feat: 实现邮箱绑定接口

yokowu · yokowu · commit 73432b2f1ef1 · 2026-03-24T18:17:26.000+08:00
diff --git a/backend/biz/user/handler/v1/auth.go b/backend/biz/user/handler/v1/auth.go
@@ -3,6 +3,7 @@ package v1
 import (
 	"fmt"
 	"log/slog"
+	"net/http"
 
 	"github.com/GoYoko/web"
 	"github.com/google/uuid"
@@ -59,6 +60,10 @@ func NewAuthHandler(i *do.Injector) (*AuthHandler, error) {
 	v1.GET("/status", web.BaseHandler(h.Status), auth.Check())
 	v1.POST("/logout", web.BaseHandler(h.Logout), auth.Auth())
 
+	// 邮箱绑定接口
+	v1.PUT("/email/bind-request", web.BindHandler(h.SendBindEmailVerification), auth.Auth())
+	v1.GET("/email/verify", web.BindHandler(h.VerifyBindEmail))
+
 	return h, nil
 }
 
@@ -315,3 +320,26 @@ func (h *AuthHandler) ResetPassword(c *web.Context, req domain.ResetUserPassword
 
 	return c.Success(nil)
 }
+
+// SendBindEmailVerification 发送邮箱绑定验证邮件
+func (h *AuthHandler) SendBindEmailVerification(c *web.Context, req domain.SendBindEmailVerificationReq) error {
+	user := middleware.GetUser(c)
+	if user == nil {
+		return errcode.ErrUnauthorized
+	}
+
+	err := h.usecase.SendBindEmailVerification(c.Request().Context(), user.ID, &req)
+	if err != nil {
+		return err
+	}
+	return c.Success(nil)
+}
+
+// VerifyBindEmail 验证邮箱绑定
+func (h *AuthHandler) VerifyBindEmail(c *web.Context, req domain.VerifyBindEmailReq) error {
+	err := h.usecase.VerifyBindEmail(c.Request().Context(), req.Token)
+	if err != nil {
+		return err
+	}
+	return c.Redirect(http.StatusFound, h.config.Server.BaseURL)
+}
diff --git a/backend/biz/user/repo/user.go b/backend/biz/user/repo/user.go
@@ -113,3 +113,8 @@ func (u *userRepo) ChangePassword(ctx context.Context, userID uuid.UUID, current
 func (u *userRepo) GetUserByEmail(ctx context.Context, emails []string) ([]*db.User, error) {
 	return u.db.User.Query().WithTeams().Where(user.EmailIn(emails...)).All(ctx)
 }
+
+// SetEmail implements domain.UserRepo.
+func (u *userRepo) SetEmail(ctx context.Context, userID uuid.UUID, email string) error {
+	return u.db.User.UpdateOneID(userID).SetEmail(email).Exec(ctx)
+}
diff --git a/backend/biz/user/usecase/user.go b/backend/biz/user/usecase/user.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -14,6 +15,7 @@ import (
 	"github.com/chaitin/MonkeyCode/backend/db"
 	"github.com/chaitin/MonkeyCode/backend/domain"
 	"github.com/chaitin/MonkeyCode/backend/errcode"
+	"github.com/chaitin/MonkeyCode/backend/pkg/crypto"
 	"github.com/chaitin/MonkeyCode/backend/pkg/cvt"
 )
 
@@ -139,3 +141,113 @@ func (u *UserUsecase) GetUserByEmail(ctx context.Context, emails []string) ([]*d
 	})
 	return result, nil
 }
+
+// SendBindEmailVerification 发送邮箱绑定验证邮件
+func (u *UserUsecase) SendBindEmailVerification(ctx context.Context, userID uuid.UUID, req *domain.SendBindEmailVerificationReq) error {
+	// 检查邮箱是否已被其他用户使用
+	existingUsers, err := u.repo.GetUserByEmail(ctx, []string{req.Email})
+	if err != nil && !db.IsNotFound(err) {
+		return errcode.ErrDatabaseQuery.Wrap(err)
+	}
+	for _, eu := range existingUsers {
+		if eu.ID == userID {
+			return errcode.ErrEmailAlreadyBound
+		}
+		return errcode.ErrEmailTaken
+	}
+
+	// 生成验证 token
+	token, err := crypto.Simple(userID.String(), time.Now().Add(time.Hour*24))
+	if err != nil {
+		u.logger.ErrorContext(ctx, "generate bind email token failed", "error", err)
+		return errcode.ErrInternalServer.Wrap(err)
+	}
+
+	// 存储 token 到 Redis，格式：{token}:{email}，有效期 24 小时
+	key := fmt.Sprintf("bind_email_token:%s", userID.String())
+	value := fmt.Sprintf("%s:%s", token, req.Email)
+	if err := u.redis.Set(ctx, key, value, time.Hour*24).Err(); err != nil {
+		u.logger.ErrorContext(ctx, "set redis key failed", "error", err)
+		return errcode.ErrDatabaseOperation.Wrap(err)
+	}
+
+	// 获取用户信息用于邮件发送
+	user, err := u.repo.Get(ctx, userID)
+	if err != nil {
+		u.logger.ErrorContext(ctx, "get user failed", "error", err)
+		return errcode.ErrDatabaseQuery.Wrap(err)
+	}
+
+	// 异步发送邮件
+	verifyURL := fmt.Sprintf("%s/api/v1/users/email/verify?token=%s", u.config.Server.BaseURL, token)
+	go func() {
+		if err := u.email.SendBindEmailVerification(context.Background(), req.Email, user.Name, verifyURL); err != nil {
+			u.logger.ErrorContext(ctx, "send bind email verification mail failed", "error", err)
+		}
+	}()
+
+	return nil
+}
+
+// VerifyBindEmail 验证邮箱绑定
+func (u *UserUsecase) VerifyBindEmail(ctx context.Context, token string) error {
+	// 验证 token 的有效性（检查签名和过期时间）
+	userIDStr, err := crypto.ValidateSimple(token)
+	if err != nil {
+		u.logger.WarnContext(ctx, "validate token failed", "error", err)
+		return errcode.ErrEmailVerifyFailed.Wrap(err)
+	}
+
+	userID, err := uuid.Parse(userIDStr)
+	if err != nil {
+		u.logger.WarnContext(ctx, "parse user id from token failed", "error", err)
+		return errcode.ErrEmailVerifyFailed.Wrap(err)
+	}
+
+	// 从 Redis 中取出存储的 token 和邮箱（一次性消费）
+	key := fmt.Sprintf("bind_email_token:%s", userID.String())
+	redisValue, err := u.redis.GetDel(ctx, key).Result()
+	if err != nil {
+		if err == redis.Nil {
+			return errcode.ErrEmailVerifyFailed
+		}
+		u.logger.ErrorContext(ctx, "get redis key failed", "error", err)
+		return errcode.ErrDatabaseOperation.Wrap(err)
+	}
+
+	// 解析 Redis 中的值：{token}:{email}
+	parts := strings.SplitN(redisValue, ":", 2)
+	if len(parts) != 2 {
+		u.logger.WarnContext(ctx, "invalid redis value format", "value", redisValue)
+		return errcode.ErrEmailVerifyFailed
+	}
+
+	storedToken := parts[0]
+	email := parts[1]
+
+	// 验证 token 是否匹配（防止 token 替换）
+	if storedToken != token {
+		u.logger.WarnContext(ctx, "token mismatch")
+		return errcode.ErrEmailVerifyFailed
+	}
+
+	// 再次检查邮箱是否被其他用户占用（防止竞态条件）
+	existingUsers, err := u.repo.GetUserByEmail(ctx, []string{email})
+	if err != nil && !db.IsNotFound(err) {
+		return errcode.ErrDatabaseQuery.Wrap(err)
+	}
+	for _, eu := range existingUsers {
+		if eu.ID != userID {
+			return errcode.ErrEmailTaken
+		}
+	}
+
+	// 更新用户邮箱
+	if err := u.repo.SetEmail(ctx, userID, email); err != nil {
+		u.logger.ErrorContext(ctx, "set email failed", "error", err)
+		return errcode.ErrDatabaseOperation.Wrap(err)
+	}
+
+	u.logger.InfoContext(ctx, "bind email success", "user_id", userID, "email", email)
+	return nil
+}
diff --git a/backend/domain/email.go b/backend/domain/email.go
@@ -5,4 +5,5 @@ import "context"
 // EmailSender 邮件发送接口
 type EmailSender interface {
 	SendResetPasswordEmail(ctx context.Context, to, username, resetURL string) error
+	SendBindEmailVerification(ctx context.Context, to, username, verifyURL string) error
 }
diff --git a/backend/domain/user.go b/backend/domain/user.go
@@ -19,6 +19,8 @@ type UserUsecase interface {
 	ChangePassword(ctx context.Context, userID uuid.UUID, req *ChangePasswordReq, isReset bool) error
 	SendResetPasswordEmail(ctx context.Context, req *ResetUserPasswordEmailReq) error
 	GetUserByEmail(ctx context.Context, emails []string) ([]*User, error)
+	SendBindEmailVerification(ctx context.Context, userID uuid.UUID, req *SendBindEmailVerificationReq) error
+	VerifyBindEmail(ctx context.Context, token string) error
 }
 
 type UserRepo interface {
@@ -28,6 +30,7 @@ type UserRepo interface {
 	PasswordLogin(ctx context.Context, req *TeamLoginReq) (*db.User, error)
 	ChangePassword(ctx context.Context, uid uuid.UUID, currentPassword, newPassword string, isReset bool) error
 	GetUserByEmail(ctx context.Context, emails []string) ([]*db.User, error)
+	SetEmail(ctx context.Context, userID uuid.UUID, email string) error
 }
 
 type User struct {
@@ -38,9 +41,10 @@ type User struct {
 	Role       consts.UserRole   `json:"role"`
 	Status     consts.UserStatus `json:"status"`
 	IsBlocked  bool              `json:"is_blocked"`
-	Token      string            `json:"token,omitempty"`
-	Identities []*UserIdentity   `json:"identities"`
-	Team       *Team             `json:"team,omitempty"`
+	Token       string            `json:"token,omitempty"`
+	Identities  []*UserIdentity   `json:"identities"`
+	Team        *Team             `json:"team,omitempty"`
+	HasPassword bool              `json:"has_password"`
 }
 
 func (u *User) From(src *db.User) *User {
@@ -55,6 +59,7 @@ func (u *User) From(src *db.User) *User {
 	u.Role = src.Role
 	u.Status = consts.UserStatusActive
 	u.IsBlocked = src.IsBlocked
+	u.HasPassword = src.Password != ""
 	u.Identities = cvt.Iter(src.Edges.Identities, func(_ int, i *db.UserIdentity) *UserIdentity {
 		return cvt.From(i, &UserIdentity{})
 	})
@@ -155,3 +160,13 @@ type CursorReq struct {
 	Cursor string `query:"cursor"`
 	Limit  int    `query:"limit"`
 }
+
+// SendBindEmailVerificationReq 发送邮箱绑定验证邮件请求
+type SendBindEmailVerificationReq struct {
+	Email string `json:"email" validate:"required,email"` // 要绑定的邮箱地址
+}
+
+// VerifyBindEmailReq 验证邮箱请求
+type VerifyBindEmailReq struct {
+	Token string `query:"token" validate:"required"` // 验证 token
+}
diff --git a/backend/errcode/errcode.go b/backend/errcode/errcode.go
@@ -89,6 +89,9 @@ var (
 	ErrResetPasswordFailed  = web.NewErr(http.StatusOK, 10608, "err-reset-password-failed")
 	ErrWalletInsufficient   = web.NewErr(http.StatusOK, 10609, "err-wallet-insufficient")
 	ErrAccountOverdraft     = web.NewErr(http.StatusOK, 10610, "err-account-overdraft")
+	ErrEmailVerifyFailed    = web.NewErr(http.StatusOK, 10611, "err-email-verify-failed")
+	ErrEmailAlreadyBound    = web.NewErr(http.StatusOK, 10612, "err-email-already-bound")
+	ErrEmailTaken           = web.NewErr(http.StatusOK, 10613, "err-email-taken")
 
 	// captcha 模块
 	ErrCreateCaptchaFailed  = web.NewErr(http.StatusOK, 10700, "err-create-captcha-failed")
diff --git a/backend/errcode/locale.en.toml b/backend/errcode/locale.en.toml
@@ -129,6 +129,15 @@ other = "Insufficient wallet balance"
 [err-account-overdraft]
 other = "Account overdraft"
 
+[err-email-verify-failed]
+other = "Email verification failed"
+
+[err-email-already-bound]
+other = "Email already bound"
+
+[err-email-taken]
+other = "Email already taken by another user"
+
 [err-deposit-failed]
 other = "Deposit failed"
 
diff --git a/backend/errcode/locale.zh.toml b/backend/errcode/locale.zh.toml
@@ -136,6 +136,15 @@ other = "余额不足"
 [err-account-overdraft]
 other = "账户超支"
 
+[err-email-verify-failed]
+other = "邮箱验证失败"
+
+[err-email-already-bound]
+other = "该邮箱已绑定"
+
+[err-email-taken]
+other = "该邮箱已被使用"
+
 [err-deposit-failed]
 other = "充值失败"
 
diff --git a/backend/pkg/email/smtp.go b/backend/pkg/email/smtp.go
@@ -43,6 +43,21 @@ func (c *EmailClient) SendResetPasswordEmail(ctx context.Context, to, username,
 	return c.Send("Reset Your Password", to, buf.String())
 }
 
+func (c *EmailClient) SendBindEmailVerification(ctx context.Context, to, username, verifyURL string) error {
+	tmpl, err := template.New("bind_email").Parse(string(templates.BindEmail))
+	if err != nil {
+		return err
+	}
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, map[string]string{
+		"user":       username,
+		"verify_url": verifyURL,
+	}); err != nil {
+		return err
+	}
+	return c.Send("Verify Your Email", to, buf.String())
+}
+
 type Smtp struct {
 	cfg *config.Config
 }
diff --git a/backend/templates/bind_email.html.tmpl b/backend/templates/bind_email.html.tmpl
diff --git a/backend/templates/temp.go b/backend/templates/temp.go

Original file line number	Diff line number	Diff line change
`@@ -113,3 +113,8 @@ func (u *userRepo) ChangePassword(ctx context.Context, userID uuid.UUID, current`
`113`	`113`	`func (u userRepo) GetUserByEmail(ctx context.Context, emails []string) ([]db.User, error) {`
`114`	`114`	`return u.db.User.Query().WithTeams().Where(user.EmailIn(emails...)).All(ctx)`
`115`	`115`	`}`
	`116`	`+`
	`117`	`+// SetEmail implements domain.UserRepo.`
	`118`	`+func (u *userRepo) SetEmail(ctx context.Context, userID uuid.UUID, email string) error {`
	`119`	`+ return u.db.User.UpdateOneID(userID).SetEmail(email).Exec(ctx)`
	`120`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,5 @@ import "context"`
`5`	`5`	`// EmailSender 邮件发送接口`
`6`	`6`	`type EmailSender interface {`
`7`	`7`	`SendResetPasswordEmail(ctx context.Context, to, username, resetURL string) error`
	`8`	`+ SendBindEmailVerification(ctx context.Context, to, username, verifyURL string) error`
`8`	`9`	`}`