web-dev0521
1696d4ead6
feat(go-api): implement password-reset flow (issue #15282) (#15293)
## Summary
Ports the Python password-reset flow to Go, adding 4 unauthenticated
endpoints under `/api/v1/auth/password/`:
- `POST /auth/password/forgot/captcha` — generates and returns a PNG
captcha image; stores the plaintext code in Redis (60 s TTL)
- `POST /auth/password/forgot/otp` — verifies captcha, enforces resend
cooldown (60 s), generates HMAC-SHA256-hashed OTP (300 s TTL), sends
plain-text email via SMTP
- `POST /auth/password/forgot/otp/verify` — verifies OTP with attempt
counting (lock after 5 failures for 30 min), sets a
`otp:verified:{email}` flag (300 s TTL) on success
- `POST /auth/password/reset` — checks verified flag, decrypts +
validates passwords, updates user record, auto-logs in (issues JWT,
returns user profile)
Closes #15282
2026-06-02 09:38:02 +08:00
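One way the OTP verify step in the summary above could behave, as an added example that is not code from this commit or project. The in-memory `Store` stands in for Redis; the type and function names, the key handling, and the choice to keep failure counts across a resend are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"time"
)

// Limits from the summary: 300 s OTP TTL, 30 min lock after 5 failures.
const otpTTL, lockFor, maxFailures = 300 * time.Second, 30 * time.Minute, 5

type entry struct { // stands in for the per-email Redis keys (layout assumed)
	mac                  []byte // HMAC-SHA256 of the code, never the code
	expires, lockedUntil time.Time
	failures             int
}

type Store struct{ key []byte; m map[string]*entry } // hypothetical Redis substitute

func (s *Store) mac(email, otp string) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(email + "\x00" + otp)) // bind the code to one address
	return h.Sum(nil)
}

// Issue replaces the code; failure and lock state survive a resend.
func (s *Store) Issue(email, otp string, now time.Time) {
	if s.m[email] == nil {
		s.m[email] = &entry{}
	}
	s.m[email].mac, s.m[email].expires = s.mac(email, otp), now.Add(otpTTL)
}

// Verify returns "ok", "invalid", "expired" (no live code) or "locked".
func (s *Store) Verify(email, otp string, now time.Time) string {
	e := s.m[email]
	switch {
	case e != nil && now.Before(e.lockedUntil):
		return "locked"
	case e == nil || e.mac == nil || !now.Before(e.expires):
		return "expired"
	case hmac.Equal(e.mac, s.mac(email, otp)): // constant-time compare
		delete(s.m, email) // single use
		return "ok"
	case e.failures+1 >= maxFailures: // fifth miss: drop the code, start the lock
		*e = entry{lockedUntil: now.Add(lockFor)}
		return "locked"
	}
	e.failures++
	return "invalid"
}
```

Because `Issue` leaves the failure counter alone, requesting a fresh code does not buy another five guesses.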