93 lines
4.2 KiB
Python
93 lines
4.2 KiB
Python
import re
|
|
|
|
from django.core.cache import cache
|
|
from django.db import transaction
|
|
from rest_framework.decorators import api_view, permission_classes, throttle_classes
|
|
from rest_framework.permissions import AllowAny
|
|
from rest_framework.response import Response
|
|
from rest_framework import serializers as drf_serializers
|
|
from drf_spectacular.utils import extend_schema, inline_serializer
|
|
|
|
from config.exceptions import AppError
|
|
from apps.user.models import User
|
|
from apps.user.throttling import ResetPhoneThrottle
|
|
from apps.user.utils.password import validate_password_strength
|
|
from apps.user.utils.jwt_redis import invalidate_user_tokens
|
|
from apps.user.audit import log_password_reset
|
|
|
|
|
|
@extend_schema(
|
|
summary='U5 找回密码',
|
|
request=inline_serializer('ResetPasswordRequest', fields={
|
|
'phone': drf_serializers.CharField(help_text='手机号'),
|
|
'code': drf_serializers.CharField(help_text='6 位短信验证码'),
|
|
'new_password': drf_serializers.CharField(help_text='新密码'),
|
|
}),
|
|
responses={200: inline_serializer('ResetPasswordResponse', fields={
|
|
'message': drf_serializers.CharField(),
|
|
})},
|
|
tags=['认证'],
|
|
)
|
|
@api_view(['POST'])
|
|
@permission_classes([AllowAny])
|
|
@throttle_classes([ResetPhoneThrottle])
|
|
def reset_password(request):
|
|
"""U5 找回密码(手机号 + 验证码 + 新密码)"""
|
|
data = request.data
|
|
phone = str(data.get('phone', ''))
|
|
code = str(data.get('code', ''))
|
|
new_password = str(data.get('new_password', ''))
|
|
|
|
# ── 入参校验 ──────────────────────────────────────────────────────────────
|
|
|
|
if not re.match(r'^1[3-9]\d{9}$', phone):
|
|
raise AppError('SMS_INVALID_PHONE', '手机号格式不合法')
|
|
|
|
if not code or len(code) != 6 or not code.isdigit():
|
|
raise AppError('AUTH_CODE_INVALID', '验证码必须为 6 位数字')
|
|
|
|
if not new_password:
|
|
raise AppError('AUTH_PASSWORD_WEAK', '请输入新密码')
|
|
|
|
# ── 查找用户 ──────────────────────────────────────────────────────────────
|
|
|
|
try:
|
|
user = User.objects.get(phone=phone)
|
|
except User.DoesNotExist:
|
|
raise AppError('AUTH_PHONE_NOT_FOUND', '手机号未注册')
|
|
|
|
# ── 验证码校验 ────────────────────────────────────────────────────────────
|
|
|
|
cache_key = f'sms:reset:{phone}'
|
|
cached_code = cache.get(cache_key)
|
|
if not cached_code:
|
|
raise AppError('AUTH_CODE_EXPIRED', '验证码已过期或未发送')
|
|
if str(cached_code) != code:
|
|
raise AppError('AUTH_CODE_MISMATCH', '验证码错误')
|
|
|
|
# ── 新密码校验 ────────────────────────────────────────────────────────────
|
|
|
|
# 新密码不得与旧密码相同(独立错误码)
|
|
if user.check_password(new_password):
|
|
raise AppError('AUTH_PASSWORD_SAME_AS_OLD', '新密码不能与旧密码相同')
|
|
|
|
# 密码强度校验
|
|
pwd_errors = validate_password_strength(new_password, phone=user.phone, real_name=user.real_name)
|
|
if pwd_errors:
|
|
raise AppError('AUTH_PASSWORD_WEAK', pwd_errors[0], details=pwd_errors)
|
|
|
|
# ── 事务内:重置密码 + 失效旧 token ──────────────────────────────────────
|
|
|
|
with transaction.atomic():
|
|
user.set_password(new_password)
|
|
user.save(update_fields=['password'])
|
|
invalidate_user_tokens(user.id)
|
|
|
|
# ── 善后 ──────────────────────────────────────────────────────────────────
|
|
|
|
cache.delete(cache_key)
|
|
cache.delete(f'login_fail:{phone}')
|
|
log_password_reset(user.id)
|
|
|
|
return Response({'message': '密码已重置,请重新登录'})
|