feat(auth): switch signup to OTP verification flow

Replace legacy signup with start/verify/resend endpoints, add OTP-focused mail templates and auth rate limits, and align compose/env/runbook for local self-hosted Supabase OTP behavior.
2026-02-25 13:34:02 +08:00
parent 02e5e52e1f
commit 1cc8fa1abf
16 changed files with 707 additions and 112 deletions
@@ -11,11 +11,15 @@ import uvicorn
 from app import app
 from v1.auth.dependencies import get_auth_service
 from v1.auth.schemas import (
+    AuthResendCodeResponse,
+    AuthSignupStartResponse,
    AuthTokenResponse,
    AuthUser,
    LoginRequest,
    RefreshRequest,
-    SignupRequest,
+    SignupResendRequest,
+    SignupStartRequest,
+    SignupVerifyRequest,
 )
 from v1.auth.service import AuthService

@@ -24,7 +28,12 @@ class FakeE2EAuthService(AuthService):
    def __init__(self) -> None:
        self._user = AuthUser(id="user-1", email="user@example.com")

-    async def signup(self, request: SignupRequest) -> AuthTokenResponse:
+    async def signup_start(
+        self, request: SignupStartRequest
+    ) -> AuthSignupStartResponse:
+        return AuthSignupStartResponse(email=request.email)
+
+    async def signup_verify(self, request: SignupVerifyRequest) -> AuthTokenResponse:
        return AuthTokenResponse(
            access_token="access-1",
            refresh_token="refresh-1",
@@ -33,6 +42,11 @@ class FakeE2EAuthService(AuthService):
            user=self._user,
        )

+    async def signup_resend(
+        self, request: SignupResendRequest
+    ) -> AuthResendCodeResponse:
+        return AuthResendCodeResponse()
+
    async def login(self, request: LoginRequest) -> AuthTokenResponse:
        return AuthTokenResponse(
            access_token="access-2",
@@ -93,7 +107,7 @@ def test_auth_flow_e2e() -> None:
            )
            try:
                signup = request_context.post(
-                    "/api/v1/auth/signup",
+                    "/api/v1/auth/signup/start",
                    data=json.dumps(
                        {
                            "username": "demo",
@@ -103,8 +117,20 @@ def test_auth_flow_e2e() -> None:
                    ),
                    headers={"Content-Type": "application/json"},
                )
-                assert signup.status == 200
-                assert signup.json()["access_token"] == "access-1"
+                assert signup.status == 202
+
+                verify = request_context.post(
+                    "/api/v1/auth/signup/verify",
+                    data=json.dumps(
+                        {
+                            "email": "user@example.com",
+                            "token": "123456",
+                        }
+                    ),
+                    headers={"Content-Type": "application/json"},
+                )
+                assert verify.status == 200
+                assert verify.json()["access_token"] == "access-1"

                login = request_context.post(
                    "/api/v1/auth/login",