template-monorepo/internal/logic/auth/password_helper.go

package auth

import (
	memberenum "gateway/internal/model/member/domain/enum"
	dommember "gateway/internal/model/member/domain/usecase"
)

func passwordResetPurpose() memberenum.OTPPurpose {
	return memberenum.OTPPurposePasswordReset
}

func ensurePlatformNativePassword(member *dommember.MemberDTO) error {
	if member == nil {
		return errb.ResNotFound("member", "")
	}
	switch member.Origin {
	case memberenum.MemberOriginPlatformNative:
		return nil
	case memberenum.MemberOriginOIDC:
		return errb.AuthForbidden("social login accounts cannot change password here")
	case memberenum.MemberOriginLDAP:
		return errb.AuthForbidden("ldap accounts cannot change password here")
	case memberenum.MemberOriginSCIM:
		return errb.AuthForbidden("scim provisioned accounts cannot change password here")
	default:
		return errb.AuthForbidden("account cannot change password here")
	}
}

func ensurePasswordResetEligible(status memberenum.MemberStatus) error {
	switch status {
	case memberenum.MemberStatusActive:
		return nil
	case memberenum.MemberStatusUnverified:
		return errb.AuthForbidden("account is not verified")
	case memberenum.MemberStatusSuspended:
		return errb.AuthForbidden("account is suspended")
	case memberenum.MemberStatusDeleted:
		return errb.ResNotFound("member", "")
	default:
		return errb.AuthForbidden("account is not allowed to reset password")
	}
}
feat(auth): 登入 MFA、忘記/改密碼與註冊恢復流程補齊平台帳號（platform_native）的密碼自助能力，並讓未完成 Email 驗證的使用者可恢復註冊；OIDC/LDAP/SCIM 帳號禁止在本系統變更密碼。登入若已啟用 TOTP 改為兩階段驗證，OTP 重送加入 60 秒冷卻；同步調整 golangci 排除路徑與 zitadel lint 修正。 Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-26 16:55:37 +00:00			`package auth`

			`import (`
			`memberenum "gateway/internal/model/member/domain/enum"`
			`dommember "gateway/internal/model/member/domain/usecase"`
			`)`

			`func passwordResetPurpose() memberenum.OTPPurpose {`
			`return memberenum.OTPPurposePasswordReset`
			`}`

			`func ensurePlatformNativePassword(member *dommember.MemberDTO) error {`
			`if member == nil {`
			`return errb.ResNotFound("member", "")`
			`}`
			`switch member.Origin {`
			`case memberenum.MemberOriginPlatformNative:`
			`return nil`
			`case memberenum.MemberOriginOIDC:`
			`return errb.AuthForbidden("social login accounts cannot change password here")`
			`case memberenum.MemberOriginLDAP:`
			`return errb.AuthForbidden("ldap accounts cannot change password here")`
			`case memberenum.MemberOriginSCIM:`
			`return errb.AuthForbidden("scim provisioned accounts cannot change password here")`
			`default:`
			`return errb.AuthForbidden("account cannot change password here")`
			`}`
			`}`

			`func ensurePasswordResetEligible(status memberenum.MemberStatus) error {`
			`switch status {`
			`case memberenum.MemberStatusActive:`
			`return nil`
			`case memberenum.MemberStatusUnverified:`
			`return errb.AuthForbidden("account is not verified")`
			`case memberenum.MemberStatusSuspended:`
			`return errb.AuthForbidden("account is suspended")`
			`case memberenum.MemberStatusDeleted:`
			`return errb.ResNotFound("member", "")`
			`default:`
			`return errb.AuthForbidden("account is not allowed to reset password")`
			`}`
			`}`