iye 8597957af4 fix(auth): reject wrong OTP codes when Redis is missing (security) ...

Bug: verifyOtp 里 dev 态 Redis 未配置时, 写了 /^\d{6}$/.test(code) 作为联调 fallback,
导致任意 6 位数字都能登录(包括恶意构造). 实际表现: 用户输入错误验证码也能直接登录。

修复:
- Redis 未配置时无论 dev/prod 一律拒绝, 不再做"任意 6 位"放行
- dev 联调若需要绕过短信, 用万能码 123456 (已保留, 仅 NODE_ENV !== production)

E2E 验证 (curl + NextAuth credentials callback):
  错误码 999999 → /login?error=CredentialsSignin , session=null ✓
  万能码 123456 → callbackUrl=/, session 有用户 ✓

新增 tools/test-verify-otp.mjs 作为该 bug 的回归测试。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-13 15:08:03 +08:00

..

asset-pipeline

chore(tools): asset compression pipeline for TOS bucket upload

2026-05-13 14:26:42 +08:00

test-verify-otp.mjs

fix(auth): reject wrong OTP codes when Redis is missing (security)

2026-05-13 15:08:03 +08:00