From 95d8c75500b9419337a39860b5de7a33a8599276 Mon Sep 17 00:00:00 2001 From: zheng020 Date: Fri, 22 May 2026 13:13:56 +0800 Subject: [PATCH] =?UTF-8?q?docs:=20=E4=BF=AE=E6=AD=A3=20verify=5Ftoken=20?= =?UTF-8?q?=E4=B8=BA=E7=AE=80=E5=8D=95=E9=9A=8F=E6=9C=BA=E5=AD=97=E7=AC=A6?= =?UTF-8?q?=E4=B8=B2=E9=9D=9EJWT?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit verify_token 使用 32 位随机字符串(vtf_xxx)而非 JWT, 避免签名验证的复杂性,直接 Redis 比对即可。 Co-Authored-By: Claude Opus 4.7 --- .../specs/2026-05-22-sms-register-design.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/superpowers/specs/2026-05-22-sms-register-design.md b/docs/superpowers/specs/2026-05-22-sms-register-design.md index e12bf05..9dfce28 100644 --- a/docs/superpowers/specs/2026-05-22-sms-register-design.md +++ b/docs/superpowers/specs/2026-05-22-sms-register-design.md @@ -243,25 +243,26 @@ Content-Type: application/json "message": "验证成功", "data": { "verified": true, - "verify_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", + "verify_token": "vtf_abc123xyz789...", "expires_in": 300 } } ``` **说明**: -- `verify_token` 用于后续注册接口的认证,后端在 Redis 中记录 `verify:register:{mobile}` = verify_token +- `verify_token` 是长度为 32 位的随机字符串(格式:`vtf_` + 29 位随机字符),不是 JWT +- 存储在 Redis 中:`verify:register:{mobile}` → `vtf_abc123xyz789...`,TTL = 300 秒 - 注册接口需携带此 token,验证通过后才处理注册请求 -- `expires_in` = 300 秒(5 分钟),超时需重新验证 +- 验证成功后删除该记录,防止重复使用 **注册接口携带 token**: ``` POST /api/v1/auth/register -Authorization: Bearer {verify_token} Content-Type: application/json { "mobile": "13800138000", + "verify_token": "vtf_abc123xyz789...", "password": "xxx", "nickname": "xxx", "star_id": 1 @@ -269,8 +270,8 @@ Content-Type: application/json ``` 后端逻辑: -1. 从 verify_token 中解析出 mobile -2. 检查 Redis 中 `verify:register:{mobile}` 是否与 token 匹配 +1. 根据 mobile 从 Redis 中获取 `verify:register:{mobile}` 的值 +2. 与请求中的 verify_token 比对,不一致则拒绝 3. 验证通过后删除该记录,防止重复使用 ---
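Review bot: In the first hunk (`@@ -243,25 +243,26 @@`), the new bullet `verify_token` 是长度为 32 位的随机字符串(格式:`vtf_` + 29 位随机字符) does not add up: `vtf_` is 4 characters, so a 29-character random suffix gives a 33-character token, not 32. Pick one (either 28 random characters for a total of 32, or state the total as 33) so implementers and validators agree on the length. While fixing that, the spec should say how the random part is generated and from which alphabet: since this token is the only proof that the SMS check passed, it must come from a cryptographically secure random source with enough entropy to be unguessable, and "随机字符串" alone does not require that. Also, the replaced bullet about `expires_in` leaves the `"expires_in": 300` field in the response undocumented; keep one line stating that `expires_in` equals the Redis TTL of `verify:register:{mobile}`, and note that the new "验证成功后删除该记录" bullet describes the register endpoint's behaviour (it duplicates step 3 of the backend logic below), not the verify endpoint's.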
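Review bot: In the second hunk (`@@ -269,8 +270,8 @@`), steps 2 and 3 are a check-then-delete sequence, so two concurrent register requests carrying the same `verify_token` can both read the key before either deletes it, which defeats the "防止重复使用" intent; specify an atomic read-and-delete (for example Redis `GETDEL`, or a Lua script that compares and deletes in one step) so the token can be consumed exactly once. Step 2 should also state what happens when `verify:register:{mobile}` is absent (TTL expired or the mobile was never verified): reject with the same error as a mismatch, so the caller cannot distinguish "no verification on record" from "wrong token". Finally, since the comparison is now plain string equality instead of a signature check, note that it should be a constant-time comparison against the stored value.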