template-monorepo/internal/logic/auth/password_otp_helper.go

package auth

import (
	"context"
	"strings"
	"time"

	memberdom "gateway/internal/model/member/domain"
	dommember "gateway/internal/model/member/domain/usecase"
	notifenum "gateway/internal/model/notification/domain/enum"
	notifuc "gateway/internal/model/notification/domain/usecase"
	"gateway/internal/svc"
	"gateway/internal/types"
)

func sendPasswordResetOTP(
	ctx context.Context,
	sc *svc.ServiceContext,
	tenantID, uid, email string,
) (*types.PasswordForgotData, error) {
	cfg := sc.Config.Member.Defaults()
	rateKey := memberdom.GetVerifyRateRedisKey(tenantID, uid, string(passwordResetPurpose()))
	if err := sc.MemberVerifyRate.AssertResendAllowed(ctx, rateKey, time.Duration(cfg.OTP.ResendCooldownSeconds)*time.Second); err != nil {
		return nil, err
	}

	dto, plainCode, err := sc.MemberOTP.Generate(ctx, &dommember.GenerateOTPRequest{
		TenantID: tenantID,
		UID:      uid,
		Purpose:  passwordResetPurpose(),
		Target:   email,
	})
	if err != nil {
		return nil, err
	}
	locale := sc.Config.Notification.DefaultLocale
	if strings.TrimSpace(locale) == "" {
		locale = "en-us"
	}
	if _, sendErr := sc.Notifier.Send(ctx, &notifuc.SendRequest{
		TenantID:         tenantID,
		UID:              uid,
		Channel:          notifenum.ChannelEmail,
		Kind:             notifenum.NotifyVerifyEmail,
		Target:           email,
		Locale:           locale,
		Data:             map[string]any{"code": plainCode, "expires_in": dto.ExpiresIn},
		IdempotencyKey:   dto.ChallengeID,
		DoNotPersistBody: true,
		Severity:         notifenum.SeverityInfo,
	}); sendErr != nil {
		if invErr := sc.MemberOTP.Invalidate(ctx, dto.ChallengeID); invErr != nil {
			return nil, invErr
		}
		return nil, sendErr
	}
	return &types.PasswordForgotData{
		ChallengeID: dto.ChallengeID,
		ExpiresIn:   dto.ExpiresIn,
	}, nil
}
feat(auth): 登入 MFA、忘記/改密碼與註冊恢復流程補齊平台帳號（platform_native）的密碼自助能力，並讓未完成 Email 驗證的使用者可恢復註冊；OIDC/LDAP/SCIM 帳號禁止在本系統變更密碼。登入若已啟用 TOTP 改為兩階段驗證，OTP 重送加入 60 秒冷卻；同步調整 golangci 排除路徑與 zitadel lint 修正。 Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-26 16:55:37 +00:00			`package auth`

			`import (`
			`"context"`
			`"strings"`
			`"time"`

			`memberdom "gateway/internal/model/member/domain"`
			`dommember "gateway/internal/model/member/domain/usecase"`
			`notifenum "gateway/internal/model/notification/domain/enum"`
			`notifuc "gateway/internal/model/notification/domain/usecase"`
			`"gateway/internal/svc"`
			`"gateway/internal/types"`
			`)`

			`func sendPasswordResetOTP(`
			`ctx context.Context,`
			`sc *svc.ServiceContext,`
			`tenantID, uid, email string,`
			`) (*types.PasswordForgotData, error) {`
			`cfg := sc.Config.Member.Defaults()`
			`rateKey := memberdom.GetVerifyRateRedisKey(tenantID, uid, string(passwordResetPurpose()))`
			`if err := sc.MemberVerifyRate.AssertResendAllowed(ctx, rateKey, time.Duration(cfg.OTP.ResendCooldownSeconds)*time.Second); err != nil {`
			`return nil, err`
			`}`

			`dto, plainCode, err := sc.MemberOTP.Generate(ctx, &dommember.GenerateOTPRequest{`
			`TenantID: tenantID,`
			`UID: uid,`
			`Purpose: passwordResetPurpose(),`
			`Target: email,`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`
			`locale := sc.Config.Notification.DefaultLocale`
			`if strings.TrimSpace(locale) == "" {`
			`locale = "en-us"`
			`}`
			`if _, sendErr := sc.Notifier.Send(ctx, &notifuc.SendRequest{`
			`TenantID: tenantID,`
			`UID: uid,`
			`Channel: notifenum.ChannelEmail,`
			`Kind: notifenum.NotifyVerifyEmail,`
			`Target: email,`
			`Locale: locale,`
			`Data: map[string]any{"code": plainCode, "expires_in": dto.ExpiresIn},`
			`IdempotencyKey: dto.ChallengeID,`
			`DoNotPersistBody: true,`
			`Severity: notifenum.SeverityInfo,`
			`}); sendErr != nil {`
			`if invErr := sc.MemberOTP.Invalidate(ctx, dto.ChallengeID); invErr != nil {`
			`return nil, invErr`
			`}`
			`return nil, sendErr`
			`}`
			`return &types.PasswordForgotData{`
			`ChallengeID: dto.ChallengeID,`
			`ExpiresIn: dto.ExpiresIn,`
			`}, nil`
			`}`