新增验证码功能

models.py

@@ -1,6 +1,12 @@
 from pydantic import BaseModel
 from typing import Optional
 
+# 【新增】：发送验证码的请求模型
+class SendCodeRequest(BaseModel):
+    contact: str
+    contact_type: str  # "email" 或 "phone"
+    action_type: str   # "register" 或 "reset"
+
 class UserRegister(BaseModel):
     account: str   
     password: str  
@@ -8,6 +14,7 @@ class UserRegister(BaseModel):
     phone: str     
     name: str      
     gender: str
+    code: str      # 【新增】：注册验证码
     avatarDataUrl: Optional[str] = None
     age: Optional[int] = None
     country: Optional[str] = None
@@ -28,8 +35,11 @@ class UserUpdate(BaseModel):
     avatarDataUrl: Optional[str] = None
 
 class PasswordReset(BaseModel):
-    old_password: str
+    old_password: Optional[str] = None  # 找回密码时此项可为空
     new_password: str
+    verify_contact: str # 【新增】：接收验证码的邮箱或手机号
+    verify_type: str    # 【新增】："email" 或 "phone"
+    code: str           # 【新增】：重置验证码
 
 class InteractionToggle(BaseModel):
     item_id: str

router_users.py

@@ -2,15 +2,95 @@
 from fastapi import APIRouter, HTTPException
 import time
 import re
+import random
+import os
+import smtplib
+from email.mime.text import MIMEText
 import 数据库连接 as db
 from notifications import add_notification
-from models import UserRegister, UserLogin, UserUpdate, PasswordReset, FollowToggle, PrivacySettings
+from models import UserRegister, UserLogin, UserUpdate, PasswordReset, FollowToggle, PrivacySettings, SendCodeRequest
 
 router = APIRouter()
 
+# ==========================================
+# 【核心新增】：验证码内存缓存与发送引擎
+# ==========================================
+# 结构: {"contact_action": {"code": "123456", "expires_at": 1690000000}}
+VERIFY_CODES = {} 
+
+def send_email_code(to_email: str, code: str, action: str):
+    """底层邮件发送引擎 (需在 HF Spaces 设置环境变量)"""
+    sender = os.environ.get("SMTP_USER")
+    pwd = os.environ.get("SMTP_PASS")
+    server = os.environ.get("SMTP_SERVER", "smtp.qq.com") # 默认使用 QQ 邮箱 SMTP
+    port = int(os.environ.get("SMTP_PORT", 465))
+
+    if not sender or not pwd:
+        print("警告: 未配置 SMTP_USER 或 SMTP_PASS 环境变量，跳过真实邮件发送")
+        return
+
+    action_str = "注册账号" if action == "register" else "修改/找回密码"
+    msg = MIMEText(f"【ComfyUI 社区精选】您的验证码是：{code}，用于{action_str}。有效期 10 分钟。如非本人操作，请忽略此邮件。")
+    msg['Subject'] = f"ComfyUI 社区 - {action_str}验证码"
+    msg['From'] = sender
+    msg['To'] = to_email
+
+    try:
+        if port == 465:
+            with smtplib.SMTP_SSL(server, port) as smtp:
+                smtp.login(sender, pwd)
+                smtp.send_message(msg)
+        else:
+            with smtplib.SMTP(server, port) as smtp:
+                smtp.starttls()
+                smtp.login(sender, pwd)
+                smtp.send_message(msg)
+    except Exception as e:
+        print(f"邮件发送失败: {e}")
+        raise HTTPException(status_code=500, detail="邮件下发失败，请检查云端 SMTP 配置")
+
+def send_sms_code(phone: str, code: str, action: str):
+    """短信发送接口挂载点"""
+    # TODO: 这里接入阿里云/腾讯云短信 SDK
+    print(f"[模拟短信发送] 手机号: {phone}, 验证码: {code}, 动作: {action}")
+    pass
+
+@router.post("/api/users/send-code")
+async def send_verify_code(req: SendCodeRequest):
+    # 生成 6 位纯数字验证码
+    code = str(random.randint(100000, 999999))
+    cache_key = f"{req.contact}_{req.action_type}"
+    
+    # 存入缓存，设置 10 分钟过期
+    VERIFY_CODES[cache_key] = {
+        "code": code,
+        "expires_at": int(time.time()) + 600
+    }
+    
+    if req.contact_type == "email":
+        send_email_code(req.contact, code, req.action_type)
+    elif req.contact_type == "phone":
+        send_sms_code(req.contact, code, req.action_type)
+    else:
+        raise HTTPException(status_code=400, detail="不支持的验证方式")
+        
+    return {"status": "success", "message": "验证码已发送"}
+
+
+# ==========================================
+# 原有业务接口修改 (增加验证码鉴权)
+# ==========================================
+
 @router.post("/api/users/register")
 async def register_user(user: UserRegister):
     users_db = db.load_data("users.json", default_data={})
+    
+    # 【新增】：校验注册验证码
+    cache_key = f"{user.email}_register"
+    cached = VERIFY_CODES.get(cache_key)
+    if not cached or cached["code"] != user.code or int(time.time()) > cached["expires_at"]:
+        raise HTTPException(status_code=400, detail="验证码不正确或已过期")
+        
     if len(user.account) <= 5: raise HTTPException(status_code=400, detail="账号必须大于5个字符")
     if not re.match(r'^[a-zA-Z0-9_]{6,20}$', user.account): raise HTTPException(status_code=400, detail="账号仅支持大小写英文字母、数字及下划线")
     if len(user.password) < 6: raise HTTPException(status_code=400, detail="密码必须大于等于6个字符")
@@ -21,7 +101,11 @@ async def register_user(user: UserRegister):
         if existing_user.get("email") == user.email: raise HTTPException(status_code=400, detail="该邮箱已被绑定")
         if existing_user.get("phone") == user.phone: raise HTTPException(status_code=400, detail="该手机号已被绑定")
     
+    # 验证通过，销毁验证码
+    VERIFY_CODES.pop(cache_key, None)
+    
     new_user = user.dict()
+    new_user.pop("code", None) # 不将验证码存入数据库
     new_user.update({"created_at": int(time.time()), "followers": [], "following": [], "privacy": {"follows": False, "likes": False, "favorites": False, "downloads": False}})
     users_db[user.account] = new_user
     db.save_data("users.json", users_db)
@@ -62,10 +146,27 @@ async def update_user_profile(account: str, update_data: UserUpdate):
 async def reset_password(account: str, pwd_data: PasswordReset):
     users_db = db.load_data("users.json", default_data={})
     if account not in users_db: raise HTTPException(status_code=404, detail="用户不存在")
+    
+    user = users_db[account]
+    
+    # 【新增】：校验账号与提供的联系方式是否匹配，防止通过自己的邮箱改别人的密码
+    if pwd_data.verify_type == "email" and user.get("email") != pwd_data.verify_contact:
+        raise HTTPException(status_code=400, detail="填写的邮箱与该账号绑定的邮箱不匹配")
+    if pwd_data.verify_type == "phone" and user.get("phone") != pwd_data.verify_contact:
+        raise HTTPException(status_code=400, detail="填写的手机号与该账号绑定的手机号不匹配")
+
+    # 【新增】：校验重置验证码
+    cache_key = f"{pwd_data.verify_contact}_reset"
+    cached = VERIFY_CODES.get(cache_key)
+    if not cached or cached["code"] != pwd_data.code or int(time.time()) > cached["expires_at"]:
+        raise HTTPException(status_code=400, detail="验证码不正确或已过期")
+
     if len(pwd_data.new_password) < 6: raise HTTPException(status_code=400, detail="新密码必须大于等于6个字符")
     if not re.match(r'^[a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};\':"\\|,.<>\/?]{6,}$', pwd_data.new_password): raise HTTPException(status_code=400, detail="新密码包含不支持的特殊字符")
-    user = users_db[account]
-    if user.get("password") != pwd_data.old_password: raise HTTPException(status_code=401, detail="原密码错误")
+    
+    # 验证通过，销毁验证码
+    VERIFY_CODES.pop(cache_key, None)
+    
     user["password"] = pwd_data.new_password
     db.save_data("users.json", users_db)
     return {"status": "success"}