功能性及安全修复

2026-06-09 23:34:54 +08:00
parent 70e7ad8e5e
commit 5e0052564b
3 changed files with 12 additions and 5 deletions
--- a/backend/services/auth_service.py
+++ b/backend/services/auth_service.py
@@ -123,8 +123,16 @@ class AuthService:
        if not user:
            return {"success": False, "message": "用户不存在"}
        
-        # 验证原密码（强制改密时跳过）
-        if not force:
+        # 验证原密码
+        # force=True 仅在 need_change_password=1 时允许（首次登录强制改密）
+        # 其他情况必须验证旧密码
+        if force and user.get("need_change_password") == 1:
+            # 首次登录强制改密，跳过旧密码验证
+            pass
+        else:
+            # 正常改密，必须验证旧密码
+            if not old_password:
+                return {"success": False, "message": "请输入原密码"}
            is_valid, _ = security.verify_password_v2(old_password, user["password_hash"])
            if not is_valid:
                return {"success": False, "message": "原密码错误"}