取OTP(支持中断后恢复注册)
|
||||
if !existingUser.OTPVerified {
|
||||
qrCodeURL := auth.GetOTPQRCodeURL(existingUser.OTPSecret, req.Email)
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"user_id": existingUser.ID,
|
||||
"email": req.Email,
|
||||
"otp_secret": existingUser.OTPSecret,
|
||||
"qr_code_url": qrCodeURL,
|
||||
"message": "检测到未完成的注册,请继续完成OTP设置",
|
||||
})
|
||||
return
|
||||
}
|
||||
// 用户已完成验证,拒绝重复注册
|
||||
c.JSON(http.StatusConflict, gin.H{"error": "邮箱已被注册"})
|
||||
return
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user