refactor: 统一认证端点并删除冗余 profile 模块

- 合并 auth 端点: /verifications/verify → /verify, /verifications/resend → /resend
- 整合密码重置到 /verify 端点 (type=recovery)
- 移除未使用的 /auth/users 端点
- 添加 redirect URL 白名单验证 (site_url + additional_redirect_urls)
- 限流改用 Redis + IP 标识，替代内存锁
- 删除 v1/profile 死代码模块
- 更新前端 auth_api 适配新端点
- 添加 supabase site_url 和 additional_redirect_urls 配置

backend/tests/unit/v1/auth/test_auth_gateway.py

@@ -7,7 +7,11 @@ import pytest
 from fastapi import HTTPException
 
 from v1.auth.gateway import SupabaseAuthGateway
-from v1.auth.schemas import PasswordResetConfirmRequest, PasswordResetRequest
+from v1.auth.schemas import (
+    PasswordResetConfirmRequest,
+    PasswordResetRequest,
+    VerificationResendRequest,
+)
 
 
 class TestSupabaseAuthGateway:
@@ -56,6 +60,22 @@ class TestSupabaseAuthGateway:
             options={"redirect_to": "http://localhost:3000/reset-password"},
         )
 
+    @pytest.mark.asyncio
+    async def test_request_password_reset_rejects_redirect_outside_allowlist(
+        self, gateway: tuple[SupabaseAuthGateway, MagicMock, MagicMock]
+    ) -> None:
+        sut, _, _ = gateway
+        request = PasswordResetRequest(
+            email="test@example.com",
+            redirect_to="https://evil.example/reset",
+        )
+
+        with pytest.raises(HTTPException) as exc_info:
+            await sut.request_password_reset(request)
+
+        assert exc_info.value.status_code == 422
+        assert exc_info.value.detail == "Invalid redirect URL"
+
     @pytest.mark.asyncio
     async def test_request_password_reset_swallows_auth_error(
         self, gateway: tuple[SupabaseAuthGateway, MagicMock, MagicMock]
@@ -165,3 +185,24 @@ class TestSupabaseAuthGateway:
 
         assert exc_info.value.status_code == 401
         assert exc_info.value.detail == "Invalid or expired verification code"
+
+    @pytest.mark.asyncio
+    async def test_recovery_resend_calls_reset_password_email(
+        self, gateway: tuple[SupabaseAuthGateway, MagicMock, MagicMock]
+    ) -> None:
+        sut, mock_client, _ = gateway
+        mock_reset_email = MagicMock()
+        mock_client.auth.reset_password_email = mock_reset_email
+
+        await sut.resend_verification(
+            VerificationResendRequest(
+                type="recovery",
+                email="test@example.com",
+                redirect_to="http://localhost:3000/reset-password",
+            )
+        )
+
+        mock_reset_email.assert_called_once_with(
+            "test@example.com",
+            options={"redirect_to": "http://localhost:3000/reset-password"},
+        )

backend/tests/unit/v1/auth/test_auth_models.py

@@ -33,6 +33,25 @@ def test_signup_verify_requires_six_digit_token() -> None:
         VerificationVerifyRequest(email="user@example.com", token="abc123")
 
 
+def test_signup_verify_disallows_new_password() -> None:
+    with pytest.raises(ValidationError):
+        VerificationVerifyRequest(
+            type="signup",
+            email="user@example.com",
+            token="123456",
+            new_password="secret123",
+        )
+
+
+def test_recovery_verify_requires_new_password() -> None:
+    with pytest.raises(ValidationError):
+        VerificationVerifyRequest(
+            type="recovery",
+            email="user@example.com",
+            token="123456",
+        )
+
+
 def test_signup_resend_requires_valid_email() -> None:
     with pytest.raises(ValidationError):
         VerificationResendRequest(email="invalid")

backend/tests/unit/v1/auth/test_auth_service.py

@@ -5,6 +5,8 @@ import pytest
 import v1.auth.gateway as auth_gateway_module
 from v1.auth.schemas import (
     AuthUser,
+    PasswordResetConfirmRequest,
+    PasswordResetRequest,
     SessionCreateRequest,
     SessionRefreshRequest,
     SessionResponse,
@@ -44,40 +46,15 @@ class FakeGateway(AuthServiceGateway):
         return None
 
     async def get_user_by_email(self, email: str) -> UserByEmailResponse:
-        return UserByEmailResponse(
-            id="user-1",
-            email=email,
-            created_at="2026-02-24T00:00:00Z",
-            email_confirmed_at=None,
-        )
+        raise NotImplementedError
 
+    async def request_password_reset(self, request: PasswordResetRequest) -> None:
+        raise NotImplementedError
 
-@pytest.mark.asyncio
-async def test_signup_maps_response() -> None:
-    user = AuthUser(id="user-1", email="user@example.com")
-    token_response = SessionResponse(
-        access_token="access",
-        refresh_token="refresh",
-        expires_in=3600,
-        token_type="bearer",
-        user=user,
-    )
-    service = AuthService(gateway=FakeGateway(token_response))
-
-    start_result = await service.create_verification(
-        VerificationCreateRequest(
-            username="demo", email="user@example.com", password="secret123"
-        )
-    )
-    assert start_result.email == "user@example.com"
-
-    result = await service.verify_verification(
-        VerificationVerifyRequest(email="user@example.com", token="123456")
-    )
-
-    assert result.access_token == "access"
-    assert result.refresh_token == "refresh"
-    assert result.user.id == "user-1"
+    async def confirm_password_reset(
+        self, request: PasswordResetConfirmRequest
+    ) -> None:
+        raise NotImplementedError
 
 
 class LogoutAssertingGateway(AuthServiceGateway):
@@ -109,6 +86,14 @@ class LogoutAssertingGateway(AuthServiceGateway):
     async def get_user_by_email(self, email: str) -> UserByEmailResponse:
         raise NotImplementedError
 
+    async def request_password_reset(self, request: PasswordResetRequest) -> None:
+        raise NotImplementedError
+
+    async def confirm_password_reset(
+        self, request: PasswordResetConfirmRequest
+    ) -> None:
+        raise NotImplementedError
+
 
 @pytest.mark.asyncio
 async def test_logout_forwards_refresh_token() -> None:
@@ -117,23 +102,6 @@ async def test_logout_forwards_refresh_token() -> None:
     await service.delete_session("refresh-token")
 
 
-@pytest.mark.asyncio
-async def test_get_user_by_email_forwards_to_gateway() -> None:
-    user = AuthUser(id="user-1", email="user@example.com")
-    token_response = SessionResponse(
-        access_token="access",
-        refresh_token="refresh",
-        expires_in=3600,
-        token_type="bearer",
-        user=user,
-    )
-    service = AuthService(gateway=FakeGateway(token_response))
-
-    result = await service.get_user_by_email("user@example.com")
-
-    assert result.email == "user@example.com"
-
-
 @pytest.mark.asyncio
 async def test_signup_resend_returns_none() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
@@ -182,7 +150,9 @@ async def test_supabase_signup_passes_username_in_metadata(
     class FakeClient:
         auth = FakeSupabaseAuth()
 
-    monkeypatch.setattr(auth_gateway_module, "create_client", lambda *_: FakeClient())
+    monkeypatch.setattr(
+        auth_gateway_module.supabase_service, "get_client", lambda: FakeClient()
+    )
 
     gateway = auth_gateway_module.SupabaseAuthGateway()
     await gateway.create_verification(